Fedora 25

SELinux User's and Administrator's Guide

Basic and advanced configuration of Security-Enhanced Linux (SELinux)

Edition 1

Mirek Jahoda

Red Hat Customer Content Services

Barbora Ančincová

Red Hat Customer Content Services

Murray McAllister

Red Hat Product Security

Scott Radvan

Red Hat Customer Content Services

Daniel Walsh

Red Hat Security Engineering

Dominick Grift

Technical editor for the Introduction, SELinux Contexts, Targeted Policy, Working with SELinux, Confining Users, and Troubleshooting chapters.

Eric Paris

Technical editor for the Mounting File Systems and Raw Audit Messages sections.
Red Hat Security Engineering

James Morris

Technical editor for the Introduction and Targeted Policy chapters.
Red Hat Security Engineering

Legal Notice

Copyright © 2016 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.
This book consists of two parts: SELinux and Managing Confined Services. The former describes the basics and principles upon which SELinux functions; the latter focuses on practical tasks for setting up and configuring various services under SELinux.

1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We Need Feedback!
I. SELinux
1. Introduction
1.1. Benefits of running SELinux
1.2. Examples
1.3. SELinux Architecture
1.4. SELinux States and Modes
2. SELinux Contexts
2.1. Domain Transitions
2.2. SELinux Contexts for Processes
2.3. SELinux Contexts for Users
3. Targeted Policy
3.1. Confined Processes
3.2. Unconfined Processes
3.3. Confined and Unconfined Users
3.3.1. The sudo Transition and SELinux Roles
4. Working with SELinux
4.1. SELinux Packages
4.2. Which Log File is Used
4.3. Main Configuration File
4.4. Permanent Changes in SELinux States and Modes
4.4.1. Enabling SELinux
4.4.2. Permissive Mode
4.5. Disabling SELinux
4.6. Booleans
4.6.1. Listing Booleans
4.6.2. Configuring Booleans
4.6.3. Shell Auto-Completion
4.7. SELinux Contexts – Labeling Files
4.7.1. Temporary Changes: chcon
4.7.2. Persistent Changes: semanage fcontext
4.8. The file_t and default_t Types
4.9. Mounting File Systems
4.9.1. Context Mounts
4.9.2. Changing the Default Context
4.9.3. Mounting an NFS Volume
4.9.4. Multiple NFS Mounts
4.9.5. Making Context Mounts Persistent
4.10. Maintaining SELinux Labels
4.10.1. Copying Files and Directories
4.10.2. Moving Files and Directories
4.10.3. Checking the Default SELinux Context
4.10.4. Archiving Files with tar
4.10.5. Archiving Files with star
4.11. Information Gathering Tools
4.12. Multi-Level Security (MLS)
4.12.1. MLS and System Privileges
4.12.2. Enabling MLS in SELinux
4.12.3. Creating a User With a Specific MLS Range
4.12.4. Setting Up Polyinstantiated Directories
4.13. File Name Transition
4.14. Disable ptrace()
4.15. Thumbnail Protection
5. The sepolicy Suite
5.1. The sepolicy Python Bindings
5.2. Generating SELinux Policy Modules: sepolicy generate
5.3. Prioritizing SELinux Policy Modules
5.4. Understanding Domain Transitions: sepolicy transition
5.5. Generating Manual Pages: sepolicy manpage
6. Confining Users
6.1. Linux and SELinux User Mappings
6.2. Confining New Linux Users: useradd
6.3. Confining Existing Linux Users: semanage login
6.4. Changing the Default Mapping
6.5. xguest: Kiosk Mode
6.6. Booleans for Users Executing Applications
7. sVirt
7.1. Security and Virtualization
7.2. sVirt Labeling
8. Secure Linux Containers
9. SELinux systemd Access Control
9.1. SELinux Access Permissions for Services
9.2. SELinux and journald
10. Troubleshooting
10.1. What Happens when Access is Denied
10.2. Top Three Causes of Problems
10.2.1. Labeling Problems
10.2.2. How are Confined Services Running?
10.2.3. Evolving Rules and Broken Applications
10.3. Fixing Problems
10.3.1. Linux Permissions
10.3.2. Possible Causes of Silent Denials
10.3.3. Manual Pages for Services
10.3.4. Permissive Domains
10.3.5. Searching For and Viewing Denials
10.3.6. Raw Audit Messages
10.3.7. sealert Messages
10.3.8. Allowing Access: audit2allow
11. Further Information
11.1. Contributors
11.2. Other Resources
II. Managing Confined Services
12. Introduction
13. The Apache HTTP Server
13.1. The Apache HTTP Server and SELinux
13.2. Types
13.3. Booleans
13.4. Configuration examples
13.4.1. Running a static site
13.4.2. Sharing NFS and CIFS volumes
13.4.3. Sharing files between services
13.4.4. Changing port numbers
14. Samba
14.1. Samba and SELinux
14.2. Types
14.3. Booleans
14.4. Configuration examples
14.4.1. Sharing directories you create
14.4.2. Sharing a website
15. File Transfer Protocol
15.1. FTP and SELinux
15.2. Types
15.3. Booleans
15.4. Configuration Examples
15.4.1. Uploading to an FTP site
16. Network File System
16.1. NFS and SELinux
16.2. Types
16.3. Booleans
16.4. Configuration Examples
16.4.1. Enabling SELinux Labeled NFS Support
17. Berkeley Internet Name Domain
17.1. BIND and SELinux
17.2. Types
17.3. Booleans
17.4. Configuration Examples
17.4.1. Dynamic DNS
18. Concurrent Versioning System
18.1. CVS and SELinux
18.2. Types
18.3. Booleans
18.4. Configuration Examples
18.4.1. Setting up CVS
19. Squid Caching Proxy
19.1. Squid Caching Proxy and SELinux
19.2. Types
19.3. Booleans
19.4. Configuration Examples
19.4.1. Squid Connecting to Non-Standard Ports
20. MariaDB (a replacement for MySQL)
20.1. MariaDB and SELinux
20.2. Types
20.3. Booleans
20.4. Configuration Examples
20.4.1. MariaDB Changing Database Location
21. PostgreSQL
21.1. PostgreSQL and SELinux
21.2. Types
21.3. Booleans
21.4. Configuration Examples
21.4.1. PostgreSQL Changing Database Location
22. rsync
22.1. rsync and SELinux
22.2. Types
22.3. Booleans
22.4. Configuration Examples
22.4.1. Rsync as a daemon
23. Postfix
23.1. Postfix and SELinux
23.2. Types
23.3. Booleans
23.4. Configuration Examples
23.4.1. SpamAssassin and Postfix
24. DHCP
24.1. DHCP and SELinux
24.2. Types
25. References
A. Revision History