Product SiteDocumentation Site

Fedora 11

Security-Enhanced Linux

User Guide

Edition 1.3

Fedora Documentation Project

Murray McAllister

Red Hat Engineering Content Services

Daniel Walsh

Red Hat Security Engineering

Dominick Grift

Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Users, and Troubleshooting chapters. 

Eric Paris

Technical editor for the Mounting File Systems and Raw Audit Messages sections. 
Red Hat Security Engineering

James Morris

Technical editor for the Introduction and Targeted Policy chapters. 
Red Hat Security Engineering

Scott Radvan

Red Hat Engineering Content Services

Legal Notice

Copyright © 2009 Red Hat, Inc. and others.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
All other trademarks are the property of their respective owners.
This book is about managing and using Security-Enhanced Linux®.

1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We Need Feedback!
1. Trademark Information
1.1. Source Code
2. Introduction
2.1. Benefits of running SELinux
2.2. Examples
2.3. SELinux Architecture
2.4. SELinux on Other Operating Systems
3. SELinux Contexts
3.1. Domain Transitions
3.2. SELinux Contexts for Processes
3.3. SELinux Contexts for Users
4. Targeted Policy
4.1. Confined Processes
4.2. Unconfined Processes
4.3. Confined and Unconfined Users
5. Working with SELinux
5.1. SELinux Packages
5.2. Which Log File is Used
5.3. Main Configuration File
5.4. Enabling and Disabling SELinux
5.4.1. Enabling SELinux
5.4.2. Disabling SELinux
5.5. SELinux Modes
5.6. Booleans
5.6.1. Listing Booleans
5.6.2. Configuring Booleans
5.6.3. Booleans for NFS and CIFS
5.7. SELinux Contexts - Labeling Files
5.7.1. Temporary Changes: chcon
5.7.2. Persistent Changes: semanage fcontext
5.8. The file_t and default_t Types
5.9. Mounting File Systems
5.9.1. Context Mounts
5.9.2. Changing the Default Context
5.9.3. Mounting an NFS File System
5.9.4. Multiple NFS Mounts
5.9.5. Making Context Mounts Persistent
5.10. Maintaining SELinux Labels
5.10.1. Copying Files and Directories
5.10.2. Moving Files and Directories
5.10.3. Checking the Default SELinux Context
5.10.4. Archiving Files with tar
5.10.5. Archiving Files with star
6. Confining Users
6.1. Linux and SELinux User Mappings
6.2. Confining New Linux Users: useradd
6.3. Confining Existing Linux Users: semanage login
6.4. Changing the Default Mapping
6.5. xguest: Kiosk Mode
6.6. Booleans for Users Executing Applications
7. Troubleshooting
7.1. What Happens when Access is Denied
7.2. Top Three Causes of Problems
7.2.1. Labeling Problems
7.2.2. How are Confined Services Running?
7.2.3. Evolving Rules and Broken Applications
7.3. Fixing Problems
7.3.1. Linux Permissions
7.3.2. Possible Causes of Silent Denials
7.3.3. Manual Pages for Services
7.3.4. Permissive Domains
7.3.5. Searching For and Viewing Denials
7.3.6. Raw Audit Messages
7.3.7. sealert Messages
7.3.8. Allowing Access: audit2allow
8. Further Information
8.1. Contributors
8.2. Other Resources
A. Revision History