Changing file contexts
by Uday R. Sawant, William Leemans, Jonathan Hobson, Oliver Pelz
Linux: Powerful Server Administration
- Linux: Powerful Server Administration
- Table of Contents
- Linux: Powerful Server Administration
- Linux: Powerful Server Administration
- Credits
- Preface
- 1. Module 1
- 1. Managing Users and Groups
- 2. Networking
- Introduction
- Connecting to a network with a static IP
- Installing the DHCP server
- Installing the DNS server
- Hiding behind the proxy with squid
- Being on time with NTP
- Discussing load balancing with HAProxy
- Tuning the TCP stack
- Troubleshooting network connectivity
- Securing remote access with OpenVPN
- Securing a network with uncomplicated firewall
- Securing against brute force attacks
- Discussing Ubuntu security best practices
- 3. Working with Web Servers
- Introduction
- Installing and configuring the Apache web server
- Serving dynamic contents with PHP
- Hosting multiple websites with a virtual domain
- Securing web traffic with HTTPS
- Installing Nginx with PHP_FPM
- Setting Nginx as a reverse proxy
- Load balancing with Nginx
- Setting HTTPs on Nginx
- Benchmarking and performance tuning of Apache
- Securing the web server
- Troubleshooting the web server
- 4. Working with Mail Servers
- 5. Handling Databases
- Introduction
- Installing relational databases with MySQL
- Storing and retrieving data with MySQL
- Importing and exporting bulk data
- Adding users and assigning access rights
- Installing web access for MySQL
- Setting backups
- Optimizing MySQL performance – queries
- Optimizing MySQL performance – configuration
- Creating MySQL replicas for scaling and high availability
- Troubleshooting MySQL
- Installing MongoDB
- Storing and retrieving data with MongoDB
- 6. Network Storage
- 7. Cloud Computing
- 8. Working with Containers
- Introduction
- Installing LXD, the Linux container daemon
- Deploying your first container with LXD
- Managing LXD containers
- Managing LXD containers – advanced options
- Setting resource limits on LXD containers
- Networking with LXD
- Installing Docker
- Starting and managing Docker containers
- Creating images with a Dockerfile
- Understanding Docker volumes
- Deploying WordPress using a Docker network
- Monitoring Docker containers
- Securing Docker containers
- 9. Streaming with Ampache
- 10. Communication Server with XMPP
- 11. Git Hosting
- Introduction
- Installing Git
- Creating a local repository with Git CLI
- Storing file revisions with Git commit
- Synchronizing the repository with a remote server
- Receiving updates with Git pull
- Creating repository clones
- Installing GitLab, your own Git hosting
- Adding users to the GitLab server
- Creating a repository with GitLab
- Automating common tasks with Git hooks
- 12. Collaboration Tools
- 13. Performance Monitoring
- 14. Centralized Authentication Service
- 2. Module 2
- 1. Installing CentOS
- Introduction
- Downloading CentOS and confirming the checksum on Windows or OS X
- Creating USB installation media on Windows or OS X
- Performing an installation of CentOS using the graphical installer
- Running a netinstall over HTTP
- Installing CentOS 7 using a kickstart file
- Getting started and customising the boot loader
- Troubleshooting the system in rescue mode
- Updating the installation and enhancing the minimal install with additional administration and development tools
- 2. Configuring the System
- Introduction
- Navigating text files with less
- Introduction to Vim
- Speaking the right language
- Synchronizing the system clock with NTP and the chrony suite
- Setting your hostname and resolving the network
- Building a static network connection
- Becoming a superuser
- Customizing your system banners and messages
- Priming the kernel
- 3. Managing the System
- Introduction
- Knowing and managing your background services
- Troubleshooting background services
- Tracking system resources with journald
- Configuring journald to make it persistent
- Managing users and their groups
- Scheduling tasks with cron
- Synchronizing files and doing more with rsync
- Maintaining backups and taking snapshots
- Monitoring important server infrastructure
- Taking control with GIT and Subversion
- 4. Managing Packages with YUM
- 5. Administering the Filesystem
- 6. Providing Security
- 7. Building a Network
- 8. Working with FTP
- 9. Working with Domains
- 10. Working with Databases
- 11. Providing Mail Services
- 12. Providing Web Services
- 13. Operating System-Level Virtualization
- 14. Working with SELinux
- 15. Monitoring IT Infrastructure
- 1. Installing CentOS
- 3. Module 3
- 1. Working with KVM Guests
- 2. Deploying RHEL "En Masse"
- 3. Configuring Your Network
- 4. Configuring Your New System
- 5. Using SELinux
- 6. Orchestrating with Ansible
- 7. Puppet Configuration Management
- 8. Yum and Repositories
- 9. Securing RHEL 7
- 10. Monitoring and Performance Tuning
- Bibliography
- Index
Files and processes are labeled with a SELinux context, which contains additional information about a SELinux user, role type, and level. This information is provided by the SELinux kernel module to make access control decisions.
