How to determine the SELinux context of a process

Home > Search > How-to
  by

The ps command with the -eZ option can be used to determine the SELinux context of a process. In this example, the process of the passwd command runs in the passwd_t domain. 

~]# ps -eZ
unconfined_u:unconfined_r:passwd_t:s0 pts/1 00:00:00 passwd

 

The Selinux context has 4 parts.

SELinux user : role : type : level

 

In this example, sample.file SELinux user is unconfined_u, role is object_r, type is passwd_t, and level is s0.

It is noteworthy that there is a relationship between the SELinux user and the normal Linux user account.  The semanage command can be used to see the mapping.  In the example, user John Doe is mapped to unconfined_u.

~]# semanage login -l
Login name  SELinux user
john.doe    unconfined_u

 


Confined / Targeted

When the /etc/selinux/config file has the following, SELinux will check a process context, and then do something based on the context.

SELINUX=enforcing
SELINUXTYPE=targeted

 

Nearly every network service, such as HTTP and SSH, are confined by SELinux. Similarly, many of the commands in the sbin directory are confined by SELinux.

When SELinux is enforcing and targeted, certain files will need a certain SELinux type. For example, if index.html has type unconfined_u, the web server should not be able to send the index.html file to the client, and the web browser should display some error, such as page not found. On the other hand, if index.html has type httpd_sys_content_u, the web browser should be able to send index.html to the client.

When using SELinux, it is important to ensure files have an appropriate context. 



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter in the box below so that we can be sure you are a human.




Comments