SELinux: Difference between revisions

From wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 3: Line 3:
* http://www.freekb.net/Article?id=1418 – SELinux - Change context of a file or directory (chcon restorecon semanage) !!!!!
* http://www.freekb.net/Article?id=1418 – SELinux - Change context of a file or directory (chcon restorecon semanage) !!!!!
* http://www.freekb.net/Article?id=1169 – SELinux - Determine context of a file or directory
* http://www.freekb.net/Article?id=1169 – SELinux - Determine context of a file or directory
* https://www.man7.org/linux/man-pages/man8/semanage.8.html
* https://www.man7.org/linux/man-pages/man8/semanage-fcontext.8.html
* https://www.man7.org/linux/man-pages/man8/restorecon.8.html


learning.oreilly.com :
learning.oreilly.com :
Line 34: Line 38:


What "ll -Z" in addition to what "ll" usually displays, is called:
What "ll -Z" in addition to what "ll" usually displays, is called:
* a USER_CONTEXT (unconfined_u)
* a SELinux_USER_CONTEXT (unconfined_u) -> --seuser
* a role (object_r)
* a role (object_r)
* a TYPE_CONTEXT (user_home_t)
* a TYPE_CONTEXT (user_home_t) -> --type
* a level (s0)
* a level (s0)


<pre>
<pre>
root@… $ semanage fcontext -a -s USER_CONTEXT -t TYPE_CONTEXT /usr/local/foo.txt
root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT /usr/local/foo.txt
root@… $ restorecon -vF /usr/local/foo.txt
root@… $ restorecon -vF /usr/local/foo.txt
</pre>
</pre>


So usually for a systemd service file you would execute these 2 command lines:
So usually for a systemd service file you would execute these 2 command lines
(derived from http://www.freekb.net/Article?id=1418):


<pre>
<pre>
root@… $ semanage fcontext -a -s system_u -t systemd_unit_file_t /usr/lib/systemd/system/tomcat.service
root@… $ semanage fcontext --add/--modify --seuser system_u --type systemd_unit_file_t /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service     # -v for ''verbose'', -F for ''force reset''
</pre>
</pre>


Revision as of 14:34, 7 September 2022

learning.oreilly.com :

access.redhat.com :

So far my usual approach for getting the SELinux context of a file right is: 

# find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT")
$ ll -Z FILE_WITH_RIGHT_CONTEXT
# rename the file, whose context isn't right, to FILE- or so!
$ mv FILE FILE-
# …
$ cp --arch FILE_WITH_RIGHT_CONTEXT FILE
# …
cat FILE- > FILE
# …
$ rm FILE-
…

What "ll -Z" in addition to what "ll" usually displays, is called:

  • a SELinux_USER_CONTEXT (unconfined_u) -> --seuser
  • a role (object_r)
  • a TYPE_CONTEXT (user_home_t) -> --type
  • a level (s0)
root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT /usr/local/foo.txt
root@… $ restorecon -vF /usr/local/foo.txt

So usually for a systemd service file you would execute these 2 command lines (derived from http://www.freekb.net/Article?id=1418): 

root@… $ semanage fcontext --add/--modify --seuser system_u --type systemd_unit_file_t /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service     # -v for ''verbose'', -F for ''force reset''

More examples:

Retrieved from ‘https://wiki.jochen.hayek.name/w/index.php?title=SELinux&oldid=1997