Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

4.7. SELinux Contexts – Labeling Files

On systems running SELinux, all processes and files are labeled in a way that represents security-relevant information. This information is called the SELinux context. For files, this is viewed using the ls -Z command: 
~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.

Note

By default, newly-created files and directories inherit the SELinux type of their parent directories. For example, when creating a new file in the /etc directory that is labeled with the etc_t type, the new file inherits the same type: 
~]$ ls -dZ - /etc
drwxr-xr-x. root root system_u:object_r:etc_t:s0       /etc

~]# touch /etc/file1
~]# ls -lZ /etc/file1
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/file1
SELinux provides multiple commands for managing the file system labeling, such as chcon, semanage fcontext, restorecon, and matchpathcon.

4.7.1. Temporary Changes: chcon

The chcon command changes the SELinux context for files. However, changes made with the chcon command are not persistent across file-system relabels, or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.

Quick Reference

  • Run the chcon -t type file-name command to change the file type, where type is an SELinux type, such as httpd_sys_content_t, and file-name is a file or directory name: 
    ~]$ chcon -t httpd_sys_content_t file-name
  • Run the chcon -R -t type directory-name command to change the type of the directory and its contents, where type is an SELinux type, such as httpd_sys_content_t, and directory-name is a directory name: 
    ~]$ chcon -R -t httpd_sys_content_t directory-name

Procedure 4.6. Changing a File's or Directory's Type

The following procedure demonstrates changing the type, and no other attributes of the SELinux context. The example in this section works the same for directories, for example, if file1 was a directory.
  1. Change into your home directory.
  2. Create a new file and view its SELinux context: 
    ~]$ touch file1
    ~]$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1
    In this example, the SELinux context for file1 includes the SELinux unconfined_u user, object_r role, user_home_t type, and the s0 level. For a description of each part of the SELinux context, see Chapter 2, SELinux Contexts.
  3. Enter the following command to change the type to samba_share_t. The -t option only changes the type. Then view the change: 
    ~]$ chcon -t samba_share_t file1
    ~]$ ls -Z file1 
-rw-rw-r--  user1 group1 unconfined_u:object_r:samba_share_t:s0 file1
  4. Use the following command to restore the SELinux context for the file1 file. Use the -v option to view what changes: 
    ~]$ restorecon -v file1
restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0
    In this example, the previous type, samba_share_t, is restored to the correct, user_home_t type. When using targeted policy (the default SELinux policy in Red Hat Enterprise Linux), the restorecon command reads the files in the /etc/selinux/targeted/contexts/files/ directory, to see which SELinux context files should have.

Procedure 4.7. Changing a Directory and its Contents Types

The following example demonstrates creating a new directory, and changing the directory's file type along with its contents to a type used by the Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of /var/www/html/):
  1. As the root user, create a new web/ directory and then 3 empty files (file1, file2, and file3) within this directory. The web/ directory and files in it are labeled with the default_t type: 
    ~]# mkdir /web
    ~]# touch /web/file{1,2,3}
    ~]# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

    ~]# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
  2. As root, enter the following command to change the type of the web/ directory (and its contents) to httpd_sys_content_t: 
    ~]# chcon -R -t httpd_sys_content_t /web/
    ~]# ls -dZ /web/
drwxr-xr-x  root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/

    ~]# ls -lZ /web/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
  3. To restore the default SELinux contexts, use the restorecon utility as root: 
    ~]# restorecon -R -v /web/
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
See the chcon(1) manual page for further information about chcon.

Note

Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored.

4.7.2. Persistent Changes: semanage fcontext

The semanage fcontext command is used to change the SELinux context of files. To show contexts to newly created files and directories, enter the following command as root: 
~]# semanage fcontext -C -l
Changes made by semanage fcontext are used by the following utilities. The setfiles utility is used when a file system is relabeled and the restorecon utility restores the default SELinux contexts. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.

Quick Reference

To make SELinux context changes that survive a file system relabel:
  1. Enter the following command, remembering to use the full path to the file or directory: 
    ~]# semanage fcontext -a options file-name|directory-name
  2. Use the restorecon utility to apply the context changes: 
    ~]# restorecon -v file-name|directory-name

Use of regular expressions with semanage fcontext

For the semanage fcontext command to work correctly, you can use either a fully qualified path or Perl-compatible regular expressions (PCRE). The only PCRE flag in use is PCRE2_DOTALL, which causes the . wildcard to match anything, including a new line. Strings representing paths are processed as bytes, meaning that non-ASCII characters are not matched by a single wildcard.
Note that file-context definitions specified using semanage fcontext are evaluated in reverse order to how they were defined: the latest entry is evaluated first regardless of the stem length. Local file context modifications stored in file_contexts.local have a higher priority than those specified in policy modules. This means that whenever a match for a given file path is found in file_contexts.local, no other file-context definitions are considered.

