The ps command with the -eZ option can be used to determine the SELinux context of a process. In this example, the process of the passwd command runs in the passwd_t domain.
~]# ps -eZ
unconfined_u:unconfined_r:passwd_t:s0 pts/1 00:00:00 passwd
An SELinux context has four parts, separated by colons:
SELinux user : role : type : level
In the ps example above, the passwd process's SELinux user is unconfined_u, its role is unconfined_r, its type (the domain) is passwd_t, and its level is s0.
It is noteworthy that there is a relationship between the SELinux user and the normal Linux user account. The semanage command can be used to see the mapping. In the example, user John Doe is mapped to unconfined_u.
~]# semanage login -l
Login name SELinux user
john.doe unconfined_u
Confined / Targeted
When the /etc/selinux/config file contains the following, SELinux checks the context of each process against the context of the objects it tries to access, and allows or denies the access according to the loaded policy.
SELINUX=enforcing
SELINUXTYPE=targeted
Nearly every network service, such as HTTP and SSH, is confined by SELinux. Similarly, many of the commands in the sbin directory are confined by SELinux.
When SELinux is enforcing and targeted, certain files need a certain SELinux type. For example, if index.html is labeled with a type that the web server's domain is not permitted to read, the web server cannot send index.html to the client, and the browser displays an error such as page not found. On the other hand, if index.html has the type httpd_sys_content_t, the web server is able to send index.html to the client.
When using SELinux, it is important to ensure files have an appropriate context.
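The following script is an added example, not code from the original article. It splits a context string into the four fields described above and then audits a list of web content files for the expected type. It uses only POSIX sh builtins, so it runs on any system, and the file list it checks is a constructed sample in the "path context" form that stat -c '%n %C' prints on a real SELinux host. One point the example handles that a naive split on ':' gets wrong: the level field may itself contain colons (for example s0-s0:c0.c1023), so everything after the third colon must be kept as the level.

```shell
#!/bin/sh
# Added example (not part of the original article): parse SELinux contexts
# and audit file labels. Uses only POSIX sh, so it runs without SELinux.

# ctx_field CONTEXT N -> prints field N (1=user, 2=role, 3=type, 4=level).
# Returns 1 if CONTEXT does not have at least user:role:type.
ctx_field() {
    ctx=$1
    case $ctx in
        *:*:*) ;;
        *) return 1 ;;
    esac
    c_user=${ctx%%:*};  rest=${ctx#*:}
    c_role=${rest%%:*}; rest=${rest#*:}
    c_type=${rest%%:*}
    # The level may contain ':' itself (s0:c0.c1023), so keep the remainder whole.
    case $rest in
        *:*) c_level=${rest#*:} ;;
        *)   c_level= ;;
    esac
    case $2 in
        1) printf '%s\n' "$c_user" ;;
        2) printf '%s\n' "$c_role" ;;
        3) printf '%s\n' "$c_type" ;;
        4) printf '%s\n' "$c_level" ;;
        *) return 1 ;;
    esac
}

# Constructed sample, not output from a real system. Each line is
# "path context", the form `stat -c '%n %C' FILE` prints on an SELinux host.
SAMPLE_LABELS='/var/www/html/index.html system_u:object_r:httpd_sys_content_t:s0
/var/www/html/about.html unconfined_u:object_r:user_home_t:s0
/var/www/html/secure/admin.html system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023
/var/www/html/upload/notes.txt unconfined_u:object_r:admin_home_t:s0'

# audit_web_labels EXPECTED_TYPE [LINES] -> prints every file whose type is
# not EXPECTED_TYPE and returns the number of such files (0 = all good).
audit_web_labels() {
    expected=$1
    lines=${2:-$SAMPLE_LABELS}
    bad=0
    while read -r path ctx; do
        [ -n "$path" ] || continue
        if ! actual=$(ctx_field "$ctx" 3); then
            printf 'UNPARSEABLE %s %s\n' "$path" "$ctx"
            bad=$((bad + 1))
            continue
        fi
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s type=%s expected=%s\n' "$path" "$actual" "$expected"
            bad=$((bad + 1))
        fi
    done <<EOF
$lines
EOF
    return $bad
}

# On a real SELinux host, this prints "path context" lines for a directory so
# they can be fed to audit_web_labels; stat prints '?' where no label exists.
# (Hypothetical helper; not exercised by the offline sample above.)
live_labels() {
    find "$1" -type f -exec stat -c '%n %C' -- {} +
}

# Stand-alone demo on the constructed sample: `sh this_script.sh demo`
if [ "${1:-}" = "demo" ]; then
    audit_web_labels httpd_sys_content_t || echo "$? file(s) do not carry httpd_sys_content_t"
fi
```

Running the demo reports about.html and notes.txt, which carry home-directory types that the httpd domain is not allowed to read under the targeted policy. On a live system, the same audit can be run as `audit_web_labels httpd_sys_content_t "$(live_labels /var/www/html)"`; the usual remedy for files flagged this way is restorecon -nv on the directory to preview, then restorecon -v to restore the labels the policy expects.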