Editing SELinux
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 3: | Line 3: | ||
* http://www.freekb.net/Article?id=1418 – SELinux - Change context of a file or directory (chcon restorecon semanage) !!!!! | * http://www.freekb.net/Article?id=1418 – SELinux - Change context of a file or directory (chcon restorecon semanage) !!!!! | ||
* http://www.freekb.net/Article?id=1169 – SELinux - Determine context of a file or directory | * http://www.freekb.net/Article?id=1169 – SELinux - Determine context of a file or directory | ||
learning.oreilly.com : | learning.oreilly.com : | ||
Line 19: | Line 15: | ||
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux | * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux | ||
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux | * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux | ||
So far my usual approach for getting the SELinux context of a file right is: | So far my usual approach for getting the SELinux context of a file right is: | ||
<pre> | <pre> | ||
# find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT") | # find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT") | ||
$ ll - | $ ll -Z FILE_WITH_RIGHT_CONTEXT | ||
# rename the file, whose context isn't right, to FILE- or so! | # rename the file, whose context isn't right, to FILE- or so! | ||
$ mv FILE FILE- | $ mv FILE FILE- | ||
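Review bot: the left column's `$ ll -` is truncated and the right column's `$ ll -Z FILE_WITH_RIGHT_CONTEXT` is the complete command, so this hunk restores the lost `-Z` flag and filename; worth keeping in mind that `ll` is only a shell alias (usually `ls -l`) and `ls -lZ FILE_WITH_RIGHT_CONTEXT` is the form that works in any shell. The `-Z` output shows the full label as `user:role:type:level`, which is what the later `semanage fcontext` step needs as the `-s` (user) and `-t` (type) values.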
Line 54: | Line 31: | ||
</pre> | </pre> | ||
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files | |||
What "ll -Z" in addition to what "ll" usually displays, is called: | |||
* a USER_CONTEXT (unconfined_u) | |||
* a role (object_r) | |||
* a TYPE_CONTEXT (user_home_t) | |||
* a level (s0) | |||
<pre> | <pre> | ||
root@… $ semanage fcontext -- | root@… $ semanage fcontext -a -s USER_CONTEXT -t TYPE_CONTEXT /usr/local/foo.txt | ||
root@… $ restorecon -vF /usr/local/foo.txt | |||
root@… $ restorecon -vF /usr/local/foo.txt | |||
</pre> | </pre> | ||
So usually for a systemd service file you would execute these 2 | So usually for a systemd service file you would execute these 2 command lines: | ||
<pre> | <pre> | ||
root@… $ semanage fcontext -- | root@… $ semanage fcontext -a -s system_u -t systemd_unit_file_t /usr/lib/systemd/system/tomcat.service | ||
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service | root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service | ||
</pre> | </pre> |
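Review bot: the right column repeats `root@… $ restorecon -vF /usr/local/foo.txt` twice in the generic example; one line is enough and the duplicate looks like a paste slip. Two things the prose should state for the reader: `restorecon` without `-F` resets only the type field, so the `-F` is what makes the `-s system_u` user part take effect on a file that currently carries `unconfined_u`; and `semanage fcontext -a PATH` with a plain path registers a rule for that literal path only, so a directory tree needs a regular-expression spec such as `"/usr/local/foo(/.*)?"`. The list naming the four fields would also read better as SELinux user, role, type and level (the terms `ls -Z` and `semanage` documentation use) with `USER_CONTEXT`/`TYPE_CONTEXT` noted as the placeholders used in the commands, and the sentence starting `What "ll -Z" in addition to` is missing a verb (`What "ll -Z" shows in addition to ...`).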