Important

File-context definitions specified using the semanage fcontext command effectively override all other file-context definitions. All regular expressions should therefore be as specific as possible to avoid unintentionally impacting other parts of the file system.
For more information on a type of regular expression used in file-context definitions and flags in effect, see the semanage-fcontext(8) man page.

Procedure 4.8. Changing a File's or Directory 's Type

The following example demonstrates changing a file's type, and no other attributes of the SELinux context. This example works the same for directories, for instance if file1 was a directory.
  1. As the root user, create a new file in the /etc directory. By default, newly-created files in /etc are labeled with the etc_t type: 
    ~]# touch /etc/file1
    ~]$ ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1
    To list information about a directory, use the following command: 
    ~]$ ls -dZ directory_name
  2. As root, enter the following command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note that running this command does not directly change the type; file1 is still labeled with the etc_t type: 
    ~]# semanage fcontext -a -t samba_share_t /etc/file1
    ~]# ls -Z /etc/file1
-rw-r--r--  root root unconfined_u:object_r:etc_t:s0       /etc/file1

    ~]$ semanage fcontext -C -l
/etc/file1    unconfined_u:object_r:samba_share_t:s0
  3. As root, use the restorecon utility to change the type. Because semanage added an entry to file_contexts.local for /etc/file1, restorecon changes the type to samba_share_t: 
    ~]# restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0

Procedure 4.9. Changing a Directory and its Contents Types

The following example demonstrates creating a new directory, and changing the directory's file type along with its contents to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root instead of /var/www/html/:
  1. As the root user, create a new web/ directory and then 3 empty files (file1, file2, and file3) within this directory. The web/ directory and files in it are labeled with the default_t type: 
    ~]# mkdir /web
    ~]# touch /web/file{1,2,3}
    ~]# ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

    ~]# ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
  2. As root, enter the following command to change the type of the web/ directory and the files in it, to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes semanage to apply changes to web/, as well as the files in it. Note that running this command does not directly change the type; web/ and files in it are still labeled with the default_t type: 
    ~]# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
    ~]$ ls -dZ /web
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /web

    ~]$ ls -lZ /web
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 file3
    The semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local: 
    /web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
  3. As root, use the restorecon utility to change the type of web/, as well as all files in it. The -R is for recursive, which means all files and directories under web/ are labeled with the httpd_sys_content_t type. Since semanage added an entry to file.contexts.local for /web(/.*)?, restorecon changes the types to httpd_sys_content_t: 
    ~]# restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    Note that by default, newly-created files and directories inherit the SELinux type of their parent directories.

Procedure 4.10. Deleting an added Context

The following example demonstrates adding and removing an SELinux context. If the context is part of a regular expression, for example, /web(/.*)?, use quotation marks around the regular expression: 
~]# semanage fcontext -d "/web(/.*)?"
  1. To remove the context, as root, enter the following command, where file-name|directory-name is the first part in file_contexts.local: 
    ~]# semanage fcontext -d file-name|directory-name
    The following is an example of a context in file_contexts.local: 
    /test    system_u:object_r:httpd_sys_content_t:s0
    With the first part being test. To prevent the test/ directory from being labeled with the httpd_sys_content_t after running restorecon, or after a file system relabel, enter the following command as root to delete the context from file_contexts.local: 
    ~]# semanage fcontext -d /test
  2. As root, use the restorecon utility to restore the default SELinux context.
For further information about semanage, see the semanage(8) and semanage-fcontext(8) manual pages.

Important

When changing the SELinux context with semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the restorecon command is run.

4.7.3. How File Context is Determined

Determining file context is based on file-context definitions, which are specified in the system security policy (the .fc files). Based on the system policy, semanage generates file_contexts.homedirs and file_contexts files.
System administrators can customize file-context definitions using the semanage fcontext command. Such customizations are stored in the file_contexts.local file.
When a labeling utility, such as matchpathcon or restorecon, is determining the proper label for a given path, it searches for local changes first (file_contexts.local). If the utility does not find a matching pattern, it searches the file_contexts.homedirs file and finally the file_contexts file. However, whenever a match for a given file path is found, the search ends, the utility does look for any additional file-context definitions. This means that home directory-related file contexts have higher priority than the rest, and local customizations override the system policy.
File-context definitions specified by system policy (contents of file_contexts.homedirs and file_contexts files) are sorted by the length of the stem (prefix of the path before any wildcard) before evaluation. This means that the most specific path is chosen. However, file-context definitions specified using semanage fcontext are evaluated in reverse order to how they were defined: the latest entry is evaluated first regardless of the stem length.
For more information on: