SELinux(8) — Linux manual page


selinux(8)           SELinux Command Line documentation           selinux(8)

NAME         top

       SELinux - NSA Security-Enhanced Linux (SELinux)

DESCRIPTION         top

       NSA Security-Enhanced Linux (SELinux) is an implementation of a
       flexible mandatory access control architecture in the Linux operating
       system.  The SELinux architecture provides general support for the
       enforcement of many kinds of mandatory access control policies,
       including those based on the concepts of Type Enforcement®, Role-
       Based Access Control, and Multi-Level Security.  Background
       information and technical documentation about SELinux can be found at

       The /etc/selinux/config configuration file controls whether SELinux
       is enabled or disabled, and if enabled, whether SELinux operates in
       permissive mode or enforcing mode.  The SELINUX variable may be set
       to any one of disabled, permissive, or enforcing to select one of
       these options.  The disabled option completely disables the SELinux
       kernel and application code, leaving the system running without any
       SELinux protection.  The permissive option enables the SELinux code,
       but causes it to operate in a mode where accesses that would be
       denied by policy are permitted but audited.  The enforcing option
       enables the SELinux code and causes it to enforce access denials as
       well as auditing them.  Permissive mode may yield a different set of
       denials than enforcing mode, both because enforcing mode will prevent
       an operation from proceeding past the first denial and because some
       application code will fall back to a less privileged mode of
       operation if denied access.

       The /etc/selinux/config configuration file also controls what policy
       is active on the system.  SELinux allows for multiple policies to be
       installed on the system, but only one policy may be active at any
       given time.  At present, multiple kinds of SELinux policy exist:
       targeted, mls for example.  The targeted policy is designed as a
       policy where most user processes operate without restrictions, and
       only specific services are placed into distinct security domains that
       are confined by the policy.  For example, the user would run in a
       completely unconfined domain while the named daemon or apache daemon
       would run in a specific domain tailored to its operation.  The MLS
       (Multi-Level Security) policy is designed as a policy where all
       processes are partitioned into fine-grained security domains and
       confined by policy.  MLS also supports the Bell And LaPadula model,
       where processes are not only confined by the type but also the level
       of the data.

       You can define which policy you will run by setting the SELINUXTYPE
       environment variable within /etc/selinux/config.  You must reboot and
       possibly relabel if you change the policy type to have it take effect
       on the system.  The corresponding policy configuration for each such
       policy must be installed in the /etc/selinux/{SELINUXTYPE}/

       A given SELinux policy can be customized further based on a set of
       compile-time tunable options and a set of runtime policy booleans.
       system-config-selinux allows customization of these booleans and

       Many domains that are protected by SELinux also include SELinux man
       pages explaining how to customize their policy.

FILE LABELING         top

       All files, directories, devices ... have a security context/label
       associated with them.  These context are stored in the extended
       attributes of the file system.  Problems with SELinux often arise
       from the file system being mislabeled. This can be caused by booting
       the machine with a non SELinux kernel.  If you see an error message
       containing file_t, that is usually a good indicator that you have a
       serious problem with file system labeling.

       The best way to relabel the file system is to create the flag file
       /.autorelabel and reboot.  system-config-selinux, also has this
       capability.  The restorecon/fixfiles commands are also available for
       relabeling files.

AUTHOR         top

       This manual page was written by Dan Walsh <>.

FILES         top


SEE ALSO         top

       booleans(8), setsebool(8), sepolicy(8), system-config-selinux(8),
       togglesebool(8), restorecon(8), fixfiles(8), setfiles(8),
       semanage(8), sepolicy(8)

       Every confined service on the system has a man page in the following


       For example, httpd has the httpd_selinux(8) man page.

       man -k selinux

       Will list all SELinux man pages.

COLOPHON         top

       This page is part of the selinux (Security-Enhanced Linux user-space
       libraries and tools) project.  Information about the project can be
       found at ⟨⟩.  If you
       have a bug report for this manual page, see
       ⟨⟩.  This
       page was obtained from the project's upstream Git repository
       ⟨⟩ on 2020-08-13.  (At that
       time, the date of the most recent commit that was found in the repos‐
       itory was 2020-08-11.)  If you discover any rendering problems in
       this HTML version of the page, or you believe there is a better or
       more up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to                29 Apr 2005                      selinux(8)