SELinux

• https://en.wikipedia.org/wiki/Security-Enhanced_Linux
• https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
• http://www.freekb.net/Article?id=1418 – SELinux - Change context of a file or directory (chcon restorecon semanage) !!!!!
• http://www.freekb.net/Article?id=1169 – SELinux - Determine context of a file or directory

• https://www.man7.org/linux/man-pages/man8/semanage.8.html
• https://www.man7.org/linux/man-pages/man8/semanage-fcontext.8.html
• https://www.man7.org/linux/man-pages/man8/restorecon.8.html

learning.oreilly.com :

• https://learning.oreilly.com/topics/selinux/
• https://learning.oreilly.com/library/view/selinux-system-administration/9781800201477/
• https://learning.oreilly.com/library/view/selinux-cookbook/9781783989669/

access.redhat.com :

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#selinux-states-and-modes_getting-started-with-selinux
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#changing-selinux-states-and-modes_using-selinux

So far my usual approach for getting the SELinux context of a file right is:

# find a file with the right context! ("FILE_WITH_RIGHT_CONTEXT")
$ ll -Z FILE_WITH_RIGHT_CONTEXT
# rename the file, whose context isn't right, to FILE- or so!
$ mv FILE FILE-
# …
$ cp --arch FILE_WITH_RIGHT_CONTEXT FILE
# …
cat FILE- > FILE
# …
$ rm FILE-
…

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files

What "ll -Z" in addition to what "ll" usually displays, is called:

• a SELinux_USER_CONTEXT (unconfined_u) -> --seuser
• a role (object_r)
• a TYPE_CONTEXT (user_home_t) -> --type
• a level (s0)

root@… $ semanage fcontext --add/--modify --seuser SELinux_USER_CONTEXT --type TYPE_CONTEXT /usr/local/foo.txt
root@… $ restorecon -vF /usr/local/foo.txt

So usually for a systemd service file you would execute these 2 command lines (derived from http://www.freekb.net/Article?id=1418):

root@… $ semanage fcontext --add/--modify --seuser system_u --type systemd_unit_file_t /usr/lib/systemd/system/tomcat.service
root@… $ restorecon -vF /usr/lib/systemd/system/tomcat.service     # -v for ''verbose'', -F for ''force reset''

More examples:

…