4.10. Maintaining SELinux Labels

These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. Also, it explains how to preserve contexts when copying and archiving.

4.10.1. Copying Files and Directories

When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory's context is based on default-labeling rules, not the original file or directory's context unless options were used to preserve the original context. For example, files created in user home directories are labeled with the user_home_t type: 
~]$ touch file1
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
If such a file is copied to another directory, such as /etc, the new file is created in accordance to default-labeling rules for /etc. Copying a file without additional options may not preserve the original context: 
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

~]# cp file1 /etc/
~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
When file1 is copied to /etc, if /etc/file1 does not exist, /etc/file1 is created as a new file. As shown in the example above, /etc/file1 is labeled with the etc_t type, in accordance to default-labeling rules.
When a file is copied over an existing file, the existing file's context is preserved, unless the user specified cp options to preserve the context of the original file, such as --preserve=context. SELinux policy may prevent contexts from being preserved during copies.

Procedure 4.11. Copying Without Preserving SELinux Contexts

This procedure shows that when copying a file with the cp command, if no options are given, the type is inherited from the targeted, parent directory.
  1. Create a file in a user's home directory. The file is labeled with the user_home_t type: 
    ~]$ touch file1
    ~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
  2. The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the following command: 
    ~]$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
  3. When file1 is copied to /var/www/html/, it inherits the httpd_sys_content_t type: 
    ~]# cp file1 /var/www/html/
    ~]$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1

Procedure 4.12. Preserving SELinux Contexts When Copying

This procedure shows how to use the --preserve=context option to preserve contexts when copying.
  1. Create a file in a user's home directory. The file is labeled with the user_home_t type: 
    ~]$ touch file1
    ~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
  2. The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the following command: 
    ~]$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
  3. Using the --preserve=context option preserves SELinux contexts during copy operations. As shown below, the user_home_t type of file1 was preserved when the file was copied to /var/www/html/: 
    ~]# cp --preserve=context file1 /var/www/html/
    ~]$ ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

Procedure 4.13. Copying and Changing the Context

This procedure show how to use the --context option to change the destination copy's context. The following example is performed in the user's home directory:
  1. Create a file in a user's home directory. The file is labeled with the user_home_t type: 
    ~]$ touch file1
    ~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
  2. Use the --context option to define the SELinux context: 
    ~]$ cp --context=system_u:object_r:samba_share_t:s0 file1 file2
  3. Without --context, file2 would be labeled with the unconfined_u:object_r:user_home_t context: 
    ~]$ ls -Z file1 file2
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r--  user1 group1 system_u:object_r:samba_share_t:s0 file2

Procedure 4.14. Copying a File Over an Existing File

This procedure shows that when a file is copied over an existing file, the existing file's context is preserved unless an option is used to preserve contexts.
  1. As root, create a new file, file1 in the /etc directory. As shown below, the file is labeled with the etc_t type: 
    ~]# touch /etc/file1
    ~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1
  2. Create another file, file2, in the /tmp directory. As shown below, the file is labeled with the user_tmp_t type: 
    ~]$ touch /tmp/file2
    ~$ ls -Z /tmp/file2
-rw-r--r--  root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
  3. Overwrite file1 with file2: 
    ~]# cp /tmp/file2 /etc/file1
  4. After copying, the following command shows file1 labeled with the etc_t type, not the user_tmp_t type from /tmp/file2 that replaced /etc/file1: 
    ~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0   /etc/file1

Important

Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent processes from accessing such files and directories.

4.10.2. Moving Files and Directories

Files and directories keep their current SELinux context when they are moved. In many cases, this is incorrect for the location they are being moved to. The following example demonstrates moving a file from a user's home directory to the /var/www/html/ directory, which is used by the Apache HTTP Server. Since the file is moved, it does not inherit the correct SELinux context:

Procedure 4.15. Moving Files and Directories

  1. Change into your home directory and create file in it. The file is labeled with the user_home_t type: 
    ~]$ touch file1
    ~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
  2. Enter the following command to view the SELinux context of the /var/www/html/ directory: 
    ~]$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
    By default, /var/www/html/ is labeled with the httpd_sys_content_t type. Files and directories created under /var/www/html/ inherit this type, and as such, they are labeled with this type.
  3. As root, move file1 to /var/www/html/. Since this file is moved, it keeps its current user_home_t type: 
    ~]# mv file1 /var/www/html/
    ~]# ls -Z /var/www/html/file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1
By default, the Apache HTTP Server cannot read files that are labeled with the user_home_t type. If all files comprising a web page are labeled with the user_home_t type, or another type that the Apache HTTP Server cannot read, permission is denied when attempting to access them using web browsers, such as Mozilla Firefox.

