Show Table of Contents
18.104.22.168. SELinux Configuration Files
The following sections describe SELinux configuration and policy files, and related file systems located in the
/etc/sysconfig/selinux Configuration File
There are two ways to configure SELinux under Red Hat Enterprise Linux: using the SELinux Administration Tool (
system-config-selinux), or manually editing the configuration file (
/etc/sysconfig/selinuxfile is the primary configuration file for enabling or disabling SELinux, as well as for setting which policy to enforce on the system and how to enforce it.
/etc/sysconfig/selinuxcontains a symbolic link to the actual configuration file,
The following explains the full subset of options available for configuration:
SELINUX=enforcing|permissive|disabled— Defines the top-level state of SELinux on a system.
enforcing— The SELinux security policy is enforced.
permissive— The SELinux system prints warnings but does not enforce policy.This is useful for debugging and troubleshooting purposes. In permissive mode, more denials are logged because subjects can continue with actions that would otherwise be denied in enforcing mode. For example, traversing a directory tree in permissive mode produces
avc: deniedmessages for every directory level read. In enforcing mode, SELinux would have stopped the initial traversal and kept further denial messages from occurring.
disabled— SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
NoteActions made while SELinux is disabled may result in the file system no longer having the correct security context. That is, the security context defined by the policy. The best way to relabel the file system is to create the flag file
/.autorelabeland reboot the machine. This causes the relabel to occur very early in the boot process, before any processes are running on the system. Using this procedure means that processes can not accidentally create files in the wrong context or start up in the wrong context.It is possible to use the
fixfiles relabelcommand prior to enabling SELinux to relabel the file system. This method is not recommended, however, because after it is complete, it is still possible to have processes potentially running on the system in the wrong context. These processes could create files that would also be in the wrong context.
NoteAdditional white space at the end of a configuration line or as extra lines at the end of the file may cause unexpected behavior. To be safe, remove unnecessary white space.
SELINUXTYPE=— Specifies which policy SELinux should enforce.
targeted— Only targeted network daemons are protected.
ImportantThe following daemons are protected in the default targeted policy:
dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid, and
syslogd. The rest of the system runs in the unconfined_t domain. This domain allows subjects and objects with that security context to operate using standard Linux security.The policy files for these daemons are located in
/etc/selinux/targeted/src/policy/domains/program. These files are subject to change as newer versions of Red Hat Enterprise Linux are released.Policy enforcement for these daemons can be turned on or off, using Boolean values controlled by the SELinux Administration Tool (
system-config-selinux).Setting a Boolean value for a targeted daemon to
1disables SELinux protection for the daemon. For example, you can set
init, which executes apps labeled
dhcpd_exec_t, from transitioning to the
getsebool -acommand to list all SELinux booleans. The following is an example of using the
setseboolcommand to set an SELinux boolean. The
-Poption makes the change permanent. Without this option, the boolean would be reset to
setsebool -P dhcpd_disable_trans=0
strict— Full SELinux protection, for all daemons. Security contexts are defined for all subjects and objects, and every action is processed by the policy enforcement server.
SETLOCALDEFS=— Controls how local definitions (users and booleans) are set. Set this value to 1 to have these definitions controlled by
load_policyfrom files in
/etc/selinux/<policyname>. or set it to 0 to have them controlled by
WarningYou should not change this value from the default (0) unless you are fully aware of the impact of such a change.