Chapter 4. Working with SELinux
The following sections give a brief overview of the main SELinux packages in Red Hat Enterprise Linux; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount command; mounting NFS volumes; and how to preserve SELinux contexts when copying and archiving files and directories.
4.1. SELinux Packages
In a Red Hat Enterprise Linux full installation, the SELinux packages are installed by default unless they are manually excluded during installation. If performing a minimal installation in text mode, the policycoreutils-python and policycoreutils-gui packages are not installed by default. Also, by default, SELinux runs in enforcing mode and the SELinux targeted policy is used. The following SELinux packages are installed on your system by default:
- policycoreutils provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool, for operating and managing SELinux.
- selinux-policy provides a basic directory structure, the selinux-policy.conf file, and RPM macros.
- selinux-policy-targeted provides the SELinux targeted policy.
- libselinux provides an API for SELinux applications.
- libselinux-utils provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, and setenforce utilities.
- libselinux-python provides Python bindings for developing SELinux applications.
The following packages are not installed by default but can be optionally installed by running the yum install <package-name> command:
- selinux-policy-devel provides utilities for creating a custom SELinux policy and policy modules.
- selinux-policy-doc provides manual pages that describe how to configure SELinux together with various services.
- selinux-policy-mls provides the MLS (Multi-Level Security) SELinux policy.
- setroubleshoot-server translates denial messages, produced when access is denied by SELinux, into detailed descriptions that can be viewed with the sealert utility, also provided in this package.
- setools-console provides the Tresys Technology SETools distribution, a number of utilities and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management. The setools package is a meta-package for SETools. The setools-gui package provides the apol and seaudit utilities. The setools-console package provides the sechecker, sediff, seinfo, sesearch, and findcon command-line utilities. Note that the setools and setools-gui packages are available only when the Red Hat Network Optional channel is enabled. For further information, see Scope of Coverage Details.
- mcstrans translates levels, such as s0-s0:c0.c1023, to a form that is easier to read, such as SystemLow-SystemHigh.
- policycoreutils-python provides utilities such as semanage, audit2allow, audit2why, and chcat, for operating and managing SELinux.
- policycoreutils-gui provides system-config-selinux, a graphical utility for managing SELinux.