Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.

21.2. Files Related to SELinux

The following sections describe SELinux configuration files and related file systems.

21.2.1. The /selinux/ Pseudo-File System

The /selinux/ pseudo-file system contains commands that are most commonly used by the kernel subsystem. This type of file system is similar to the /proc/ pseudo-file system.

In most cases, administrators and users do not need to manipulate this component compared to other SELinux files and directories.

The following example shows sample contents of the /selinux/ directory:

-rw-rw-rw-  1 root root 0 Sep 22 13:14 access
dr-xr-xr-x  1 root root 0 Sep 22 13:14 booleans
--w-------  1 root root 0 Sep 22 13:14 commit_pending_bools
-rw-rw-rw-  1 root root 0 Sep 22 13:14 context
-rw-rw-rw-  1 root root 0 Sep 22 13:14 create
--w-------  1 root root 0 Sep 22 13:14 disable
-rw-r--r--  1 root root 0 Sep 22 13:14 enforce
-rw-------  1 root root 0 Sep 22 13:14 load
-r--r--r--  1 root root 0 Sep 22 13:14 mls
-r--r--r--  1 root root 0 Sep 22 13:14 policyvers
-rw-rw-rw-  1 root root 0 Sep 22 13:14 relabel
-rw-rw-rw-  1 root root 0 Sep 22 13:14 user

For example, running the cat command on the enforce file reveals either a 1 for enforcing mode or 0 for permissive mode.

21.2.2. SELinux Configuration Files

The following sections describe SELinux configuration and policy files, and related file systems located in the /etc/ directory. The /etc/sysconfig/selinux Configuration File

There are two ways to configure SELinux under Red Hat Enterprise Linux: using the Security Level Configuration Tool (system-config-securitylevel), or manually editing the configuration file (/etc/sysconfig/selinux).

The /etc/sysconfig/selinux file is the primary configuration file for enabling or disabling SELinux, as well as setting which policy to enforce on the system and how to enforce it.

Note Note

The /etc/sysconfig/selinux contains a symbolic link to the actual configuration file, /etc/selinux/config.

The following explains the full subset of options available for configuration:

  • SELINUX=<enforcing|permissive|disabled> — Defines the top-level state of SELinux on a system.

    • enforcing — The SELinux security policy is enforced.

    • permissive — The SELinux system prints warnings but does not enforce policy. This is useful for debugging and troubleshooting purposes. In permissive mode, more denials will be logged, as subjects will be able to continue with actions otherwise denied in enforcing mode. For example, traversing a directory tree will produce multiple avc: denied messages for every directory level read, where a kernel in enforcing mode would have stopped the initial traversal and kept further denial messages from occurring.

    • disabled — SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.

      Tip Tip

      Actions made while SELinux is disabled may cause the file system to no longer have the proper security context as defined by the policy. Running fixfiles relabel prior to enabling SELinux will relabel the file system so that SELinux works properly when enabled. For more information, refer to the fixfiles(8) manpage.

    Note Note

    Additional white space at the end of a configuration line or as extra lines at the end of the file may cause unexpected behavior. To be safe, remove unnecessary white spaces.

  • SELINUXTYPE=<targeted|strict> — Specifies which policy is currently being enforced by SELinux.

    • targeted — Only targeted network daemons are protected.

      Important Important

      The following daemons are protected in the default targeted policy: dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and syslogd. The rest of the system runs in the unconfined_t domain.

      The policy files for these daemons can be found in /etc/selinux/targeted/src/policy/domains/program and are subject to change, as newer versions of Red Hat Enterprise Linux are released.

      Policy enforcement for these daemons can be turned on or off, using Boolean values controlled by Security Level Configuration Tool (system-config-securitylevel). Switching a Boolean value for a targeted daemon disables the policy transition for the daemon, which prevents, for example, init from transitioning dhcpd from the unconfined_t domain to the domain specified in dhcpd.te. The domain unconfined_t allows subjects and objects with that security context to run under standard Linux security.

    • strict — Full SELinux protection, for all daemons. Security contexts are defined for all subjects and objects, and every single action is processed by the policy enforcement server. The /etc/selinux/ Directory

The /etc/selinux/ directory is the primary location for all policy files as well as the main configuration file.

The following example shows sample contents of the /etc/selinux/ directory:

-rw-r--r--  1 root root  448 Sep 22 17:34 config
drwxr-xr-x  5 root root 4096 Sep 22 17:27 strict
drwxr-xr-x  5 root root 4096 Sep 22 17:28 targeted

The two subdirectories, strict/ and targeted/, are the specific directories where the policy files of the same name (i.e., strict and targeted) are contained.

For more information on SELinux policy and policy configuration, refer to the rhel-pwg-selinux.

21.2.3. SELinux Utilities

The following are some of the most commonly used SELinux utilities:

  • /usr/bin/setenforce — Modifies in real-time the mode SELinux is running. By executing setenforce 1, SELinux is put in enforcing mode. By executing setenforce 0, SELinux is put in permissive mode. To actually disable SELinux, you need to either set the parameter in /etc/sysconfig/selinux or pass the parameter selinux=0 to the kernel, either in /etc/grub.conf or at boot time.

  • /usr/bin/sestatus -v — Gets the detailed status of a system running SELinux. The following example shows an excerpt of sestatus output:

    SELinux status:         enabled
    SELinuxfs mount:        /selinux
    Current mode:           enforcing
    Policy version:         18
  • /usr/bin/newrole — Runs a new shell in a new context, or role. Policy must allow the transition to the new role.

  • /sbin/restorecon — Sets the security context of one or more files by marking the extended attributes with the appropriate file or security context.

  • /sbin/fixfiles — Checks or corrects the security context database on the file system.

Refer to the man page associated with these utilities for more information.

For more information on all binary utilities available, refer to the setools or policycoreutils package contents by running rpm -ql <package-name>, where <package-name> is the name of the specific package.

  Published under the terms of the GNU General Public License Design by Interspire