selinux(8)            SELinux Command Line documentation            selinux(8)

       SELinux - NSA Security-Enhanced Linux (SELinux)

       NSA Security-Enhanced Linux (SELinux) is an implementation of a
       flexible mandatory access control architecture in the Linux operating
       system.  The SELinux architecture provides general support for the
       enforcement of many kinds of mandatory access control policies,
       including those based on the concepts of Type Enforcement®, Role-
       Based Access Control, and Multi-Level Security.  Background information
       and technical documentation about SELinux can be found at

       The /etc/selinux/config configuration file controls whether SELinux is
       enabled or disabled, and if enabled, whether SELinux operates in
       permissive mode or enforcing mode.  The SELINUX variable may be set to
       any one of disabled, permissive, or enforcing to select one of these
       options.  The disabled option completely disables the SELinux kernel
       and application code, leaving the system running without any SELinux
       protection.  The permissive option enables the SELinux code, but causes
       it to operate in a mode where accesses that would be denied by policy
       are permitted but audited.  The enforcing option enables the SELinux
       code and causes it to enforce access denials as well as auditing them.
       Permissive mode may yield a different set of denials than enforcing
       mode, both because enforcing mode will prevent an operation from
       proceeding past the first denial and because some application code will
       fall back to a less privileged mode of operation if denied access.

       The /etc/selinux/config configuration file also controls what policy is
       active on the system.  SELinux allows for multiple policies to be
       installed on the system, but only one policy may be active at any given
       time.  At present, multiple kinds of SELinux policy exist: targeted,
       mls for example.  The targeted policy is designed as a policy where
       most user processes operate without restrictions, and only specific
       services are placed into distinct security domains that are confined by
       the policy.  For example, the user would run in a completely unconfined
       domain while the named daemon or apache daemon would run in a specific
       domain tailored to its operation.  The MLS (Multi-Level Security)
       policy is designed as a policy where all processes are partitioned into
       fine-grained security domains and confined by policy.  MLS also
       supports the Bell And LaPadula model, where processes are not only
       confined by the type but also the level of the data.

       You can define which policy you will run by setting the SELINUXTYPE
       environment variable within /etc/selinux/config.  You must reboot and
       possibly relabel if you change the policy type to have it take effect
       on the system.  The corresponding policy configuration for each such
       policy must be installed in the /etc/selinux/{SELINUXTYPE}/

       A given SELinux policy can be customized further based on a set of
       compile-time tunable options and a set of runtime policy booleans.
       system-config-selinux allows customization of these booleans and

       Many domains that are protected by SELinux also include SELinux man
       pages explaining how to customize their policy.

       All files, directories, devices ... have a security context/label
       associated with them.  These context are stored in the extended
       attributes of the file system.  Problems with SELinux often arise from
       the file system being mislabeled. This can be caused by booting the
       machine with a non SELinux kernel.  If you see an error message
       containing file_t, that is usually a good indicator that you have a
       serious problem with file system labeling.

       The best way to relabel the file system is to create the flag file
       /.autorelabel and reboot.  system-config-selinux, also has this
       capability.  The restorecon/fixfiles commands are also available for
       relabeling files.

       This manual page was written by Dan Walsh <>.


       booleans(8), setsebool(8), togglesebool(8), restorecon(8), fixfiles(8),
       setfiles(8), semanage(8)

       Every confined service on the system has a man page in the following


       For example, httpd has the httpd_selinux(8) man page.

       man -k selinux

       Will list all SELinux man pages.                 29 Apr 2005                       selinux(8)