Chapter 5. Working with SELinux

The following sections give a brief overview of the main SELinux packages in Red Hat Enterprise Linux; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount command; mounting NFS file systems; and how to preserve SELinux contexts when copying and archiving files and directories.

5.1. SELinux Packages

In Red Hat Enterprise Linux, the SELinux packages are installed by default, in a full installation, unless they are manually excluded during installation. If performing a minimal installation in text mode, the policycoreutils-python package will not be installed by default. Also, by default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the main SELinux packages:

policycoreutils-python: provides utilities such as semanage, audit2allow, audit2why and chcat, for operating and managing SELinux.

policycoreutils: provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool, for operating and managing SELinux.

policycoreutils-gui: provides system-config-selinux, a graphical tool for managing SELinux.

selinux-policy: provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy. Refer to the Tresys Technology SELinux Reference Policy page for further information. The selinux-policy-devel package provides development tools, such as /usr/share/selinux/devel/policygentool and /usr/share/selinux/devel/policyhelp, as well as example policy files.

selinux-policy-policy: provides SELinux policies. For targeted policy, install selinux-policy-targeted. For MLS, install selinux-policy-mls.

setroubleshoot-server: translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with sealert (which is provided by this package).

setools-console: this package provides the Tresys Technology SETools distribution, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management^[8]. The setools package is a meta-package for SETools. The setools-gui package provides the apol, seaudit, and sediffx tools. The setools-console package provides the seaudit-report, sechecker, sediff, seinfo, sesearch, findcon, replcon, and indexcon command line tools. Refer to the Tresys Technology SETools page for information about these tools.

libselinux-utils: provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, togglesebool tools.

mcstrans: translates levels, such as s0-s0:c0.c1023, to an easier to read form, such as SystemLow-SystemHigh. This package is not installed by default.

To install packages in Red Hat Enterprise Linux, as the Linux root user, run the yum install package-name command. For example, to install the mcstrans package, run the yum install mcstrans command. To upgrade all installed packages in Red Hat Enterprise Linux, run the yum update command.

^[8] Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.