selinux_config(5) | SELinux configuration file | selinux_config(5) |
config - The SELinux sub-system configuration file.
The SELinux config file controls the state of SELinux regarding:
The entries controlling these functions are described in the FILE FORMAT section.
The fully qualified path name of the SELinux configuration file is /etc/selinux/config.
If the config file is missing or corrupt, then no SELinux policy is loaded (i.e. SELinux is disabled).
The sestatus (8) command and the libselinux function selinux_path (3) will return the location of the config file.
The config file supports the following parameters:
Where:
SELINUX
The entry can be determined using the sestatus(8) command or selinux_getenforcemode(3).
SELINUXTYPE
The entry can be determined using the sestatus(8) command or selinux_getpolicytype(3).
The policy_name is relative to a path that is defined
within the SELinux subsystem that can be retrieved by using
selinux_path(3). An example entry retrieved by selinux_path(3)
is:
The policy_name is then appended to this and becomes the 'policy root' location that can be retrieved by selinux_policy_root_path(3). An example entry retrieved is:
The actual binary policy is located relative to this directory and
also has a policy name pre-allocated. This information can be retrieved
using selinux_binary_policy_path(3). An example entry retrieved by
selinux_binary_policy_path(3) is:
The binary policy name has by convention the SELinux policy
version that it supports appended to it. The maximum policy version
supported by the kernel can be determined using the sestatus(8)
command or security_policyvers(3). An example binary policy file with
the version is:
SETLOCALDEFS
If set to 1, then selinux_mkload_policy(3) will read the local customization for booleans (see booleans(5)) and users (see local.users(5)).
REQUIRESEUSERS
It is checked by getseuserbyname(3) that is called by SELinux-aware login applications such as PAM(8).
If set to 0 or the entry missing:
If set to 1:
The getseuserbyname(3) man page should be consulted for its use. The format of the seusers file is shown in seusers(5).
AUTORELABEL
If set to 0 and there is a file called .autorelabel in the root directory, then on a reboot, the loader will drop to a shell where a root login is required. An administrator can then manually relabel the file system.
If set to 1 or no entry present (the default) and there is a .autorelabel file in the root directory, then the file system will be automatically relabeled using fixfiles -F restore
In both cases the /.autorelabel file will be removed so that relabeling is not done again.
This example config file shows the minimum contents for a system to run SELinux in enforcing mode, with a policy_name of 'targeted':
selinux(8), sestatus(8), selinux_path(3), selinux_policy_root_path(3), selinux_binary_policy_path(3), getseuserbyname(3), PAM(8), fixfiles(8), selinux_mkload_policy(3), selinux_getpolicytype(3), security_policyvers(3), selinux_getenforcemode(3), seusers(5), booleans(5), local.users(5)
18 Nov 2011 | Security Enhanced Linux |