SELinux
== context of a file ==
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
* https://www.man7.org/linux/man-pages/man8/semanage.8.html
* https://www.man7.org/linux/man-pages/man8/semanage-fcontext.8.html
* http://www.freekb.net/Article?id=1418 !!!!!
* https://www.gnu.org/software/coreutils/manual/html_node/chcon-invocation.html

=== Change SELinux context of file ===
So far my usual approach for getting the SELinux context of a file right is:
<pre>
# find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT")
$ ll --context FILE_WITH_RIGHT_CONTEXT
# rename the file, whose context isn't right, to FILE- or so!
$ mv FILE FILE-
# copy the correctly labelled file; --archive preserves its SELinux context
$ cp --archive FILE_WITH_RIGHT_CONTEXT FILE
# put the original content back into the correctly labelled file
$ cat FILE- > FILE
# drop the renamed original
$ rm FILE-
…
</pre>
What "ll -Z" (resp. "ll --context") displays in addition to what "ll" usually displays is the file's context, which consists of:
* a SELinux_USER_CONTEXT (unconfined_u) -> "semanage fcontext --modify --seuser"
* a ROLE (object_r) -> not settable via semanage fcontext; files always carry the role object_r
* a TYPE_CONTEXT (user_home_t) -> "semanage fcontext --modify --type"
* a level AKA RANGE (s0) -> "semanage fcontext --modify --range"
CAVEAT: chcon only changes the label stored on the file and does not work well with restorecon: restorecon resets the file to the context defined by the policy's file-context rules, i.e. it effectively restores the old context unless the new context has been persisted with semanage fcontext first.
<pre>
# --add fails if a rule for this path already exists; use --modify then
# (there is no --role option: files always get object_r)
root@… $ semanage fcontext --add --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt
root@… $ chcon --no-dereference --user SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt
root@… $ restorecon -vF /usr/local/foo.txt # -v for ''verbose'', -F for ''force reset''
</pre>
So usually for a systemd service file you would execute these 2 (resp. 3) command lines:
<pre>
root@… $ semanage fcontext --add --seuser system_u --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service
root@… $ chcon --no-dereference --user system_u --role object_r --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service
</pre>
More examples:
<pre>
…
</pre>
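Added example, not part of this wiki page or of the SELinux tooling: a POSIX shell helper that turns a desired context string into the persist-then-reset sequence described above, decides between --add and --modify by looking at the existing rules, and verifies the label that ends up on disk field by field. The function names (ctx_*, fcontext_verb, label_commands, context_diff, apply_context) are hypothetical, the semanage listing is a constructed sample, and a real run assumes RHEL-style tooling (semanage, restorecon, stat -c %C) as root.

```shell
#!/bin/sh
# Added example, not from the wiki page. Helper functions (hypothetical names) that
# derive the persistent semanage rule + restorecon reset from a desired context,
# decide between --add and --modify, and verify the label that ends up on disk.
# Assumes RHEL-style tooling: semanage, restorecon, stat -c %C (or ls -Z) for the context.

# Split a context string "user:role:type:range" into its fields.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_range() { printf '%s\n' "$1" | cut -d: -f4-; }   # MLS ranges such as s0-s0:c0.c1023 contain ':' themselves

# Constructed sample of 'semanage fcontext -l' output (columns: path spec, file type, context).
SAMPLE_LISTING='/usr/lib/systemd/system(/.*)?    all files    system_u:object_r:systemd_unit_file_t:s0
/usr/local/bin(/.*)?                all files    system_u:object_r:bin_t:s0'

# 'semanage fcontext --add' fails with "already defined" when a rule for exactly this
# path spec exists, in which case --modify is needed. LISTING is 'semanage fcontext -l' output.
fcontext_verb() {   # fcontext_verb LISTING PATHSPEC -> prints add|modify
    if printf '%s\n' "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'; then
        echo modify
    else
        echo add
    fi
}

# Print the two commands that make CONTEXT the policy-defined label of PATH:
# persist user/type/range with semanage (no --role option exists: files are always object_r),
# then let restorecon apply the rule, so later relabels keep it. semanage treats
# PATH as a regular expression; a plain path still matches itself.
label_commands() {   # label_commands PATH CONTEXT [add|modify]
    printf "semanage fcontext --%s --seuser '%s' --type '%s' --range '%s' '%s'\n" \
        "${3:-add}" "$(ctx_user "$2")" "$(ctx_type "$2")" "$(ctx_range "$2")" "$1"
    printf "restorecon -vF '%s'\n" "$1"
}

# Compare the context actually on disk with the expected one field by field;
# prints each mismatching field and returns 1 if any differ, 0 when they all match.
context_diff() {   # context_diff ACTUAL EXPECTED
    cd_rc=0
    for cd_f in user role type range; do
        cd_a=$("ctx_$cd_f" "$1"); cd_e=$("ctx_$cd_f" "$2")
        [ "$cd_a" = "$cd_e" ] || { echo "$cd_f: $cd_a != $cd_e"; cd_rc=1; }
    done
    return $cd_rc
}

# On a real host (run as root): persist, reset and verify. Does nothing where semanage is absent.
apply_context() {   # apply_context PATH CONTEXT
    command -v semanage >/dev/null 2>&1 || { echo "semanage not available, nothing applied" >&2; return 2; }
    label_commands "$1" "$2" "$(fcontext_verb "$(semanage fcontext -l)" "$1")" | sh -e
    context_diff "$(stat -c %C "$1")" "$2"
}

if [ "$#" -eq 2 ]; then
    apply_context "$1" "$2"
fi
```

Usage on a host: `sh label.sh /usr/lib/systemd/system/tomcat.service system_u:object_r:systemd_unit_file_t:s0`. The chcon step from the page is deliberately left out: once the rule is persisted, restorecon sets the same label, and the verification at the end catches a rule that did not match (for instance because a more specific rule in the policy wins).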