Files and processes are labeled with a SELinux context, which consists of a SELinux user, a role, a type, and a level. The SELinux subsystem in the kernel uses this information to make access control decisions.
The SELinux user is an identity known to the SELinux policy, and each SELinux user is authorized for a set of roles. It is not the same thing as the Linux user account: Linux users are mapped to SELinux users (semanage login -l shows the mapping).
SELinux roles, as already alluded to before, are attributes of SELinux users and form the role-based access control (RBAC) part of the policy. A role is authorized for a set of domains; a process can only run in a domain that its role allows.
A SELinux type is the label on a file (its type) or on a process (its domain). Policy rules define which domains may access which types, and with which permissions. Anything that is not explicitly allowed by a rule is denied.
The SELinux level is used by the multi-level security (MLS) and multi-category security (MCS) parts of the policy. Full MLS is only active when the policy type is set to mls (SELINUXTYPE=mls in /etc/selinux/config); the mls policy doesn't cover the same domains as the default Red Hat targeted policy, is meant for dedicated servers, and should be avoided elsewhere. The targeted policy uses only MCS, which is why most contexts simply show s0 as the level.
All files and processes on a system are labeled to represent security-relevant information. This information is called the SELinux context. To view the contexts of files (and directories), execute the following:
~# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file
You can change the context of a file (or files) temporarily or permanently. The temporary change is handy for troubleshooting: you can quickly find out whether a different context solves your problem before committing to it. Persistent changes are mostly used when your applications refer to data that is not in the standard location, for example if your web server serves data from /srv/www.
Temporary SELinux context changes remain only until the file, or the filesystem that the file resides on, is relabeled, for example by restorecon or by a full filesystem relabel; relabeling always reapplies the policy's default context.
To change the SELinux user of a file, execute the following:
~# chcon --user <SELinux user> <filename>
To change the SELinux role of a file, execute the following:
~# chcon --role <SELinux role> <filename>
To change the SELinux type of a file, execute the following:
~# chcon --type <SELinux type> <filename>
Add -R (--recursive) to any of these to change a directory and everything beneath it. The type is the part you will change most often, as it is what the policy's access rules refer to.
Simply pointing an application at a new data location doesn't change the SELinux contexts of that data: files there carry the default label for their path, which is usually not one the application's domain is allowed to access.
To permanently relabel files or directories, first record the desired context in the local policy store, then apply it to the files and directories:
~# semanage fcontext -a --seuser <SELinux user> --type <SELinux type> "<filename|dirname>"
~# restorecon -Rv <filename|dirname>
The --seuser option is optional (the default is system_u); --type is required. The semanage rule only tells restorecon what the correct context is, so until restorecon (or a full relabel) runs, the files keep their old context. The same restorecon is what reverts a temporary chcon change.
To show all the available SELinux users, execute the following:
~# semanage user -l
Alternatively, you can install the setools-console package and run the following:
~# seinfo -u
To show all the available SELinux types, install the setools-console package and run the following:
~# seinfo -t
To show the available SELinux roles, install the setools-console package and run the following:
~# seinfo -r
The semanage tool doesn't have an option to include all files recursively, but there is a solution to this: the filename or dirname you specify is actually a regular expression. So, for example, if you want to recursively include all the files in /srv/www, you specify "/srv/www(/.*)?", which matches the directory itself and anything beneath it. Quote the expression so that the shell doesn't try to expand it, and keep in mind that other regex characters in the path, such as a dot, are interpreted as well. Use semanage fcontext -l to see the rules in effect (including those shipped with the policy) and matchpathcon <path> to check which context a given path would get.
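The following shell script, added here as an example and not part of the original text, puts the chcon, semanage fcontext and restorecon steps above together for a web server whose content lives under /srv/www (an assumed path; httpd_sys_content_t is the read-only content type that the targeted policy lets httpd_t read). It builds the file-spec regex the same way as described, and only prints the commands unless APPLY=1 is set and semanage is present, so it can be read and tried on any machine.

```shell
#!/bin/sh
# Added example, not from the original text: temporary (chcon) and persistent
# (semanage fcontext + restorecon) relabel of a web content tree.
# /srv/www is an assumed path; httpd_sys_content_t is the read-only content
# type of the targeted policy. Nothing is executed unless APPLY=1 is set and
# semanage exists, so the script can be read and tried on any machine.

# Turn a directory into the file-spec regex semanage expects:
#   /srv/www -> /srv/www(/.*)?   (the directory itself and everything below it)
# A trailing slash is dropped, and dots are escaped because the spec is a
# regex: an unescaped /srv/www.old would also match /srv/wwwXold.
fcontext_spec() {
    dir=${1%/}
    dir=$(printf '%s' "$dir" | sed -e 's/\./\\./g')
    printf '%s(/.*)?' "$dir"
}

# Temporary relabel for a quick test; lost at the next restorecon or relabel.
chcon_cmd() {
    printf 'chcon -R -t %s %s\n' "$2" "$1"
}

# Persistent relabel: record the rule in the local policy store, then apply it.
# -s is the SELinux user (system_u, the default, suits daemon data); -t the type.
relabel_cmds() {
    seuser=${3:-system_u}
    printf 'semanage fcontext -a -s %s -t %s "%s"\n' "$seuser" "$2" "$(fcontext_spec "$1")"
    printf 'restorecon -Rv %s\n' "$1"
}

# Print each command line from stdin, or run it when APPLY=1 and semanage exists.
run_or_show() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
            eval "$cmd"
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# 1. try it first: does httpd work once the tree carries the right type?
chcon_cmd /srv/www httpd_sys_content_t | run_or_show
# 2. make it stick: the rule survives restorecon and a full relabel
relabel_cmds /srv/www httpd_sys_content_t | run_or_show
```

Run it as root with APPLY=1 once the printed commands look right; afterwards, ls -Z /srv/www should show httpd_sys_content_t, and matchpathcon /srv/www/index.html should report the same type, which confirms the rule (not just the current labels) is in place.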
Here's an example of an AVC denial caused by a wrong SELinux context, as found in the /var/log/audit/audit.log file:
type=AVC msg=audit(1438884962.645:86): avc: denied { open } for pid=1283 comm="httpd" path="/var/www/html/index.html" dev="dm-5" ino=1089 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
The fields of this entry are as follows:

Field | Description
---|---
type=AVC | The record type: an Access Vector Cache (AVC) decision
msg=audit(1438884962.645:86) | The timestamp (seconds since the epoch) and serial number of the event; other records of the same event, such as the SYSCALL record, carry the same pair
avc: | A repetition of the record type inside the message
denied | The AVC result: the policy has no rule allowing this access. In permissive mode the access is still logged as denied but allowed to proceed (newer kernels append permissive=1 in that case)
{ open } | The permission(s) that caused the AVC denial
pid=1283 | The ID of the process
comm="httpd" | The command name of the process
path="/var/www/html/index.html" | The path that was accessed
dev="dm-5" | The block device that the preceding file is located on
ino=1089 | The inode number of the preceding file
scontext=system_u:system_r:httpd_t:s0 | The source (process) SELinux context
tcontext=system_u:object_r:user_home_t:s0 | The target (file) SELinux context
tclass=file | The class of the target object

Here, httpd (running in the httpd_t domain) was refused access to a file under its own document root because the file is labeled user_home_t, the type of a user's home directory content. This typically happens when a file is moved into place with mv, which keeps the original context, whereas cp gives the new copy the default label for its location. Since the targeted policy already maps /var/www(/.*)? to httpd_sys_content_t, running restorecon -v on the file is the fix; a semanage fcontext rule is only needed when the default context for the path is itself wrong.
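As an added example (not from the original text), the script below pulls the fields out of the denial above with sed, prints a one-line diagnosis and proposes the first thing to try. The SYSCALL line is constructed here as the companion record a real audit.log carries next to the AVC record (same event serial), included only to show that the filter handles AVC records alone.

```shell
#!/bin/sh
# Added example, not from the original text: extract the fields of an AVC
# denial with sed and print a one-line diagnosis. AVC is the entry from the
# text; SYSCALL is a constructed companion record (same event serial) that
# a real audit.log would carry next to it, included to show the filter.
AVC='type=AVC msg=audit(1438884962.645:86): avc: denied { open } for pid=1283 comm="httpd" path="/var/www/html/index.html" dev="dm-5" ino=1089 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'
SYSCALL='type=SYSCALL msg=audit(1438884962.645:86): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0'

# avc_field LINE KEY: the value of KEY=value, quotes removed. A space is
# prepended so that the key is matched as a whole word (scontext vs tcontext).
avc_field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The type is the third colon-separated field of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# "denied" or "granted" (auditallow rules also produce AVC records).
avc_result() {
    printf '%s\n' "$1" | sed -n 's/.*avc: *\([a-z]*\) *{.*/\1/p'
}

# The permission set between the braces, e.g. "open" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# One-line diagnosis: who (command, domain, pid) was denied what on which object.
avc_summary() {
    l=$1
    printf '%s (%s, pid %s) was %s %s on %s %s labeled %s\n' \
        "$(avc_field "$l" comm)" "$(avc_type "$(avc_field "$l" scontext)")" \
        "$(avc_field "$l" pid)" "$(avc_result "$l")" "$(avc_perms "$l")" \
        "$(avc_field "$l" tclass)" "$(avc_field "$l" path)" \
        "$(avc_type "$(avc_field "$l" tcontext)")"
}

# Read an audit log on stdin and summarise only the AVC records.
avc_summaries() {
    while IFS= read -r l; do
        case $l in
            type=AVC*) avc_summary "$l" ;;
        esac
    done
}

# First thing to try for a label mismatch: put the path's default label back.
# Only if the default itself is wrong does a semanage fcontext rule come in.
avc_fix_hint() {
    printf 'restorecon -v %s\n' "$(avc_field "$1" path)"
}

printf '%s\n%s\n' "$AVC" "$SYSCALL" | avc_summaries
avc_fix_hint "$AVC"
```

On a real system you would feed it ausearch -m avc -ts recent instead of the embedded lines; audit2why reads the same records and tells you whether a boolean or a missing rule, rather than a label, is the cause. The sed-based extraction assumes the quoted path contains no spaces or double quotes, which is the common case but not a guarantee.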