Next

Red Hat Enterprise Linux 6

Security-Enhanced Linux

User Guide

Edition 2.0

Red Hat Engineering Content Services

Legal Notice

Copyright © 2010 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

All other trademarks are the property of their respective owners.

1801 Varsity Drive
Raleigh, NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701

Abstract

The SELinux User Guide assists users and administrators in managing and using Security-Enhanced Linux®.

1. Document Conventions

1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings

2. We Need Feedback!

1. Trademark Information

2. Introduction

2.1. Benefits of running SELinux
2.2. Examples
2.3. SELinux Architecture
2.4. SELinux on Other Operating Systems

3. SELinux Contexts

3.1. Domain Transitions
3.2. SELinux Contexts for Processes
3.3. SELinux Contexts for Users

4. Targeted Policy

4.1. Confined Processes
4.2. Unconfined Processes
4.3. Confined and Unconfined Users

5. Working with SELinux

5.1. SELinux Packages

5.2. Which Log File is Used

5.3. Main Configuration File

5.4. Enabling and Disabling SELinux

5.4.1. Enabling SELinux
5.4.2. Disabling SELinux

5.5. SELinux Modes

5.6. Booleans

5.6.1. Listing Booleans
5.6.2. Configuring Booleans
5.6.3. Booleans for NFS and CIFS

5.7. SELinux Contexts - Labeling Files

5.7.1. Temporary Changes: chcon
5.7.2. Persistent Changes: semanage fcontext

5.8. The file_t and default_t Types

5.9. Mounting File Systems

5.9.1. Context Mounts
5.9.2. Changing the Default Context
5.9.3. Mounting an NFS File System
5.9.4. Multiple NFS Mounts
5.9.5. Making Context Mounts Persistent

5.10. Maintaining SELinux Labels

5.10.1. Copying Files and Directories
5.10.2. Moving Files and Directories
5.10.3. Checking the Default SELinux Context
5.10.4. Archiving Files with tar
5.10.5. Archiving Files with star

5.11. Information Gathering Tools

6. Confining Users

6.1. Linux and SELinux User Mappings
6.2. Confining New Linux Users: useradd
6.3. Confining Existing Linux Users: semanage login
6.4. Changing the Default Mapping
6.5. xguest: Kiosk Mode
6.6. Booleans for Users Executing Applications

7.1. Security and Virtualization
7.2. sVirt Labelling

8. Troubleshooting

8.1. What Happens when Access is Denied

8.2. Top Three Causes of Problems

8.2.1. Labeling Problems
8.2.2. How are Confined Services Running?
8.2.3. Evolving Rules and Broken Applications

8.3. Fixing Problems

8.3.1. Linux Permissions
8.3.2. Possible Causes of Silent Denials
8.3.3. Manual Pages for Services
8.3.4. Permissive Domains
8.3.5. Searching For and Viewing Denials
8.3.6. Raw Audit Messages
8.3.7. sealert Messages
8.3.8. Allowing Access: audit2allow

9. Further Information

9.1. Contributors
9.2. Other Resources

A. Revision History

NextPreface