How to determine the SELinux context of a file or directory


The ls -Z command can be used to view the SELinux context of a file or directory. In this example, the SELinux context of sample.file is displayed.

[root@server1 ~]# ls -Z sample.file
-rw-r--r--. root root unconfined_u:object_r:usr_t:s0  sample.file


The SELinux context has 4 parts.

SELinux user : role : type : level


In this example, the SELinux user of sample.file is unconfined_u, the role is object_r, the type is usr_t, and the level is s0.

It is noteworthy that there is a relationship between the SELinux user and the normal Linux user account. The semanage command can be used to see the mapping. In this example, the Linux user john.doe is mapped to the SELinux user unconfined_u.

~]# semanage login -l
Login name  SELinux user
john.doe    unconfined_u



Create new directory

When a new directory is created, the default SELinux context of the directory is determined by the rules in the /etc/selinux/targeted/contexts/files/file_contexts file. For example, when the /home/JohnDoe/.ssh directory is created, the directory will have type ssh_home_t.

~]# mkdir /home/JohnDoe/.ssh
~]# ls -Z /home/JohnDoe
drwxrwxr-x. JohnDoe JohnDoe unconfined_u:object_r:ssh_home_t:s0 .ssh


The context of the .ssh directory is ssh_home_t because the /etc/selinux/targeted/contexts/files/file_contexts.homedirs file contains the following rule, which sets the .ssh directory (and anything below it) to ssh_home_t.

/home/[^/]+/\.ssh(/.*)? unconfined_u:object_r:ssh_home_t:s0



Create new file

When a new file is created, the file will inherit the SELinux type of the parent directory. For example, if the /srv/samba/share directory has type samba_share_t, files created in the /srv/samba/share directory will also have type samba_share_t.


Copy or move file

Problems can occur when copying or moving files. For example, a file created in the /etc directory will probably have type etc_t. If the file is copied or moved to /srv/samba/share, the file may retain type etc_t. SELinux will detect that the file does not have the appropriate type for Samba, and when Samba attempts to access the file, an error will be displayed. There are a few ways to address this challenge.
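The mismatch described above can be found before Samba trips over it by comparing a file's actual context with the context the file_contexts rules say it should have. The script below is an added example, not code from the page or from any SELinux project: it evaluates a small constructed set of file_contexts-style rules (last matching rule wins, as the policy tools do), extracts the type field, and reports files whose type differs from what the policy expects, which is exactly what restorecon would relabel.

```shell
#!/bin/sh
# Added example (not from the page or any SELinux project): resolve the context a
# path *should* have from file_contexts-style rules, then compare it with the
# context the file actually carries. As with the policy tools, the last matching
# rule wins. The rule set below is constructed for the demo, not a real policy.
RULES='/.*                                  system_u:object_r:default_t:s0
/etc(/.*)?                                  system_u:object_r:etc_t:s0
/srv/samba/share(/.*)?                      system_u:object_r:samba_share_t:s0
/home/[^/]+/\.ssh(/.*)?                     unconfined_u:object_r:ssh_home_t:s0
/home/[^/]+/\.ssh/authorized_keys   --      unconfined_u:object_r:ssh_home_t:s0'

# expected_context PATH: print the context of the last rule whose (implicitly
# anchored) regex matches PATH; print nothing when no rule matches.
expected_context() {
    path="$1"; found=""
    # Rules may have 2 or 3 columns (column 2 can be a file-type flag such as
    # -d or --); awk normalises them to "regex context".
    while read -r regex ctx; do
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            found="$ctx"      # keep scanning: a later match overrides
        fi
    done <<EOF
$(printf '%s\n' "$RULES" | awk 'NF >= 2 { print $1, $NF }')
EOF
    printf '%s\n' "$found"
}

# context_type CONTEXT: the third field of user:role:TYPE:level.
context_type() { printf '%s' "$1" | cut -d: -f3; }

# check_label PATH ACTUAL_CONTEXT: return 0 when the file's type matches what
# the policy expects, 1 otherwise (the state left by "mv /etc/x /srv/samba/share/").
check_label() {
    path="$1"; have=$(context_type "$2"); want=$(context_type "$(expected_context "$path")")
    if [ -n "$want" ] && [ "$have" = "$want" ]; then
        echo "ok        $path ($have)"
        return 0
    fi
    echo "MISMATCH  $path has type '$have', policy expects '$want' (restorecon -v '$path' would relabel it)"
    return 1
}

# Demo: a freshly created .ssh directory vs. a config file moved into the Samba share.
check_label /home/JohnDoe/.ssh        unconfined_u:object_r:ssh_home_t:s0
check_label /srv/samba/share/smb.conf unconfined_u:object_r:etc_t:s0 || true
```

On a real system the second argument would come from ls -Z (or stat -c %C) and the rules from the policy's own file_contexts files; matchpathcon and restorecon -n -v perform this comparison against the installed policy.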


Confined / Targeted

When the /etc/selinux/config file has the following settings, SELinux will check a file's context and then allow or deny the access based on that context.

SELINUX=enforcing
SELINUXTYPE=targeted


Nearly every network service, such as HTTP and SSH, is confined by SELinux. Similarly, many of the commands in the sbin directory are confined by SELinux.

When SELinux is enforcing and targeted, certain files will need a certain SELinux type. For example, if index.html has type unconfined_u, the web server should not be able to send the index.html file to the client, and the web browser should display some error, such as page not found. On the other hand, if index.html has type httpd_sys_content_t, the web server should be able to send index.html to the client.

When using SELinux, it is important to ensure files have an appropriate context.


