SELinux Contexts

SELinux depends on a set of labels to make access decisions. So when your system is installed with SELinux, the whole file system is labeled, and every file/object has an SELinux context described as the 4-tuple:

(user,role,type,range)

So every file, directory, stream, port … within your system has its own context, and the SELinux rules define which user may take which role to access which type.

When using the targeted policy, you only need to understand the user and type fields of the 4-tuple context.

SELinux users are not the same as the users you log in with: many Linux users may map to the same SELinux user in their context.

Let’s get our hands on SELinux contexts:

  • Check SELinux context

The -Z switch displays the SELinux context of your files, processes, ports…

For example:

To check the SELinux context of a file or directory, use:

ls -lZ


To check the SELinux context of a currently running process, for example apache:

ps -efZ | grep [h]ttpd


The wonderful semanage command:

I use the semanage command to view and manage SELinux contexts. As I’m working with CentOS 6, it wasn’t already installed:

Check which package provides the semanage command:

[root@sar ~]# yum provides *bin/semanage
updates | 3.4 kB 00:00
updates/primary_db | 3.5 MB 00:30
updates/filelists_db | 2.2 MB 00:05
policycoreutils-python-2.0.83-19.39.el6.i686 : SELinux policy core python
: utilities
Repo : base
Matched from:
Filename : /usr/sbin/semanage


Install it with:

[root@sar ~]# yum -y install policycoreutils-python


Now let’s try some of semanage options:

Discover the mapping between Linux users and SELinux users:

# semanage login -l


Context of a port, for example the http ports:

# semanage port -l | grep http


To list the context of some files, use semanage as follows and grep for the name of your files:

# semanage fcontext -l | grep drupal


  • Change and modify SELinux contexts:


Commands like chcon and semanage allow you to alter SELinux contexts easily.

If you are just testing a new update, use chcon for temporary changes: -t for the type, -u for the user… man chcon will do for the rest 🙂 :

# chcon -t httpd_user_content_t /home/setuto/www

Changes made with chcon are not persistent: if you relabel your file system or run restorecon, you will lose them.

 

If you want persistent changes, use the semanage command instead. It writes your changes into the SELinux configuration files, so they survive a relabel.

For example, use semanage fcontext with the appropriate switch, -a to add and -d to delete, to change a file’s context.

Here we change the type of the directory /home/setuto/www from user_home_t to httpd_user_content_t:

# semanage fcontext -a -t httpd_user_content_t /home/setuto/www


Observe that semanage fcontext only records the new mapping; the context on disk doesn’t change until you run restorecon.

The restorecon command is very useful: it resets contexts, including those modified by chcon, to whatever is recorded in the SELinux configuration files.

To compare the current context of a file with its default one, use the matchpathcon command with the filename (matchpathcon -V reports whether the on-disk context matches the default).
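As an added example, not part of the original post, here is a small Python script that parses the user:role:type:range 4-tuple out of ls -lZ (or ps -eZ) output and lists the entries whose type is not the one expected for the web root, the same check you would otherwise do by eye or with matchpathcon -V. The sample ls -lZ lines are constructed, not real output from the post.

```python
import re
from typing import List, NamedTuple, Optional

# A context is user:role:type[:range]. The range is absent on policies without
# MLS/MCS and may itself contain colons (e.g. s0-s0:c0.c1023), so it is captured
# as "everything after the type". Reference-policy users end in _u, roles in _r,
# types in _t, which is what the pattern relies on.
CONTEXT_RE = re.compile(r"(?<!\S)(\w+_u):(\w+_r):(\w+_t)(?::(\S+))?")


class Context(NamedTuple):
    user: str
    role: str
    type: str
    range: Optional[str]


def parse_context(text: str) -> Context:
    """Return the first SELinux context found in a line of ls -Z or ps -eZ output."""
    m = CONTEXT_RE.search(text)
    if m is None:
        raise ValueError(f"no SELinux context in: {text!r}")
    return Context(m.group(1), m.group(2), m.group(3), m.group(4))


def find_mislabeled(ls_output: str, expected_type: str) -> List[str]:
    """Names (last field of each ls -lZ line) whose type differs from expected_type."""
    bad = []
    for line in ls_output.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("total"):
            continue
        ctx = parse_context(line)
        if ctx.type != expected_type:
            bad.append(line.split()[-1])
    return bad


# Constructed sample of `ls -lZ /home/setuto/www` as CentOS 6 prints it:
# upload.php was copied in by the user and kept its home-directory type.
SAMPLE_LS = """\
-rw-r--r--. setuto setuto unconfined_u:object_r:httpd_user_content_t:s0 index.html
-rw-r--r--. setuto setuto unconfined_u:object_r:user_home_t:s0 upload.php
drwxr-xr-x. setuto setuto unconfined_u:object_r:httpd_user_content_t:s0 images
"""

if __name__ == "__main__":
    for name in find_mislabeled(SAMPLE_LS, "httpd_user_content_t"):
        print("needs restorecon (or a temporary chcon):", name)
    print(parse_context("system_u:system_r:httpd_t:s0-s0:c0.c1023 1234 ? 00:00:00 httpd"))
```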


For further details, the man pages will do 😉

By Cosmic Birth, on July 26, 2014, under linux. Tags: ACL, apache, audit, audit2allow, boolean, centos, chcon, contexts, fcontext, getenforce, getsebool, httpd, labels, linux security, matchpathcon, mode, restorecon, SELinux, semanage, sestatus, setenforce, yum provides.