|
NAME | DESCRIPTION | FILE FORMAT | EXAMPLE | SEE ALSO | COLOPHON |
selinux_config(5) SELinux configuration file selinux_config(5)
config - The SELinux sub-system configuration file.
The SELinux config file controls the state of SELinux regarding:
1. The policy enforcement status - enforcing, permissive or
disabled.
2. The policy name or type that forms a path to the policy to
be loaded and its supporting configuration files.
3. How local users and booleans will be managed when the
policy is loaded (note that this function was used by
older releases of SELinux and is now deprecated).
4. How SELinux-aware login applications should behave if no
valid SELinux users are configured.
5. Whether the system is to be relabeled or not.
The entries controlling these functions are described in the FILE
FORMAT section.
The fully qualified path name of the SELinux configuration file is
/etc/selinux/config.
If the config file is missing or corrupt, then no SELinux policy is
loaded (i.e. SELinux is disabled).
The sestatus (8) command and the libselinux function selinux_path (3)
will return the location of the config file.
The config file supports the following parameters:
SELINUX = enforcing | permissive | disabled
SELINUXTYPE = policy_name
SETLOCALDEFS = 0 | 1
REQUIREUSERS = 0 | 1
AUTORELABEL = 0 | 1
Where:
SELINUX
This entry can contain one of three values:
enforcing
SELinux security policy is enforced.
permissive
SELinux security policy is not enforced but logs
the warnings (i.e. the action is allowed to
proceed).
disabled
SELinux is disabled and no policy is loaded.
The entry can be determined using the sestatus(8) command or
selinux_getenforcemode(3).
SELINUXTYPE
The policy_name entry is used to identify the policy type, and
becomes the directory name of where the policy and its
configuration files are located.
The entry can be determined using the sestatus(8) command or
selinux_getpolicytype(3).
The policy_name is relative to a path that is defined within
the SELinux subsystem that can be retrieved by using
selinux_path(3). An example entry retrieved by selinux_path(3)
is:
/etc/selinux/
The policy_name is then appended to this and becomes the
'policy root' location that can be retrieved by
selinux_policy_root_path(3). An example entry retrieved is:
/etc/selinux/targeted
The actual binary policy is located relative to this directory
and also has a policy name pre-allocated. This information can
be retrieved using selinux_binary_policy_path(3). An example
entry retrieved by selinux_binary_policy_path(3) is:
/etc/selinux/targeted/policy/policy
The binary policy name has by convention the SELinux policy
version that it supports appended to it. The maximum policy
version supported by the kernel can be determined using the
sestatus(8) command or security_policyvers(3). An example
binary policy file with the version is:
/etc/selinux/targeted/policy/policy.24
SETLOCALDEFS
This entry is deprecated and should be removed or set to 0.
If set to 1, then selinux_mkload_policy(3) will read the local
customization for booleans (see booleans(5)) and users (see
local.users(5)).
REQUIRESEUSERS
This optional entry can be used to fail a login if there is no
matching or default entry in the seusers(5) file or if the
seusers file is missing.
It is checked by getseuserbyname(3) that is called by SELinux-
aware login applications such as PAM(8).
If set to 0 or the entry missing:
getseuserbyname(3) will return the GNU / Linux user
name as the SELinux user.
If set to 1:
getseuserbyname(3) will fail.
The getseuserbyname(3) man page should be consulted for its
use. The format of the seusers file is shown in seusers(5).
AUTORELABEL
This is an optional entry that allows the file system to be
relabeled.
If set to 0 and there is a file called .autorelabel in the
root directory, then on a reboot, the loader will drop to a
shell where a root login is required. An administrator can
then manually relabel the file system.
If set to 1 or no entry present (the default) and there is a
.autorelabel file in the root directory, then the file system
will be automatically relabeled using fixfiles -F restore
In both cases the /.autorelabel file will be removed so that
relabeling is not done again.
This example config file shows the minimum contents for a system to
run SELinux in enforcing mode, with a policy_name of 'targeted':
SELINUX = enforcing
SELINUXTYPE = targeted
selinux(8), sestatus(8), selinux_path(3),
selinux_policy_root_path(3), selinux_binary_policy_path(3),
getseuserbyname(3), PAM(8), fixfiles(8), selinux_mkload_policy(3),
selinux_getpolicytype(3), security_policyvers(3),
selinux_getenforcemode(3), seusers(5), booleans(5), local.users(5)
This page is part of the selinux (Security-Enhanced Linux user-space
libraries and tools) project. Information about the project can be
found at ⟨https://github.com/SELinuxProject/selinux/wiki⟩. If you
have a bug report for this manual page, see
⟨https://github.com/SELinuxProject/selinux/wiki/Contributing⟩. This
page was obtained from the project's upstream Git repository
⟨https://github.com/SELinuxProject/selinux⟩ on 2017-07-05. If you
discover any rendering problems in this HTML version of the page, or
you believe there is a better or more up-to-date source for the page,
or you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
to man-pages@man7.org
Security Enhanced Linux 18 Nov 2011 selinux_config(5)
Pages that refer to this page: selinux_colors_path(3), booleans(5), customizable_types(5), default_contexts(5), default_type(5), failsafe_context(5), local.users(5), removable_context(5), securetty_types(5), selabel_db(5), selabel_file(5), selabel_media(5), selabel_x(5), service_seusers(5), seusers(5), user_contexts(5), virtual_domain_context(5), virtual_image_context(5)