Section 13.3. Summary


  • The /etc/selinux/config file controls which policy is active (that is, will be loaded during boot and used by system utilities). This file also controls the default state of SELinux during boot: enforcing (normal), permissive, and disabled.

  • Installed policies and their support files are stored in /etc/selinux/[policyname]/. For example, the default targeted policy in FC4 is stored in /etc/selinux/targeted/. Besides the actual binary policy file, this directory contains a number of files that are used by system utilities to manage portions of the policy (for example, users) or object labeling decisions. If installed, this directory also contains the policy sources.

  • SELinux exposes userspace interfaces to the SELinux LSM module as a pseudo-filesystem that is usually mounted on /selinux/. Most of the files in this filesystem back APIs in the libselinux library.

  • The SELinux generic user, user_u, provides a means to add users to an SELinux system without having to add them to the policy. user_u defines permissions and role authorization for normal, unprivileged users. To add a privileged administrator user, you must add it to the policy by editing the active policy's local.users file and reloading the policy.

  • SELinux produces two types of audit messages: general and AVC. General audit messages record events relating to system initialization, policy load, and Boolean value changes. AVC messages (by far the most common) record access denial and allowance events.

  • In general, file security context labels should not require maintenance on a running production system. However, if the policy is updated or you are using a development/experimental system, you may need to manually fix or repair object labeling. SELinux provides four commands to aid in this task: chcon(8), restorecon(8), setfiles(8), and fixfiles(8). (See Appendix D for a description of these commands.)
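The distinction between general and AVC audit messages above is the basis of routine SELinux log triage. The following added example (not code from the book) separates the two kinds over constructed audit records in audit.log style and aggregates denials by source type, target type and object class; the sample lines, the record type names used for general events (MAC_POLICY_LOAD, MAC_CONFIG_CHANGE, MAC_STATUS) and the exact field layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the book); field layout assumes the
# Linux audit daemon's audit.log format for SELinux messages.
SAMPLE_LOG = """\
type=AVC msg=audit(1172345678.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1172345679.456:46): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/alice/public_html" dev=sda1 ino=5670 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1172345680.789:47): avc:  granted  { setenforce } for  pid=2001 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=MAC_POLICY_LOAD msg=audit(1172345681.000:48): policy loaded auid=0 ses=1
type=MAC_CONFIG_CHANGE msg=audit(1172345682.000:49): bool=httpd_enable_homedirs val=1 old_val=0 auid=0 ses=1
type=MAC_STATUS msg=audit(1172345683.000:50): enforcing=0 old_enforcing=1 auid=0 ses=1
"""

# An AVC message carries the decision, the permission set, and the source/target contexts.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# General messages: policy load, Boolean change, enforcing-mode change (assumed type names).
GENERAL_TYPES = {"MAC_POLICY_LOAD", "MAC_CONFIG_CHANGE", "MAC_STATUS"}

def parse_record(line):
    """Classify one audit record as 'avc' or 'general' and pull out its key fields."""
    rtype = re.match(r"type=(\S+)", line).group(1)
    if rtype == "AVC":
        m = AVC_RE.search(line)
        if not m:
            return None
        return {"kind": "avc", "result": m["result"], "perms": m["perms"].split(),
                "scontext": m["scontext"], "tcontext": m["tcontext"], "tclass": m["tclass"]}
    if rtype in GENERAL_TYPES:
        # Everything after "msg=audit(...): " is a sequence of key=value fields.
        fields = dict(re.findall(r"(\w+)=(\S+)", line.split("): ", 1)[1]))
        return {"kind": "general", "event": rtype, "fields": fields}
    return None

def summarize(log_text):
    """Count denied permissions per (source type, target type, class); collect general events."""
    denials, general = Counter(), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["kind"] == "general":
            general.append(rec)
        elif rec["result"] == "denied":
            src = rec["scontext"].split(":")[2]  # type is the third field of a context
            tgt = rec["tcontext"].split(":")[2]
            denials[(src, tgt, rec["tclass"])] += len(rec["perms"])
    return denials, general

if __name__ == "__main__":
    denials, general = summarize(SAMPLE_LOG)
    for (src, tgt, cls), n in denials.most_common():
        print(f"{n:3d} denied  {src} -> {tgt} ({cls})")
    for rec in general:
        print(f"general: {rec['event']} {rec['fields']}")
```

A denial pair such as httpd_t accessing user_home_t is the kind of result that points either to mislabeled files (fix with restorecon) or to a Boolean such as the one toggled in the sample, rather than to a policy edit.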


SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154