Chapter 5. Working with SELinux
The following sections give a brief overview of the main SELinux packages in Red Hat Enterprise Linux; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount command; mounting NFS volumes; and how to preserve SELinux contexts when copying and archiving files and directories.
5.1. SELinux Packages
In Red Hat Enterprise Linux, the SELinux packages are installed by default in a full installation, unless they are manually excluded during installation. If performing a minimal installation in text mode, the policycoreutils-python and policycoreutils-gui packages are not installed by default. Also, by default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the SELinux packages that are installed on your system by default:
- policycoreutils provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool, for operating and managing SELinux.
- selinux-policy provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy; refer to the Tresys Technology SELinux Reference Policy page for further information. This package also provides the /usr/share/selinux/devel/policygentool development utility, as well as example policy files.
- selinux-policy-targeted provides the SELinux targeted policy.
- libselinux – provides an API for SELinux applications.
- libselinux-utils provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, setenforce, and togglesebool utilities.
- libselinux-python provides Python bindings for developing SELinux applications.
The following is a brief description of the main optional packages, which have to be installed via the yum install <package-name> command:
- selinux-policy-mls provides the MLS SELinux policy.
- setroubleshoot-server translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with the sealert utility, also provided by this package.
- setools-console – this package provides the Tresys Technology SETools distribution, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management[6]. The setools package is a meta-package for SETools. The setools-gui package provides the apol, seaudit, and sediffx tools. The setools-console package provides the seaudit-report, sechecker, sediff, seinfo, sesearch, findcon, replcon, and indexcon command-line tools. Refer to the Tresys Technology SETools page for information about these tools.
- mcstrans translates levels, such as s0-s0:c0.c1023, to an easier to read form, such as SystemLow-SystemHigh. This package is not installed by default.
- policycoreutils-python provides utilities such as semanage, audit2allow, audit2why, and chcat, for operating and managing SELinux.
- policycoreutils-gui provides system-config-selinux, a graphical tool for managing SELinux.
[6] Brindle, Joshua. "Re: blurb for fedora setools packages" Email to Murray McAllister. 1 November 2008. Any edits or changes in this version were done by Murray McAllister.