selinux_config(5)        SELinux configuration file        selinux_config(5)

NAME

       config - The SELinux sub-system configuration file.

DESCRIPTION

       The SELinux config file controls the state of SELinux regarding:

              1.  The policy enforcement status - enforcing, permissive or
                  disabled.

              2.  The policy name or type that forms a path to the policy to
                  be loaded and its supporting configuration files.

              3.  How local users and booleans will be managed when the
                  policy is loaded (note that this function was used by
                  older releases of SELinux and is now deprecated).

              4.  How SELinux-aware login applications should behave if no
                  valid SELinux users are configured.

              5.  Whether the system is to be relabeled or not.

       The entries controlling these functions are described in the FILE
       FORMAT section.

       The fully qualified path name of the SELinux configuration file is

       If the config file is missing or corrupt, then no SELinux policy is
       loaded (i.e. SELinux is disabled).

       The sestatus(8) command and the libselinux function selinux_path(3)
       will return the location of the config file.

FILE FORMAT

       The config file supports the following parameters:

              SELINUX = enforcing | permissive | disabled
              SELINUXTYPE = policy_name
              SETLOCALDEFS = 0 | 1
              REQUIREUSERS = 0 | 1
              AUTORELABEL = 0 | 1

       SELINUX
              This entry can contain one of three values:

                     enforcing
                         SELinux security policy is enforced.

                     permissive
                         SELinux security policy is not enforced but logs
                         the warnings (i.e. the action is allowed to

                     disabled
                         SELinux is disabled and no policy is loaded.

              The entry can be determined using the sestatus(8) command or

       SELINUXTYPE
              The policy_name entry is used to identify the policy type, and
              becomes the directory name of where the policy and its
              configuration files are located.

              The entry can be determined using the sestatus(8) command or

              The policy_name is relative to a path that is defined within
              the SELinux subsystem that can be retrieved by using
              selinux_path(3). An example entry retrieved by selinux_path(3)

              The policy_name is then appended to this and becomes the
              'policy root' location that can be retrieved by
              selinux_policy_root_path(3). An example entry retrieved is:

              The actual binary policy is located relative to this directory
              and also has a policy name pre-allocated. This information can
              be retrieved using selinux_binary_policy_path(3). An example
              entry retrieved by selinux_binary_policy_path(3) is:

              The binary policy name has by convention the SELinux policy
              version that it supports appended to it. The maximum policy
              version supported by the kernel can be determined using the
              sestatus(8) command or security_policyvers(3). An example
              binary policy file with the version is:

       SETLOCALDEFS
              This entry is deprecated and should be removed or set to 0.

              If set to 1, then selinux_mkload_policy(3) will read the local
              customization for booleans (see booleans(5)) and users (see

       REQUIREUSERS
              This optional entry can be used to fail a login if there is no
              matching or default entry in the seusers(5) file or if the
              seusers file is missing.

              It is checked by getseuserbyname(3) that is called by SELinux-
              aware login applications such as PAM(8).

              If set to 0 or the entry is missing:
                     getseuserbyname(3) will return the GNU/Linux user
                     name as the SELinux user.

              If set to 1:
                     getseuserbyname(3) will fail.

              The getseuserbyname(3) man page should be consulted for its
              use. The format of the seusers file is shown in seusers(5).

       AUTORELABEL
              This is an optional entry that allows the file system to be

              If set to 0 and there is a file called .autorelabel in the
              root directory, then on a reboot, the loader will drop to a
              shell where a root login is required. An administrator can
              then manually relabel the file system.

              If set to 1 or no entry present (the default) and there is a
              .autorelabel file in the root directory, then the file system
              will be automatically relabeled using fixfiles -F restore

              In both cases the /.autorelabel file will be removed so that
              relabeling is not done again.

EXAMPLE

       This example config file shows the minimum contents for a system to
       run SELinux in enforcing mode, with a policy_name of 'targeted':

              SELINUX = enforcing
              SELINUXTYPE = targeted
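
       The following checker is an added example, not part of the original
       manual page or of libselinux. It parses config text in the format
       shown above and reports entries a reviewer would question. The names
       parse_config and audit, the '#' comment handling, the optional
       whitespace around '=' and the path-separator check on policy_name
       are assumptions of this example.

```python
import re

# Allowed values, taken from the FILE FORMAT section above.
ALLOWED = {
    "SELINUX": {"enforcing", "permissive", "disabled"},
    "SETLOCALDEFS": {"0", "1"},
    "REQUIREUSERS": {"0", "1"},
    "AUTORELABEL": {"0", "1"},
}
ENTRY = re.compile(r"^\s*([A-Z]+)\s*=\s*(\S*)\s*$")
# Constructed sample input, not taken from a real system.
SAMPLE = """\
# constructed sample
SELINUX = permissive
SELINUXTYPE = targeted
SETLOCALDEFS = 1
AUTORELABEL = yes
"""

def parse_config(text):
    """Return (entries, problems). Assumption: '#' starts a comment line."""
    entries, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        name, value = m.groups() if m else (None, None)
        if m is None:
            problems.append(f"line {n}: not a NAME = value entry")
        elif name == "SELINUXTYPE" and value and "/" not in value and value not in (".", ".."):
            entries[name] = value  # policy_name becomes a directory name
        elif value in ALLOWED.get(name, ()):
            entries[name] = value
        else:
            problems.append(f"line {n}: bad entry {name} = {value!r}")
    return entries, problems

def audit(text):
    """Findings a reviewer would raise, using the semantics described above."""
    entries, findings = parse_config(text)
    if entries.get("SELINUX") != "enforcing":
        findings.append(f"SELINUX is {entries.get('SELINUX', 'not set')}: policy is not enforced")
    if "SELINUXTYPE" not in entries:
        findings.append("SELINUXTYPE not set: no policy_name to locate the policy")
    if entries.get("SETLOCALDEFS") == "1":
        findings.append("SETLOCALDEFS is 1: deprecated, remove or set to 0")
    if entries.get("REQUIREUSERS", "0") == "0":
        findings.append("REQUIREUSERS is 0 or missing: getseuserbyname(3) returns the Linux user name")
    return findings
```

       Run against the minimum config shown in this section, audit reports
       only the missing REQUIREUSERS entry.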

SEE ALSO

       selinux(8), sestatus(8), selinux_path(3),
       selinux_policy_root_path(3), selinux_binary_policy_path(3),
       getseuserbyname(3), PAM(8), fixfiles(8), selinux_mkload_policy(3),
       selinux_getpolicytype(3), security_policyvers(3),
       selinux_getenforcemode(3), seusers(5), booleans(5), local.users(5)

COLOPHON

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  This page was obtained from the
       project's upstream Git repository on 2017-03-13.

Security Enhanced Linux          18 Nov 2011               selinux_config(5)