selinux(8)            SELinux Command Line documentation            selinux(8)



NAME
       selinux - NSA Security-Enhanced Linux (SELinux)


DESCRIPTION
       NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible mandatory
       access control architecture in the Linux operating system.  The SELinux architecture
       provides general support for the enforcement of many kinds of mandatory access
       control policies, including those based on the concepts of Type Enforcement®,
       Role-Based Access Control, and Multi-Level Security.  Background information and
       technical documentation about SELinux can be found at http://www.nsa.gov/selinux.

       The /etc/selinux/config configuration file controls whether SELinux is  enabled  or
       disabled,  and if enabled, whether SELinux operates in permissive mode or enforcing
       mode.  The SELINUX variable may be set to  any  one  of  disabled,  permissive,  or
       enforcing  to select one of these options.  The disabled option completely disables
       the SELinux kernel and application code, leaving the  system  running  without  any
       SELinux  protection.  The permissive option enables the SELinux code, but causes it
       to operate in a mode where accesses that would be denied by  policy  are  permitted
       but  audited.   The  enforcing  option  enables  the  SELinux code and causes it to
       enforce access denials as well as auditing them.  Permissive mode may yield a  dif-
       ferent set of denials than enforcing mode, both because enforcing mode will prevent
       an operation from proceeding past the first denial  and  because  some  application
       code will fall back to a less privileged mode of operation if denied access.

       The  /etc/selinux/config  configuration file also controls what policy is active on
       the system.  SELinux allows for multiple policies to be installed  on  the  system,
       but  only  one  policy  may  be active at any given time.  At present, two kinds of
       SELinux policy exist: targeted and strict.  The targeted policy is  designed  as  a
       policy  where  most  processes operate without restrictions, and only specific ser-
       vices are placed into distinct security domains that are confined  by  the  policy.
       For  example,  the user would run in a completely unconfined domain while the named
       daemon or apache daemon would run in a specific domain tailored to  its  operation.
       The  strict policy is designed as a policy where all processes are partitioned into
       fine-grained security domains and confined by policy.  It  is  anticipated  in  the
       future that other policies will be created (Multi-Level Security for example).  You
       can define which policy you will run by setting the SELINUXTYPE  environment  vari-
       able  within  /etc/selinux/config.  The corresponding policy configuration for each
       such policy must be installed in the /etc/selinux/SELINUXTYPE/ directories.
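
       The checks these two paragraphs imply, as an added shell example (not part of the
       original man page): it reads SELINUX and SELINUXTYPE from a config file, flags a
       missing, repeated or invalid setting, and confirms the policy directory exists.
       The function names, the rule that a repeated key is an error, and the sample
       config tree are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the man page. Names and the repeated-key rule are assumptions.

# Print every value assigned to KEY ($1) in FILE ($2); comment lines are skipped.
config_values() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2"
}

# check_selinux_config [CONFIG] [POLICY_ROOT]
# Returns 0 only for SELINUX=enforcing with an installed policy directory.
check_selinux_config() {
    cfg=${1:-/etc/selinux/config}
    root=${2:-/etc/selinux}
    status=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }

    for key in SELINUX SELINUXTYPE; do
        n=$(( $(config_values "$key" "$cfg" | wc -l) ))
        if [ "$n" -ne 1 ]; then
            echo "FAIL: $key is set $n times in $cfg (expected once)"
            status=1
        fi
    done
    [ "$status" -eq 0 ] || return 1

    mode=$(config_values SELINUX "$cfg")
    type=$(config_values SELINUXTYPE "$cfg")
    case $mode in
        enforcing)  echo "OK: SELINUX=enforcing" ;;
        permissive) echo "WARN: permissive, denials are audited but not enforced"; status=1 ;;
        disabled)   echo "WARN: disabled, no SELinux protection"; status=1 ;;
        *)          echo "FAIL: SELINUX='$mode' is not disabled, permissive or enforcing"; status=1 ;;
    esac

    if [ -n "$type" ] && [ -d "$root/$type" ]; then
        echo "OK: policy directory $root/$type exists"
    else
        echo "FAIL: SELINUXTYPE='$type' has no directory under $root"
        status=1
    fi
    return "$status"
}

# Demo on a constructed config tree (sample data, not a real system's files).
demo=$(mktemp -d)
mkdir "$demo/targeted"
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$demo/config"
check_selinux_config "$demo/config" "$demo" || true
rm -rf "$demo"
```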

       A given SELinux policy can be customized further based on  a  set  of  compile-time
       tunable  options and a set of runtime policy booleans.  system-config-securitylevel
       allows customization of these booleans and tunables.

       Many domains that are protected by SELinux also include selinux man pages explaining
       how to customize their policy.


FILE LABELING
       All files, directories, devices ... have a security context/label associated with
       them.  These contexts are stored in the extended attributes of the file system.
       Problems with SELinux often arise from the file system being mislabeled.  This can
       be caused by booting the machine with a non-SELinux kernel.  If you see an error
       message containing file_t, that is usually a good indicator that you have a serious
       problem with file system labeling.
       The best way to relabel the file system is to create the flag file /.autorelabel
       and reboot.  system-config-securitylevel also has this capability.  The
       restorecon/fixfiles commands are also available for relabeling files.
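
       An added example (not part of the original man page) of spotting the file_t
       indicator described above: it parses AVC denial lines and reports only those whose
       target context has the exact type file_t.  The function names and the log lines
       are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the man page: list AVC denials whose target is labeled file_t.
# Reads audit/syslog lines on stdin; prints "<comm> <object>" for each matching denial.
mislabeled_targets() {
    awk '
    function unquote(s) { gsub(/"/, "", s); return s }
    /avc:/ && /denied/ {
        comm = obj = type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)                   comm = unquote(substr($i, 6))
            else if ($i ~ /^path=/)              obj  = unquote(substr($i, 6))
            else if ($i ~ /^name=/ && obj == "") obj  = unquote(substr($i, 6))
            else if ($i ~ /^tcontext=/) {
                # A context is user:role:type, optionally followed by :level.
                split(substr($i, 10), ctx, ":")
                type = ctx[3]
            }
        }
        # Exact match: a type such as swapfile_t merely contains the string file_t.
        if (type == "file_t") print comm, obj
    }'
}

# Constructed sample denials (not captured from a real system).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1114750000.101:11): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=hda2 ino=4411 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
type=AVC msg=audit(1114750000.202:12): avc:  denied  { getattr } for  pid=2207 comm="named" path="/var/named/zone.db" dev=hda2 ino=4412 scontext=root:system_r:named_t tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1114750000.303:13): avc:  denied  { read } for  pid=2301 comm="httpd" name="swap0" dev=hda2 ino=4413 scontext=root:system_r:httpd_t tcontext=system_u:object_r:swapfile_t tclass=file
EOF
}

sample_avc | mislabeled_targets
```

       Objects reported this way are candidates for restorecon, or for a full relabel
       via /.autorelabel when there are many.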


AUTHOR
       This manual page was written by Dan Walsh <dwalsh AT redhat.com>.


SEE ALSO
       booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8),
       setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8),
       nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8),
       ypbind_selinux(8)



FILES
       /etc/selinux/config



dwalsh AT redhat.com                 29 Apr 2005                       selinux(8)
