Diskussion:Linux/SELinux/04 Arbeiten mit SELinux

Überblick

SELinux-Pakete
Installation und Aktualisierung von Paketen
verwendeten Protokolldateien
wichtigste SELinux-Konfigurationsdatei
Aktivieren und Deaktivieren von SELinux
SELinux-Modi
Konfigurieren von Booleschen Werten
vorübergehende und dauerhafte Ändern von Datei- und Verzeichnis-Labels
Überschreiben von Dateisystem-Labels mit dem Befehl mount
Einbinden von NFS-Volumes
Beibehalten von SELinux-Kontexten beim Kopieren und Archivieren von Dateien und Verzeichnissen

Working with SELinux

The following sections give a brief overview of the main SELinux packages in Red Hat Enterprise Linux; installing and updating packages; which log files are used; the main SELinux configuration file; enabling and disabling SELinux; SELinux modes; configuring Booleans; temporarily and persistently changing file and directory labels; overriding file system labels with the mount command; mounting NFS volumes; and how to preserve SELinux contexts when copying and archiving files and directories

SELinux Packages

In Red Hat Enterprise Linux full installation, the SELinux packages are installed by default unless they are manually excluded during installation

If performing a minimal installation in text mode, the policycoreutils-python and the policycoreutils-gui package are not installed by default
Also, by default, SELinux runs in enforcing mode and the SELinux targeted policy is used
The following SELinux packages are installed on your system by default
policycoreutils provides utilities such as restorecon, secon, setfiles, semodule, load_policy, and setsebool, for operating and managing SELinux
selinux-policy provides a basic directory structure, the selinux-policy.conf file, and RPM macros
selinux-policy-targeted provides the SELinux targeted policy
libselinux – provides an API for SELinux applications
libselinux-utils provides the avcstat, getenforce, getsebool, matchpathcon, selinuxconlist, selinuxdefcon, selinuxenabled, and setenforce utilities
libselinux-python provides Python bindings for developing SELinux applications

The following packages are not installed by default but can be optionally installed by running the [[yum install <package-name>]] command

selinux-policy-devel provides utilities for creating a custom SELinux policy and policy modules
selinux-policy-doc provides manual pages that describe how to configure SELinux altogether with various services
selinux-policy-mls provides the MLS (Multi-Level Security) SELinux policy
setroubleshoot-server translates denial messages, produced when access is denied by SELinux, into detailed descriptions that can be viewed with the sealert utility, also provided in this package
setools-console provides the Tresys Technology SETools distribution, a number of utilities and libraries for analyzing and querying policy, audit log monitoring and reporting, and file context management
The setools package is a meta-package for SETools
The setools-gui package provides the apol and seaudit utilities
The setools-console package provides the sechecker, sediff, seinfo, sesearch, and findcon command-line utilities
Note that setools and setools-gui packages are available only when the Red Hat Network Optional channel is enabled
For further information, see Scope of Coverage Details
mcstrans translates levels, such as s0-s0:c0.c1023, to a form that is easier to read, such as SystemLow-SystemHigh
policycoreutils-python provides utilities such as semanage, audit2allow, audit2why, and chcat, for operating and managing SELinux
policycoreutils-gui provides system-config-selinux, a graphical utility for managing SELinux

Which Log File is Used

In Red Hat Enterprise Linux, the dbus and audit packages are installed by default, unless they are removed from the default package selection

The setroubleshoot-server must be installed using Yum (use the yum install setroubleshoot-server command)

If the auditd daemon is running, an SELinux denial message, such as the following, is written to /var/log/audit/audit.log by default

type=AVC msg=audit(1223024155.684:49)
avc
denied { getattr } for pid=2000 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=399185 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=file

In addition, a message similar to the one below is written to the /var/log/message file

May 7 18:55:56 localhost setroubleshoot

SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/file1 (samba_share_t)

For complete SELinux messages

run sealert -l de7e30d6-5488-466d-a606-92c9f40d316d

In Red Hat Enterprise Linux 7, setroubleshootd no longer constantly runs as a service

However, it is still used to analyze the AVC messages
Two new programs act as a method to start setroubleshoot when needed
The sedispatch utility runs as a part of the audit subsystem
When an AVC denial message is returned, sedispatch sends a message using dbus
These messages go straight to setroubleshootd if it is already running
If it is not running, sedispatch starts it automatically
The seapplet utility runs in the system toolbar, waiting for dbus messages in setroubleshootd
It launches the notification bubble, allowing the user to review AVC messages

