List and Identify SELinux File and Process Context
General Information
Three parts of a context label
- User ⇒ Ends in “_u” and is typically “system_u” on most directories. SELinux users are not the same as Linux users. (Not covered on the RHCSA or RHCE exams.)
- Role ⇒ Ends in “_r”; most are “object_r”. Advanced SELinux management can define specific SELinux users and the permissions they have according to their role. (Not covered on the RHCSA or RHCE exams.)
- Type ⇒ Ends in “_t”. There are many different context types, and this part of SELinux IS covered on the RHCSA/RHCE exams.
List SELinux context
ls -Z /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
- Context type is “httpd_sys_content_t” for the “html” directory.
List all SELinux contexts on system
semanage fcontext -l
semanage fcontext -l | grep httpd
Identify a process context
ps auxZ | grep httpd
system_u:system_r:httpd_t:s0 apache 1228 0.0 0.2 213228 2880 ? S 23:32 0:00 /usr/sbin/httpd -DFOREGROUND
- “Z” adds a column of security data (the SELinux context) to the output.
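The following is an added example, not part of the original page: a small POSIX shell helper that pulls the label out of `ls -Z` or `ps auxZ` output lines and splits it into user, role, type and level, so a script can check that a file or process carries the expected type. The function names and the last sample line are assumptions made for illustration; the other sample lines are the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original page): split SELinux labels found in
# `ls -Z` / `ps auxZ` output into user, role, type and level.

# Print the first field of LINE shaped like user:role_r:type_t[:level].
# Relies on the _r/_t suffix convention described above. Runs in a subshell
# with globbing off so the "?" TTY column of ps is not expanded.
find_label() (
    set -f
    for field in $1; do
        case $field in
            *:*_r:*_t|*:*_r:*_t:*) printf '%s\n' "$field"; exit 0 ;;
        esac
    done
    exit 1
)

label_user() { printf '%s\n' "${1%%:*}"; }
label_role() { r=${1#*:}; printf '%s\n' "${r%%:*}"; }
label_type() { r=${1#*:}; r=${r#*:}; printf '%s\n' "${r%%:*}"; }
# The level keeps any further colons (MCS categories such as s0:c0.c1023),
# which a plain `cut -d: -f4` would truncate.
label_level() {
    r=${1#*:}; r=${r#*:}
    case $r in *:*) printf '%s\n' "${r#*:}" ;; *) printf '\n' ;; esac
}

# has_type LINE TYPE: succeed only if LINE carries a label of exactly TYPE.
has_type() {
    l=$(find_label "$1") || return 1
    [ "$(label_type "$l")" = "$2" ]
}

# Sample lines: the first three are the outputs shown on this page, the
# last is constructed to show a level with MCS categories.
LS_CGI='drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin'
LS_HTML='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html'
PS_HTTPD='system_u:system_r:httpd_t:s0 apache 1228 0.0 0.2 213228 2880 ? S 23:32 0:00 /usr/sbin/httpd -DFOREGROUND'
PS_MCS='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2001 0.0 0.1 11500 900 pts/0 R+ 23:40 0:00 ps auxZ'

for line in "$LS_CGI" "$LS_HTML" "$PS_HTTPD" "$PS_MCS"; do
    l=$(find_label "$line") || continue
    printf 'user=%s role=%s type=%s level=%s\n' \
        "$(label_user "$l")" "$(label_role "$l")" "$(label_type "$l")" "$(label_level "$l")"
done
```

On a live system the same functions can be fed real output, for example `has_type "$(ls -dZ /var/www/html)" httpd_sys_content_t`.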