
Userspace Packages

Stephen Smalley edited this page Jun 20, 2025 · 9 revisions

While the kernel changes to Linux are the basis of SELinux, there are a few userspace packages that are specific to SELinux and there are a few system applications that must be modified to properly set SELinux security contexts. A number of additional applications can provide additional security or help maintain a SELinux system if modified to take advantage of the SELinux kernel features.

The userspace packages that are specific to SELinux are included in the userspace SELinux releases.

Userland Packages Specific to SELinux

  • libsepol is the binary policy manipulation library. It doesn't depend upon or use any of the other components.

  • checkpolicy is the SELinux policy compiler (for the original SELinux policy.conf language). It uses libsepol to generate the binary policy. checkpolicy uses the static libsepol since it deals with low level details of the policy that have not been encapsulated/abstracted by a proper shared library interface.

  • secilc is the SELinux Common Intermediate Language (CIL) compiler. Like checkpolicy, it uses libsepol to generate the binary policy, but unlike checkpolicy, it can use the shared library.

  • libselinux is the runtime SELinux library that provides interfaces (e.g. library functions for the SELinux kernel APIs like getcon(), other support functions like getseuserbyname()) to SELinux-aware applications. libselinux may use the shared libsepol to manipulate the binary policy if necessary (e.g. to downgrade the policy format to an older version supported by the kernel) when loading policy.

  • libsemanage is the policy management library. It uses libsepol for binary policy manipulation and libselinux for interacting with the SELinux system. It also exec's helper programs for loading policy and for checking whether the file_contexts configuration is valid (load_policy and setfiles, respectively, from policycoreutils).

  • sepolgen is a python module/library that forms the core of the audit2allow and sepolicy programs.

  • policycoreutils is a collection of policy utilities (originally the "core" set of utilities needed to use SELinux, although it has grown a bit over time), which have different dependencies. sestatus, secon, run_init, and newrole only use libselinux. load_policy and setfiles only use libselinux and libsepol. semodule and semanage use libsemanage (and thus bring in dependencies on libsepol and libselinux as well). setsebool uses libselinux to make non-persistent boolean changes (via the kernel interface) and uses libsemanage to make persistent boolean changes.

  • The python-based modules and utilities deemed non-essential to base SELinux operation were later migrated from policycoreutils to a separate selinux-python package upstream, with some distributions like Fedora instead splitting them up into python3-policycoreutils, policycoreutils-python-utils, and policycoreutils-devel depending on the particular component.

  • The set of semodule utility programs that are only required on development systems were likewise later migrated to a separate semodule-utils package upstream, with some distributions like Fedora leaving them in policycoreutils.

  • mcstrans is a label translation daemon to support MLS systems, originally contributed by Joe Nall. It links with the static libsepol in order to leverage private data structures and functions for efficient mapping of category sets. mcstrans is only required when one needs to translate between the internal SELinux MCS/MLS labels and human-readable labels.

  • selinux-gui provides a GUI for managing SELinux, originally contributed by Red Hat. This is generally unnecessary since one can use semanage and other command-line utilities or can use cockpit-selinux for management. Fedora packages this as policycoreutils-gui.

  • selinux-dbus provides a D-Bus-based service and configuration for managing SELinux, likewise originally contributed by Red Hat. This is also generally unnecessary. Fedora packages this as policycoreutils-dbus.

  • selinux-sandbox provides a SELinux-based sandbox originally contributed by Red Hat. This is optional. Fedora packages this as policycoreutils-sandbox.
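The libselinux and setsebool entries above describe the runtime library as a wrapper around kernel interfaces (getcon() for the process context, the selinuxfs interface for enforcing mode and booleans). The C program below is an added example, not code from this wiki or from libselinux, that shows what an SELinux-aware application actually receives from those interfaces by reading them directly: the process label from /proc/self/attr/current and the enforcing flag from /sys/fs/selinux/enforce (both assumed to be at their standard locations). The struct secctx, parse_context, selinux_enforce_mode and get_current_context names are the example's own, and the sample context strings in the comments are constructed.

```c
/* Added example, not part of the SELinux wiki or of libselinux. It reads the
 * kernel interfaces that libselinux's getcon() and security_getenforce() wrap.
 * Assumptions: selinuxfs mounted at /sys/fs/selinux, process label exposed at
 * /proc/self/attr/current (both standard on SELinux kernels). */
#include <stdio.h>
#include <string.h>

#define CTX_MAX 256

/* One SELinux security context split into its fields. */
struct secctx {
    char user[CTX_MAX];
    char role[CTX_MAX];
    char type[CTX_MAX];
    char range[CTX_MAX];   /* empty when the policy carries no MLS/MCS range */
};

/* Read a small kernel attribute file; strips the trailing newline.
 * Returns 0 on success, -1 if the file is absent, unreadable or empty. */
static int read_attr(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    if (got == 0)
        return -1;   /* e.g. EINVAL from /proc/self/attr/current on non-SELinux kernels */
    buf[got] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Split "user:role:type[:range]" (constructed sample:
 * "system_u:system_r:sshd_t:s0-s0:c0.c1023"). Everything after the third
 * colon is the range, so "s0-s0:c0.c1023" survives intact. Returns the number
 * of fields found (3 or 4), or 0 if the string is not a well-formed context. */
int parse_context(const char *ctx, struct secctx *out)
{
    char *fields[3] = { out->user, out->role, out->type };
    const char *p = ctx;

    memset(out, 0, sizeof *out);
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || len >= CTX_MAX)
            return 0;                   /* empty or oversized field */
        memcpy(fields[i], p, len);
        fields[i][len] = '\0';
        if (!colon)
            return i == 2 ? 3 : 0;      /* string ended: fine only after the type */
        p = colon + 1;
    }
    if (*p == '\0' || strlen(p) >= CTX_MAX)
        return 0;                       /* trailing colon with no range */
    strcpy(out->range, p);
    return 4;
}

/* -1: SELinux not enabled (no selinuxfs), 0: permissive, 1: enforcing. */
int selinux_enforce_mode(void)
{
    char buf[8];
    if (read_attr("/sys/fs/selinux/enforce", buf, sizeof buf) < 0)
        return -1;
    return buf[0] == '1' ? 1 : 0;
}

/* Equivalent of getcon(): fills out with the calling process's context.
 * Returns 0 on success, -1 if no SELinux context is available. */
int get_current_context(struct secctx *out)
{
    char buf[CTX_MAX * 4];
    if (read_attr("/proc/self/attr/current", buf, sizeof buf) < 0)
        return -1;
    /* a value such as "unconfined" from another LSM fails to parse */
    return parse_context(buf, out) ? 0 : -1;
}

int main(void)
{
    struct secctx c;
    int mode = selinux_enforce_mode();

    if (mode < 0)
        puts("SELinux is not enabled on this kernel (no /sys/fs/selinux/enforce)");
    else
        printf("SELinux mode: %s\n", mode ? "enforcing" : "permissive");

    if (get_current_context(&c) == 0)
        printf("process context: user=%s role=%s type=%s range=%s\n",
               c.user, c.role, c.type, c.range[0] ? c.range : "(none)");
    else
        puts("no SELinux process context available");
    return 0;
}
```

On a host without SELinux both reads fail and the program says so rather than inventing a context. The parser deliberately stops splitting after the type field, because an MLS/MCS range such as s0-s0:c0.c1023 contains its own colons and a naive split on ':' would produce five or more fields.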

Userspace Packages with modifications for SELinux

You can use your favorite package manager to query for all the packages that depend on libselinux as an approximation of which ones have been modified for SELinux. For example, on Fedora, you can run the following command:

sudo dnf repoquery --disablerepo=\* --enablerepo=fedora --whatrequires='libselinux.so.1()(64bit)' --qf '%{sourcerpm}\n'

A historical list of userspace packages modified for SELinux is below, but this list is quite out of date so it mostly serves to document why specific programs were modified for SELinux originally. Use a command like the one above to check for an up-to-date list.

  • SysVinit, systemd, or other init programs - load initial policy, set enforcing mode
  • pam - set security context for user sessions, check SELinux permissions for privileged operations
  • util-linux - preserve security contexts on /etc/shadow, check SELinux permissions
  • openssh - set security context for user sessions
  • cron - set security context for cron jobs, check SELinux permissions
  • sudo - set security context
  • shadow-utils - preserve security context on /etc/shadow
  • libuser - preserve security context on /etc/shadow, check permission
  • passwd - preserve security context on /etc/shadow, check permission
  • logrotate - preserve security context on logs
  • coreutils - get and set process and file security contexts
  • findutils - find files with specific security contexts or display them
  • procps - display process contexts
  • psmisc - display process contexts
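Several entries in the list above (shadow-utils, libuser, passwd, logrotate) exist because the program rewrites a file by writing a temporary copy and renaming it over the original, and the new inode receives whatever label the policy assigns to new files in that directory rather than the original's label. The C program below is an added example, not code from this wiki or from any of those packages, of the "preserve security context" pattern: it copies the security.selinux extended attribute (the storage behind libselinux's getfilecon()/setfilecon()) onto the temporary file before the rename and aborts, leaving the original untouched, if that copy fails. It assumes a Linux host; the function names, the /tmp demo path and the file contents are the example's own constructions, and ownership/mode copying is left out so the label stays the focus.

```c
/* Added example, not code from the SELinux wiki, shadow-utils or passwd.
 * Demonstrates the "preserve security context on /etc/shadow" change: copy the
 * original's label (the security.selinux xattr) onto the temporary file before
 * renaming it into place. Assumptions: a Linux host; on a filesystem or kernel
 * without SELinux labels the copy is reported as skipped, not as an error. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

#define SELINUX_XATTR "security.selinux"

/* Copy src's SELinux label onto dst. Returns 0 if copied, 1 if src has no
 * label (nothing to preserve), -1 on any other error with errno set. */
int preserve_context(const char *src, const char *dst)
{
    char label[256];
    ssize_t len = getxattr(src, SELINUX_XATTR, label, sizeof label);

    if (len < 0)
        return (errno == ENODATA || errno == ENOTSUP) ? 1 : -1;
    if (setxattr(dst, SELINUX_XATTR, label, (size_t)len, 0) < 0)
        return -1;      /* e.g. EACCES: policy denies relabelfrom/relabelto */
    return 0;
}

/* Replace path with new_contents via temp file + rename, keeping the
 * original's label. Returns 0 (label copied), 1 (original unlabeled) or -1;
 * on -1 the original is left untouched and the temporary file is removed. */
int replace_file_preserving_context(const char *path, const char *new_contents)
{
    char tmp[4096];
    int rc = -1;
    size_t len = strlen(new_contents);

    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    /* O_EXCL: never follow or reuse a pre-existing temporary file */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, new_contents, len) == (ssize_t)len)
        rc = preserve_context(path, tmp);   /* label it before it becomes visible */
    close(fd);
    if (rc >= 0 && rename(tmp, path) == 0)
        return rc;
    unlink(tmp);        /* abort rather than install a mislabeled file */
    return -1;
}

/* Small reader used to show the result; returns bytes read or -1. */
long read_small_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (long)got;
}

int main(void)
{
    /* constructed demo file; a real caller would pass /etc/shadow */
    const char *path = "/tmp/selinux_preserve_demo.txt";
    char buf[64];
    FILE *f = fopen(path, "w");
    if (!f || fputs("old contents\n", f) == EOF) {
        perror("setup");
        return 1;
    }
    fclose(f);

    int rc = replace_file_preserving_context(path, "new contents\n");
    if (rc < 0)
        perror("replace_file_preserving_context");
    else if (read_small_file(path, buf, sizeof buf) > 0)
        printf("rewritten (%s): %s", rc == 0 ? "label copied" : "no label to copy", buf);
    unlink(path);
    return rc < 0;
}
```

The defensive point is the failure branch: if the label cannot be copied, the rename never happens, because a mislabeled /etc/shadow is worse than an un-updated one. On a host without SELinux, getxattr() reports ENODATA or ENOTSUP and the rewrite proceeds with return value 1, so the same code works on labeled and unlabeled systems.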
