On Apache/2.4.6 (CentOS)
Under GNU General Public License
2025-06-23 22:07 @127.0.0.1 CrawledBy Wget/1.21.2
selinux_config(5) SELinux configuration file selinux_config(5)
NAME
config - The SELinux sub-system configuration file.
DESCRIPTION
The SELinux config file controls the state of SELinux regarding:
1. The policy enforcement status - enforcing, permissive or disabled.
2. The policy name or type that forms a path to the policy to be loaded and its
supporting configuration files.
3. How local users and booleans will be managed when the policy is loaded (note
that this function was used by older releases of SELinux and is now depre-
cated).
4. How SELinux-aware login applications should behave if no valid SELinux users
are configured.
5. Whether the system is to be relabeled or not.
The entries controlling these functions are described in the FILE FORMAT section.
The fully qualified path name of the SELinux configuration file is /etc/selinux/config.
If the config file is missing or corrupt, then no SELinux policy is loaded (i.e. SELinux
is disabled).
The sestatus (8) command and the libselinux function selinux_path (3) will return the
location of the config file.
FILE FORMAT
The config file supports the following parameters:
SELINUX = enforcing | permissive | disabled
SELINUXTYPE = policy_name
SETLOCALDEFS = 0 | 1
REQUIREUSERS = 0 | 1
AUTORELABEL = 0 | 1
Where:
SELINUX
This entry can contain one of three values:
enforcing
SELinux security policy is enforced.
permissive
SELinux security policy is not enforced but logs the warnings (i.e. the
action is allowed to proceed).
disabled
SELinux is disabled and no policy is loaded.
The entry can be determined using the sestatus(8) command or selinux_getenforce-
mode(3).
SELINUXTYPE
The policy_name entry is used to identify the policy type, and becomes the direc-
tory name of where the policy and its configuration files are located.
The entry can be determined using the sestatus(8) command or selinux_getpolicy-
type(3).
The policy_name is relative to a path that is defined within the SELinux subsystem
that can be retrieved by using selinux_path(3). An example entry retrieved by
selinux_path(3) is:
/etc/selinux/
The policy_name is then appended to this and becomes the 'policy root' location
that can be retrieved by selinux_policy_root_path(3). An example entry retrieved
is:
/etc/selinux/targeted
The actual binary policy is located relative to this directory and also has a pol-
icy name pre-allocated. This information can be retrieved using selinux_binary_pol-
icy_path(3). An example entry retrieved by selinux_binary_policy_path(3) is:
/etc/selinux/targeted/policy/policy
The binary policy name has by convention the SELinux policy version that it sup-
ports appended to it. The maximum policy version supported by the kernel can be
determined using the sestatus(8) command or security_policyvers(3). An example
binary policy file with the version is:
/etc/selinux/targeted/policy/policy.24
SETLOCALDEFS
This entry is deprecated and should be removed or set to 0.
If set to 1, then selinux_mkload_policy(3) will read the local customization for
booleans (see booleans(5)) and users (see local.users(5)).
REQUIRESEUSERS
This optional entry can be used to fail a login if there is no matching or default
entry in the seusers(5) file or if the seusers file is missing.
It is checked by getseuserbyname(3) that is called by SELinux-aware login applica-
tions such as PAM(8).
If set to 0 or the entry missing:
getseuserbyname(3) will return the GNU / Linux user name as the SELinux
user.
If set to 1:
getseuserbyname(3) will fail.
The getseuserbyname(3) man page should be consulted for its use. The format of the
seusers file is shown in seusers(5).
AUTORELABEL
This is an optional entry that allows the file system to be relabeled.
If set to 0 and there is a file called .autorelabel in the root directory, then on
a reboot, the loader will drop to a shell where a root login is required. An admin-
istrator can then manually relabel the file system.
If set to 1 or no entry present (the default) and there is a .autorelabel file in
the root directory, then the file system will be automatically relabeled using fix-
files -F restore
In both cases the /.autorelabel file will be removed so that relabeling is not done
again.
EXAMPLE
This example config file shows the minimum contents for a system to run SELinux in enforc-
ing mode, with a policy_name of 'targeted':
SELINUX = enforcing
SELINUXTYPE = targeted
SEE ALSO
selinux(8), sestatus(8), selinux_path(3), selinux_policy_root_path(3), selinux_binary_pol-
icy_path(3), getseuserbyname(3), PAM(8), fixfiles(8), selinux_mkload_policy(3),
selinux_getpolicytype(3), security_policyvers(3), selinux_getenforcemode(3), seusers(5),
booleans(5), local.users(5)
Security Enhanced Linux 18 Nov 2011 selinux_config(5)
Generated by $Id: phpMan.php,v 4.55 2007/09/05 04:42:51 chedong Exp $ Author: Che Dong
On Apache/2.4.6 (CentOS)
Under GNU General Public License
2025-06-23 22:07 @127.0.0.1 CrawledBy Wget/1.21.2