Starting Daemons Automatically

To configure the auditd and rsyslog daemons to automatically start at boot, enter the following commands as the root user

sudo systemctl enable auditd.service
sudo systemctl enable rsyslog.service

To ensure that the daemons are enabled, type the following commands at the shell prompt

systemctl is-enabled auditd
enabled
systemctl is-enabled rsyslog
enabled

Alternatively, use the systemctl status ''service-name''.service command and search for the keyword enabled in the command output, for example

systemctl status auditd.service | grep enabled
auditd.service - Security Auditing Service
Loaded
loaded (/usr/lib/systemd/system/auditd.service; enabled)

To learn more on how the systemd daemon manages system services, see the Managing System Services chapter in the System Administrator's Guide

Main Configuration File

The /etc/selinux/config file is the main SELinux configuration file

It controls whether SELinux is enabled or disabled and which SELinux mode and SELinux policy is used

# This file controls the state of SELinux on the system
# SELINUX= can take one of these three values
# enforcing - SELinux security policy is enforced
# permissive - SELinux prints warnings instead of enforcing
# disabled - No SELinux policy is loaded
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection
SELINUXTYPE=targeted

[[SELINUX=]]

The [[SELINUX]] option sets whether SELinux is disabled or enabled and in which mode - enforcing or permissive - it is running

When using SELINUX=enforcing, SELinux policy is enforced, and SELinux denies access based on SELinux policy rules
Denial messages are logged
When using SELINUX=permissive, SELinux policy is not enforced
SELinux does not deny access, but denials are logged for actions that would have been denied if running SELinux in enforcing mode
When using SELINUX=disabled, SELinux is disabled, the SELinux module is not registered with the Linux kernel, and only DAC rules are used

[[SELINUXTYPE=]]

The SELINUXTYPE option sets the SELinux policy to use

Targeted policy is the default policy
Only change this option if you want to use the MLS policy
For information on how to enable the MLS policy, see Section “Enabling MLS in SELinux”

Permanent Changes in SELinux States and Modes

SELinux can be enabled or disabled

When enabled, SELinux has two modes: enforcing and permissive

Use the getenforce or sestatus commands to check in which mode SELinux is running

The getenforce command returns Enforcing, Permissive, or Disabled

The sestatus command returns the SELinux status and the SELinux policy being used

sestatus
SELinux status
 enabled
SELinuxfs mount
 /sys/fs/selinux
SELinux root directory
 /etc/selinux
Loaded policy name
 targeted
Current mode
 enforcing
Mode from config file
 enforcing
Policy MLS status
 enabled
Policy deny_unknown status
 allowed
Max kernel policy version
 30

Note: When systems run SELinux in permissive mode, users are able to label files incorrectly

Files created while SELinux is disabled are not labeled at all
This behavior causes problems when changing to enforcing mode because files are labeled incorrectly or are not labeled at all
To prevent incorrectly labeled and unlabeled files from causing problems, file systems are automatically relabeled when changing from the disabled state to permissive or enforcing mode

Enabling SELinux

When enabled, SELinux can run in one of two modes: enforcing or permissive

The following sections show how to permanently change into these modes

While enabling SELinux on systems that previously had it disabled, to avoid problems, such as systems unable to boot or process failures, Red Hat recommends to follow this procedure

Enable SELinux in permissive mode

For more information, see Section “Permissive Mode”

Reboot your system
Check for SELinux denial messages

For more information, see Section “Searching For and Viewing Denials”

If there are no denials, switch to enforcing mode

For more information, see Section “Enforcing Mode”

To run custom applications with SELinux in enforcing mode, choose one of the following scenarios

Run your application in the unconfined_service_t domain
See Section “Unconfined Processes” for more information
Write a new policy for your application
See the Writing Custom SELinux Policy Knowledgebase article for more information

Permissive Mode

When SELinux is running in permissive mode, SELinux policy is not enforced

The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements
Each AVC is logged only once in this case

To permanently change mode to permissive, follow the procedure below

Changing to Permissive Mode

Edit the /etc/selinux/config file as follows

# This file controls the state of SELinux on the system
# SELINUX= can take one of these three values
# enforcing - SELinux security policy is enforced
# permissive - SELinux prints warnings instead of enforcing
# disabled - No SELinux policy is loaded
SELINUX=permissive
# SELINUXTYPE= can take one of these two values
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection
SELINUXTYPE=targeted

Reboot the system

sudo reboot

Enforcing Mode

When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules

In Red Hat Enterprise Linux, enforcing mode is enabled by default when the system was initially installed with SELinux

If SELinux was disabled, follow the procedure below to change mode to enforcing again

Changing to Enforcing Mode

This procedure assumes that the selinux-policy-targeted, selinux-policy, libselinux, libselinux-python, libselinux-utils, policycoreutils, and policycoreutils-python packages are installed

To verify that the packages are installed, use the following command

rpm -q package_name

Edit the /etc/selinux/config file as follows

# This file controls the state of SELinux on the system
# SELINUX= can take one of these three values
# enforcing - SELinux security policy is enforced
# permissive - SELinux prints warnings instead of enforcing
# disabled - No SELinux policy is loaded
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection
SELINUXTYPE=targeted

Reboot the system

sudo reboot

On the next boot, SELinux relabels all the files and directories within the system and adds SELinux context for files and directories that were created when SELinux was disabled

Note: After changing to enforcing mode, SELinux may deny some actions because of incorrect or missing SELinux policy rules

To view what actions SELinux denies, enter the following command as root

sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts today

Alternatively, with the setroubleshoot-server package installed, enter the following command as root

sudo grep "SELinux is preventing" /var/log/messages

If SELinux denies some actions, see Chapter 11, Troubleshooting for information about troubleshooting

Temporary changes in modes are covered in Section “SELinux States and Modes”

Disabling SELinux

When SELinux is disabled, SELinux policy is not loaded at all; it is not enforced and AVC messages are not logged

Therefore, all benefits of running SELinux listed in Section 1.1, “Benefits of running SELinux” are lost

Important: Red Hat strongly recommends to use permissive mode instead of permanently disabling SELinux

See Section “Permissive Mode” for more information about permissive mode

To permanently disable SELinux, follow the procedure below

Disabling SELinux

Configure SELINUX=disabled in the /etc/selinux/config file

# This file controls the state of SELinux on the system
# SELINUX= can take one of these three values
# enforcing - SELinux security policy is enforced
# permissive - SELinux prints warnings instead of enforcing
# disabled - No SELinux policy is loaded
SELINUX=disabled
# SELINUXTYPE= can take one of these two values
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection
SELINUXTYPE=targeted

Reboot your system

After reboot, confirm that the getenforce command returns Disabled

getenforce
Disabled

Changing SELinux Modes at Boot Time

On boot, you can set several kernel parameters to change the way SELinux runs

enforcing=0

Setting this parameter causes the system to start in permissive mode, which is useful when troubleshooting issues

Using permissive mode might be the only option to detect a problem if your file system is too corrupted
Moreover, in permissive mode, the system continues to create the labels correctly
The AVC messages that are created in this mode can be different than in enforcing mode

In permissive mode, only the first denial from a series of the same denials is reported

However, in enforcing mode, you might get a denial related to reading a directory, and an application stops
In permissive mode, you get the same AVC message, but the application continues reading files in the directory and you get an AVC for each denial in addition

selinux=0

This parameter causes the kernel to not load any part of the SELinux infrastructure

The init scripts notice that the system booted with the selinux=0 parameter and touch the /.autorelabel file
This causes the system to automatically relabel the next time you boot with SELinux enabled

Important: Red Hat does not recommend using the selinux=0 parameter

To debug your system, prefer using permissive mode

autorelabel=1

This parameter forces the system to relabel similarly to the following commands

sudo touch /.autorelabel
sudo reboot

If the system labeling contains a large amount of errors, you might need to boot in permissive mode in order that the autorelabel succeeds

For additional SELinux-related kernel boot parameters, such as checkreqprot, see the [[/usr/share/doc/kernel-doc-<KERNEL_VER>/Documentation/kernel-parameters.txt]] file

This documentation is installed with the kernel-doc package
Replace the <KERNEL_VER> string with the version number of the installed kernel, for example

sudo yum install kernel-doc
less /usr/share/doc/kernel-doc-3.10.0/Documentation/kernel-parameters.txt

Booleans

Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing

This allows changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy

Listing Booleans

For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as the Linux root user

The following example does not list all Booleans and the output is shortened for brevity

sudo semanage boolean -l

SELinux boolean State Default Description

smartmon_3ware (off , off) Determine whether smartmon can.. mpd_enable_homedirs (off , off) Determine whether mpd can traverse..

Note: To have more detailed descriptions, install the selinux-policy-devel package

The SELinux boolean column lists Boolean names

The Description column lists whether the Booleans are on or off, and what they do

The getsebool -a command lists Booleans, whether they are on or off, but does not give a description of each one

The following example does not list all Booleans

getsebool -a
cvs_read_shadow --> off
daemons_dump_core --> on

Run the getsebool ''boolean-name'' command to only list the status of the boolean-name Boolean

getsebool cvs_read_shadow
cvs_read_shadow --> off

Use a space-separated list to list multiple Booleans

getsebool cvs_read_shadow daemons_dump_core
cvs_read_shadow --> off
daemons_dump_core --> on

Configuring Booleans

Run the setsebool utility in the setsebool ''boolean_name'' on/off form to enable or disable Booleans

The following example demonstrates configuring the httpd_can_network_connect_db Boolean

Configuring Booleans

By default, the httpd_can_network_connect_db Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers

getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> off

To temporarily enable Apache HTTP Server scripts and modules to connect to database servers, enter the following command as root

sudo setsebool httpd_can_network_connect_db on

Use the getsebool utility to verify the Boolean has been enabled

getsebool httpd_can_network_connect_db
httpd_can_network_connect_db --> on

This allows Apache HTTP Server scripts and modules to connect to database servers

This change is not persistent across reboots
- To make changes persistent across reboots, run the setsebool -P ''boolean-name'' on command as root:[3]

sudo setsebool -P httpd_can_network_connect_db on

Shell Auto-Completion

It is possible to use shell auto-completion with the getsebool, setsebool, and semanage utilities

Use the auto-completion with getsebool and setsebool to complete both command-line parameters and Booleans
To list only the command-line parameters, add the hyphen character ("-") after the command name and hit the Tab key

sudo setsebool -[Tab]
-P

To complete a Boolean, start writing the Boolean name and then hit Tab

getsebool samba_[Tab]
samba_create_home_dirs samba_export_all_ro samba_run_unconfined
samba_domain_controller samba_export_all_rw samba_share_fusefs
samba_enable_home_dirs samba_portmapper samba_share_nfs

sudo setsebool -P virt_use_[Tab]
virt_use_comm virt_use_nfs virt_use_sanlock
virt_use_execmem virt_use_rawip virt_use_usb
virt_use_fusefs virt_use_samba virt_use_xserver

The semanage utility is used with several command-line arguments that are completed one by one

The first argument of a semanage command is an option, which specifies what part of SELinux policy is managed

sudo semanage [Tab]
boolean export import login node port
dontaudit fcontext interface module permissive user

Then, one or more command-line parameters follow

sudo semanage fcontext -[Tab]
-a -D --equal --help -m -o
--add --delete -f -l --modify -S
-C --deleteall --ftype --list -n -t
-d -e -h --locallist --noheading --type

Finally, complete the name of a particular SELinux entry, such as a Boolean, SELinux user, domain, or another

Start typing the entry and hit Tab

sudo semanage fcontext -a -t samba<tab>
samba_etc_t samba_secrets_t
sambagui_exec_t samba_share_t
samba_initrc_exec_t samba_unconfined_script_exec_t
samba_log_t samba_unit_file_t
samba_net_exec_t

Command-line parameters can be chained in a command

sudo semanage port -a -t http_port_t -p tcp 81

SELinux Contexts – Labeling Files

On systems running SELinux, all processes and files are labeled in a way that represents security-relevant information

This information is called the SELinux context
For files, this is viewed using the ls -Z command

ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0)

This information is used to make access control decisions
On DAC systems, access is controlled based on Linux user and group IDs
SELinux policy rules are checked after DAC rules
SELinux policy rules are not used if DAC rules deny access first

Note: By default, newly-created files and directories inherit the SELinux type of their parent directories

For example, when creating a new file in the /etc directory that is labeled with the etc_t type, the new file inherits the same type

ls -dZ - /etc
drwxr-xr-x root root system_u:object_r:etc_t:s0 /etc

sudo touch /etc/file1

sudo ls -lZ /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

SELinux provides multiple commands for managing the file system labeling, such as chcon, semanage fcontext, restorecon, and matchpathcon