Important

Moving files and directories with the mv command may result in the incorrect SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories.

4.10.3. Checking the Default SELinux Context

Use the matchpathcon utility to check if files and directories have the correct SELinux context. This utility queries the system policy and then provides the default security context associated with the file path.[6] The following example demonstrates using matchpathcon to verify that files in /var/www/html/ directory are labeled correctly:

Procedure 4.16. Checking the Default SELinux Conxtext with matchpathcon

  1. As the root user, create three files (file1, file2, and file3) in the /var/www/html/ directory. These files inherit the httpd_sys_content_t type from /var/www/html/: 
    ~]# touch /var/www/html/file{1,2,3}
    ~]# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
  2. As root, change the file1 type to samba_share_t. Note that the Apache HTTP Server cannot read files or directories labeled with the samba_share_t type. 
    ~]# chcon -t samba_share_t /var/www/html/file1
  3. The matchpathcon -V option compares the current SELinux context to the correct, default context in SELinux policy. Enter the following command to check all files in the /var/www/html/ directory: 
    ~]$ matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
The following output from the matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_t type: 
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
To resolve the label problem and allow the Apache HTTP Server access to file1, as root, use the restorecon utility: 
~]# restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

4.10.4. Archiving Files with tar

The tar utility does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use the tar --selinux command to create archives that retain contexts and to restore files from the archives. If a tar archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, use the restorecon utility: 
~]$ tar -xvf archive.tar | restorecon -f -
Note that depending on the directory, you may need to be the root user to run the restorecon.
The following example demonstrates creating a tar archive that retains SELinux contexts:

Procedure 4.17. Creating a tar Archive

  1. Change to the /var/www/html/ directory and view its SELinux context: 
    ~]$ cd /var/www/html/
    html]$ ls -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
  2. As root, create three files (file1, file2, and file3) in /var/www/html/. These files inherit the httpd_sys_content_t type from /var/www/html/: 
    html]# touch file{1,2,3}
    html]$ ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
  3. As root, enter the following command to create a tar archive named test.tar. Use the --selinux to retain the SELinux context: 
    html]# tar --selinux -cf test.tar file{1,2,3}
  4. As root, create a new directory named test/, and then allow all users full access to it: 
    ~]# mkdir /test
    ~]# chmod 777 /test/
  5. Copy the test.tar file into test/: 
    ~]$ cp /var/www/html/test.tar /test/
  6. Change into test/ directory. Once in this directory, enter the following command to extract the tar archive. Specify the --selinux option again otherwise the SELinux context will be changed to default_t: 
    ~]$ cd /test/
    test]$ tar --selinux -xvf test.tar
  7. View the SELinux contexts. The httpd_sys_content_t type has been retained, rather than being changed to default_t, which would have happened had the --selinux not been used: 
    test]$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.tar
  8. If the test/ directory is no longer required, as root, enter the following command to remove it, as well as all files in it: 
    ~]# rm -ri /test/
See the tar(1) manual page for further information about tar, such as the --xattrs option that retains all extended attributes.

4.10.5. Archiving Files with star

The star utility does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use the star -xattr -H=exustar command to create archives that retain contexts. The star package is not installed by default. To install star, run the yum install star command as the root user.
The following example demonstrates creating a star archive that retains SELinux contexts:

Procedure 4.18. Creating a star Archive

  1. As root, create three files (file1, file2, and file3) in the /var/www/html/. These files inherit the httpd_sys_content_t type from /var/www/html/: 
    ~]# touch /var/www/html/file{1,2,3}
    ~]# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
  2. Change into /var/www/html/ directory. Once in this directory, as root, enter the following command to create a star archive named test.star: 
    ~]$ cd /var/www/html
    html]# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
  3. As root, create a new directory named test/, and then allow all users full access to it: 
    ~]# mkdir /test
    ~]# chmod 777 /test/
  4. Enter the following command to copy the test.star file into test/: 
    ~]$ cp /var/www/html/test.star /test/
  5. Change into test/. Once in this directory, enter the following command to extract the star archive: 
    ~]$ cd /test/
    test]$ star -x -f=test.star 
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
  6. View the SELinux contexts. The httpd_sys_content_t type has been retained, rather than being changed to default_t, which would have happened had the -xattr -H=exustar option not been used: 
    ~]$ ls -lZ /test/
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r--  user1 group1 unconfined_u:object_r:default_t:s0 test.star
  7. If the test/ directory is no longer required, as root, enter the following command to remove it, as well as all files in it: 
    ~]# rm -ri /test/
  8. If star is no longer required, as root, remove the package: 
    ~]# yum remove star
See the star(1) manual page for further information about star.

[6] See the matchpathcon(8) manual page for further information about matchpathcon.