Notes on SElinux: configuration

In fedora the SElinux set-up and configuration files live in /etc/selinux. Most of these are created or modified using SElinux administration tools such as "semanage" (we will look at these tools later) rather than edited by hand. In addition to the configuration files governing the overall SElinux set-up, the behaviour of the policy can also be tweaked without even looking at the policy rules themselves. This is done through booleans: on-off switches that enable or disable a particular rule or set of rules in the active policy, which the policy authors made conditional precisely so that they can be toggled at run time.

Configuration files

  • /etc/selinux/config The main configuration file where the key SElinux set-up is specified. The system and SElinux programs read this configuration through the main SElinux library (libselinux). Key variables in this file:
    • SELINUX - the mode the policy is loaded in: "enforcing", where SElinux is in full operation and operations the policy does not permit are denied (and logged); "permissive", where every operation is allowed but the ones that would have been denied are logged exactly as if they had been, which makes it the mode for debugging a policy rather than for running a production machine; "disabled", where no policy is loaded at all. Note that files created while SElinux is disabled get no labels, so going back to enforcing normally requires a full relabel at the next boot.
    • SELINUXTYPE - which policy under /etc/selinux to load (the default in desktop fedora is targeted)
  • /etc/selinux/[policy] One directory per installed policy, e.g. /etc/selinux/targeted for the targeted policy that is the default in desktop fedora.

Within the /etc/selinux/targeted directory (where the targeted policy is specified):

  • seusers The file that maps linux logins to SElinux identities. Generally there is a default identity (that all users not listed explicitly pick up), a root identity (that maps to the linux root user) and system_u, the identity given to processes started during the boot process.
  • setrans.conf The file that translates security levels and categories to human-readable forms. The default SElinux policy in fedora actually runs a Multi-Category Security (MCS) model on top of the type-enforcement MAC, so every context carries a level (such as s0, with an optional list of categories) as well as a user, role and type.
  • policy The directory containing the actual compiled policy (a single binary file, policy.NN, where NN is the version of the policy language it was built for). You can see what policy version the running kernel supports using the command (output shown on the line after the command):
    #cat /selinux/policyvers
    21
    (On current systems the selinuxfs pseudo-filesystem is mounted at /sys/fs/selinux rather than /selinux, so the file is /sys/fs/selinux/policyvers.)
  • contexts The directory containing all the default "contexts" on the system (see below)
  • modules The directory containing the active (and previous) modular policies that make up the current policy. Older versions of SElinux had a monolithic policy source that needed to be recompiled whenever any part of it was changed. Newer versions are modular: the complete policy is made up of a number of smaller compiled sub-policies called modules, which can be added and removed individually. We will look into modules more in later notes.
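As an added example (not part of the original notes), here is a small POSIX shell script of the kind an audit job would use to read the two variables out of /etc/selinux/config, handling comments, whitespace and quoting, and to check that the file asks for enforcing mode with the targeted policy. It also compares the configured mode with what the kernel is actually running, since "setenforce 0" changes the running mode without touching the file. The path of the config file is taken as an argument; getenforce, from libselinux, is only called if it is installed. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit /etc/selinux/config.
# Assumed: a KEY=value file in the format shown above; getenforce(8) from
# libselinux for the runtime comparison (skipped when it is not installed).

# Print the value of KEY from FILE. Comment lines are ignored, whitespace
# around "=" and surrounding quotes are stripped, and a trailing "# ..." on
# the value line is dropped. If the key appears more than once the last
# definition wins.
selinux_config_value() {
    awk -v key="$2" -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
            v = $2
            sub(/#.*/, "", v)
            gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", v)
            val = v
        }
        END { if (val != "") print val }' "$1"
}

# Succeed only when FILE requests enforcing mode with the targeted policy.
# Mode and type are compared case-insensitively, so the capitalised
# spellings used in these notes are accepted too.
selinux_config_check() {
    mode=$(selinux_config_value "$1" SELINUX | tr 'A-Z' 'a-z')
    ptype=$(selinux_config_value "$1" SELINUXTYPE | tr 'A-Z' 'a-z')
    printf 'config: SELINUX=%s SELINUXTYPE=%s\n' "${mode:-unset}" "${ptype:-unset}"
    [ "$mode" = enforcing ] && [ "$ptype" = targeted ]
}

# Compare the configured mode with the mode the kernel is running now.
# getenforce prints Enforcing, Permissive or Disabled; a mismatch usually
# means someone ran "setenforce 0" and nobody put it back.
selinux_runtime_drift() {
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "getenforce not installed; skipping runtime check"
        return 0
    fi
    configured=$(selinux_config_value "$1" SELINUX | tr 'A-Z' 'a-z')
    running=$(getenforce | tr 'A-Z' 'a-z')
    if [ "$configured" = "$running" ]; then
        echo "runtime mode matches config ($running)"
        return 0
    fi
    echo "DRIFT: config says $configured but the kernel is $running"
    return 1
}

# Usage: sh selinux-config-audit.sh /etc/selinux/config
if [ $# -gt 0 ]; then
    selinux_config_check "$1"
    selinux_runtime_drift "$1"
fi
```

Run it as root from cron or a configuration-management check; a non-zero exit from either function is the signal that the machine is not in the state the config file claims.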

Within the /etc/selinux/targeted/contexts directory (where all the default security contexts for the targeted policy are defined):

  • customizable_types This file lists the types that an administrator is expected to apply by hand to files and directories; restorecon and setfiles leave a file alone if it already carries one of these types (unless forced with -F), so labels chosen from this list are not undone by a routine relabel. For example, web files are labelled with the type httpd_sys_content_t, which is what allows the web server to read them. Suppose I want /var/html to be used as the default location for my web documents rather than /var/www (the default on fedora). After creating /var/html, this can be done with:
    #chcon -R -t httpd_sys_content_t /var/html
    This gives /var/html and all its subdirectories and files the type httpd_sys_content_t, which the policy allows the web server processes to access. Bear in mind that chcon only writes the label into the filesystem; it does not tell the policy that /var/html should carry this type, so a forced relabel (restorecon -F, or the full relabel that follows a period with SElinux disabled) resets the tree to whatever file_contexts says, which for /var/html is the generic var_t it inherits from the /var rule. To make such a change permanent it has to be registered as a file-context rule with semanage (covered in later notes) and then applied with restorecon.
  • files The directory containing the default security-context labelling for the entire standard fedora system (file_contexts), the default labelling for home directories (file_contexts.homedirs, generated by genhomedircon from homedir_template; genhomedircon locates the home directories on the system) and the default labelling of removable media such as cdroms (media).
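As an added example (not part of the original notes), the following POSIX shell script does the /var/html relabel above in the way that survives a relabel: it registers a file-context rule with semanage fcontext, applies it with restorecon, and then shows the label the policy expects next to the label the directory carries. It assumes policycoreutils (semanage, restorecon, matchpathcon) is installed and that it is run as root; the function names are mine and /var/html is just the directory used in these notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: give a new web root a
# label that survives relabelling. chcon writes the label straight into the
# filesystem and nothing else, so "restorecon -F" or a full relabel resets
# it to what file_contexts says. "semanage fcontext" records a rule in the
# policy store (file_contexts.local) and restorecon then applies it.
# Assumed: policycoreutils installed (semanage, restorecon, matchpathcon);
# root for the semanage and restorecon calls.

# Turn a directory into the file_contexts pattern semanage expects: the
# directory itself plus everything below it. file_contexts entries are
# regular expressions, not globs, so dots in the path are escaped.
fcontext_pattern() {
    dir=${1%/}                                     # drop a trailing slash
    escaped=$(printf '%s' "$dir" | sed 's/\./\\./g')
    printf '%s(/.*)?\n' "$escaped"
}

# Register TYPE (default httpd_sys_content_t) for DIR in the policy store
# and apply it to the tree now. "semanage fcontext -a" refuses a pattern
# that is already defined; use -m in that case to modify the existing rule.
label_persistent() {
    dir=$1
    ltype=${2:-httpd_sys_content_t}
    pattern=$(fcontext_pattern "$dir")
    semanage fcontext -a -t "$ltype" "$pattern" || return 1
    restorecon -Rv "$dir"
}

# Show what the policy now says the path should carry next to what the
# inode actually carries; the two should agree after label_persistent.
label_verify() {
    printf 'policy expects: '; matchpathcon "$1"
    printf 'on disk:        '; ls -dZ "$1"
}

# Usage: sh label-web-root.sh /var/html [type]
if [ $# -gt 0 ]; then
    label_persistent "$1" "${2:-}" && label_verify "$1"
fi
```

The pattern function is the part people most often get wrong: "/var/html" on its own only matches the directory, while "/var/html(/.*)?" covers the files beneath it, which is what the web server actually opens.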


The on-off boolean switches that tweak aspects of the active policy not only allow certain policy changes to be made on the fly, but also mean that a good number of administrators may never need to touch policy rules directly. The easiest way to see and change the booleans of the active policy is the graphical program system-config-securitylevel (it can be run from the fedora/gnome panel menu "System→Administration→Security level and firewall"). But we will get our hands dirty with the command line tools. To see all the booleans available, with their current values, use getsebool with the -a option (output shown after the command):

#getsebool -a
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
...

There are quite a few booleans and their names are not necessarily intuitive. Fortunately their names do contain the service they relate to, so you can look at all the boolean switches belonging to a single service using the standard command line tool grep:

#getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
...

Also, there are some useful man pages about appropriately setting booleans for a particular service. The command "man -k _selinux" lists a number of useful man pages to look at (e.g. ftpd_selinux, httpd_selinux, samba_selinux etc.).

Booleans are set with the command setsebool, which takes the boolean name and the value on or off. Without further options the change is made only to the running kernel, so at the next reboot the boolean returns to the value recorded in the policy store; with the -P option the new value is also written to the policy store and therefore persists across reboots. Because a boolean typically enables a whole group of rules (letting a daemon reach the network, say, or write into users' home directories), it is worth reading the relevant *_selinux man page before switching one on, and keeping the default "off" wherever the service does not actually need the access.
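As an added example (not part of the original notes), the following POSIX shell script turns the getsebool/setsebool steps above into a drift check: it parses the "name --> on" lines that getsebool -a prints, compares a chosen set of httpd booleans with the values you want, and optionally corrects them with setsebool -P. The boolean names in WANTED are the httpd ones mentioned in these notes and are assumed to exist in the loaded policy; the function names and the WANTED list are mine, and setsebool -P needs root.

```shell
#!/bin/sh
# Added example, not part of the original notes: compare a chosen set of
# booleans with their current values and correct any drift persistently.
# Assumed: the boolean names in WANTED exist in the loaded policy (they are
# httpd booleans from the era of these notes; adjust to what "getsebool -a"
# lists on your system); root for setsebool -P.

# Desired values, one name=value per line. Constructed for the example: all
# three widen what httpd may do, so the safe default is off.
WANTED='allow_httpd_anon_write=off
httpd_can_network_connect=off
httpd_enable_homedirs=off'

# stdin: the "name --> on" lines that getsebool -a prints.
# stdout: the same booleans as name=value, anything else dropped.
parse_booleans() {
    awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $1 "=" $3 }'
}

# $1: normalised actual state (output of parse_booleans). Prints one line
# for every wanted boolean that is missing or differs and returns 1 if
# there was any; silent and 0 when everything matches.
boolean_drift() {
    actual=$1
    report=$(printf '%s\n' "$WANTED" | while IFS='=' read -r name want; do
        have=$(printf '%s\n' "$actual" | awk -F= -v n="$name" '$1 == n { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING $name (not in the loaded policy?)"
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $name=$have want=$want"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Write every wanted value with -P so the policy store is updated as well
# as the running kernel; without -P the change is gone at the next reboot.
boolean_apply() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r name want; do
        setsebool -P "$name" "$want"
    done
}

# Usage: sh booleans.sh --check    report drift only
#        sh booleans.sh --fix      report drift, then apply WANTED
case ${1:-} in
    --check) boolean_drift "$(getsebool -a | parse_booleans)" && echo "no drift" ;;
    --fix)   boolean_drift "$(getsebool -a | parse_booleans)" || boolean_apply ;;
esac
```

Because the parser reads plain text, the same check can be run against getsebool output saved from another host, which is a cheap way to compare the boolean settings of a fleet against one known-good machine.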