SELinux User's and Administrator's Guide
Part I. SELinux

This documentation part describes the basics and principles upon which Security Enhanced Linux (SELinux) functions.