SELinux
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux
So far my usual approach for getting the SELinux context of a file right is:
<pre>
# find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT")
$ ll -Z FILE_WITH_RIGHT_CONTEXT
# rename the file, whose context isn't right, to FILE- or so!
$ mv FILE FILE-
…
</pre>
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
What "ll -Z" (ls -l -Z) displays in addition to the usual "ll" output is the file's SELinux context, written as user:role:type:level and made up of:
* a SELinux user (SELinux_USER_CONTEXT, e.g. unconfined_u) -> set with --seuser
* a role (object_r for files)
* a type (TYPE_CONTEXT, e.g. user_home_t) -> set with --type
* an MLS/MCS level (s0)
<pre>
root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT /usr/local/foo.txt
root@… $ restorecon -vF /usr/local/foo.txt
</pre>
So usually for a systemd service file you would execute these 2 command lines (derived from http://www.freekb.net/Article?id=1418); use --add for a new rule, or --modify if semanage reports that a file context for that path is already defined:
<pre>
root@… $ semanage fcontext --add/--modify --seuser system_u --type systemd_unit_file_t /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service # -v for ''verbose'', -F for ''force reset''
</pre>
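A small check that goes with the procedure above, as an added example that is not from the original page, the Red Hat docs or the freekb article it links: it splits a context string into the four fields listed above (user, role, type, level), lists the files whose type is not the expected one, and prints the two fix command lines for such a file. The "ls -Z"-style output embedded in it is constructed sample data, and the sshd/httpd unit paths are assumptions for illustration; only the final guarded block calls a real SELinux tool (matchpathcon), and only if one is installed.

```shell
#!/bin/sh
# Added example, not code from the page. Runs offline on constructed input.

# context_field CONTEXT N -> prints field N of user:role:type:level
# (1=user, 2=role, 3=type, 4=level). The level may itself contain ':'
# in an MLS range such as s0-s0:c0.c1023, so field 4 takes the rest.
context_field() {
    case "$2" in
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# Constructed sample of "ls -Z" output: <context> <path> per line.
# The tomcat.service line carries a user_home_t label, as a file copied
# out of a home directory would; it is the one we expect to be flagged.
SAMPLE_LS_Z='system_u:object_r:systemd_unit_file_t:s0 /usr/lib/systemd/system/sshd.service
unconfined_u:object_r:user_home_t:s0 /usr/lib/systemd/system/tomcat.service
system_u:object_r:systemd_unit_file_t:s0 /usr/lib/systemd/system/httpd.service'

# mislabeled EXPECTED_TYPE -> prints the paths whose type field differs
mislabeled() {
    expected="$1"
    printf '%s\n' "$SAMPLE_LS_Z" | while read -r ctx path; do
        if [ "$(context_field "$ctx" 3)" != "$expected" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# fix_commands PATH SEUSER TYPE -> prints the two command lines from the page.
# semanage fcontext takes a file spec (a regular expression), so the path is
# quoted; --add fails with "already defined" when a local rule for the path
# exists, in which case --modify is the right verb.
fix_commands() {
    fpath="$1"; seuser="$2"; ftype="$3"
    printf 'semanage fcontext --add --seuser %s --type %s "%s"\n' "$seuser" "$ftype" "$fpath"
    printf 'restorecon -vF "%s"\n' "$fpath"
}

# Demonstration on the sample: flag the odd one out and show how to fix it.
for f in $(mislabeled systemd_unit_file_t); do
    echo "# $f is not labeled systemd_unit_file_t:"
    fix_commands "$f" system_u systemd_unit_file_t
done

# Only on an SELinux host: ask the loaded policy what it expects for the
# flagged path. If matchpathcon already answers systemd_unit_file_t, a plain
# restorecon fixes the label and no semanage rule is needed at all.
if command -v matchpathcon >/dev/null 2>&1; then
    for f in $(mislabeled systemd_unit_file_t); do
        matchpathcon "$f" 2>/dev/null || true
    done
fi
```

On a real host, replace the constructed SAMPLE_LS_Z with the output of `ls -Z /usr/lib/systemd/system/*.service`, and use `restorecon -nv PATH` to preview what a relabel would change before running it with `-vF`.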