selinux_config(5) — Linux manual page


selinux_config(5)      SELinux configuration file      selinux_config(5)

NAME         top

       config - The SELinux sub-system configuration file.

DESCRIPTION         top

       The SELinux config file controls the state of SELinux regarding:

              1.  The policy enforcement status - enforcing, permissive
                  or disabled.

              2.  The policy name or type that forms a path to the
                  policy to be loaded and its supporting configuration

              3.  How SELinux-aware login applications should behave if
                  no valid SELinux users are configured.

              4.  Whether the system is to be relabeled or not.

       The entries controlling these functions are described in the FILE
       FORMAT section.

       The fully qualified path name of the SELinux configuration file
       is /etc/selinux/config.

       If the config file is missing or corrupt, then no SELinux policy
       is loaded (i.e. SELinux is disabled).

       The sestatus (8) command and the libselinux function selinux_path
       (3) will return the location of the config file.

FILE FORMAT         top

       The config file supports the following parameters:

              SELINUX = enforcing | permissive | disabled
              SELINUXTYPE = policy_name
              REQUIRESEUSERS = 0 | 1
              AUTORELABEL = 0 | 1

              This entry can contain one of three values:

                         SELinux security policy is enforced.

                         SELinux security policy is not enforced but
                         logs the warnings (i.e. the action is allowed
                         to proceed).

                         No SELinux policy is loaded.  This option was
                         used to disable SELinux completely, which is
                         now deprecated.  Use the selinux=0 kernel boot
                         option instead (see selinux(8)).

              The entry can be determined using the sestatus(8) command
              or selinux_getenforcemode(3).

              The policy_name entry is used to identify the policy type,
              and becomes the directory name of where the policy and its
              configuration files are located.

              The entry can be determined using the sestatus(8) command
              or selinux_getpolicytype(3).

              The policy_name is relative to a path that is defined
              within the SELinux subsystem that can be retrieved by
              using selinux_path(3). An example entry retrieved by
              selinux_path(3) is:

              The policy_name is then appended to this and becomes the
              'policy root' location that can be retrieved by
              selinux_policy_root_path(3). An example entry retrieved

              The actual binary policy is located relative to this
              directory and also has a policy name pre-allocated. This
              information can be retrieved using
              selinux_binary_policy_path(3). An example entry retrieved
              by selinux_binary_policy_path(3) is:

              The binary policy name has by convention the SELinux
              policy version that it supports appended to it. The
              maximum policy version supported by the kernel can be
              determined using the sestatus(8) command or
              security_policyvers(3). An example binary policy file with
              the version is:

              This optional entry can be used to fail a login if there
              is no matching or default entry in the seusers(5) file or
              if the seusers file is missing.

              It is checked by getseuserbyname(3) that is called by
              SELinux-aware login applications such as PAM(8).

              If set to 0 or the entry missing:
                     getseuserbyname(3) will return the GNU / Linux user
                     name as the SELinux user.

              If set to 1:
                     getseuserbyname(3) will fail.

              The getseuserbyname(3) man page should be consulted for
              its use. The format of the seusers file is shown in

              This is an optional entry that allows the file system to
              be relabeled.

              If set to 0 and there is a file called .autorelabel in the
              root directory, then on a reboot, the loader will drop to
              a shell where a root login is required. An administrator
              can then manually relabel the file system.

              If set to 1 or no entry present (the default) and there is
              a .autorelabel file in the root directory, then the file
              system will be automatically relabeled using fixfiles -F

              In both cases the /.autorelabel file will be removed so
              that relabeling is not done again.

EXAMPLE         top

       This example config file shows the minimum contents for a system
       to run SELinux in enforcing mode, with a policy_name of

              SELINUX = enforcing
              SELINUXTYPE = targeted

SEE ALSO         top

       selinux(8), sestatus(8), selinux_path(3),
       selinux_policy_root_path(3), selinux_binary_policy_path(3),
       getseuserbyname(3), PAM(8), fixfiles(8),
       selinux_mkload_policy(3), selinux_getpolicytype(3),
       security_policyvers(3), selinux_getenforcemode(3), seusers(5)

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-
       space libraries and tools) project.  Information about the
       project can be found at 
       ⟨⟩.  If you have a
       bug report for this manual page, see
       This page was obtained from the project's upstream Git repository
       ⟨⟩ on 2023-12-22.  (At
       that time, the date of the most recent commit that was found in
       the repository was 2023-05-11.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there
       is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

Security Enhanced Linux        18 Nov 2011             selinux_config(5)

Pages that refer to this page: selinux_colors_path(3)customizable_types(5)default_contexts(5)default_type(5)failsafe_context(5)removable_context(5)securetty_types(5)selabel_db(5)selabel_file(5)selabel_media(5)selabel_x(5)service_seusers(5)seusers(5)user_contexts(5)virtual_domain_context(5)virtual_image_context(5)