Editing SELinux

Latest revision Your text
Line 56: Line 56:
What "ll -Z" (resp. "ll --context") in addition to what "ll" usually displays, is called:
What "ll -Z" (resp. "ll --context") in addition to what "ll" usually displays, is called:
* a SELinux_USER_CONTEXT (unconfined_u) -> "semanage fcontext --modify --seuser"
* a SELinux_USER_CONTEXT (unconfined_u) -> "semanage fcontext --modify --seuser"
* a ROLE (object_r)
* a role (object_r)
* a TYPE_CONTEXT (user_home_t) -> "semanage fcontext --modify --type"
* a TYPE_CONTEXT (user_home_t) -> "semanage fcontext --modify --type"
* a level AKA RANGE (s0) -> "semanage fcontext "
* a level AKA RANGE (s0) -> "semanage fcontext "
CAVEAT: chcon does not work well with restorecon. restorecon effectively restores the old context.


<pre>
<pre>
root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT /usr/local/foo.txt
root@… $ chcon --no-dereference --user SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt
root@… $ chcon --no-dereference --user SELinux_USER_CONTEXT --role ROLE --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt
root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT --range RANGE /usr/local/foo.txt


root@… $ restorecon -vF /usr/local/foo.txt    # -v for ''verbose'', -F for ''force reset''
root@… $ restorecon -vF /usr/local/foo.txt    # -v for ''verbose'', -F for ''force reset''
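Review bot: the undo drops the line "CAVEAT: chcon does not work well with restorecon. restorecon effectively restores the old context.", and that is the part of this hunk worth keeping: chcon relabels only the inode, while restorecon -F (as used in the final line of the snippet) rewrites the user, role and range as well as the type from the policy's file_contexts, so a chcon-only change is undone by the very "restorecon -vF /usr/local/foo.txt" the snippet ends with. The persistent part is the semanage fcontext record, and of the two semanage lines shown only the "Your text" form with --seuser, --type and --range uses options that semanage fcontext accepts (-s/--seuser, -t/--type, -r/--range); it has no --role option, because file contexts always carry object_r, so the "--role ROLE" variant in the latest revision is rejected. Suggest keeping the CAVEAT sentence while taking the --range form of the semanage line, and replacing the "--add/--modify" shorthand with a note that -a is for a path with no local record yet and -m for changing an existing one (semanage refuses -a for a path that is already defined). It would also help to state that once the semanage record exists, restorecon alone applies it and the chcon step becomes redundant.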
Line 72: Line 70:


<pre>
<pre>
root@… $ semanage fcontext --add/--modify --seuser system_u --role object_ --type systemd_unit_file_t /usr/lib/systemd/system/tomcat.service
root@… $ chcon --no-dereference --user system_u --role object_r --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service
root@… $ chcon --no-dereference --user system_u --role object_r --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service
root@… $ semanage fcontext --add/--modify --seuser system_u --type systemd_unit_file_t --range s0 /usr/lib/systemd/system/tomcat.service


root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service
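Review bot: "--role object_" in the first semanage line of the latest revision is both truncated (object_r) and an option that semanage fcontext does not have, so the "Your text" line with "--seuser system_u --type systemd_unit_file_t --range s0" is the one that actually runs; keeping --role on the chcon lines is fine, since chcon does accept --role. Before adding a local record for /usr/lib/systemd/system/tomcat.service it is worth checking what the policy already assigns to that path with matchpathcon (or restorecon -nv), because unit files under /usr/lib/systemd/system are normally labelled systemd_unit_file_t by the default policy; a local record that merely repeats the default only adds a customisation that shows up in semanage fcontext -l -C, and if the default already matches, "restorecon -vF /usr/lib/systemd/system/tomcat.service" on its own is enough. The same --add/--modify ambiguity as in the previous hunk applies here.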