
Chapter 4. Working with SELinux

4.1. SELinux Packages
4.2. Which Log File is Used
4.3. Main Configuration File
4.4. Permanent Changes in SELinux States and Modes
4.4.1. Enabling SELinux
4.4.2. Permissive Mode
4.5. Disabling SELinux
4.6. Booleans
4.6.1. Listing Booleans
4.6.2. Configuring Booleans
4.6.3. Shell Auto-Completion
4.7. SELinux Contexts – Labeling Files
4.7.1. Temporary Changes: chcon
4.7.2. Persistent Changes: semanage fcontext
4.8. The file_t and default_t Types
4.9. Mounting File Systems
4.9.1. Context Mounts
4.9.2. Changing the Default Context
4.9.3. Mounting an NFS Volume
4.9.4. Multiple NFS Mounts
4.9.5. Making Context Mounts Persistent
4.10. Maintaining SELinux Labels
4.10.1. Copying Files and Directories
4.10.2. Moving Files and Directories
4.10.3. Checking the Default SELinux Context
4.10.4. Archiving Files with tar
4.10.5. Archiving Files with star
4.11. Information Gathering Tools
4.12. Multi-Level Security (MLS)
4.12.1. MLS and System Privileges
4.12.2. Enabling MLS in SELinux
4.12.3. Creating a User With a Specific MLS Range
4.12.4. Setting Up Polyinstantiated Directories
4.13. File Name Transition
4.14. Disable ptrace()
4.15. Thumbnail Protection
The following sections give a brief overview of the main SELinux packages in Fedora; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount command; mounting NFS volumes; and how to preserve SELinux contexts when copying and archiving files and directories.

4.1. SELinux Packages

In a Fedora full installation, the SELinux packages are installed by default unless they are manually excluded during installation. If performing a minimal installation in text mode, the policycoreutils-python and policycoreutils-gui packages are not installed by default. Also, by default, SELinux runs in enforcing mode and the SELinux targeted policy is used. The following SELinux packages are installed on your system by default:
  • policycoreutils provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool, for operating and managing SELinux.
  • selinux-policy provides configuration for the SELinux Reference policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy; see the Tresys Technology SELinux Reference Policy page for further information. This package contains the selinux-policy.conf file and RPM macros.
  • selinux-policy-targeted provides the SELinux targeted policy.
  • libselinux provides an API for SELinux applications.
  • libselinux-utils provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, and setenforce utilities.
  • libselinux-python provides Python bindings for developing SELinux applications.
The following packages are not installed by default but can be optionally installed by running the dnf install <package-name> command:
  • selinux-policy-devel provides utilities for creating a custom SELinux policy and policy modules. It also contains manual pages that describe how to configure SELinux together with various services.
  • selinux-policy-mls provides the MLS (Multi-Level Security) SELinux policy.
  • setroubleshoot-server translates denial messages, produced when access is denied by SELinux, into detailed descriptions that can be viewed with the sealert utility, also provided in this package.
  • setools-console provides the Tresys Technology SETools distribution, a number of utilities and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management. The setools package is a meta-package for SETools. The setools-gui package provides the apol and seaudit utilities. The setools-console package provides the sechecker, sediff, seinfo, sesearch, and findcon command-line utilities. See the Tresys Technology SETools page for information about these utilities.
  • mcstrans translates levels, such as s0-s0:c0.c1023, to a form that is easier to read, such as SystemLow-SystemHigh.
  • policycoreutils-python provides utilities such as semanage, audit2allow, audit2why, and chcat, for operating and managing SELinux.
  • policycoreutils-gui provides system-config-selinux, a graphical utility for managing SELinux.