Provided by: selinux-utils_3.8.1-1build2_amd64 bug

NAME
       SELinux - Security-Enhanced Linux (SELinux)


DESCRIPTION
       Security-Enhanced   Linux  (SELinux)  is  an  implementation  of  a  flexible  mandatory  access  control
       architecture in the Linux operating system.  The SELinux architecture provides general  support  for  the
       enforcement  of many kinds of mandatory access control policies, including those based on the concepts of
       Type EnforcementĀ®, Role- Based Access Control, and  Multi-Level  Security.   Background  information  and
       technical documentation about SELinux can be found at https://github.com/SELinuxProject.

       The  /etc/selinux/config  configuration  file  controls  whether  SELinux  is enabled or disabled, and if
       enabled, whether SELinux operates in permissive mode or enforcing mode.  The SELINUX variable may be  set
       to  any  one of disabled, permissive, or enforcing to select one of these options.  The disabled disables
       most of the SELinux kernel  and  application  code,  leaving  the  system  running  without  any  SELinux
       protection.   The  permissive  option  enables the SELinux code, but causes it to operate in a mode where
       accesses that would be denied by policy are permitted but audited.   The  enforcing  option  enables  the
       SELinux code and causes it to enforce access denials as well as auditing them.  permissive mode may yield
       a  different  set  of  denials than enforcing mode, both because enforcing mode will prevent an operation
       from proceeding past the first denial and because  some  application  code  will  fall  back  to  a  less
       privileged mode of operation if denied access.

       NOTE: Disabling SELinux by setting SELINUX=disabled in /etc/selinux/config is deprecated and depending on
       kernel  version  and configuration it might not lead to SELinux being completely disabled.  Specifically,
       the SELinux hooks will still be executed internally, but the SELinux policy will not  be  loaded  and  no
       operation  will  be denied.  In such state, the system will act as if SELinux was disabled, although some
       operations might behave slightly differently.  To properly disable SELinux, it is recommended to use  the
       selinux=0 kernel boot option instead.  In that case SELinux will be disabled regardless of what is set in
       the /etc/selinux/config file.

       The  /etc/selinux/config  configuration  file also controls what policy is active on the system.  SELinux
       allows for multiple policies to be installed on the system, but only one policy  may  be  active  at  any
       given time.  At present, multiple kinds of SELinux policy exist: targeted, mls for example.  The targeted
       policy  is designed as a policy where most user processes operate without restrictions, and only specific
       services are placed into distinct security domains that are confined by the  policy.   For  example,  the
       user  would  run in a completely unconfined domain while the named daemon or apache daemon would run in a
       specific domain tailored to its operation.  The MLS (Multi-Level Security) policy is designed as a policy
       where all processes are partitioned into fine-grained security domains and confined by policy.  MLS  also
       supports  the  Bell  And  LaPadula  model, where processes are not only confined by the type but also the
       level of the data.

       You can define which policy  you  will  run  by  setting  the  SELINUXTYPE  environment  variable  within
       /etc/selinux/config.   You must reboot and possibly relabel if you change the policy type to have it take
       effect on the system.  The corresponding policy configuration for each such policy must be  installed  in
       the /etc/selinux/{SELINUXTYPE}/ directories.

       A given SELinux policy can be customized further based on a set of compile-time tunable options and a set
       of runtime policy booleans.  system-config-selinux allows customization of these booleans and tunables.

       Many  domains  that  are  protected by SELinux also include SELinux man pages explaining how to customize
       their policy.


FILE LABELING
       All files, directories, devices ... have a security context/label associated with  them.   These  context
       are  stored  in  the  extended attributes of the file system.  Problems with SELinux often arise from the
       file system being mislabeled. This can be caused by booting the machine with a non  SELinux  kernel.   If
       you  see  an  error  message  containing file_t, that is usually a good indicator that you have a serious
       problem with file system labeling.

       The best way to  relabel  the  file  system  is  to  create  the  flag  file  /.autorelabel  and  reboot.
       system-config-selinux, also has this capability.  The restorecon/fixfiles commands are also available for
       relabeling files.

       Please  note  that  using  mount  flag nosuid also disables SELinux domain transitions, unless permission
       nosuid_transition is used in the policy to allow  this,  which  in  turn  needs  also  policy  capability
       nnp_nosuid_transition.


AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.


FILES
       /etc/selinux/config


SEE ALSO
       booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8), togglesebool(8), restorecon(8),
       fixfiles(8), setfiles(8), semanage(8), sepolicy(8)

       Every confined service on the system has a man page in the following format:

       <servicename>_selinux(8)

       For example, httpd has the httpd_selinux(8) man page.

       man -k selinux

       Will list all SELinux man pages.

dwalsh@redhat.com                                  29 Apr 2005                                        selinux(8)