Red Hat Enterprise Linux 6

Security-Enhanced Linux

User Guide


Mirek Jahoda

Red Hat Customer Content Services

Robert Krátký

Red Hat Customer Content Services

Barbora Ančincová

Red Hat Customer Content Services

Legal Notice

Copyright © 2017 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.


This guide assists users and administrators in managing and using Security-Enhanced Linux.
1. Trademark Information
2. Introduction
2.1. Benefits of running SELinux
2.2. Examples
2.3. SELinux Architecture
2.4. SELinux States and Modes
3. SELinux Contexts
3.1. Domain Transitions
3.2. SELinux Contexts for Processes
3.3. SELinux Contexts for Users
4. Targeted Policy
4.1. Confined Processes
4.2. Unconfined Processes
4.3. Confined and Unconfined Users
5. Working with SELinux
5.1. SELinux Packages
5.2. Which Log File is Used
5.3. Main Configuration File
5.4. Permanent Changes in SELinux States and Modes
5.4.1. Enabling SELinux
5.4.2. Disabling SELinux
5.5. Booleans
5.5.1. Listing Booleans
5.5.2. Configuring Booleans
5.6. SELinux Contexts – Labeling Files
5.6.1. Temporary Changes: chcon
5.6.2. Persistent Changes: semanage fcontext
5.7. The file_t and default_t Types
5.8. Mounting File Systems
5.8.1. Context Mounts
5.8.2. Changing the Default Context
5.8.3. Mounting an NFS Volume
5.8.4. Multiple NFS Mounts
5.8.5. Making Context Mounts Persistent
5.9. Maintaining SELinux Labels
5.9.1. Copying Files and Directories
5.9.2. Moving Files and Directories
5.9.3. Checking the Default SELinux Context
5.9.4. Archiving Files with tar
5.9.5. Archiving Files with star
5.10. Information Gathering Tools
5.11. Multi-Level Security (MLS)
5.11.1. MLS and System Privileges
5.11.2. Enabling MLS in SELinux
5.11.3. Creating a User With a Specific MLS Range
5.11.4. Setting Up Polyinstantiated Directories
6. Confining Users
6.1. Linux and SELinux User Mappings
6.2. Confining New Linux Users: useradd
6.3. Confining Existing Linux Users: semanage login
6.4. Changing the Default Mapping
6.5. xguest: Kiosk Mode
6.6. Booleans for Users Executing Applications
7. sVirt
7.1. Security and Virtualization
7.2. sVirt Labeling
8. Troubleshooting
8.1. What Happens when Access is Denied
8.2. Top Three Causes of Problems
8.2.1. Labeling Problems
8.2.2. How are Confined Services Running?
8.2.3. Evolving Rules and Broken Applications
8.3. Fixing Problems
8.3.1. Linux Permissions
8.3.2. Possible Causes of Silent Denials
8.3.3. Manual Pages for Services
8.3.4. Permissive Domains
8.3.5. Searching For and Viewing Denials
8.3.6. Raw Audit Messages
8.3.7. sealert Messages
8.3.8. Allowing Access: audit2allow
9. Further Information
9.1. Contributors
9.2. Other Resources
A. Revision History