The SELinux user, a unique identity known by the SELinux policy, is authorized for a number of roles.
SELinux roles, as we already alluded to before, are attributes of SELinux users and part of the RBAC SELinux policy. SELinux roles are authorized for SELinux domains.
SELinux types define the type for files and domain for processes. SELinux policies define access between types and other files and processes. By default, if there is no specific rule in the SELinux policy, access is denied.
The SELinux level is only used when the SELinux type is set to MLS and should be avoided altogether on anything other than servers. This set of policies doesn't cover the same domains as defined by the default Red Hat SELinux policy. The SELinux level is an attribute of MLS and multi-category security (MCS).
All files and processes on a system are labeled to represent security-relevant information. This information is called the SELinux context. To view the contexts of files (and directories), execute the following:
~# ls -Z -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file ~#
You can temporarily change the context of a file (or files) or permanently change their context. The first option allows easy troubleshooting if you need to figure out whether changing the context solves your problem. Persistent changes are mostly used when your applications refer to data that is not in the standard location—for example, if your web server serves data from /srv/www.
Temporary SELinux context changes remain until the file, or the filesystem that the file resides on, is relabeled.
To change the SELinux user of a file, execute the following:
~# chcon --user <SELinux user> <filename>
To change the SELinux role of a file, execute the following:
~# chcon --role <SELinux role> <filename>
To change the SELinux type of a file, execute the following:
~# chcon --type <SELinux typs> <filename>
Changing the application data location doesn't automatically modify SELinux contexts to allow your application to access this data.
To permanently relabel files or directories, perform the following:
- Change the SELinux user for your files or directories via this command:
~# semanage fcontext -a --seuser <SELinux user> <filename|dirname> - Change the SELinux type of your files or directories by running the following:
~# semanage fcontext -a --type <SELinux type> <filename|dirname> - Finish with this command line by applying the directive to the
files/directories:~# restorecon <filename|dirname>
To show all the available SELinux users, execute the following:
~# semanage user -l
Alternatively, you can install the setools-console package and run the following:
~# seinfo -u
To show all the available SELinux types, install the setools-console package and run the following:
~# seinfo -t
To show the available SELinux roles, install the setools-console package and run the following:
~# seinfo -r
The semanage tool doesn't have an option to include all files recursively, but there is a solution to this. The filename or dirname you specify is actually a regular expression filter. So, for example, if you want to recursively include all the files in /srv/www, you could specify "/srv/www(/.*)?".
Here's a wrong SELinux context example of an AVC denial report found in the audit.log file:
type=AVC msg=audit(1438884962.645:86): avc: denied { open } for pid=1283 comm="httpd" path="/var/www/html/index.html" dev="dm-5" ino=1089 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=fileThis command can be explained as follows:
|
Commands |
Description |
|---|---|
|
|
This is the log type |
|
|
This is the log entry timestamp |
|
|
This is a repetition of the log type |
|
|
This states whether enforcing is enabled |
|
|
This is a permission that causes AVC denial |
|
| |
|
|
This is the process command |
|
|
This is the path that is accessed |
|
|
This blocks the device that the preceding file is located on |
|
|
This is the inode of the preceding file |
|
|
This is the source SELinux context |
|
|
This is the target SELinux context |
|
|
This is the target SELinux class |
-
No Comment