From SELinux Wiki
Revision as of 13:58, 12 May 2010 by RichardHaines


SELinux Configuration Files

This section explains each SELinux configuration file with its format, example content and, where applicable, any supporting SELinux command or library API function names (the appropriate man(3) pages should be consulted regarding their use).

Note: Configuration file names and content have changed over the various releases of SELinux. This section describes those seen in the Fedora 12 release when building custom and Reference Policy policies.

This section classifies the types of configuration file used in SELinux as follows:

  • Global Configuration files that affect the active policy and their supporting SELinux-aware applications, utilities or commands. These can be located in /etc/selinux or other places depending on the application.
  • Files specific to a named policy configuration that are located at /etc/selinux/<policy_name>, where <policy_name> is the name given in the SELINUXTYPE= entry of the /etc/selinux/config file. The files in this area are split into two main sections:
    • The Policy Store Configuration files that are 'private'[1] and managed by the semanage(8) and semodule(8) commands[2]. These are located in the /etc/selinux/<policy_name>/module set of directories. These are used to build the majority of the Policy Configuration files.
    • The Policy Configuration files that are used when the policy is activated[3]. The majority of these files are now managed via the Policy Store and should not be edited directly; others, however, are specific to SELinux-aware applications and have no configuration utilities (e.g. the dbus and X-Windows context files).
  • SELinux Kernel Configuration files that are located under the /selinux directory and reflect the current configuration of SELinux and the active policy. This area is used extensively by the libselinux library for user space object managers and other SELinux-aware applications. These files and directories should not be updated by users (the majority are read-only anyway); however, they can be read to check various configuration parameters. ToDo - Put in link to these when I've done them.

Whenever possible the appropriate SELinux application should be used to manage all of these configuration files.

When these configuration files are used to configure a security context and the policy supports MCS / MLS, the appropriate level or range must be added to the context. Generally an object such as a file has a single level, while a user or process (a subject) has a level and a range; directories can also have a range if they support polyinstantiation.
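As an added example (not code from the SELinux wiki or the SELinux project), the following Python helper splits a security context into its user:role:type fields plus the optional level or range, and appends a default level when a context destined for an MCS/MLS-capable policy lacks one. The sample contexts, the default level "s0" and the simplified level syntax check are constructed assumptions for illustration; a real policy defines which sensitivities and categories are valid.

```python
import re

# Constructed, simplified pattern for one MLS/MCS level: sN[:cA[.cB][,cC...]]
# e.g. "s0", "s0:c0.c1023", "s2:c1,c3". Not the authoritative policy grammar.
LEVEL_RE = re.compile(r"^s\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?$")


def parse_context(ctx):
    """Split 'user:role:type[:level-or-range]' into its fields.

    The level field may itself contain ':' (category sets), so the split
    is limited to the first three separators.
    """
    parts = ctx.split(":", 3)
    if len(parts) < 3 or any(p == "" for p in parts[:3]):
        raise ValueError(f"context needs at least user:role:type: {ctx!r}")
    user, role, type_ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return {"user": user, "role": role, "type": type_, "level": level}


def valid_range(rng):
    """Accept a single level ('s0') or a low-high range ('s0-s0:c0.c1023')."""
    low, _, high = rng.partition("-")
    if not LEVEL_RE.match(low):
        return False
    return high == "" or bool(LEVEL_RE.match(high))


def ensure_level(ctx, policy_has_mls, default="s0"):
    """Return ctx adjusted for the policy type.

    - For an MCS/MLS policy: append the default level if none is present,
      otherwise validate the level/range that is there.
    - For a policy without MCS/MLS: reject a context that carries a level,
      since the policy cannot interpret it.
    """
    fields = parse_context(ctx)
    if not policy_has_mls:
        if fields["level"] is not None:
            raise ValueError(f"policy has no MLS support but context has level: {ctx!r}")
        return ctx
    if fields["level"] is None:
        return f"{ctx}:{default}"
    if not valid_range(fields["level"]):
        raise ValueError(f"malformed level/range in context: {ctx!r}")
    return ctx


if __name__ == "__main__":
    # Constructed sample contexts: an object (single level) and a subject (range).
    for sample in ("system_u:object_r:etc_t", "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"):
        print(sample, "->", ensure_level(sample, policy_has_mls=True))
```

The split-with-limit in parse_context is the point worth noting: a naive `split(":")` would break a range such as `s0-s0:c0.c1023` into extra fields, which is the usual cause of mislabelled entries when contexts are generated by scripts.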

Global Configuration Files

  • The following files are described in the Global Configuration Files section:
    • /etc/selinux/config File
    • /etc/selinux/semanage.conf File
    • /etc/selinux/restorecond.conf File
    • /etc/sestatus.conf File
    • /etc/security/sepermit.conf File

Policy Store Configuration Files

  • The following files are described in the Policy Store Configuration Files section:
    • base.pp File
    • base.linked File
    • commit_num File
    • file_contexts.template File
    • file_contexts File
    • homedir_template File
    • file_contexts.homedirs File
    • netfilter_contexts & netfilter.local File
    • policy.kern File
    • and seusers Files
    • users_extra, users_extra.local and users.local Files
    • booleans.local File
    • file_contexts.local File
    • interfaces.local File
    • nodes.local File
    • ports.local File
    • modules Directory Contents

Policy Configuration Files

  • The following files are described in the Policy Configuration Files section:
    • seusers File
    • setrans.conf File
    • secolor.conf File
    • policy/policy[ver] File
    • contexts/customizable_types File
    • contexts/default_contexts File
    • contexts/dbus_contexts File
    • contexts/default_type File
    • contexts/failsafe_context File
    • contexts/initrc_context File
    • contexts/netfilter_contexts File
    • contexts/removable_contexts File
    • contexts/securetty_types File
    • contexts/userhelper_context File
    • contexts/virtual_domain_context File
    • contexts/virtual_image_context File
    • contexts/x_contexts File
    • contexts/files/file_contexts File
    • contexts/files/file_contexts.local File
    • contexts/files/file_contexts.homedirs File
    • contexts/files/media File
    • contexts/users/[seuser_id] File
  1. They should NOT be edited as together they describe the 'policy'.
  2. The system-config-selinux GUI (supplied in the policycoreutils-gui rpm) can also be used to manage users, booleans and the general configuration of SELinux as it calls semanage; however, it does not manage all that the semanage command can (it also gets bitter & twisted if there are no MCS/MLS labels on some operations).
  3. The 'active policy' is pointed to by an entry in the /etc/selinux/config file discussed in the /etc/selinux/config file section.