
List And Identify Selinux File And Process Context

General Information

Viewing the SELinux contexts of files and processes.


Parts of a context label

A label such as system_u:object_r:httpd_sys_content_t:s0 has four colon-separated fields. The first three are the ones to know:

  • User ⇒ Ends in “_u” and is typically “system_u” on most files and directories. SELinux users are not the same as Linux users. (not covered on the RHCSA or RHCE exams)
  • Role ⇒ Ends in “_r”. Files and directories almost always carry “object_r”; processes carry a role such as “system_r”. Advanced SELinux management can define specific SELinux users and what permissions they have as per their role. (not covered on the RHCSA or RHCE exams)
  • Type ⇒ Ends in “_t”. There are many different context types, and this part of SELinux IS covered on the RHCSA/RHCE exams. On a file the type says what kind of content it is (httpd_sys_content_t); on a process it is the domain (httpd_t); the policy rules decide which domains may access which types.
  • Level ⇒ The fourth field (“s0”, or a range such as “s0-s0:c0.c1023”) is the MLS/MCS sensitivity level. With the default targeted policy it is s0 on ordinary files and only comes into play for MCS separation (sVirt, containers).

List SELinux file contexts

ls -Z /var/www/
 
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
  • Context type is “httpd_sys_content_t” for the “html” directory (content httpd may read) and “httpd_sys_script_exec_t” for “cgi-bin” (scripts httpd may execute).
  • “ls -lZ” shows the context next to the usual long-listing columns; “ls -dZ /var/www/html” shows the directory itself rather than its contents.


List the default file context rules defined by the policy

semanage fcontext -l
semanage fcontext -l | grep httpd
  • These are the rules restorecon applies when relabeling; they are not the labels currently on disk. “semanage fcontext -l -C” lists only the local rules added on this system.


Identify a process context

ps auxZ | grep httpd
 
system_u:system_r:httpd_t:s0    apache    1228  0.0  0.2 213228  2880 ?        S    23:32   0:00 /usr/sbin/httpd -DFOREGROUND
  • “Z” - adds a column with the SELinux context of each process; the type field (here httpd_t) is the process's domain.

While not part of an exam objective, being able to do this can help on the exam if you are not sure which SELinux context to apply: the domain name points you at the matching man page (httpd_t ⇒ httpd_selinux) and at the httpd_* file types that domain is allowed to use.
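The listing and process checks above, as an added example that is not part of the wiki page: a small POSIX shell script that splits a context label into its fields, resolves the default type a path should carry from “semanage fcontext -l” style rules (last matching regex wins, as libselinux does), reports files whose type differs, and lists the PIDs running in a domain. It runs on constructed sample lines so no SELinux host is needed; the file names, PIDs, the uploads rule and the two mislabeled entries are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the wiki. Splits context labels as printed by
# ls -Z and ps auxZ, resolves the default context a path should carry from
# "semanage fcontext -l" style lines, and flags entries whose type differs.
# Everything runs on the constructed samples below, so no SELinux host is
# needed; file names, PIDs and the mislabeled entries are assumptions.

# Print one field (user, role, type or level) of "user:role:type:level". The
# level is the fourth part that the three-part description above leaves out,
# and it may contain ':' itself (s0-s0:c0.c1023), so split from the left only.
ctx_field() {
    ctx=$1
    want=$2
    case $ctx in
        *:*:*:*) ;;
        *) return 1 ;;            # not a label, e.g. the "LABEL" ps header
    esac
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; level=${rest#*:}
    case $want in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *)     return 1 ;;
    esac
}

# Naming convention check: user ends in _u, role in _r, type in _t.
ctx_valid() {
    case $(ctx_field "$1" user) in *_u) ;; *) return 1 ;; esac
    case $(ctx_field "$1" role) in *_r) ;; *) return 1 ;; esac
    case $(ctx_field "$1" type) in *_t) ;; *) return 1 ;; esac
    return 0
}

# Constructed excerpt in "semanage fcontext -l" layout (regex, file type,
# context); the last line stands in for a local rule added with semanage
# fcontext -a. On a real host, fill this from "semanage fcontext -l".
FCONTEXT_LIST='/root(/.*)?                   all files  system_u:object_r:admin_home_t:s0
/var/www(/.*)?                all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?        all files  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/uploads(/.*)?   all files  system_u:object_r:httpd_sys_rw_content_t:s0'

# Default type for a path: match every regex anchored at both ends and keep
# the last hit, as libselinux does for file_contexts (which is why local
# rules, appended after the policy's own, win). Prints nothing on no match.
expected_type() {
    printf '%s\n' "$FCONTEXT_LIST" | while read -r regex rest; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$1" | grep -Eq "^${regex}\$"; then
            ctx_field "${rest##* }" type
        fi
    done | tail -n 1
}

# Read "ls -Z" style lines for directory $1 on stdin and print
# "<name> <actual type> <expected type>" where the two differ. On a real
# host "restorecon -nv DIR" reports the same, and without -n fixes it.
find_mislabeled() {
    while read -r _perms _owner _group ctx name; do
        [ -n "$name" ] || continue
        actual=$(ctx_field "$ctx" type) || continue
        expected=$(expected_type "$1/$name")
        if [ -n "$expected" ] && [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$actual" "$expected"
        fi
    done
    return 0
}

# Read "ps auxZ" style lines on stdin and print the PIDs running in domain $1.
pids_in_domain() {
    while read -r ctx _user pid _rest; do
        if [ "$(ctx_field "$ctx" type)" = "$1" ]; then
            printf '%s\n' "$pid"
        fi
    done
    return 0
}

# Constructed "ls -Z /var/www/html": app.php was moved in from /root (mv keeps
# the old label) and uploads was never relabeled after the local rule.
SAMPLE_LS='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 app.php
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 uploads'

# Constructed "ps auxZ" output; the first httpd line is the one shown above.
SAMPLE_PS='LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:httpd_t:s0    apache    1228  0.0  0.2 213228  2880 ?        S    23:32   0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0    apache    1229  0.0  0.2 213228  2880 ?        S    23:32   0:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1400 0.0 0.0 116000 3200 pts/0 S 23:40 0:00 -bash'

printf '%s\n' "$SAMPLE_LS" | find_mislabeled /var/www/html
printf '%s\n' "$SAMPLE_PS" | pids_in_domain httpd_t
```

On a real host the same functions work on live data: “ls -Z /var/www/html | find_mislabeled /var/www/html” with FCONTEXT_LIST filled from “semanage fcontext -l”, and “ps auxZ | pids_in_domain httpd_t”. The two mismatches the sample reports (a file carrying admin_home_t because it was moved rather than copied, and a directory still labeled httpd_sys_content_t after a local rule was added) are exactly the cases restorecon -Rv /var/www/html would fix.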


To install application specific SELinux man pages…

  • Check to see how many SELinux specific man pages are available
    man -k _selinux
    • If there are only a few, you need to install them.
  • sepolicy is the command needed to install, check what provides that
    yum provides */sepolicy
  • Install the required package
    yum install policycoreutils-devel
  • Install the SELinux man pages
    sepolicy manpage -a -p /usr/share/man/man8
  • Update the man database
    mandb
  • Check to ensure the new pages exist
    man -k _selinux
  • The pages are named after the domain without its “_t”, e.g. “man httpd_selinux” describes the file types and booleans that apply to httpd_t.
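The steps above gathered into one script that is safe to re-run, as an added example that is not from the wiki: it counts the _selinux pages apropos knows about, installs and generates them only when few are present, and maps a domain seen in “ps auxZ” to its page name. The threshold of 10 pages is an assumption standing in for the wiki's “only a few”; the install commands are the wiki's own (with -y so yum does not prompt) and must run as root on a RHEL/CentOS host.

```shell
#!/bin/sh
# Added example, not code from the wiki: the man page steps above as one script
# that is safe to re-run. The threshold of 10 pages is an assumption standing
# in for "only a few"; the install commands are the wiki's (with -y so yum does
# not prompt) and must run as root on a RHEL/CentOS host.

# Number of *_selinux man pages apropos knows about (0 if man is not installed).
selinux_manpage_count() {
    man -k _selinux 2>/dev/null | grep -c '_selinux' || true
}

# True when fewer than $2 (default 10) pages are present.
needs_selinux_manpages() {
    [ "$1" -lt "${2:-10}" ]
}

# sepolicy names each page after the domain without its _t suffix, so the page
# for a process seen as httpd_t in "ps auxZ" is httpd_selinux(8).
selinux_manpage_for_domain() {
    printf '%s_selinux\n' "${1%_t}"
}

install_selinux_manpages() {
    yum -y install policycoreutils-devel        # provides sepolicy
    sepolicy manpage -a -p /usr/share/man/man8  # generate the pages
    mandb                                       # refresh the man index
}

ensure_selinux_manpages() {
    n=$(selinux_manpage_count)
    if needs_selinux_manpages "$n" 10; then
        install_selinux_manpages
        n=$(selinux_manpage_count)
    fi
    printf '%s _selinux man pages available\n' "$n"
}

# Only touch the system when asked, so the file can be sourced for its functions.
if [ "${1:-}" = --install ]; then
    ensure_selinux_manpages
fi
```

Run it as “sh selinux-manpages.sh --install” (hypothetical file name) on the host; without the flag it only defines the functions, so “selinux_manpage_for_domain httpd_t” can be used on its own to find which page to read.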

seinfo (from the setools package) is a useful tool to discover the types the loaded policy defines (among other things).


See what package provides it

yum provides */seinfo


Install the package

yum install setools-console


View all the context types that are NFS related

seinfo -t | grep nfs

Last modified: 2019/05/25 23:50