List And Identify SELinux File And Process Context
General Information
Viewing SELinux contexts.
About Context Labels
Three parts of a context label (on a targeted-policy system a fourth field, the MLS/MCS level such as “s0”, follows the type, which is why the examples below show four colon-separated fields)
- User ⇒ Ends in “_u”. Files owned by the system and system services are usually labeled “system_u”; files created from an unconfined login session carry “unconfined_u”. SELinux users are not the same as Linux users (not covered on the RHCSA or RHCE exams).
- Role ⇒ Ends in “_r”. Files and directories are almost always “object_r”; processes carry roles such as “system_r”. Advanced SELinux management can define SELinux users and which roles they are allowed to enter (not covered on the RHCSA or RHCE exams).
- Type ⇒ Ends in “_t”. The type is what the targeted policy actually uses to allow or deny access: a process type such as “httpd_t” may only read the file types the policy grants it, for example “httpd_sys_content_t”. There are many different context types and this part of SELinux IS covered on the RHCSA/RHCE exams.
Viewing Context Labels
List the SELinux context of files and directories
ls -Z /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
- Context type is “httpd_sys_content_t” for the “html” directory and “httpd_sys_script_exec_t” for the “cgi-bin” directory.
List all SELinux file context rules on the system (these are the labels the policy says paths should have, which is what restorecon applies; they are not necessarily the labels currently on disk)
semanage fcontext -l
semanage fcontext -l | grep httpd
Identify a process context
ps auxZ | grep httpd
system_u:system_r:httpd_t:s0 apache 1228 0.0 0.2 213228 2880 ? S 23:32 0:00 /usr/sbin/httpd -DFOREGROUND
- “Z” ⇒ adds a column of SELinux security context to the output; here the httpd process runs as type “httpd_t”.
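As an added example (not part of the original notes), the script below parses context labels out of constructed ls -Z and ps auxZ output using the user:role:type:level field order described above, and flags entries under a web root whose type is not an httpd_* type. That is the usual symptom after files are moved with mv from a home directory into /var/www: mv keeps the existing label, so the files arrive as user_home_t and httpd_t cannot read them. The sample output and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original notes. Parses SELinux context labels
# from constructed `ls -Z` / `ps auxZ` output and reports mislabeled web content.
# The ls parser assumes the five-column layout shown in the notes
# (perms owner group context name, as printed by older coreutils); newer
# coreutils print `context name` for plain `ls -Z`, so adjust the column numbers there.

# Constructed sample of `ls -Z /var/www/html` (not captured from a real host).
# about.html carries the label it had in a home directory before being mv'd.
SAMPLE_LS='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 about.html
drwxr-xr-x. root root system_u:object_r:httpd_sys_rw_content_t:s0 uploads'

# Constructed sample of `ps auxZ | grep httpd` (context is the first column).
SAMPLE_PS='system_u:system_r:httpd_t:s0 apache 1228 0.0 0.2 213228 2880 ? S 23:32 0:00 /usr/sbin/httpd -DFOREGROUND'

# ctx_field LABEL N -> field N of a context label (1=user, 2=role, 3=type, 4=level)
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# ctx_valid LABEL -> success if user/role/type carry the _u/_r/_t suffixes
ctx_valid() {
    case "$(ctx_field "$1" 1)" in *_u) ;; *) return 1 ;; esac
    case "$(ctx_field "$1" 2)" in *_r) ;; *) return 1 ;; esac
    case "$(ctx_field "$1" 3)" in *_t) ;; *) return 1 ;; esac
    return 0
}

# ls_type_of NAME LSOUTPUT -> SELinux type of entry NAME (column 4 is the context, column 5 the name)
ls_type_of() {
    printf '%s\n' "$2" | awk -v n="$1" '$5 == n { split($4, f, ":"); print f[3] }'
}

# ps_type_of LINE -> SELinux type of the process on a `ps auxZ` line
ps_type_of() {
    ctx_field "$(printf '%s\n' "$1" | awk '{print $1}')" 3
}

# mislabeled LSOUTPUT PREFIX -> names whose type does not begin with PREFIX
mislabeled() {
    printf '%s\n' "$1" | awk -v p="$2" '{ split($4, f, ":"); if (index(f[3], p) != 1) print $5 }'
}

main() {
    echo "httpd process runs as type: $(ps_type_of "$SAMPLE_PS")"
    echo "Entries under the web root whose type is not httpd_*:"
    mislabeled "$SAMPLE_LS" "httpd_"
}
main
```

On a live system the same functions work on real output: `mislabeled "$(ls -Z /var/www/html)" httpd_` lists the files to fix, and `restorecon -Rv /var/www/html` resets them to what `semanage fcontext -l` says they should be.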
Install SELinux Man Pages
While not part of an objective, being able to do this could help you on the exam if you are not sure which SELinux context to apply.
To install application specific SELinux man pages…
- Check to see how many SELinux specific man pages are available
man -k _selinux
- If there are only a few, you need to install them.
- sepolicy is the command that generates them; check which package provides it
yum provides */sepolicy
- Install the required package
yum install policycoreutils-devel
- Generate the SELinux man pages (-a = all installed domain types, -p = directory to write them to)
sepolicy manpage -a -p /usr/share/man/man8
- Update the man database
mandb
- Check to ensure the new pages exist
man -k _selinux
Install SEInfo Utility
Seinfo is a useful tool to discover available context types (among other things).
See what package provides it
yum provides */seinfo
Install the package
yum install setools-console
View all the context types that are nfs related
seinfo -t | grep nfs