selinux_config man page on Oracle

Man page or keyword search:  
man Server   33470 pages
apropos Keyword Search (all sections)
Output format
Oracle logo
[printable version]

selinux_config(5)	  SELinux configuration file	     selinux_config(5)

       config - The SELinux sub-system configuration file.

       The SELinux config file controls the state of SELinux regarding:

	      1.  The  policy  enforcement  status  - enforcing, permissive or

	      2.  The policy name or type that forms a path to the  policy  to
		  be loaded and its supporting configuration files.

	      3.  How local users and booleans will be managed when the policy
		  is loaded  (note  that  this	function  was  used  by	 older
		  releases of SELinux and is now deprecated).

	      4.  How  SELinux-aware  login  applications  should behave if no
		  valid SELinux users are configured.

	      5.  Whether the system is to be relabeled or not.

       The entries controlling these functions are described in the FILE  FOR‐
       MAT section.

       The  fully  qualified  path  name  of the SELinux configuration file is

       If the config file is missing or corrupt, then  no  SELinux  policy  is
       loaded (i.e. SELinux is disabled).

       The  sestatus  (8) command and the libselinux function selinux_path (3)
       will return the location of the config file.

       The config file supports the following parameters:

	      SELINUX = enforcing | permissive | disabled
	      SELINUXTYPE = policy_name
	      SETLOCALDEFS = 0 | 1
	      REQUIREUSERS = 0 | 1
	      AUTORELABEL = 0 | 1

	      This entry can contain one of three values:

			 SELinux security policy is enforced.

			 SELinux security policy is not enforced but logs  the
			 warnings (i.e. the action is allowed to proceed).

			 SELinux is disabled and no policy is loaded.

	      The  entry  can  be  determined using the sestatus(8) command or

	      The policy_name entry is used to identify the policy  type,  and
	      becomes  the directory name of where the policy and its configu‐
	      ration files are located.

	      The entry can be determined using	 the  sestatus(8)  command  or

	      The policy_name is relative to a path that is defined within the
	      SELinux	subsystem   that   can	 be   retrieved	   by	 using
	      selinux_path(3).	An  example entry retrieved by selinux_path(3)

	      The policy_name is then appended to this and becomes the 'policy
	      root'   location	 that	can   be   retrieved  by  selinux_pol‐
	      icy_root_path(3). An example entry retrieved is:

	      The actual binary policy is located relative to  this  directory
	      and  also	 has a policy name pre-allocated. This information can
	      be retrieved  using  selinux_binary_policy_path(3).  An  example
	      entry retrieved by selinux_binary_policy_path(3) is:

	      The binary policy name has by convention the SELinux policy ver‐
	      sion that it supports appended to it. The maximum policy version
	      supported	 by the kernel can be determined using the sestatus(8)
	      command or security_policyvers(3). An example binary policy file
	      with the version is:

	      This entry is deprecated and should be removed or set to 0.

	      If  set  to 1, then selinux_mkload_policy(3) will read the local
	      customization for booleans  (see	booleans(5))  and  users  (see

	      This  optional  entry can be used to fail a login if there is no
	      matching or default entry in  the	 seusers(5)  file  or  if  the
	      seusers file is missing.

	      It  is  checked by getseuserbyname(3) that is called by SELinux-
	      aware login applications such as PAM(8).

	      If set to 0 or the entry missing:
		     getseuserbyname(3) will return the GNU / Linux user  name
		     as the SELinux user.

	      If set to 1:
		     getseuserbyname(3) will fail.

	      The getseuserbyname(3) man page should be consulted for its use.
	      The format of the seusers file is shown in seusers(5).

	      This is an optional entry that allows  the  file	system	to  be

	      If  set to 0 and there is a file called .autorelabel in the root
	      directory, then on a reboot, the loader will  drop  to  a	 shell
	      where  a root login is required. An administrator can then manu‐
	      ally relabel the file system.

	      If set to 1 or no entry present (the default)  and  there	 is  a
	      .autorelabel  file  in  the root directory, then the file system
	      will be automatically relabeled using fixfiles -F restore

	      In both cases the /.autorelabel file will	 be  removed  so  that
	      relabeling is not done again.

       This example config file shows the minimum contents for a system to run
       SELinux in enforcing mode, with a policy_name of 'targeted':

	      SELINUX = enforcing
	      SELINUXTYPE = targeted

       selinux(8), sestatus(8), selinux_path(3),  selinux_policy_root_path(3),
       selinux_binary_policy_path(3), getseuserbyname(3), PAM(8), fixfiles(8),
       selinux_mkload_policy(3),   selinux_getpolicytype(3),	security_poli‐
       cyvers(3),    selinux_getenforcemode(3),	   seusers(5),	  booleans(5),

Security Enhanced Linux		  18 Nov 2011		     selinux_config(5)

List of man pages available for Oracle

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net