Global Configuration Files
The sections that follow list the common configuration files used by SELinux. These files are not policy specific.
If this file is missing or corrupt no SELinux policy will be loaded (i.e. SELinux is disabled). The config file controls the state of SELinux using the following parameters:
SELINUX=enforcing|permissive|disabled
SELINUXTYPE=policy_name
SETLOCALDEFS=0|1
REQUIRESEUSERS=0|1
AUTORELABEL=0|1
|SELINUX|| This can contain one of three values:
enforcing - SELinux security policy is enforced.
permissive - SELinux logs warnings (see the Audit Logs section) instead of enforcing the policy (i.e. the action is allowed to proceed).
disabled - No SELinux policy is loaded.
|SELINUXTYPE|| Where policy_name is the policy type or name that will be loaded at system boot time.
The policy MUST be located at:
|SETLOCALDEFS|| This optional field should be set to 0 (or the entry removed) so that the policy store management infrastructure is used (semanage / semodule).
If set to 1, then init(8) and load_policy(8) will read the local customisation for booleans and users.
|REQUIRESEUSERS|| This optional field can be set to 1 to fail the login when there is no seusers file.
By default (if set to 0 or the entry is not present), the libselinux function getseuserbyname will use the GNU / Linux user name.
|AUTORELABEL|| This is an optional field. If set to '0' and there is a file called .autorelabel in the root directory, then on a reboot, the loader will drop to a shell where a root logon is required. An administrator can then manually relabel the file system.
If set to '1' or the parameter name is not used (the default), there is no login for manual relabeling; however, should the /.autorelabel file exist, the file system will be automatically relabeled using fixfiles -F restore.
In both cases the /.autorelabel file will be removed so the relabel is not done again.
Example config file contents are:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
#
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
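The parameter rules above can be checked mechanically. The following is an added example, not part of the original page or of any SELinux tool; the function names and finding texts are illustrative, and the sample input is constructed from the example config shown above.

```python
# Added example, not from the original page: audit the SELinux global config file.
ALLOWED = {
    "SELINUX": ("enforcing", "permissive", "disabled"),
    "SETLOCALDEFS": ("0", "1"),
    "REQUIRESEUSERS": ("0", "1"),
    "AUTORELABEL": ("0", "1"),
}

# Constructed sample input: the example config shown above, comments shortened.
SAMPLE = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
"""

def parse_config(text):
    """Return {PARAM: value} from PARAM=value lines; '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def audit(text):
    """Return findings for the config text; text=None models a missing file."""
    if text is None:
        return ["config file missing: no policy is loaded (SELinux disabled)"]
    params = parse_config(text)
    findings = [
        f"{key}={params[key]} is not one of {'|'.join(values)}"
        for key, values in ALLOWED.items()
        if key in params and params[key] not in values
    ]
    mode = params.get("SELINUX")
    if mode == "permissive":
        findings.append("SELINUX=permissive: denials are logged, not enforced")
    elif mode == "disabled":
        findings.append("SELINUX=disabled: no policy is loaded")
    if params.get("SETLOCALDEFS") == "1":
        findings.append("SETLOCALDEFS=1: init and load_policy read local "
                        "customisations instead of the policy store")
    if params.get("AUTORELABEL") == "0":
        findings.append("AUTORELABEL=0: /.autorelabel drops boot to a root shell")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```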
The semanage.conf file controls the configuration and actions of the semanage and semodule set of commands using the following parameters:
module-store = method
policy-version = policy_version
expand-check = 0|1
file-mode = mode
save-previous = true|false
save-linked = true|false
disable-genhomedircon = true|false
handle-unknown = allow|deny|reject
bzip-blocksize = 0|1..9
bzip-small = true|false
[verify kernel]
path = <path to policy checker>
args = <args>
[end]
|module-store|| The method can be one of four options:
1) direct - libsemanage will write directly to a module store. This is the default value.
2) source - libsemanage manipulates a source SELinux policy.
3) /foo/bar - Write via a policy management server, whose named socket is at /foo/bar. The path must begin with a '/'.
4) foo.com:4242 - Establish a TCP connection to a remote policy management server at foo.com. If there is a colon then the remainder is interpreted as a port number; otherwise default to port 4242.
|policy-version||This optional entry can contain a policy version number, however it is normally commented out as it then defaults to that supported by the system (for F-10 this is policy version 23).|
|expand-check||This optional entry controls whether hierarchy checking on module expansion is enabled (1) or disabled (0). The default is 0.|
|file-mode||This optional entry allows the file permissions to be set on runtime policy files. The format is the same as the mode parameter of the chmod command and defaults to 0644 if not present.|
|save-previous||This optional entry controls whether the previous module directory is saved (TRUE) after a successful commit to the policy store. The default is to delete the previous version (FALSE).|
|save-linked|| This optional entry controls whether the previously linked module is saved (TRUE) after a successful commit to the policy store. Note that this option will create a base.linked file in the module policy store.
The default is to delete the previous module (FALSE).
|disable-genhomedircon||This optional entry controls whether the embedded genhomedircon function is run when using the semanage command. The default is FALSE.|
|handle-unknown|| This optional entry controls the kernel behaviour for handling permissions defined in the kernel but missing from the policy (these are declared at the start of the base.conf (loadable policy) or policy.conf (monolithic policy)).
The options are: allow the permission, reject by not loading the policy or deny the permission. The default is deny. See the SELinux Filesystem section for how these are reported in /selinux.
Note: to activate any change, the base policy needs to be reloaded with the semodule -b command (as semodule -R does not change them).
|bzip-blocksize||This optional entry determines whether the modules are compressed or not with bzip. If the entry is 0, then no compression will be used (this is required with tools such as sechecker and apol). This can also be set to a value between 1 and 9 that will set the block size used for compression (bzip will multiply this by 100,000, so '9' is faster but uses more memory).|
|bzip-small||When this optional entry is set to TRUE the memory usage is reduced for compression and decompression (the bzip -s or --small option). If FALSE or no entry is present, no attempt is made to reduce memory requirements.|
|[verify kernel].. [end]|| This starts an additional set of entries that can be used to validate a policy with an external application during the build process. The validation process takes place before the policy is allowed to be inserted into the store. The SELinux Project web site shows a worked example at:
The entries required for this option are as follows:
[verify kernel]
path = <application_to_run>
args = <arguments>
[end]
Example semanage.conf file contents are:
# /etc/selinux/semanage.conf
module-store = direct
expand-check = 0
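The four module-store forms, the documented defaults and the [verify kernel] .. [end] block can be interpreted as follows. This is an added example, not libsemanage's own parser; the function names are illustrative, and the checker path and args in the sample are constructed placeholders.

```python
# Added example, not from the original page: interpret a semanage.conf file.
DEFAULT_PORT = 4242  # used when a remote module-store value names no port
# Defaults as documented in the parameter table above.
DEFAULTS = {"module-store": "direct", "expand-check": "0", "file-mode": "0644",
            "save-previous": "false", "save-linked": "false",
            "disable-genhomedircon": "false", "handle-unknown": "deny"}

# Constructed sample; the checker path and its args are placeholders.
SAMPLE = """\
# /etc/selinux/semanage.conf
module-store = direct
expand-check = 0
[verify kernel]
path = /usr/local/bin/check_policy
args = --policy-file
[end]
"""

def classify_module_store(method):
    """Map a module-store value to (kind, target) using the four documented forms."""
    if method in ("direct", "source"):
        return (method, None)
    if method.startswith("/"):
        return ("socket", method)  # named socket of a policy management server
    host, colon, port = method.partition(":")
    return ("tcp", (host, int(port) if colon else DEFAULT_PORT))

def parse_semanage_conf(text):
    """Return (settings, verifiers); each [verify X]..[end] block becomes a dict."""
    settings, verifiers, block = dict(DEFAULTS), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[verify ") and line.endswith("]"):
            block = {"stage": line[len("[verify "):-1].strip()}
        elif line == "[end]":
            if block is None:
                raise ValueError("[end] without an opening [verify ...]")
            verifiers.append(block)
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (settings if block is None else block)[key] = value
    if block is not None:
        raise ValueError("[verify ...] block is missing its [end]")
    return settings, verifiers
```

A module-store value classified as socket or tcp means policy changes are written through a policy management server rather than directly to the local store, which is worth flagging when reviewing a host.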
The restorecond.conf file contains a list of files that may be created by applications with an incorrect security context. The restorecond daemon watches for their creation or modification and automatically corrects their security context to that specified by the active policy file context configuration files (located in the /etc/selinux/<policy_name>/contexts/files directory). The daemon uses functions in libselinux such as matchpathcon(3) to manage the context updates.
Each line of the file contains the full path of a file or directory. The only exception is an entry that starts with a tilde (~), which signifies that the entry will be expanded to the home directories of logged-in users (e.g. ~/public_html would cause the daemon to listen for changes to public_html in the home directories of all logged-in users).
Example restorecond.conf file contents are:
# /etc/selinux/restorecond.conf
/etc/services
/etc/resolv.conf
/etc/samba/secrets.tdb
/etc/mtab
/var/run/utmp
/var/log/wtmp
# This entry expands to listen for all files created for all
# logged in users within their home directories:
~/*
This file is used by the sestatus(8) command to list files and processes whose security context should be displayed when the -v flag is used (sestatus -v).
The sestatus.conf file has the following parameters:
[files]
List of files to display context
[process]
List of processes to display context
Example sestatus.conf file contents are:
# /etc/sestatus.conf
[files]
/etc/passwd
/etc/shadow
/bin/bash
/bin/login
/bin/sh
/sbin/agetty
/sbin/init
/sbin/mingetty
/usr/sbin/sshd
/lib/libc.so.6
/lib/ld-linux.so.2
/lib/ld.so.1
[process]
/sbin/mingetty
/sbin/agetty
/usr/sbin/sshd
This file is used by the pam_sepermit.so module to allow or deny a user login depending on whether SELinux is enforcing the policy or not. An example use of this facility is the Red Hat kiosk mode where a terminal can be set up with a guest user that does not require a password, but can only log in if SELinux is in enforcing mode.
The entry is added to the appropriate /etc/pam.d configuration file, with the example shown being the /etc/pam.d/gdm file:
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
# auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
The usage is described in the pam_sepermit man page, but the following example describes the configuration:
# /etc/security/sepermit.conf
#
# Each line contains either:
# - an user name
# - a group name, with @group syntax
# - a SELinux user name, with %seuser syntax
# Each line can contain optional arguments separated by :
# The possible arguments are:
# - exclusive - only single login session will be allowed for
#   the user and the user's processes will be killed on logout
# An example entry for 'kiosk mode':
xguest:exclusive
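The entry syntax and the enforcing-mode decision can be modelled as follows. This is an added example, not pam_sepermit's own code; the permit / deny / ignore results follow the behaviour described in the pam_sepermit man page and line up with the success, default and ignore actions in the PAM entry shown earlier. The @kiosk and %guest_u entries and the function names are constructed for illustration.

```python
# Added example, not from the original page: model the pam_sepermit decision.
# Constructed sample input: the xguest entry is from the example above,
# the @kiosk and %guest_u entries are made up to show the other two syntaxes.
SAMPLE = """\
# /etc/security/sepermit.conf
xguest:exclusive
@kiosk
%guest_u
"""

def parse_sepermit(text):
    """Return [(kind, name, options)] where kind is user, group or seuser."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *options = line.split(":")
        if name.startswith("@"):
            kind, name = "group", name[1:]
        elif name.startswith("%"):
            kind, name = "seuser", name[1:]
        else:
            kind = "user"
        entries.append((kind, name, set(options)))
    return entries

def decide(entries, user, groups, seuser, enforcing):
    """Return (result, exclusive); result is 'permit', 'deny' or 'ignore'."""
    for kind, name, options in entries:
        if ((kind == "user" and name == user)
                or (kind == "group" and name in groups)
                or (kind == "seuser" and name == seuser)):
            # A listed account may log in only while SELinux is enforcing.
            return ("permit" if enforcing else "deny", "exclusive" in options)
    # Accounts not listed are left to the rest of the PAM stack.
    return ("ignore", False)

if __name__ == "__main__":
    rules = parse_sepermit(SAMPLE)
    print(decide(rules, "xguest", ["xguest"], "xguest_u", enforcing=False))
```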