FreeKB - SELinux Determine context of a file or directory
SELinux - Determine context of a file or directory

The ls -Z command can be used to view the SELinux context of a file or directory. In this example, the SELinux context of files in the /var/www/html directory are displayed. The SELinux context of index.php is unconfined_u:object_r:httpd_sys_content_t:s0. 

~]# ls -Z /var/www/html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0  index.php


The Selinux context has 4 parts - SELinux user : role : type : level. Following is the context of index.php in this example.


Confined / Targeted

When SELinux is enforcing and targeted, SELinux will check a files context, and then do something based on the context. The sestatus command can be used to determine if SELinux is enforcing and targeted.

~]# sestatus
Loaded policy name: targeted
Current mode:       enforcing


Nearly every network service, such as HTTP and SSH, are confined by SELinux. Similarly, many of the commands in the sbin directory are confined by SELinux.

When SELinux is enforcing and targeted, certain files will need a certain SELinux type. For example, if index.php does not have type httpd_sys_content_t, the web server should not be able to send the index.php file to the client, and the web browser should display some error, such as page not found. On the other hand, if index.php has type httpd_sys_content_u, the web browser should be able to send index.php to the client.

When using SELinux, it is important to ensure files have an appropriate context. 


SELinux user

It is noteworthy that there is a relationship between the SELinux user and the normal Linux user account.  The semanage command can be used to see the mapping.  In the example, user John Doe is mapped to unconfined_u.

~]# semanage login -l
Login name  SELinux user
john.doe    unconfined_u


Create new directory

When a new directory is created, the default SELinux context of the directory is determined by the rules of the /etc/selinux/targeted/contexts/files/file_contexts files. For example, when the /home/JohnDoe/.ssh directory is created, the directory will have ssh_home_t context.

~]# mkdir /home/JohnDoe/.ssh
~]# ls -Z /home/JohnDoe
drwxrwxr-x. JohnDoe JohnDoe unconfined_u:object_r:ssh_home_t:s0 .ssh


The context of the .ssh directory is ssh_home_t because the /etc/selinux/targeted/contexts/files/file_contexts.homedirs file contain the following rule, which sets the .ssh directory to ssh_home_t.

/home/[^/]+/\.ssh(/.*)? unconfined_t:object_r:ssh_home_t:s0


Create new file

When a new file is created, the file will inherit the SELinux type of the parent directory. For example, if the /srv/samba/share directory has type samba_share_t, files created in the /srv/samba/share directory will also have type samba_share_t.

Copy or move file

Problems can occur when copying or moving files. For example, a file created in the /etc directory will probably have type etc_t. If the file is copied or moved to /srv/samba/share, the file may retain type etc_t. SELinux will detect that the file does not have the appropriate type for Samba. When attempting to interact with the file, some error will be displayed. There are a few ways to address this challenge.


Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter 88966 in the box below so that we can be sure you are a human.


Web design by yours truely - me, myself, and I   |   |