selinux

a b c d e f g h i j k l m n o p q r s t u v w x y z _
selinux(8)	      SELinux Command Line documentation	   selinux(8)



NAME
       selinux - NSA Security-Enhanced Linux (SELinux)


DESCRIPTION
       NSA Security-Enhanced Linux (SELinux) is an implementation of a flexi-
       ble mandatory access control architecture in the Linux operating	 sys-
       tem.   The  SELinux  architecture  provides  general  support  for the
       enforcement of  many  kinds  of	mandatory  access  control  policies,
       including  those	 based	on  the	 concepts of Type Enforcement®, Role-
       Based Access Control, and Multi-Level Security.	 Background  informa-
       tion  and  technical  documentation  about  SELinux  can	 be  found at
       http://www.nsa.gov/selinux.

       The /etc/selinux/config configuration file controls whether SELinux is
       enabled	or disabled, and if enabled, whether SELinux operates in per-
       missive mode or enforcing mode.	The SELINUX variable may  be  set  to
       any  one	 of disabled, permissive, or enforcing to select one of these
       options.	 The disabled option completely disables the  SELinux  kernel
       and  application	 code, leaving the system running without any SELinux
       protection.  The permissive  option  enables  the  SELinux  code,  but
       causes  it to operate in a mode where accesses that would be denied by
       policy are permitted but audited.  The enforcing	 option	 enables  the
       SELinux code and causes it to enforce access denials as well as audit-
       ing them.  Permissive mode may yield a different set of	denials	 than
       enforcing  mode, both because enforcing mode will prevent an operation
       from proceeding past the first denial  and  because  some  application
       code  will  fall back to a less privileged mode of operation if denied
       access.

       The /etc/selinux/config configuration file also controls	 what  policy
       is  active  on the system.  SELinux allows for multiple policies to be
       installed on the system, but only one policy  may  be  active  at  any
       given  time.   At present, two kinds of SELinux policy exist: targeted
       and strict.  The targeted policy is designed as a  policy  where	 most
       processes operate without restrictions, and only specific services are
       placed into distinct security domains that are confined by the policy.
       For  example,  the  user	 would	run in a completely unconfined domain
       while the named daemon or apache daemon would run in a specific domain
       tailored	 to its operation.  The strict policy is designed as a policy
       where all processes are partitioned into fine-grained security domains
       and  confined  by  policy.  It is anticipated in the future that other
       policies will be created (Multi-Level Security for example).  You  can
       define  which  policy you will run by setting the SELINUXTYPE environ-
       ment variable within /etc/selinux/config.   The	corresponding  policy
       configuration   for   each  such	 policy	 must  be  installed  in  the
       /etc/selinux/SELINUXTYPE/ directories.

       A given SELinux policy can be customized further based  on  a  set  of
       compile-time  tunable  options  and  a set of runtime policy booleans.
       system-config-securitylevel allows customization of these booleans and
       tunables.


AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.


SEE ALSO
       booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8)


FILES
       /etc/selinux/config



dwalsh@redhat.com		 11 Aug 2004			   selinux(8)