From SELinux Wiki
Revision as of 14:08, 12 May 2010 by RichardHaines (Talk | contribs)

Jump to: navigation, search

Global Configuration Files

Listed in the sections that follow are the common configuration files used by SELinux and are therefore not policy specific.

/etc/selinux/config File

If this file is missing or corrupt no SELinux policy will be loaded (i.e. SELinux is disabled). The config file controls the state of SELinux using the following parameters:



SELINUX This can contain one of three values:

enforcing - SELinux security policy is enforced.

permissive - SELinux logs warnings (see the Audit Logs section) instead of enforcing the policy (i.e. the action is allowed to proceed).

disabled - No SELinux policy is loaded.

SELINUXTYPE Where policy_name is the policy type or name that will be loaded at system boot time.

The policy MUST be located at:


SETLOCALDEFS This optional field should be set to 0 (or the entry removed) as so that the policy store management infrastructure is used (semanage / semodule).

If set to 1, then init(8) and load_policy(8) will read the local customisation for booleans and users.

REQUIRESEUSERS This optional field can be used to fail the login when there is no seusers file if it is set to 1.

The default action (if 0 or the entry is not present) the libselinux function getseuserbyname will use the GNU / Linux user name.

AUTORELABEL This is an optional field. If set to '0' and there is a file called .autorelabel in the root directory, then on a reboot, the loader will drop to a shell where a root logon is required. An administrator can then manually relabel the file system.

If set to '1' or the parameter name is not used (the default) there is no login for manual relabeling, however should the /.autorelabel file exist, then the file system will be automatically relabeled using fixfiles -F restore.

In both cases the /.autorelabel file will be removed so the relabel is not done again.

Example config file contents are:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.

/etc/selinux/semanage.conf File

The semanage.config file controls the configuration and actions of the semanage and semodule set of commands using the following parameters:

module-store = method
policy-version = policy_version
expand-check = 0|1
file-mode = mode
save-previous = true|false
save-linked = true|false
disable-genhomedircon = true|false
handle-unknown = allow|deny|reject
bzip-blocksize = 0|1..9
bzip-small true|false
[verify kernel]
path = <path to policy checker>
args = <args>


module-store The method can be one of four options:

1) directlibsemanage - will write directly to a module store. This is the default value.

2) sourcelibsemanage - manipulates a source SELinux policy.

3) /foo/bar - Write via a policy management server, whose named socket is at /foo/bar. The path must begin with a '/'.

4) - Establish a TCP connection to a remote policy management server at If there is a colon then the remainder is interpreted as a port number; otherwise default to port 4242.

policy-version This optional entry can contain a policy version number, however it is normally commented out as it then defaults to that supported by the system (for F-10 this is policy version 23).
expand-check This optional entry controls whether hierarchy checking on module expansion is enabled (1) or disabled (0). The default is 0.
file-mode This optional entry allows the file permissions to be set on runtime policy files. The format is the same as the mode parameter of the chmod command and defaults to 0644 if not present.
save-previous This optional entry controls whether the previous module directory is saved (TRUE) after a successful commit to the policy store. The default is to delete the previous version (FALSE).
save-linked This optional entry controls whether the previously linked module is saved (TRUE) after a successful commit to the policy store. Note that this option will create a base.linked file in the module policy store.

The default is to delete the previous module (FALSE).

disable-genhomedircon This optional entry controls whether the embedded genhomedircon function is run when using the semanage command. The default is FALSE.
handle-unknown This optional entry controls the kernel behaviour for handling permissions defined in the kernel but missing from the policy (that are declared at the start of the base.conf (loadable policy) or policy.conf (monolithic policy).

The options are: allow the permission, reject by not loading the policy or deny the permission. The default is deny. See the SELinux Filesystem section for how these are reported in /selinux.

Note: to activate any change, the base policy needs to be reloaded with the semodule -b command (as semodule -R does not change them).

bzip-blocksize This optional entry determines whether the modules are compressed or not with bzip. If the entry is 0, then no compression will be used (this is required with tools such as sechecker and apol). This can also be set to a value between 1 and 9 that will set the block size used for compression (bzip will multiply this by 100,000, so '9' is faster but uses more memory).
bzip-small When this optional entry is set to TRUE the memory usage is reduced for compression and decompression (the bzip -s or --small option). If FALSE or no entry present, then does not try to reduce memory requirements.
[verify kernel].. [end] This starts an additional set of entries that can be used to validate a policy with an external application during the build process. The validation process takes place before the policy is allowed to be inserted into the store with the SELinux Project web site showing a worked example at:

The entries required for this option are as follows:

[verify kernel]
path = <application_to_run>
args = <arguments>

Example semanage.config file contents are:

# /etc/selinux/semanage.conf

module-store = direct
expand-check = 0

/etc/selinux/restorecond.conf File

The restorecond.conf file contains a list of files that may be created by applications with an incorrect security context. The restorecond daemon will then watch for their creation or modification and automatically correct their security context to that specified by the active policy file context configuration files(located in the /etc/selinux/<policy_name>/contexts/files directory). The daemon uses functions in libselinux such as matchpathcon(3) to manage the context updates.

Each line of the file contains the full path of a file or directory. The only different entry is one that starts with a tilde (~) as that signifies that the entries will be expanded to logged in users home directories (e.g. ~/public_html would cause the daemon to listen for changes to public_html in all logged on users home directories).

Example restorecond.conf file contents are:

# /etc/selinux/restorecond.conf


# This entry expands to listen for all files created for all 
# logged in users within their home directories:

/etc/sestatus.conf File

This file is used by the sestatus(8) command to list files and processes whose security context should be displayed when the -v flag is used (sestatus -v).

The sestatus.conf file has the following parameters:

List of files to display context

List of processes to display context

Example sestatus.conf file contents are:

# /etc/sestatus.conf



/etc/security/sepermit.conf File

This file is used by the module to allow or deny a user login depending on whether SELinux is enforcing the policy or not. An example use of this facility is the Red Hat kiosk mode where a terminal can be set up with a guest user that does not require a password, but can only log in if SELinux is in enforcing mode.

The entry is added to the appropriate /etc/pam.d configuration file, with the example shown being the /etc/pam.d/gdm file:

auth [success=done ignore=ignore default=bad]
# auth required user != root quiet
auth required
auth substack system-auth
auth optional
account required
account include system-auth
password include system-auth
session required close
session required
session optional
session required open
session optional force revoke
session required
session optional auto_start
session include system-auth

The usage is described in the pam_sepermit man page, but the following example describes the configuration:

# /etc/security/sepermit.conf#
# Each line contains either:
# - an user name
# - a group name, with @group syntax
# - a SELinux user name, with %seuser syntax
# Each line can contain optional arguments separated by :
# The possible arguments are:
# - exclusive - only single login session will be allowed for
# the user and the user's processes will be killed on logout
# An example entry for 'kiosk mode':