====== List And Identify SELinux File And Process Context ======

**General Information**

Viewing SELinux contexts.

----

===== About Context Labels =====

A context label has three parts:
  * **User** => Ends in "_u" and is typically "system_u" on most directories. SELinux users are not the same as Linux users. (**not covered** on the RHCSA or RHCE exams)
  * **Role** => Ends in "_r" and most are "object_r". Advanced SELinux management can define specific SELinux users and what permissions they have as per their role. (**not covered** on the RHCSA or RHCE exams)
  * **Type** => Ends in "_t". There are many different context types and this part of SELinux **IS covered** on the RHCSA/RHCE exams.

----

===== Viewing Context Labels =====

List the SELinux context of files
<code bash>
ls -Z /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
</code>
  * Context type is "httpd_sys_content_t" for the "html" directory.

\\
List all SELinux file context definitions on the system
<code bash>
semanage fcontext -l
semanage fcontext -l | grep httpd
</code>

\\
Identify a process context
<code bash>
ps auxZ | grep httpd
system_u:system_r:httpd_t:s0    apache    1228  0.0  0.2 213228  2880 ?        S    23:32   0:00 /usr/sbin/httpd -DFOREGROUND
</code>
  * "Z" - adds a column of security data to output

----

===== Install SELinux Man Pages =====

While not part of an objective, being able to do this could help you on the exam if you are not sure what SELinux context to apply.

\\
To install application specific SELinux man pages...
  * Check to see how many SELinux specific man pages are available<code bash>man -k _selinux</code>
  * If there are only a few, you need to install them.
  * sepolicy is the command needed to install them; check which package provides it<code bash>yum provides */sepolicy</code>
  * Install the required package<code bash>yum install policycoreutils-devel</code>
  * Install the SELinux man pages<code bash>sepolicy manpage -a -p /usr/share/man/man8</code>
  * Update the man database<code bash>mandb</code>
  * Check to ensure the new pages exist<code bash>man -k _selinux</code>

----

===== Install SEInfo Utility =====

Seinfo is a useful tool to discover available context types (among other things).

\\
See what package provides it<code bash>yum provides /*seinfo</code>

\\
Install the package<code bash>yum install setools-console</code>

\\
View all the context types that are nfs related<code bash>seinfo -t | grep nfs</code>

----

linux_wiki/list_and_identify_selinux_file_and_process_context.txt Last modified: 2019/05/25 23:50 (external edit)
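
Added example, not part of the original wiki page: POSIX shell functions that pick the context label out of ''ls -Z'' / ''ps auxZ'' lines like those under Viewing Context Labels and split it into the parts described under About Context Labels, plus the trailing level field (the ''s0'' in the output above). The function names and the third sample line, which carries an MCS range, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original wiki page): split SELinux context labels
# found in `ls -Z` / `ps auxZ` output into user, role, type and level.

# Print the first whitespace-separated field holding at least three colons
# (user:role:type:level). Times such as 23:32 have one colon and are skipped.
find_context() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            t = $i
            if (gsub(/:/, "", t) >= 3) { print $i; found = 1; exit }
        }
    }
    END { exit !found }'
}

# ctx_part LABEL user|role|type|level
# The level is everything after the third colon, because an MLS/MCS range
# such as s0-s0:c0.c1023 contains a colon itself (so `cut -d: -f4` truncates it).
ctx_part() (
    label=$1
    case $label in *:*:*:*) ;; *) exit 1 ;; esac
    user=${label%%:*}; rest=${label#*:}
    role=${rest%%:*};  rest=${rest#*:}
    type=${rest%%:*};  level=${rest#*:}
    case $2 in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        level) printf '%s\n' "$level" ;;
        *)     exit 2 ;;
    esac
)

# Type of the context found in one line of ls -Z or ps auxZ output.
type_of_line() {
    ctx=$(find_context "$1") || return 1
    ctx_part "$ctx" type
}

# Sample lines: the first two are from the page, the third is constructed.
LS_LINE='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html'
PS_LINE='system_u:system_r:httpd_t:s0 apache 1228 0.0 0.2 213228 2880 ? S 23:32 0:00 /usr/sbin/httpd -DFOREGROUND'
MCS_LINE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2001 0.0 0.1 115440 2044 pts/0 Ss 23:40 0:00 -bash'

for line in "$LS_LINE" "$PS_LINE" "$MCS_LINE"; do
    ctx=$(find_context "$line")
    echo "$(ctx_part "$ctx" type) (role $(ctx_part "$ctx" role), level $(ctx_part "$ctx" level))"
done
```

Matching on the number of colons rather than on column position keeps the functions working when the context column appears in a different position in the ''ls -Z'' or ''ps'' output.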