selinux(8) SELinux Command Line documentation selinux(8)
NAME
selinux - NSA Security-Enhanced Linux (SELinux)
DESCRIPTION
NSA Security-Enhanced Linux (SELinux) is an implementation of a flexi-
ble mandatory access control architecture in the Linux operating sys-
tem. The SELinux architecture provides general support for the
enforcement of many kinds of mandatory access control policies, includ-
ing those based on the concepts of Type Enforcement®, Role- Based
Access Control, and Multi-Level Security. Background information and
technical documentation about SELinux can be found at
http://www.nsa.gov/selinux.
The /etc/selinux/config configuration file controls whether SELinux is
enabled or disabled, and if enabled, whether SELinux operates in per-
missive mode or enforcing mode. The SELINUX variable may be set to any
one of disabled, permissive, or enforcing to select one of these
options. The disabled option completely disables the SELinux kernel
and application code, leaving the system running without any SELinux
protection. The permissive option enables the SELinux code, but causes
it to operate in a mode where accesses that would be denied by policy
are permitted but audited. The enforcing option enables the SELinux
code and causes it to enforce access denials as well as auditing them.
Permissive mode may yield a different set of denials than enforcing
mode, both because enforcing mode will prevent an operation from pro-
ceeding past the first denial and because some application code will
fall back to a less privileged mode of operation if denied access.
The /etc/selinux/config configuration file also controls what policy is
active on the system. SELinux allows for multiple policies to be
installed on the system, but only one policy may be active at any given
time. At present, two kinds of SELinux policy exist: targeted and
strict. The targeted policy is designed as a policy where most pro-
cesses operate without restrictions, and only specific services are
placed into distinct security domains that are confined by the policy.
For example, the user would run in a completely unconfined domain while
the named daemon or apache daemon would run in a specific domain tai-
lored to its operation. The strict policy is designed as a policy
where all processes are partitioned into fine-grained security domains
and confined by policy. It is anticipated in the future that other
policies will be created (Multi-Level Security for example). You can
define which policy you will run by setting the SELINUXTYPE environment
variable within /etc/selinux/config. The corresponding policy configu-
ration for each such policy must be installed in the
/etc/selinux/SELINUXTYPE/ directories.
A given SELinux policy can be customized further based on a set of com-
pile-time tunable options and a set of runtime policy booleans. sys-
tem-config-securitylevel allows customization of these booleans and
tunables.
Many domains that are protected by SELinux also include selinux man
pages explainging how to customize their policy.
FILE LABELING
All files, directories, devices ... have a security context/label asso-
ciated with them. These context are stored in the extended attributes
of the file system. Problems with SELinux often arise from the file
system being mislabeled. This can be caused by booting the machine with
a non selinux kernel. If you see an error message containing file_t,
that is usually a good indicator that you have a serious problem with
file system labeling.
The best way to relabel the file system is to create the flag file
/.autorelabel and reboot. system-config-securitylevel, also has this
capability. The restorcon/fixfiles commands are also available for
relabeling files.
AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
SEE ALSO
booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restore-
con(8), setfiles(8), ftpd_selinux(8), named_selinux(8),
rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8),
kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
FILES
/etc/selinux/config
dwalsh@redhat.com 29 Apr 2005 selinux(8)
semanage(8) semanage(8)
NAME
semanage - SELinux Policy Management tool
SYNOPSIS
semanage {login|user|port|interface|fcontext|translation} -l [-n]
semanage login -{a|d|m} [-sr] login_name
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [-p protocol] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level
DESCRIPTION
semanage is used to configure certain elements of SELinux policy with-
out requiring modification to or recompilation from policy sources.
This includes the mapping from Linux usernames to SELinux user identi-
ties (which controls the initial security context assigned to Linux
users when they login and bounds their authorized role set) as well as
security context mappings for various kinds of objects, such as network
ports, interfaces, and nodes (hosts) as well as the file context map-
ping. See the EXAMPLES section below for some examples of common usage.
Note that the semanage login command deals with the mapping from Linux
usernames (logins) to SELinux user identities, while the semanage user
command deals with the mapping from SELinux user identities to autho-
rized role sets. In most cases, only the former mapping needs to be
adjusted by the administrator; the latter is principally defined by the
base policy and usually does not require modification.
OPTIONS
-a, --add
Add a OBJECT record NAME
-d, --delete
Delete a OBJECT record NAME
-f, --ftype
File Type. This is used with fcontext. Requires a file type
as shown in the mode field by ls, e.g. use -d to match only
directories or -- to match only regular files.
-h, --help
display this message
-l, --list
List the OBJECTS
-L, --level
Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Sys-
tems only)
-m, --modify
Modify a OBJECT record NAME
-n, --noheading
Do not print heading when listing OBJECTS.
-p, --proto
Protocol for the specified port (tcp|udp).
-r, --range
MLS/MCS Security Range (MLS/MCS Systems only)
-R, --role
SELinux Roles. You must enclose multiple roles within quotes,
separate by spaces. Or specify -R multiple times.
-P, --prefix
SELinux Prefix. Prefix added to home_dir_t and home_t for
labeling users home directories.
-s, --seuser
SELinux user name
-t, --type
SELinux Type for the object
-T, --trans
SELinux Translation
EXAMPLE
# View SELinux user mappings
$ semanage user -l
# Allow joe to login as staff_u
$ semanage login -a -s staff_u joe
# Add file-context for everything under /web (used by restorecon)
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
AUTHOR
This man page was written by Daniel Walsh <dwalsh@redhat.com> and Rus-
sell Coker <rcoker@redhat.com>. Examples by Thomas Bleher <ThomasBle-
her@gmx.de>.
2005111103 semanage(8)
restorecon(8) restorecon(8)
NAME
restorecon - restore file(s) default SELinux security contexts.
SYNOPSIS
restorecon [-o outfilename ] [-R] [-n] [-v] [-e directory ] pathname...
restorecon -f infilename [-o outfilename ] [-e directory ] [-R] [-n]
[-v] [-F]
DESCRIPTION
This manual page describes the restorecon program.
This program is primarily used to set the security context (extended
attributes) on one or more files.
It can be run at any time to correct errors, to add support for new
policy, or with the -n option it can just check whether the file con-
texts are all as you expect.
OPTIONS
-i ignore files that do not exist
-f infilename
infilename contains a list of files to be processed by applica-
tion. Use - for stdin.
-e directory
directory to exclude (repeat option for more than one direc-
tory.)
-R -r change files and directories file labels recursively
-n don’t change any file labels.
-o outfilename
save list of files with incorrect context in outfilename.
-v show changes in file labels.
-vv show changes in file labels, if type, role, or user are chang-
ing.
-F Force reset of context to match file_context for customizable
files, or the user section, if it has changed.
ARGUMENTS
pathname... The pathname for the file(s) to be relabeled.
NOTE
restorecon does not follow symbolic links.
AUTHOR
This man page was written by Dan Walsh <dwalsh@redhat.com>. Some of
the content of this man page was taken from the setfiles man page writ-
ten by Russell Coker <russell@coker.com.au>. The program was written
by Dan Walsh <dwalsh@redhat.com>.
SEE ALSO
load_policy(8), checkpolicy(8) setfiles(8)
2002031409 restorecon(8)