List And Identify Selinux File And Process Context

General Information

Viewing selinux contexts.

Three parts of a context label

• User ⇒ Ends in “_u” and is typically “system_u” on most directories. SELinux users are not the same as Linux users. (not covered on the RHCSA or RHCE exams).
• Role ⇒ Ends in “_r” and most are “object_r”. Advanced SELinux management can define specific SELinux users and what permissions they have as per their role. (not covered on the RHCSA or RHCE exams)
• Type ⇒ Ends in “_t”. There are many different context types and this part of SELinux IS covered on the RHCSA/RHCE exams.

List selinux context

ls -Z /var/www/
 
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

• Context type is “httpd_sys_content_t” for the “html” directory.

List all selinux contexts on system

semanage fcontext -l
semanage fcontext -l | grep httpd

Identify a process context

ps auxZ | grep httpd
 
system_u:system_r:httpd_t:s0    apache    1228  0.0  0.2 213228  2880 ?        S    23:32   0:00 /usr/sbin/httpd -DFOREGROUND

• “Z” - adds a column of security data to output

While not part of an objective, being able to do this could help you on the examine if you are not sure what SELinux context to apply.

To install application specific SELinux man pages…

• Check to see how many SELinux specific man pages are available

  man -k _selinux

  • If there are only a few, you need to install them.
• sepolicy is the command needed to install, check what provides that

  yum provides */sepolicy

• Install the required package

  yum install policycoreutils-devel

• Install the SELinux man pages

  sepolicy manpage -a -p /usr/share/man/man8

• Update the man database

  mandb

• Check to ensure the new pages exist

  man -k _selinux

Seinfo is a useful tool to discover available context types (among other things).

See what package provides it

yum provides /*seinfo

Install the package

yum install setools-console

View all the context types that are nfs related

seinfo -t | grep nfs