SELinux Context
In Linux, every process and file is labeled with an SELinux context. A context carries an SELinux user, a role, a type and, optionally, a level (the MLS/MCS sensitivity and category range), written as user:role:type:level. Under the targeted policy the type is the part that most access decisions are made on.
How to check the SELinux context in Linux
Check the SELinux context of a file and a directory.
- To check the context of a file, the syntax is
# ls -Z <filename>
# ls -Z file1
[root@linuxelearn ~]# ls
anaconda-ks.cfg file3 nrpe-2.14.tar.gz
Desktop file.hlink nrpe-3.0
dir1 file.softl nrpe-3.0.tar.gz
Documents install.log Pictures
Downloads install.log.syslog Public
epel-release-6-8.noarch.rpm Music rahul
file1 nagios-3.2.3 rahull
[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1
[root@linuxelearn ~]#
The trailing dot after the permission bits (-rw-r--r--.) is ls telling you that the file carries an SELinux label.
- To check the context of a directory itself, rather than of its contents, add -d. The syntax is
# ls -ldZ <directory name>
# ls -ldZ dir1
[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup unconfined_u:object_r:admin_home_t:s0 dir1
[root@linuxelearn ~]#
Checking the SELinux context of a process
- To check the context of a process running on the system, the syntax is
# ps -efZ | grep <process name>
# ps -efZ | grep ftp
[root@linuxelearn ~]# ps -efZ | grep ftp
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2262 2176 0 22:44 pts/1 00:00:00 grep ftp
[root@linuxelearn ~]#
Note that the only line returned here is the grep command itself, running unconfined as root, so no ftp daemon was active at the time; a running vsftpd under the targeted policy would show up with the confined type ftpd_t. Note also that the level field of a process context is an MLS/MCS range (s0-s0:c0.c1023) that itself contains a colon, so the context has more than three colons in it.
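Because the level can contain a colon of its own, as the ps -efZ output above shows, anything that splits a context on every ':' gets the wrong answer for process contexts. The POSIX sh function below is an added example and is not part of the original post; it splits a context into its four fields treating only the first three colons as separators. The function names (parse_context and the context_* accessors) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: split an SELinux context string
# into user, role, type and level.  Only the first three ':' are field
# separators; the optional level (an MLS/MCS range such as s0-s0:c0.c1023)
# keeps any ':' of its own.

# parse_context CONTEXT  -- prints user, role, type, level on four lines
parse_context() {
    ctx=$1
    user=${ctx%%:*};  rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    ctype=${rest%%:*}
    # Anything after the third ':' is the level; it is empty when absent.
    case $rest in
        *:*) level=${rest#*:} ;;
        *)   level= ;;
    esac
    printf '%s\n%s\n%s\n%s\n' "$user" "$role" "$ctype" "$level"
}

# Convenience accessors (hypothetical helper names).
context_user()  { parse_context "$1" | sed -n 1p; }
context_role()  { parse_context "$1" | sed -n 2p; }
context_type()  { parse_context "$1" | sed -n 3p; }
context_level() { parse_context "$1" | sed -n 4p; }

# Demo over the two contexts shown in the post (file1 and the ps -efZ line)
# plus a context without a level.
for c in \
    'system_u:object_r:admin_home_t:s0' \
    'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' \
    'system_u:object_r:admin_home_t'
do
    printf '%-55s user=%s role=%s type=%s level=%s\n' "$c" \
        "$(context_user "$c")" "$(context_role "$c")" \
        "$(context_type "$c")" "$(context_level "$c")"
done
```

The same split is what you want when scripting against ps -eZ or ls -Z output: take the type from the third field and keep whatever follows as the level, whether or not it contains further colons.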
Changing the SELinux context of a file or directory
- To change the context of a file, use the following steps.
Check the existing context of the file:
# ls -Z <filename>
[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1
[root@linuxelearn ~]#
Observe that the type is admin_home_t, which confined services are not allowed to read. Change it to public_content_t, the type the targeted policy lets services such as ftpd, httpd and samba read (but not write), so that the file can be served to all users.
- To change the context of a file or directory, use the following syntax
# chcon -t <type> <file/directory name>
# chcon -t public_content_t file1
[root@linuxelearn ~]# chcon -t public_content_t file1
[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
[root@linuxelearn ~]#
chcon -t changes only the type; the user, role and level of the context are left as they were.
- To change the context of a directory and its contents
- First check the context of both the directory and its contents
[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup unconfined_u:object_r:admin_home_t:s0 dir1
[root@linuxelearn ~]# ls -lZ dir1
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file1
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file2
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file3
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file4
-rw-r--r--. root rjgroup unconfined_u:object_r:admin_home_t:s0 file5
[root@linuxelearn ~]#
To change the context of a directory and its contents recursively, use the following syntax
# chcon -R -t <type> <directory name>
# chcon -R -t public_content_t dir1
[root@linuxelearn ~]# chcon -R -t public_content_t dir1
[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup unconfined_u:object_r:public_content_t:s0 dir1
[root@linuxelearn ~]# ls -lZ dir1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file3
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file4
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file5
[root@linuxelearn ~]#
How to restore a modified SELinux context to its default value
chcon only rewrites the label stored on the file; it does not change the policy's file context rules. A later restorecon, or a full filesystem relabel (for example after touch /.autorelabel and a reboot), puts the file back to the default that matches its path, so a change made with chcon alone should be treated as temporary. To make a type persistent, record it first with semanage fcontext -a -t <type> '<path>' and then run restorecon on the path. To see what restorecon would change without changing anything, add -n.
To restore the modified context of a file to its default, the syntax is
# restorecon -v <filename>
# restorecon -v file1
[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:public_content_t:s0 file1
[root@linuxelearn ~]# restorecon -v file1
restorecon reset /root/file1 context system_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
[root@linuxelearn ~]# ls -Z file1
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 file1
[root@linuxelearn ~]#
To restore the context of a directory together with its contents, the syntax is
# restorecon -Rv <directory name>
# restorecon -Rv dir1
[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup unconfined_u:object_r:public_content_t:s0 dir1
[root@linuxelearn ~]# ls -lZ dir1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file3
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file4
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file5
[root@linuxelearn ~]# restorecon -Rv dir1
restorecon reset /root/dir1 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file4 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file5 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file3 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file1 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
restorecon reset /root/dir1/file2 context unconfined_u:object_r:public_content_t:s0->system_u:object_r:admin_home_t:s0
[root@linuxelearn ~]# ls -ldZ dir1
drwxrwsrwt. root rjgroup system_u:object_r:admin_home_t:s0 dir1
[root@linuxelearn ~]# ls -lZ dir1
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file1
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file2
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file3
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file4
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file5
[root@linuxelearn ~]#
Useful note: to restore the context of only the directory and not its contents, omit -R from the command.
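Before running restorecon -R over a tree it helps to know which entries actually differ from the expected type. The script below is an added example and is not part of the original post: it reads lines in the ls -lZ layout shown above (a constructed sample matching dir1 after the chcon, with two files already back at the default) and lists the entries whose type is not the expected one, which is exactly the set restorecon -R would reset. drifted_entries and count_drifted are hypothetical names; on a real system the equivalent check is restorecon -nv, which reports what it would change without touching anything.

```shell
#!/bin/sh
# Added example, not from the original post: list entries whose SELinux type
# differs from an expected type, i.e. what `restorecon -R` would reset.
# Input lines are in the `ls -lZ` layout shown in the post
# (mode owner group context name); the context is found by shape rather
# than by column so longer ls layouts (with size/date columns) also work.

# Constructed sample: dir1 after `chcon -R -t public_content_t dir1`,
# with file3 and file5 already back at the default admin_home_t.
SAMPLE_LS='-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file1
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file3
-rw-r--r--. root rjgroup unconfined_u:object_r:public_content_t:s0 file4
-rw-r--r--. root rjgroup system_u:object_r:admin_home_t:s0 file5'

# drifted_entries EXPECTED_TYPE  (reads ls -lZ lines on stdin)
# Prints "name current_type" for every entry whose type is not EXPECTED_TYPE.
drifted_entries() {
    awk -v want="$1" '
        {
            ctx = ""
            # The context is the field shaped like user:role:type[:level].
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            if (ctx == "") next
            split(ctx, f, ":")   # f[3] is the type; a level may add more fields
            if (f[3] != want) print $NF, f[3]
        }'
}

# count_drifted EXPECTED_TYPE  -- number of drifted entries in SAMPLE_LS
count_drifted() {
    printf '%s\n' "$SAMPLE_LS" | drifted_entries "$1" | wc -l | tr -d ' '
}

# Demo: report drift from the home-directory default and show the command
# that would fix each entry (printed, not run; the sample is not a real tree).
printf '%s\n' "$SAMPLE_LS" | drifted_entries admin_home_t |
while read -r name cur; do
    printf '%s is %s, expected admin_home_t -> restorecon -v dir1/%s\n' \
        "$name" "$cur" "$name"
done
printf 'drifted entries: %s\n' "$(count_drifted admin_home_t)"
```

To use it against a live directory, pipe ls -lZ <dir> into drifted_entries with the type that matchpathcon <dir> reports as the default for that path; entries it prints are the ones a restorecon -Rv would reset.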