Difference between revisions of "Guide/Contexts"
From SELinux Wiki
Latest revision as of 23:26, 13 September 2010
== Contexts ==

SELinux contexts are composed of 4 pieces: selinux user, role, type, and range.

<pre>
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
user : role : type : range
</pre>

The selinux range is composed of a low and a high level:

<pre>
s0-s0:c0.c255
low-high
</pre>

Each level is composed of an MLS sensitivity and a set of categories:

<pre>
s0:c0.c255
sensitivity:categories
</pre>

Categories can be specified individually:

<pre>
c0,c5,c10
</pre>

Or treated as an ordered set:

<pre>
c0.c10
</pre>

This means all categories between c0 and c10 (inclusive).
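As an added example (not part of the wiki page), a small Python parser for the context format described above: it splits a context into its four pieces, separates the low and high level of the range, and expands category specs written either individually (c0,c5,c10) or as an ordered set (c0.c10). The function and class names are my own.

```python
import re
from dataclasses import dataclass

# Added example for the SELinux context format; names are this example's own.
_CAT_RE = re.compile(r"^c(\d+)$")


def expand_categories(spec: str) -> set:
    """Expand 'c0,c5,c10', 'c0.c10' or a mix like 'c0.c3,c7' into a set of ints."""
    cats = set()
    if not spec:                      # a level may carry no categories at all
        return cats
    for part in spec.split(","):
        lo, _, hi = part.partition(".")    # 'c0.c10' is an inclusive ordered set
        lo_m = _CAT_RE.match(lo)
        hi_m = _CAT_RE.match(hi) if hi else lo_m
        if not lo_m or not hi_m:
            raise ValueError(f"bad category spec: {part!r}")
        lo_n, hi_n = int(lo_m.group(1)), int(hi_m.group(1))
        if lo_n > hi_n:
            raise ValueError(f"descending category range: {part!r}")
        cats.update(range(lo_n, hi_n + 1))
    return cats


def parse_level(level: str) -> tuple:
    """Split 's0:c0.c255' into (sensitivity number, frozenset of categories)."""
    sens, _, catspec = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    return int(sens[1:]), frozenset(expand_categories(catspec))


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: tuple    # (sensitivity, categories)
    high: tuple   # equals low when the range is a single level


def parse_context(ctx: str) -> Context:
    """Parse user:role:type:range. The range itself may contain ':' (e.g.
    's0-s0:c0.c255'), so only the first three colons are field separators."""
    user, role, typ, rng = ctx.split(":", 3)
    low_s, _, high_s = rng.partition("-")     # no '-' means low == high
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    return Context(user, role, typ, low, high)
```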
=== Displaying Contexts ===

Display the context of...

... your shell:

<pre>
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
</pre>

... a file:

<pre>
$ ls -Z /bin/bash
system_u:object_r:shell_exec_t:s0 /bin/bash
</pre>

... a process:

<pre>
$ ps -Z
LABEL                                              PID TTY      TIME     CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 23912 pts/3 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 25101 pts/3 00:00:00 ps
</pre>
=== Changing Contexts ===

Change the context of...

... a file:

<pre>
$ touch /tmp/myfile
$ ls -Z /tmp/myfile
unconfined_u:object_r:user_tmp_t:s0 /tmp/myfile
$ chcon -t user_home_t /tmp/myfile
$ ls -Z /tmp/myfile
unconfined_u:object_r:user_home_t:s0 /tmp/myfile
</pre>

... a file (persistently across relabels):

<pre>
# touch /var/cache/myfile
# ls -Z /var/cache/myfile
unconfined_u:object_r:var_t:s0 /var/cache/myfile
# semanage fcontext -a -t user_home_t /var/cache/myfile
# restorecon /var/cache/myfile
# ls -Z /var/cache/myfile
system_u:object_r:user_home_t:s0 /var/cache/myfile
</pre>

... your shell:

<pre>
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
$ newrole -r system_r -t unconfined_t
Password:
$ id -Z
unconfined_u:system_r:unconfined_t:s0-s0:c0.c255
</pre>

... a program when started (temporary):

<pre>
$ runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash
$ id -Z
system_u:system_r:crond_t:s0:c0.c255
</pre>
=== Resetting Contexts ===

Reset the context of...

... a file:

<pre>
$ restorecon /tmp/myfile
</pre>