selinux - Online Manual Page Of Unix/Linux

  Command: man perldoc info search(apropos)

WebSearch:
Our Recommended Sites: Full-Featured Editor
  
selinux(8)                      SELinux Command Line documentation                     selinux(8)



NAME
       selinux - NSA Security-Enhanced Linux (SELinux)


DESCRIPTION
       NSA  Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory access
       control architecture in the Linux operating system.   The  SELinux  architecture  provides
       general  support  for  the enforcement of many kinds of mandatory access control policies,
       including those based on the concepts of Type Enforcement(R), Role-  Based  Access  Control,
       and  Multi-Level  Security.   Background  information  and  technical  documentation about
       SELinux can be found at http://www.nsa.gov/selinux.

       The /etc/selinux/config configuration file controls whether SELinux  is  enabled  or  dis-
       abled, and if enabled, whether SELinux operates in permissive mode or enforcing mode.  The
       SELINUX variable may be set to any one of disabled, permissive, or enforcing to select one
       of these options.  The disabled option completely disables the SELinux kernel and applica-
       tion code, leaving the system running without  any  SELinux  protection.   The  permissive
       option  enables  the  SELinux code, but causes it to operate in a mode where accesses that
       would be denied by policy are permitted but audited.  The  enforcing  option  enables  the
       SELinux code and causes it to enforce access denials as well as auditing them.  Permissive
       mode may yield a different set of denials than enforcing mode, both because enforcing mode
       will  prevent an operation from proceeding past the first denial and because some applica-
       tion code will fall back to a less privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is active on the sys-
       tem.   SELinux  allows  for  multiple policies to be installed on the system, but only one
       policy may be active at any given time.  At present, two kinds of  SELinux  policy  exist:
       targeted  and  strict.   The  targeted policy is designed as a policy where most processes
       operate without restrictions, and only specific services are placed into distinct security
       domains  that are confined by the policy.  For example, the user would run in a completely
       unconfined domain while the named daemon or apache daemon would run in a  specific  domain
       tailored  to its operation.  The strict policy is designed as a policy where all processes
       are partitioned into fine-grained security domains and confined by policy.  It is  antici-
       pated  in  the  future that other policies will be created (Multi-Level Security for exam-
       ple).  You can define which policy you will run by  setting  the  SELINUXTYPE  environment
       variable within /etc/selinux/config.  The corresponding policy configuration for each such
       policy must be installed in the /etc/selinux/SELINUXTYPE/ directories.

       A given SELinux policy can be customized further based on a set  of  compile-time  tunable
       options  and  a  set  of runtime policy booleans.  system-config-securitylevel allows cus-
       tomization of these booleans and tunables.


AUTHOR
       This manual page was written by Dan Walsh <>.


SEE ALSO
       booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8)


FILES
       /etc/selinux/config



                          11 Aug 2004                                 selinux(8)