selinux(8) - phpMan

Command: man perldoc info search(apropos)  


selinux(8)            SELinux Command Line documentation            selinux(8)



NAME
       SELinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION
       NSA  Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory
       access control architecture in the Linux operating system.  The  SELinux  architec-
       ture provides general support for the enforcement of many kinds of mandatory access
       control policies, including those based on the concepts of Type Enforcement(R), Role-
       Based Access Control, and Multi-Level Security.  Background information and techni-
       cal      documentation      about      SELinux      can      be      found       at
       http://www.nsa.gov/research/selinux.

       The  /etc/selinux/config  configuration file controls whether SELinux is enabled or
       disabled, and if enabled, whether SELinux operates in permissive mode or  enforcing
       mode.   The  SELINUX  variable  may  be  set to any one of disabled, permissive, or
       enforcing to select one of these options.  The disabled option completely  disables
       the  SELinux  kernel  and  application code, leaving the system running without any
       SELinux protection.  The permissive option enables the SELinux code, but causes  it
       to  operate  in  a mode where accesses that would be denied by policy are permitted
       but audited.  The enforcing option enables  the  SELinux  code  and  causes  it  to
       enforce  access denials as well as auditing them.  Permissive mode may yield a dif-
       ferent set of denials than enforcing mode, both because enforcing mode will prevent
       an  operation  from  proceeding  past the first denial and because some application
       code will fall back to a less privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is  active  on
       the  system.   SELinux  allows for multiple policies to be installed on the system,
       but only one policy may be active at any given time.  At present, multiple kinds of
       SELinux  policy  exist: targeted, mls for example.  The targeted policy is designed
       as a policy where most user processes operate without restrictions, and  only  spe-
       cific  services  are placed into distinct security domains that are confined by the
       policy.  For example, the user would run in a completely  unconfined  domain  while
       the  named  daemon  or apache daemon would run in a specific domain tailored to its
       operation.  The MLS (Multi-Level Security) policy is designed as a policy where all
       processes  are  partitioned into fine-grained security domains and confined by pol-
       icy.  MLS also supports the Bell And LaPadula model, where processes are  not  only
       confined by the type but also the level of the data.

       You  can  define  which  policy you will run by setting the SELINUXTYPE environment
       variable within /etc/selinux/config.  You must reboot and possibly relabel  if  you
       change  the  policy  type  to have it take effect on the system.  The corresponding
       policy  configuration  for  each   such   policy   must   be   installed   in   the
       /etc/selinux/{SELINUXTYPE}/ directories.

       A  given  SELinux  policy  can be customized further based on a set of compile-time
       tunable options and a set of runtime policy booleans.  system-config-selinux allows
       customization of these booleans and tunables.

       Many  domains that are protected by SELinux also include SELinux man pages explain-
       ing how to customize their policy.

FILE LABELING
       All files, directories, devices ... have a security context/label  associated  with
       them.   These  context  are  stored  in the extended attributes of the file system.
       Problems with SELinux often arise from the file system being mislabeled.  This  can
       be  caused  by  booting the machine with a non SELinux kernel.  If you see an error
       message containing file_t, that is usually a good indicator that you have a serious
       problem with file system labeling.

       The  best  way  to relabel the file system is to create the flag file /.autorelabel
       and reboot.  system-config-selinux, also has this capability.  The  restorecon/fix-
       files commands are also available for relabeling files.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh AT redhat.com>.

FILES
       /etc/selinux/config

SEE ALSO
       booleans(8), setsebool(8), togglesebool(8), restorecon(8), fixfiles(8),
       setfiles(8), semanage(8)

       Every confined service on the system has a man page in the following format:

       <servicename>_selinux(8)

       For example, httpd has the httpd_selinux(8) man page.

       man -k selinux

       Will list all SELinux man pages.



dwalsh AT redhat.com                 29 Apr 2005                       selinux(8)

Generated by $Id: phpMan.php,v 4.55 2007/09/05 04:42:51 chedong Exp $ Author: Che Dong
On Apache
Under GNU General Public License
2017-12-12 04:43 @127.0.0.1 CrawledBy CCBot/2.0 (http://commoncrawl.org/faq/)
Valid XHTML 1.0!Valid CSS!