Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Fedora 11

Security-Enhanced Linux

User Guide

Edition 1.3


Murray McAllister

Red Hat Engineering Content Services

Daniel Walsh

Red Hat Security Engineering

Dominick Grift

Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Users, and Troubleshooting chapters. 

Eric Paris

Technical editor for the Mounting File Systems and Raw Audit Messages sections. 
Red Hat Security Engineering

James Morris

Technical editor for the Introduction and Targeted Policy chapters. 
Red Hat Security Engineering

Scott Radvan

Red Hat Engineering Content Services

Legal Notice

Copyright © 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0, (the latest version is presently available at
Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.
All other trademarks and copyrights referred to are the property of their respective owners.
Documentation, as with software itself, may be subject to export control. Read about Fedora Project export controls at
This book is about managing and using Security-Enhanced Linux®.

1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We Need Feedback!
1. Trademark Information
2. Introduction
2.1. Benefits of running SELinux
2.2. Examples
2.3. SELinux Architecture
2.4. SELinux on Other Operating Systems
3. SELinux Contexts
3.1. Domain Transitions
3.2. SELinux Contexts for Processes
3.3. SELinux Contexts for Users
4. Targeted Policy
4.1. Confined Processes
4.2. Unconfined Processes
4.3. Confined and Unconfined Users
5. Working with SELinux
5.1. SELinux Packages
5.2. Which Log File is Used
5.3. Main Configuration File
5.4. Enabling and Disabling SELinux
5.4.1. Enabling SELinux
5.4.2. Disabling SELinux
5.5. SELinux Modes
5.6. Booleans
5.6.1. Listing Booleans
5.6.2. Configuring Booleans
5.6.3. Booleans for NFS and CIFS
5.7. SELinux Contexts - Labeling Files
5.7.1. Temporary Changes: chcon
5.7.2. Persistent Changes: semanage fcontext
5.8. The file_t and default_t Types
5.9. Mounting File Systems
5.9.1. Context Mounts
5.9.2. Changing the Default Context
5.9.3. Mounting an NFS File System
5.9.4. Multiple NFS Mounts
5.9.5. Making Context Mounts Persistent
5.10. Maintaining SELinux Labels
5.10.1. Copying Files and Directories
5.10.2. Moving Files and Directories
5.10.3. Checking the Default SELinux Context
5.10.4. Archiving Files with tar
5.10.5. Archiving Files with star
6. Confining Users
6.1. Linux and SELinux User Mappings
6.2. Confining New Linux Users: useradd
6.3. Confining Existing Linux Users: semanage login
6.4. Changing the Default Mapping
6.5. xguest: Kiosk Mode
6.6. Booleans for Users Executing Applications
7. Troubleshooting
7.1. What Happens when Access is Denied
7.2. Top Three Causes of Problems
7.2.1. Labeling Problems
7.2.2. How are Confined Services Running?
7.2.3. Evolving Rules and Broken Applications
7.3. Fixing Problems
7.3.1. Linux Permissions
7.3.2. Possible Causes of Silent Denials
7.3.3. Manual Pages for Services
7.3.4. Permissive Domains
7.3.5. Searching For and Viewing Denials
7.3.6. Raw Audit Messages
7.3.7. sealert Messages
7.3.8. Allowing Access: audit2allow
8. Further Information
A. Revision History

  Published under the terms of the GNU General Public License Design by Interspire