Chapter 5. Working with SELinux
The following sections give a brief overview of the main SELinux packages in Red Hat Enterprise Linux; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount command; mounting NFS volumes; and how to preserve SELinux contexts when copying and archiving files and directories.
5.1. SELinux Packages
In Red Hat Enterprise Linux, the SELinux packages are installed by default in a full installation, unless they are manually excluded during installation. If performing a minimal installation in text mode, the policycoreutils-python and policycoreutils-gui packages are not installed by default. Also, by default, the SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the SELinux packages that are installed on your system by default:
- policycoreutils provides utilities such as setsebool, for operating and managing SELinux.
- selinux-policy provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy; refer to the Tresys Technology SELinux Reference Policy page for further information. This package also provides the /usr/share/selinux/devel/policygentool development utility, as well as example policy files.
- selinux-policy-targeted provides the SELinux targeted policy.
- libselinux provides an API for SELinux applications.
- libselinux-utils provides the
- libselinux-python provides Python bindings for developing SELinux applications.
The following is a brief description of the main optional packages, which have to be installed via the yum install <package-name> command:
- selinux-policy-mls provides the MLS SELinux policy.
- setroubleshoot-server translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with the sealert utility, also provided by this package.
- setools-console provides the Tresys Technology SETools distribution, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management. The setools package is a meta-package for SETools. The setools-gui package provides the sediffx tools. The setools-console package provides the indexcon command-line tools. Refer to the Tresys Technology SETools page for information about these tools.
- mcstrans translates levels, such as s0-s0:c0.c1023, to an easier-to-read form, such as SystemLow-SystemHigh. This package is not installed by default.
- policycoreutils-python provides utilities such as chcat, for operating and managing SELinux.
- policycoreutils-gui provides system-config-selinux, a graphical tool for managing SELinux.