SELinux: Difference between revisions

* https://en.wikipedia.org/wiki/Security-Enhanced_Linux
* https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
* http://www.freekb.net/Article?id=1418 – SELinux - Change context of a file or directory (chcon restorecon semanage) !!!!!
* http://www.freekb.net/Article?id=1169 – SELinux - Determine context of a file or directory

learning.oreilly.com :

access.redhat.com :
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux
So far my usual approach for getting the SELinux context of a file right is to copy it from a file that already has the right one. This works because "cp --archive" preserves the SELinux context of the source (it also copies its mode and ownership, so check those afterwards), but it is not persistent: the next relabel resets the file to whatever the policy says for that path. The persistent way is "semanage fcontext" + "restorecon", see below.
<pre>
# find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT")
$ ll -Z FILE_WITH_RIGHT_CONTEXT
# rename the file, whose context isn't right, to FILE- or so!
$ mv FILE FILE-
# copy the template under the wanted name; --archive keeps its context (plus mode and owner)
$ cp --archive FILE_WITH_RIGHT_CONTEXT FILE
# overwrite the contents in place, so FILE keeps the template's context
$ cat FILE- > FILE
# get rid of the renamed original
$ rm FILE-
</pre>
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
What "ll -Z" displays in addition to the usual "ll" output is the file's SELinux context, e.g. unconfined_u:object_r:user_home_t:s0, which consists of four colon-separated fields:
* the SELinux user, "USER_CONTEXT" below (unconfined_u)
* a role (object_r; files always have object_r)
* the type, "TYPE_CONTEXT" below (user_home_t); the targeted policy's rules are written against the type, so this is the field that usually has to be right
* a level, i.e. the MLS/MCS range (s0)
<pre>
root@… $ semanage fcontext -a -s USER_CONTEXT -t TYPE_CONTEXT /usr/local/foo.txt
root@… $ restorecon -vF /usr/local/foo.txt
</pre>
Notes on those two lines:
* "semanage fcontext -a" stores a rule in the local policy, so unlike "chcon" it survives a relabel ("restorecon -R", "fixfiles", touch /.autorelabel). The path argument is a regular expression; for a whole directory tree use "/path(/.*)?". If a rule for exactly that spec already exists, "-a" fails with "already defined" and "-m" (modify) has to be used instead.
* "restorecon" without "-F" only resets the type; "-F" also resets the user, role and level to what the rule says, which is why it is needed when "-s" was given. "-v" just prints what was changed.
So usually for a systemd service file you would execute these 2 command lines:
<pre>
root@… $ semanage fcontext -a -s system_u -t systemd_unit_file_t /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service
</pre>
Check first whether the rule is even needed: the targeted policy already maps /usr/lib/systemd/system(/.*)? and /etc/systemd/system(/.*)? to systemd_unit_file_t, so "matchpathcon /usr/lib/systemd/system/tomcat.service" normally prints that type already and the "restorecon -vF" line alone fixes a unit file that got the wrong context, e.g. because it was copied from a home directory.
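Putting the two command lines and the field breakdown together, here is an added example (my own script, not code from this page, from Red Hat or from the SELinux project) that labels a file persistently: it compares the current context with the wanted one field by field, adds a "semanage fcontext" rule only when the policy default reported by "matchpathcon" does not already yield the wanted type, runs "restorecon -vF", and then verifies that every field is what was asked for. It assumes semanage, matchpathcon, restorecon and GNU stat are installed; the path and type in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the wiki page: make a file's SELinux label
# persistent with semanage fcontext and apply it with restorecon -F, only
# adding a rule when the policy default does not already give the wanted
# type, then verify the result field by field.
# Assumed tools: semanage (policycoreutils-python-utils), matchpathcon and
# restorecon (libselinux-utils / policycoreutils), stat (GNU coreutils).
# The path and type in the usage line at the bottom are placeholders.
set -eu

# A context is user:role:type:level. The level (MLS/MCS range) may itself
# contain colons, e.g. "s0-s0:c0.c1023", so split on the first three only.
ctx_user()  { printf '%s\n' "${1%%:*}"; }
ctx_role()  { r=${1#*:};   printf '%s\n' "${r%%:*}"; }
ctx_type()  { r=${1#*:*:}; printf '%s\n' "${r%%:*}"; }
ctx_level() { printf '%s\n' "${1#*:*:*:}"; }

# Names of the fields in which two contexts differ (empty when equal).
ctx_diff() {
    d=""
    [ "$(ctx_user "$1")"  = "$(ctx_user "$2")" ]  || d="$d user"
    [ "$(ctx_role "$1")"  = "$(ctx_role "$2")" ]  || d="$d role"
    [ "$(ctx_type "$1")"  = "$(ctx_type "$2")" ]  || d="$d type"
    [ "$(ctx_level "$1")" = "$(ctx_level "$2")" ] || d="$d level"
    printf '%s\n' "${d# }"
}

# needs_rule WANTED POLICY_DEFAULT: exit 0 when a semanage rule is needed,
# i.e. the type the policy's file_contexts would assign (matchpathcon
# output) differs from the wanted type. User, role and level need no rule
# of their own because restorecon -F resets them from the matching rule.
needs_rule() { [ "$(ctx_type "$1")" != "$(ctx_type "$2")" ]; }

# Context the kernel currently reports for a file ("?" if SELinux is off).
current_context() { stat -c '%C' -- "$1"; }

# relabel PATH WANTED_CONTEXT: apply the context persistently and check it stuck.
relabel() {
    path=$1 want=$2
    have=$(current_context "$path")
    if [ -z "$(ctx_diff "$have" "$want")" ]; then
        echo "$path: already $want"
        return 0
    fi
    default=$(matchpathcon -n "$path")
    if needs_rule "$want" "$default"; then
        # semanage treats the path as a regular expression; for a whole tree
        # use "$path(/.*)?". -a fails with "already defined" if a rule for this
        # exact spec exists, in which case -m (modify) is the right verb.
        semanage fcontext -a -s "$(ctx_user "$want")" -t "$(ctx_type "$want")" "$path"
    fi
    # -F resets user, role and level too; without it only the type changes.
    restorecon -vF "$path"
    have=$(current_context "$path")
    d=$(ctx_diff "$have" "$want")
    if [ -n "$d" ]; then
        echo "$path: still differs in: $d (have $have, want $want)" >&2
        return 1
    fi
}

# Usage (placeholder path and type):
#   sh relabel.sh --apply /usr/local/foo.txt system_u:object_r:bin_t:s0
if [ "${1-}" = "--apply" ]; then
    relabel "$2" "$3"
fi
```

The field-by-field check at the end is the part the two bare command lines lack: if "restorecon" was run without "-F", or "semanage" silently matched a different, more specific rule, the script reports which field is still off instead of claiming success.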
More examples:
<pre>
</pre>

Revision as of 13:59, 7 September 2022
