Editing SELinux
Latest revision | Your text | ||
Line 19: | Line 19: | ||
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux | * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux | ||
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux | * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux | ||
== context of a file == | == context of a file == | ||
Line 56: | Line 45: | ||
What "ll -Z" (resp. "ll --context") in addition to what "ll" usually displays, is called: | What "ll -Z" (resp. "ll --context") in addition to what "ll" usually displays, is called: | ||
* a SELinux_USER_CONTEXT (unconfined_u) -> "semanage fcontext --modify --seuser" | * a SELinux_USER_CONTEXT (unconfined_u) -> "semanage fcontext --modify --seuser" | ||
* a | * a role (object_r) | ||
* a TYPE_CONTEXT (user_home_t) -> "semanage fcontext --modify --type" | * a TYPE_CONTEXT (user_home_t) -> "semanage fcontext --modify --type" | ||
* a level AKA RANGE (s0) -> "semanage fcontext " | * a level AKA RANGE (s0) -> "semanage fcontext " | ||
<pre> | <pre> | ||
root@… $ chcon --no-dereference --user SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt | root@… $ chcon --no-dereference --user SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt | ||
root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt | |||
root@… $ restorecon -vF /usr/local/foo.txt # -v for ''verbose'', -F for ''force reset'' | root@… $ restorecon -vF /usr/local/foo.txt # -v for ''verbose'', -F for ''force reset'' | ||
</pre> | </pre> | ||
So usually for a systemd service file you would execute these 2 | So usually for a systemd service file you would execute these 2 command lines: | ||
<pre> | <pre> | ||
root@… $ semanage fcontext --add/--modify --seuser system_u | root@… $ semanage fcontext --add/--modify --seuser system_u --type systemd_unit_file_t /usr/lib/systemd/system/tomcat.service | ||
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service | root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service | ||
</pre> | </pre> |
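Review bot: In the "Your text" column the restored `semanage fcontext` line for the unit file passes a bare path as the file specification, but `semanage fcontext` interprets that argument as a regular expression, so the unescaped `.` in `tomcat.service` matches any single character; quote and escape it, e.g. `semanage fcontext --add --seuser system_u --type systemd_unit_file_t '/usr/lib/systemd/system/tomcat\.service'`. The `--add/--modify` spelling in both `<pre>` blocks is a choose-one shorthand rather than a literal argument: `--add` creates the local file-context record and `--modify` changes one that already exists, so the text should say which applies. Two points worth stating next to the commands rather than leaving implicit: `chcon` only changes the label on the inode and is lost on the next relabel (`restorecon`, `fixfiles`, or an autorelabel), which is why the persistent route is `semanage fcontext` followed by `restorecon`; and the `-F` on `restorecon -vF` is what makes the `--seuser`/`--range` settings take effect, because without `-F` restorecon resets only the type portion of the context.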