And if you cannot access a system with selinux installed, here is the selinux man page from CentOS:
selinux(8) SELinux Command Line documentation selinux(8)
selinux - NSA Security-Enhanced Linux (SELinux)
NSA Security-Enhanced Linux (SELinux) is an implementation of a flexible manda-
tory access control architecture in the Linux operating system. The SELinux
architecture provides general support for the enforcement of many kinds of manda-
tory access control policies, including those based on the concepts of Type
Enforcement¬Æ, Role- Based Access Control, and Multi-Level Security. Background
information and technical documentation about SELinux can be found at
The /etc/selinux/config configuration file controls whether SELinux is enabled or
disabled, and if enabled, whether SELinux operates in permissive mode or enforc-
ing mode. The SELINUX variable may be set to any one of disabled, permissive, or
enforcing to select one of these options. The disabled option completely dis-
ables the SELinux kernel and application code, leaving the system running without
any SELinux protection. The permissive option enables the SELinux code, but
causes it to operate in a mode where accesses that would be denied by policy are
permitted but audited. The enforcing option enables the SELinux code and causes
it to enforce access denials as well as auditing them. Permissive mode may yield
a different set of denials than enforcing mode, both because enforcing mode will
prevent an operation from proceeding past the first denial and because some
application code will fall back to a less privileged mode of operation if denied
The /etc/selinux/config configuration file also controls what policy is active on
the system. SELinux allows for multiple policies to be installed on the system,
but only one policy may be active at any given time. At present, two kinds of
SELinux policy exist: targeted and strict. The targeted policy is designed as a
policy where most processes operate without restrictions, and only specific ser-
vices are placed into distinct security domains that are confined by the policy.
For example, the user would run in a completely unconfined domain while the named
daemon or apache daemon would run in a specific domain tailored to its operation.
The strict policy is designed as a policy where all processes are partitioned
into fine-grained security domains and confined by policy. It is anticipated in
the future that other policies will be created (Multi-Level Security for exam-
ple). You can define which policy you will run by setting the SELINUXTYPE envi-
ronment variable within /etc/selinux/config. The corresponding policy configura-
tion for each such policy must be installed in the /etc/selinux/SELINUXTYPE/
A given SELinux policy can be customized further based on a set of compile-time
tunable options and a set of runtime policy booleans. system-config-selinux
allows customization of these booleans and tunables.
Many domains that are protected by SELinux also include selinux man pages
explainging how to customize their policy.
All files, directories, devices ... have a security context/label associated with
them. These context are stored in the extended attributes of the file system.
Problems with SELinux often arise from the file system being mislabeled. This can
be caused by booting the machine with a non selinux kernel. If you see an error
message containing file_t, that is usually a good indicator that you have a seri-
ous problem with file system labeling.
The best way to relabel the file system is to create the flag file /.autorelabel
and reboot. system-config-selinux, also has this capability. The restorcon/fix-
files commands are also available for relabeling files.
This manual page was written by Dan Walsh .
booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8),
setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8),
httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8),
email@example.com 29 Apr 2005 selinux(8)