The ls -Z command can be used to view the SELinux context of a file or directory. In this example, the SELinux context of sample.file is displayed.
[root@server1 ~]# ls -Z sample.file -rw-r--r--. root root unconfined_u:object_r:usr_t:s0 sample.file
The Selinux context has 4 parts.
SELinux user : role : type : level
In this example, sample.file SELinux user is unconfined_u, role is object_r, type is usr_t, and level is s0.
It is noteworthy that there is a relationship between the SELinux user and the normal Linux user account. The semanage command can be used to see the mapping. In the example, user John Doe is mapped to unconfined_u.
~]# semanage login -l Login name SELinux user john.doe unconfined_u
Create new directory
When a new directory is created, the default SELinux context of the directory is determined by the rules of the /etc/selinux/targeted/contexts/files/file_contexts files. For example, when the /home/JohnDoe/.ssh directory is created, the directory will have ssh_home_t context.
~]# mkdir /home/JohnDoe/.ssh ~]# ls -Z /home/JohnDoe drwxrwxr-x. JohnDoe JohnDoe unconfined_u:object_r:ssh_home_t:s0 .ssh
The context of the .ssh directory is ssh_home_t because the /etc/selinux/targeted/contexts/files/file_contexts.homedirs file contain the following rule, which sets the .ssh directory to ssh_home_t.
Create new file
When a new file is created, the file will inherit the SELinux type of the parent directory. For example, if the /srv/samba/share directory has type samba_share_t, files created in the /srv/samba/share directory will also have type samba_share_t.
Copy or move file
Problems can occur when copying or moving files. For example, a file created in the /etc directory will probably have type etc_t. If the file is copied or moved to /srv/samba/share, the file may retain type etc_t. SELinux will detect that the file does not have the appropriate type for Samba. When attempting to interact with the file, some error will be displayed. There are a few ways to address this challenge.
Confined / Targeted
When the /etc/selinux/config file has the following, SELinux will check a files context, and then do something based on the context.
Nearly every network service, such as HTTP and SSH, are confined by SELinux. Similarly, many of the commands in the sbin directory are confined by SELinux.
When SELinux is enforcing and targeted, certain files will need a certain SELinux type. For example, if index.html has type unconfined_u, the web server should not be able to send the index.html file to the client, and the web browser should display some error, such as page not found. On the other hand, if index.html has type httpd_sys_content_u, the web browser should be able to send index.html to the client.
When using SELinux, it is important to ensure files have an appropriate context.