Section 9.17. SELinux Options



These options change some fundamental aspects of SELinux startup.


Set the initial checkreqprot flag value.


checkreqprot=[0|1]

Set the initial checkreqprot flag value. 0 means that SELinux checks the protection that the kernel will actually apply, including any implied execute protection. 1 means that SELinux checks the protection requested by the application. The default value is set by a kernel configuration option.

The value can be changed at runtime via the /selinux/checkreqprot file.


Set the initial enforcing status.


enforcing=[0|1]

Specify whether SELinux enforces its rules upon boot. 0 means that SELinux will just log policy violations but will not deny access to anything. 1 means that the enforcement will be fully enabled with denials as well as logging. The default value is 0.

The value can be changed at runtime via the /selinux/enforce file.


Enable or disable SELinux at boot time.


selinux=[0|1]

This option allows SELinux to be enabled (1) or disabled (0) at boot time. The default value is set by a kernel configuration option.

If SELinux is enabled at boot time, the /selinux/disable file can be used later to disable it prior to the initial policy load.


Set the network control model.


selinux_compat_net=[0|1]

Set the initial value for the SELinux network control model. 0 uses the new secmark-based packet controls, and 1 uses the legacy packet controls. 0 is the default and preferred value.

This value can be changed at runtime via the /selinux/compat_net file.
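
The following script is an added example, not code from the book: it audits a kernel command line for the four options in this section and reports the values that weaken SELinux. The function names, the sample command line, and the rule that a repeated option takes its last value are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the book): flag SELinux boot options that weaken
# enforcement. Only options explicitly present are checked; absent options
# fall back to the defaults described in the section.

# last_value NAME CMDLINE: print the value of the last NAME=value token.
# Assumption: when an option is repeated, the later occurrence takes effect.
last_value() {
    printf '%s\n' "$2" | tr -s ' \t' '\n' |
        awk -F= -v n="$1" '$1 == n { v = $2 } END { print v }'
}

# audit_cmdline CMDLINE: print one WARN line per weakening option found.
audit_cmdline() {
    # Table columns: option | weakening value | effect, per the text above.
    while IFS='|' read -r opt bad why; do
        if [ "$(last_value "$opt" "$1")" = "$bad" ]; then
            echo "WARN $opt=$bad: $why"
        fi
    done <<'EOF'
selinux|0|SELinux is disabled at boot
enforcing|0|violations are logged but nothing is denied
checkreqprot|1|checks use the protection requested by the application
selinux_compat_net|1|legacy packet controls are used instead of secmark
EOF
}

# Constructed sample command line (root device and values are made up).
SAMPLE='ro root=/dev/sda1 quiet selinux=1 enforcing=0 checkreqprot=1'
audit_cmdline "$SAMPLE"

# Audit the running kernel when its command line is readable.
if [ -r /proc/cmdline ]; then
    audit_cmdline "$(cat /proc/cmdline)"
fi
```
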



Linux Kernel in a Nutshell
ISBN: 0596100795
Year: 2004
Pages: 113
