/* Void Main's man pages */

{ phpMan } else { main(); }

Command: man perldoc info search(apropos)  

selinux(8)                                     SELinux Command Line documentation                                     selinux(8)



NAME
       selinux - NSA Security-Enhanced Linux (SELinux)


DESCRIPTION
       NSA  Security-Enhanced  Linux  (SELinux)  is an implementation of a flexible mandatory access control architecture in the
       Linux operating system.  The SELinux architecture provides general support for the enforcement of many kinds of mandatory
       access  control  policies,  including those based on the concepts of Type Enforcement(R), Role- Based Access Control, and
       Multi-Level  Security.   Background  information  and  technical  documentation   about   SELinux   can   be   found   at
       http://www.nsa.gov/selinux.

       The  /etc/selinux/config  configuration  file  controls  whether  SELinux is enabled or disabled, and if enabled, whether
       SELinux operates in permissive mode or enforcing mode.  The SELINUX variable may be set to any one of  disabled,  permis-
       sive, or enforcing to select one of these options.  The disabled option completely disables the SELinux kernel and appli-
       cation code, leaving the system running without any SELinux protection.  The permissive option enables the SELinux  code,
       but  causes it to operate in a mode where accesses that would be denied by policy are permitted but audited.  The enforc-
       ing option enables the SELinux code and causes it to enforce access denials as well as auditing  them.   Permissive  mode
       may yield a different set of denials than enforcing mode, both because enforcing mode will prevent an operation from pro-
       ceeding past the first denial and because some application code will fall back to a less privileged mode of operation  if
       denied access.

       The  /etc/selinux/config configuration file also controls what policy is active on the system.  SELinux allows for multi-
       ple policies to be installed on the system, but only one policy may be active at any given time.  At present,  two  kinds
       of  SELinux  policy exist: targeted and strict.  The targeted policy is designed as a policy where most processes operate
       without restrictions, and only specific services are placed into distinct security domains that are confined by the  pol-
       icy.  For example, the user would run in a completely unconfined domain while the named daemon or apache daemon would run
       in a specific domain tailored to its operation.  The strict policy is designed as a policy where all processes are parti-
       tioned  into  fine-grained  security domains and confined by policy.  It is anticipated in the future that other policies
       will be created (Multi-Level Security for example).  You can define which policy you will run by setting the  SELINUXTYPE
       environment  variable  within  /etc/selinux/config.   The corresponding policy configuration for each such policy must be
       installed in the /etc/selinux/SELINUXTYPE/ directories.

       A given SELinux policy can be customized further based on a set of compile-time tunable options and a set of runtime pol-
       icy booleans.  system-config-securitylevel allows customization of these booleans and tunables.

       Many domains that are protected by SELinux also include selinux man pages explainging how to customize their policy.


FILE LABELING
       All  files, directories, devices ... have a security context/label associated with them.  These context are stored in the
       extended attributes of the file system.  Problems with SELinux often arise from the file system  being  mislabeled.  This
       can  be  caused by booting the machine with a non selinux kernel.  If you see an error message containing file_t, that is
       usually a good indicator that you have a serious problem with file system labeling.

       The best way to relabel the file system is to  create  the  flag  file  /.autorelabel  and  reboot.   system-config-secu-
       ritylevel, also has this capability.  The restorcon/fixfiles commands are also available for relabeling files.


AUTHOR
       This manual page was written by Dan Walsh <dwalshATredhat.com>.


SEE ALSO
       booleans(8),    setsebool(8),    selinuxenabled(8),   togglesebool(8),   restorecon(8),   setfiles(8),   ftpd_selinux(8),
       named_selinux(8),   rsync_selinux(8),   httpd_selinux(8),    nfs_selinux(8),    samba_selinux(8),    kerberos_selinux(8),
       nis_selinux(8), ypbind_selinux(8)



FILES
       /etc/selinux/config



dwalshATredhat.com                                          29 Apr 2005                                                selinux(8)
Valid XHTML 1.0!Valid CSS!