FreeKB - SELinux Determine context of a process
SELinux - Determine context of a process

The ps command with the -eZ option displays the SELinux context of every process. In this example, the passwd command runs in the passwd_t domain (the type field of its context).

~]# ps -eZ
unconfined_u:unconfined_r:passwd_t:s0 pts/1 00:00:00 passwd


The SELinux context has 4 parts.

SELinux user : role : type : level


In the ps output above, the SELinux user is unconfined_u, the role is unconfined_r, the type is passwd_t, and the level is s0.

It is noteworthy that there is a relationship between the SELinux user and the normal Linux user account: each Linux login is mapped to an SELinux user. The semanage command can be used to see the mapping. In the example, the login john.doe is mapped to unconfined_u.

~]# semanage login -l
Login name  SELinux user
john.doe    unconfined_u


Confined / Targeted

When the /etc/selinux/config file has the following settings, SELinux checks the context of each process and allows or denies the process's actions based on that context.



Nearly every network service, such as HTTP and SSH, is confined by SELinux. Similarly, many of the commands in the sbin directory are confined by SELinux.

When SELinux is enforcing and targeted, certain files will need a certain SELinux type. For example, if index.html has a type that the web server is not allowed to read, the web server should not be able to send the index.html file to the client, and the web browser should display some error, such as page not found. On the other hand, if index.html has the httpd_sys_content_t type, the web server should be able to send index.html to the client.

When using SELinux, it is important to ensure files have an appropriate context. 
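The following shell script is an added example, not part of the original FreeKB page: it splits a context string into the four fields described above (user, role, type, level), looks up the domain a command runs in from ps -eZ style output, and checks whether a file's type is one the targeted policy lets the web server serve. The ps lines it parses are constructed samples; on a real host you would pipe in the output of ps -eZ (for processes) or ls -Z (for files) instead.

```shell
#!/bin/sh
# Added example (not from the FreeKB page). Parses SELinux contexts and
# answers two questions from the article: which domain does a command run in,
# and does a file carry a type the web server is allowed to serve?

# Constructed sample in the shape of `ps -eZ` output: label, tty, time, command.
SAMPLE_PS='unconfined_u:unconfined_r:passwd_t:s0 pts/1 00:00:00 passwd
system_u:system_r:httpd_t:s0 ? 00:00:01 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 ? 00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pts/1 00:00:00 bash'

# context_field CONTEXT N -> prints field N (1=user 2=role 3=type 4=level).
# The level may itself contain colons (s0-s0:c0.c1023), so only the first
# three colons are treated as separators.
context_field() {
    ctx=$1; n=$2
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}; level=${rest#*:}
    case $n in
        1) printf '%s\n' "$user" ;;
        2) printf '%s\n' "$role" ;;
        3) printf '%s\n' "$type" ;;
        4) printf '%s\n' "$level" ;;
        *) return 1 ;;
    esac
}

# process_domain PS_OUTPUT COMMAND -> prints the type (domain) of the first
# process whose command name is COMMAND; returns 1 if no such process exists.
process_domain() {
    ps_out=$1; cmd=$2
    found=$(printf '%s\n' "$ps_out" | while read -r ctx _tty _time name; do
        [ "$name" = "$cmd" ] && { context_field "$ctx" 3; break; }
    done)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# is_confined TYPE -> 0 for a confined domain, 1 for unconfined_t (the domain
# an unconfined user's shell runs in under the targeted policy).
is_confined() {
    [ "$1" != unconfined_t ]
}

# httpd_can_serve FILE_CONTEXT -> 0 when the file's type is one of the
# httpd content types the targeted policy lets the web server read.
httpd_can_serve() {
    case $(context_field "$1" 3) in
        httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# report PS_OUTPUT -> one line per process: command, domain, confined or not.
report() {
    printf '%s\n' "$1" | while read -r ctx _tty _time name; do
        dom=$(context_field "$ctx" 3)
        if is_confined "$dom"; then state=confined; else state=unconfined; fi
        printf '%-8s %-14s %s\n' "$name" "$dom" "$state"
    done
}

report "$SAMPLE_PS"
# Constructed file contexts: the first is what a file under /var/www/html
# normally carries, the second is a file copied from a user's home directory.
httpd_can_serve 'unconfined_u:object_r:httpd_sys_content_t:s0' && echo 'index.html: served'
httpd_can_serve 'unconfined_u:object_r:user_home_t:s0' || echo 'index.html: denied'
```

To use it against a live system, replace SAMPLE_PS with `$(ps -eZ)` and pass the label column of `ls -Z /var/www/html/index.html` to httpd_can_serve. A denied result is the cue to relabel the file (for example with restorecon) rather than to loosen policy.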
