Editing SELinux

* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux
== setenforce / getenforce ==
* https://www.man7.org/linux/man-pages/man8/setenforce.8.html
* https://www.man7.org/linux/man-pages/man8/getenforce.8.html
<pre>
root@… $ setenforce [Enforcing|Permissive|1|0]
root@… $ getenforce
root@… $ sestatus
</pre>
== context of a file ==
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
* https://www.man7.org/linux/man-pages/man8/semanage.8.html
* https://www.man7.org/linux/man-pages/man8/semanage-fcontext.8.html
* http://www.freekb.net/Article?id=1418 !!!!!
* https://www.gnu.org/software/coreutils/manual/html_node/chcon-invocation.html – Change SELinux context of file


So far my usual approach for getting the SELinux context of a file right is:
<pre>
# find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT")
$ ll -Z FILE_WITH_RIGHT_CONTEXT     # same as: ll --context FILE_WITH_RIGHT_CONTEXT
# rename the file, whose context isn't right, to FILE- or so!
$ mv FILE FILE-
</pre>


What "ll -Z" (resp. "ll --context") displays in addition to the usual "ll" output is the file's SELinux context, which is made up of:
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
* a SELinux_USER_CONTEXT (unconfined_u) -> "semanage fcontext --modify --seuser"
* a ROLE (object_r) -> no semanage option; file contexts always carry object_r
* a TYPE_CONTEXT (user_home_t) -> "semanage fcontext --modify --type"
* a level AKA RANGE (s0) -> "semanage fcontext --modify --range"


CAVEAT: chcon does not work well with restorecon. chcon only changes the label stored on the file, not the file-context rules in the policy, so a later restorecon (with -F including user, role and range) effectively restores the old context from the policy. Only a rule added with semanage fcontext survives restorecon.


<pre>
root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt     # --add for a new rule, --modify if one exists; no --role option, files always get object_r
root@… $ chcon --no-dereference --user SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt     # only changes the label on disk, see CAVEAT
root@… $ restorecon -vF /usr/local/foo.txt     # -v for ''verbose'', -F for ''force reset''
</pre>


So usually for a systemd service file you would execute these two (or, with chcon, three) command lines
(derived from http://www.freekb.net/Article?id=1418):


<pre>
root@… $ semanage fcontext --add/--modify --seuser system_u --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service
root@… $ chcon --no-dereference --user system_u --role object_r --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service     # optional, restorecon below applies the rule anyway
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service     # -v for ''verbose'', -F for ''force reset''
</pre>
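The same procedure (read the context of a file that is labelled right, register it for the target with semanage fcontext, apply it with restorecon, then verify) as a small POSIX shell script. This is an added example, not part of the wiki page or of the linked articles; the function names parse_context, label_like and check_label are made up here, and with the default DRY_RUN=1 the script only prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the wiki page): label a file like one that is
# already labelled right. Function names are made up for this example.
# DRY_RUN=1 (default) only prints the semanage/restorecon commands.

DRY_RUN=${DRY_RUN:-1}

run() {  # echo the command line; execute it only when DRY_RUN=0
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 0 ] || return 0
    "$@"
}

# Split "user:role:type:range" (what "ls -Z" shows) into four variables.
parse_context() {
    IFS=: read -r CTX_USER CTX_ROLE CTX_TYPE CTX_RANGE <<EOF
$1
EOF
    [ -n "$CTX_TYPE" ]   # user:role:type are mandatory, the range is not
}

# Make the context of REF_CTX persistent for TARGET (semanage fcontext),
# then apply it with restorecon. A plain chcon would be transient and
# undone by the next restorecon -F, so it is deliberately not used here.
# semanage fcontext has --seuser/--type/--range but no --role: file
# contexts always get object_r, so the role is only sanity-checked.
label_like() {
    ref_ctx=$1 target=$2
    parse_context "$ref_ctx" || { echo "bad context: $ref_ctx" >&2; return 1; }
    [ "$CTX_ROLE" = object_r ] || { echo "unexpected role: $CTX_ROLE" >&2; return 1; }
    range_opt=${CTX_RANGE:+--range $CTX_RANGE}
    # --add fails when a rule for TARGET already exists; then use --modify
    run semanage fcontext --add --seuser "$CTX_USER" --type "$CTX_TYPE" $range_opt "$target" \
      || run semanage fcontext --modify --seuser "$CTX_USER" --type "$CTX_TYPE" $range_opt "$target"
    run restorecon -vF "$target"
}

# Verify afterwards: the label on disk must equal what the policy expects
# (stat -c %C prints the file's context, matchpathcon -n the policy's one).
check_label() {
    actual=$(stat -c %C -- "$1") && expect=$(matchpathcon -n "$1") && [ "$actual" = "$expect" ]
}

# Usage on a real system, e.g.:
#   DRY_RUN=0 label_like "$(stat -c %C FILE_WITH_RIGHT_CONTEXT)" /usr/lib/systemd/system/tomcat.service \
#     && check_label /usr/lib/systemd/system/tomcat.service
```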

