4.7. SELinux Contexts – Labeling Files
To view the SELinux context of a file, use the ls -Z command:
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
The SELinux context for this file includes an SELinux user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
Note
By default, newly-created files and directories inherit the SELinux type of their parent directories. For example, when creating a new file in the /etc directory that is labeled with the etc_t type, the new file inherits the same type:
~]$ ls -dZ /etc
drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc
~]# touch /etc/file1
~]# ls -lZ /etc/file1
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/file1
Use the following utilities to change the SELinux context for files: chcon, semanage fcontext, and restorecon.
4.7.1. Temporary Changes: chcon
The chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.
Quick Reference
- Run the chcon -t type file-name command to change the file type, where type is an SELinux type, such as httpd_sys_content_t, and file-name is a file or directory name:
  ~]$ chcon -t httpd_sys_content_t file-name
- Run the chcon -R -t type directory-name command to change the type of the directory and its contents, where type is an SELinux type, such as httpd_sys_content_t, and directory-name is a directory name:
  ~]$ chcon -R -t httpd_sys_content_t directory-name
Procedure 4.6. Changing a File's or Directory's Type
The following procedure demonstrates changing the type, and no other attributes of the SELinux context. The example in this section works the same for directories, for example, if file1 was a directory.
- Change into your home directory.
- Create a new file and view its SELinux context:
  ~]$ touch file1
  ~]$ ls -Z file1
  -rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
  In this example, the SELinux context for file1 includes the SELinux unconfined_u user, object_r role, user_home_t type, and the s0 level. For a description of each part of the SELinux context, see Chapter 2, SELinux Contexts.
- Enter the following command to change the type to samba_share_t. The -t option only changes the type. Then view the change:
  ~]$ chcon -t samba_share_t file1
  ~]$ ls -Z file1
  -rw-rw-r-- user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
- Use the following command to restore the SELinux context for the file1 file. Use the -v option to view what changes:
  ~]$ restorecon -v file1
  restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
  In this example, the previous type, samba_share_t, is restored to the correct user_home_t type. When using targeted policy (the default SELinux policy in Red Hat Enterprise Linux), the restorecon command reads the files in the /etc/selinux/targeted/contexts/files/ directory to see which SELinux context files should have.
Procedure 4.7. Changing a Directory and its Contents Types
The following example demonstrates creating a new directory and changing the type of the directory, along with its contents, to a type used by the Apache HTTP Server. This configuration is used when you want the Apache HTTP Server to use a different document root (instead of /var/www/html/):
- As the root user, create a new web/ directory and then 3 empty files (file1, file2, and file3) within this directory. The web/ directory and files in it are labeled with the default_t type:
  ~]# mkdir /web
  ~]# touch /web/file{1,2,3}
  ~]# ls -dZ /web
  drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
  ~]# ls -lZ /web
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
- As root, enter the following command to change the type of the web/ directory (and its contents) to httpd_sys_content_t:
  ~]# chcon -R -t httpd_sys_content_t /web/
  ~]# ls -dZ /web/
  drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
  ~]# ls -lZ /web/
  -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
  -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
  -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
- To restore the default SELinux contexts, use the restorecon utility as root:
  ~]# restorecon -R -v /web/
  restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
  restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
  restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
  restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
See the chcon(1) manual page for further information about chcon.
Note
4.7.2. Persistent Changes: semanage fcontext
The semanage fcontext command is used to change the SELinux context of files. To show the contexts that are applied to newly created files and directories, enter the following command as root:
~]# semanage fcontext -C -l
Changes made by semanage fcontext are used by the following utilities. The setfiles utility is used when a file system is relabeled, and the restorecon utility restores the default SELinux contexts. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
Quick Reference
- Enter the following command, remembering to use the full path to the file or directory:
  ~]# semanage fcontext -a options file-name|directory-name
- Use the restorecon utility to apply the context changes:
  ~]# restorecon -v file-name|directory-name
Procedure 4.8. Changing a File's or Directory's Type
The following procedure demonstrates changing the type, and no other attributes of the SELinux context. The example in this section works the same for directories, for example, if file1 was a directory.
- As the root user, create a new file in the /etc directory. By default, newly-created files in /etc are labeled with the etc_t type:
  ~]# touch /etc/file1
  ~]$ ls -Z /etc/file1
  -rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
  To list information about a directory, use the following command:
  ~]$ ls -dZ directory_name
- As root, enter the following command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note that running this command does not directly change the type; file1 is still labeled with the etc_t type:
  ~]# semanage fcontext -a -t samba_share_t /etc/file1
  ~]# ls -Z /etc/file1
  -rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
  ~]$ semanage fcontext -C -l
  /etc/file1 unconfined_u:object_r:samba_share_t:s0
- As root, use the restorecon utility to change the type. Because semanage added an entry to file_contexts.local for /etc/file1, restorecon changes the type to samba_share_t:
  ~]# restorecon -v /etc/file1
  restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
Procedure 4.9. Changing a Directory and its Contents Types
The following example demonstrates creating a new directory and changing the type of the directory, along with its contents, to a type used by the Apache HTTP Server. This configuration is used when you want the Apache HTTP Server to use a different document root instead of /var/www/html/:
- As the root user, create a new web/ directory and then 3 empty files (file1, file2, and file3) within this directory. The web/ directory and files in it are labeled with the default_t type:
  ~]# mkdir /web
  ~]# touch /web/file{1,2,3}
  ~]# ls -dZ /web
  drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
  ~]# ls -lZ /web
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
- As root, enter the following command to change the type of the web/ directory and the files in it to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes semanage to apply changes to web/, as well as the files in it. Note that running this command does not directly change the type; web/ and files in it are still labeled with the default_t type:
  ~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
  ~]$ ls -dZ /web
  drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
  ~]$ ls -lZ /web
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
  -rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3
  The semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:
  /web(/.*)? system_u:object_r:httpd_sys_content_t:s0
- As root, use the restorecon utility to change the type of web/, as well as all files in it. The -R option is for recursive, which means all files and directories under web/ are labeled with the httpd_sys_content_t type. Since semanage added an entry to file_contexts.local for /web(/.*)?, restorecon changes the types to httpd_sys_content_t:
  ~]# restorecon -R -v /web
  restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
  restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
  restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
  restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
  Note that by default, newly-created files and directories inherit the SELinux type of their parent directories.
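As an added example (not part of the Red Hat guide), the following POSIX shell script models what restorecon does with the entries that Procedures 4.8 and 4.9 add to file_contexts.local: it matches each path against the rules and reports the files whose current type differs, which is also how a type changed with chcon in Procedures 4.6 and 4.7 shows up as label drift. The rule lines, the listing lines, and the last-matching-rule-wins selection are constructed assumptions for this example, so it runs without SELinux tools.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. It reads file-context rules in
# the form semanage fcontext writes to file_contexts.local and "ls -lZ"-style
# listing lines, and reports which files restorecon would reset. All input
# below is constructed; no SELinux tools are needed to run it.

# Constructed file_contexts.local content: the rules added in Procedures 4.8
# and 4.9. Each regular expression is matched against the full path.
FCONTEXT_RULES='/etc/file1 system_u:object_r:samba_share_t:s0
/web(/.*)? system_u:object_r:httpd_sys_content_t:s0'

# Constructed "ls -lZ" output with full paths (mode owner group context path).
LISTING='-rw-r--r-- root root unconfined_u:object_r:default_t:s0 /web/file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/file2
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file2'

# type_of CONTEXT: the third field, e.g. etc_t from unconfined_u:object_r:etc_t:s0
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: the type from the rules for PATH, or empty when no rule
# matches. Simplification assumed here: when several rules match, the last
# one listed wins (grep -x anchors the regex to the whole path).
expected_type() {
    printf '%s\n' "$FCONTEXT_RULES" | while read -r regex ctx; do
        if printf '%s\n' "$1" | grep -Eqx -- "$regex"; then
            type_of "$ctx"
        fi
    done | tail -n 1
}

# drift_report: one line "PATH current_type -> expected_type" per file whose
# current type differs from its rule; these are the files "restorecon -v"
# would report as reset. Files with no matching rule are left alone.
drift_report() {
    printf '%s\n' "$LISTING" | while read -r _mode _owner _group ctx path; do
        cur=$(type_of "$ctx")
        want=$(expected_type "$path")
        if [ -n "$want" ] && [ "$cur" != "$want" ]; then
            printf '%s %s -> %s\n' "$path" "$cur" "$want"
        fi
    done
}

drift_report
```

Run as shown, the report lists /web/file1 (default_t, rule says httpd_sys_content_t) and /etc/file1 (etc_t, rule says samba_share_t); /web/file2 already matches and /etc/file2 has no rule, so neither is reported.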
Procedure 4.10. Deleting an added Context
The following procedure demonstrates removing a context that was added with semanage fcontext. To remove a context for a regular expression, such as /web(/.*)?, use quotation marks around the regular expression:
~]# semanage fcontext -d "/web(/.*)?"
- To remove the context, as root, enter the following command, where file-name|directory-name is the first part in file_contexts.local:
  ~]# semanage fcontext -d file-name|directory-name
  The following is an example of a context in file_contexts.local:
  /test system_u:object_r:httpd_sys_content_t:s0
  Here the first part is /test. To prevent the test/ directory from being labeled with the httpd_sys_content_t type after running restorecon, or after a file system relabel, enter the following command as root to delete the context from file_contexts.local:
  ~]# semanage fcontext -d /test
- As root, use the restorecon utility to restore the default SELinux context.
See the semanage(8) manual page for further information about semanage.
Important
When using semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the restorecon command is run.