Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Chapter 5. Working with SELinux

The following sections give a brief overview of the main SELinux packages in Red Hat Enterprise Linux; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount command; mounting NFS volumes; and how to preserve SELinux contexts when copying and archiving files and directories.

5.1. SELinux Packages

In Red Hat Enterprise Linux, the SELinux packages are installed by default, in a full installation, unless they are manually excluded during installation. If performing a minimal installation in text mode, the policycoreutils-python and the policycoreutils-gui package are not installed by default. Also, by default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the SELinux packages that are installed on your system by default:
  • policycoreutils provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool, for operating and managing SELinux.
  • selinux-policy provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy; refer to the Tresys Technology SELinux Reference Policy page for further information. This package also provides the /usr/share/selinux/devel/policygentool development utility, as well as example policy files.
  • selinux-policy-targeted provides the SELinux targeted policy.
  • libselinux – provides an API for SELinux applications.
  • libselinux-utils provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, and togglesebool utilities.
  • libselinux-python provides Python bindings for developing SELinux applications.
The following is a brief description of the main optional packages, which have to be installed via the yum install <package-name> command:
  • selinux-policy-mls provides the MLS SELinux policy.
  • setroubleshoot-server translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with the sealert utility, also provided by this package.
  • setools-console – this package provides the Tresys Technology SETools distribution, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management[6]. The setools package is a meta-package for SETools. The setools-gui package provides the apol, seaudit, and sediffx tools. The setools-console package provides the seaudit-report, sechecker, sediff, seinfo, sesearch, findcon, replcon, and indexcon command-line tools. Refer to the Tresys Technology SETools page for information about these tools.
  • mcstrans translates levels, such as s0-s0:c0.c1023, to an easier to read form, such as SystemLow-SystemHigh. This package is not installed by default.
  • policycoreutils-python provides utilities such as semanage, audit2allow, audit2why, and chcat, for operating and managing SELinux.
  • policycoreutils-gui provides system-config-selinux, a graphical tool for managing SELinux.

[6] Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.