Provided by: selinux-utils_3.4-1build4_amd64 bug


       SELinux - NSA Security-Enhanced Linux (SELinux)


       NSA  Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access
       control architecture in the Linux operating system.   The  SELinux  architecture  provides
       general  support  for  the enforcement of many kinds of mandatory access control policies,
       including those based on the concepts of Type EnforcementĀ®, Role-  Based  Access  Control,
       and  Multi-Level  Security.   Background  information  and  technical  documentation about
       SELinux can be found at

       The  /etc/selinux/config  configuration  file  controls  whether  SELinux  is  enabled  or
       disabled,  and  if enabled, whether SELinux operates in permissive mode or enforcing mode.
       The SELINUX variable may be set to any one of disabled, permissive, or enforcing to select
       one  of  these  options.  The disabled disables most of the SELinux kernel and application
       code, leaving the system running without any SELinux protection.   The  permissive  option
       enables  the SELinux code, but causes it to operate in a mode where accesses that would be
       denied by policy are permitted but audited.  The enforcing option enables the SELinux code
       and  causes  it  to  enforce access denials as well as auditing them.  permissive mode may
       yield a different set of denials than enforcing mode, both  because  enforcing  mode  will
       prevent  an  operation  from proceeding past the first denial and because some application
       code will fall back to a less privileged mode of operation if denied access.

       NOTE: Disabling SELinux by setting SELINUX=disabled in /etc/selinux/config  is  deprecated
       and  depending  on  kernel  version  and  configuration it might not lead to SELinux being
       completely disabled.  Specifically, the SELinux hooks will still be  executed  internally,
       but the SELinux policy will not be loaded and no operation will be denied.  In such state,
       the system will act as if SELinux was disabled,  although  some  operations  might  behave
       slightly differently.  To properly disable SELinux, it is recommended to use the selinux=0
       kernel boot option instead.  In that case SELinux will be disabled regardless of  what  is
       set in the /etc/selinux/config file.

       The  /etc/selinux/config  configuration  file  also  controls what policy is active on the
       system.  SELinux allows for multiple policies to be installed on the system, but only  one
       policy  may  be  active  at  any given time.  At present, multiple kinds of SELinux policy
       exist: targeted, mls for example.  The targeted policy is designed as a policy where  most
       user  processes  operate  without restrictions, and only specific services are placed into
       distinct security domains that are confined by the policy.  For example,  the  user  would
       run in a completely unconfined domain while the named daemon or apache daemon would run in
       a specific domain tailored to its operation.  The MLS  (Multi-Level  Security)  policy  is
       designed  as  a  policy  where  all  processes  are partitioned into fine-grained security
       domains and confined by policy.  MLS also supports the  Bell  And  LaPadula  model,  where
       processes are not only confined by the type but also the level of the data.

       You  can  define which policy you will run by setting the SELINUXTYPE environment variable
       within /etc/selinux/config.  You must reboot and possibly relabel if you change the policy
       type  to  have  it  take effect on the system.  The corresponding policy configuration for
       each such policy must be installed in the /etc/selinux/{SELINUXTYPE}/ directories.

       A given SELinux policy can be customized further based on a set  of  compile-time  tunable
       options  and a set of runtime policy booleans.  system-config-selinux allows customization
       of these booleans and tunables.

       Many domains that are protected by SELinux also include SELinux man pages  explaining  how
       to customize their policy.


       All  files,  directories,  devices ... have a security context/label associated with them.
       These context are stored in the extended attributes of the  file  system.   Problems  with
       SELinux  often  arise from the file system being mislabeled. This can be caused by booting
       the machine with a non SELinux kernel.  If you see an  error  message  containing  file_t,
       that  is  usually  a  good  indicator  that  you  have  a serious problem with file system

       The best way to relabel the file system is to  create  the  flag  file  /.autorelabel  and
       reboot.    system-config-selinux,  also  has  this  capability.   The  restorecon/fixfiles
       commands are also available for relabeling files.

       Please note that using mount flag nosuid also disables SELinux domain transitions,  unless
       permission nosuid_transition is used in the policy to allow this, which in turn needs also
       policy capability nnp_nosuid_transition.


       This manual page was written by Dan Walsh <>.




       booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8), togglesebool(8),
       restorecon(8), fixfiles(8), setfiles(8), semanage(8), sepolicy(8)

       Every confined service on the system has a man page in the following format:


       For example, httpd has the httpd_selinux(8) man page.

       man -k selinux

       Will list all SELinux man pages.