Chapter 5. Working with SELinux
The following sections give a brief overview of the main SELinux packages in Fedora 10; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount
command; mounting NFS file systems; and how to preserve SELinux contexts when copying and archiving files and directories.
In Fedora 10, the SELinux packages are installed by default unless they are manually excluded during installation. By default, SELinux targeted policy is used, and SELinux runs in enforcing mode. The following is a brief description of the main SELinux packages:
policycoreutils: provides utilities, such as semanage
, restorecon
, audit2allow
, semodule
, load_policy
, and setsebool
, for operating and managing SELinux.
policycoreutils-gui: provides system-config-selinux
, a graphical tool for managing SELinux.
selinux-policy: provides the SELinux Reference Policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy. Refer to the Tresys Technology SELinux Reference Policy page for further information. The selinux-policy-devel package provides development tools, such as /usr/share/selinux/devel/policygentool
and /usr/share/selinux/devel/policyhelp
, as well as example policy files. This package was merged into the selinux-policy package.
selinux-policy-policy
: provides SELinux policies. For targeted policy, install selinux-policy-targeted. For MLS, install selinux-policy-mls. In Fedora 8, the strict policy was merged into targeted policy, allowing confined and unconfined users to co-exist on the same system.
setroubleshoot-server: translates denial messages, produced when access is denied by SELinux, into detailed descriptions that are viewed with sealert
(which is provided by this package).
setroubleshoot: a graphical user interface for viewing denials that are translated by setroubleshoot-server.
setools, setools-gui, and setools-console: these packages provide the Tresys Technology SETools distribution, a number of tools and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management[8]. The setools package is a meta-package for SETools. The setools-gui package provides the apol
, seaudit
, and sediffx
tools. The setools-console package provides the seaudit-report
, sechecker
, sediff
, seinfo
, sesearch
, findcon
, replcon
, and indexcon
command line tools. Refer to the Tresys Technology SETools page for information about these tools.
libselinux-utils: provides the avcstat
, getenforce
, getsebool
, matchpathcon
, selinuxconlist
, selinuxdefcon
, selinuxenabled
, setenforce
, togglesebool
tools.
mcstrans: translates levels, such as s0-s0:c0.c1023
, to an easier to read form, such as SystemLow-SystemHigh
. This package is not installed by default.
To install packages in Fedora 10, as the Linux root user, run the yum install
command. For example, to install the mcstrans package, run the package-name
yum install mcstrans
command. To upgrade all installed packages in Fedora 10, run the yum update
command.
Refer to Managing Software with yum[9] for further information about using yum
to manage packages.
In previous versions of Fedora, the selinux-policy-devel package is required when making a local policy module with audit2allow -M
.