Temporary Changes: chcon

The chcon command changes the SELinux context for files

However, changes made with the chcon command are not persistent across file-system relabels, or the execution of the restorecon command
SELinux policy controls whether users are able to modify the SELinux context for any given file
When using chcon, users provide all or part of the SELinux context to change
An incorrect file type is a common cause of SELinux denying access

Quick Reference

Run the chcon -t ''type'' ''file-name'' command to change the file type, where type is an SELinux type, such as httpd_sys_content_t, and file-name is a file or directory name

chcon -t httpd_sys_content_t file-name

Run the chcon -R -t ''type'' ''directory-name'' command to change the type of the directory and its contents, where type is an SELinux type, such as httpd_sys_content_t, and directory-name is a directory name

chcon -R -t httpd_sys_content_t directory-name

Changing a File's or Directory's Type

The following procedure demonstrates changing the type, and no other attributes of the SELinux context

The example in this section works the same for directories, for example, if file1 was a directory. # Change into your home directory

Create a new file and view its SELinux context

touch file1

ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

In this example, the SELinux context for file1 includes the SELinux unconfined_u user, object_r role, user_home_t type, and the s0 level

For a description of each part of the SELinux context, see Chapter 2, SELinux Contexts

Enter the following command to change the type to samba_share_t

The -t option only changes the type
Then view the change

chcon -t samba_share_t file1

ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:samba_share_t:s0 file1

Use the following command to restore the SELinux context for the file1 file

Use the -v option to view what changes

restorecon -v file1
restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0

In this example, the previous type, samba_share_t, is restored to the correct, user_home_t type

When using targeted policy (the default SELinux policy in Red Hat Enterprise Linux), the restorecon command reads the files in the etc/selinux/targeted/contexts/files directory, to see which SELinux context files should have

Changing a Directory and its Contents Types

The following example demonstrates creating a new directory, and changing the directory's file type along with its contents to a type used by the Apache HTTP Server

The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of var/www/html)

As the root user, create a new web/ directory and then 3 empty files (file1, file2, and file3) within this directory

The web/ directory and files in it are labeled with the default_t type

sudo mkdir /web
sudo touch /web/file{1,2,3}
sudo ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web

sudo ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3

As root, enter the following command to change the type of the web/ directory (and its contents) to httpd_sys_content_t

sudo chcon -R -t httpd_sys_content_t /web/

sudo ls -dZ /web/
drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/

sudo ls -lZ /web/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

To restore the default SELinux contexts, use the restorecon utility as root

sudo restorecon -R -v /web/
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0

See the chcon(1) manual page for further information about chcon

Note: Type Enforcement is the main permission control used in SELinux targeted policy

For the most part, SELinux users and roles can be ignored

Persistent Changes: semanage fcontext

The semanage fcontext command is used to change the SELinux context of files

To show contexts to newly created files and directories, enter the following command as root

sudo semanage fcontext -C -l

Changes made by semanage fcontext are used by the following utilities

The setfiles utility is used when a file system is relabeled and the restorecon utility restores the default SELinux contexts
This means that changes made by semanage fcontext are persistent, even if the file system is relabeled
SELinux policy controls whether users are able to modify the SELinux context for any given file

Quick Reference

To make SELinux context changes that survive a file system relabel

Enter the following command, remembering to use the full path to the file or directory

sudo semanage fcontext -a options file-name|directory-name

Use the restorecon utility to apply the context changes

sudo restorecon -v file-name|directory-name

Use of regular expressions with semanage fcontext

For the semanage fcontext command to work correctly, you can use either a fully qualified path or Perl-compatible regular expressions ()

The only PCRE flag in use is PCRE2_DOTALL, which causes the [[.]] wildcard to match anything, including a new line
Strings representing paths are processed as bytes, meaning that non-ASCII characters are not matched by a single wildcard

Note that file-context definitions specified using semanage fcontext are evaluated in reverse order to how they were defined the latest entry is evaluated first regardless of the stem length

Local file context modifications stored in file_contexts.local have a higher priority than those specified in policy modules
This means that whenever a match for a given file path is found in file_contexts.local, no other file-context definitions are considered

Important: File-context definitions specified using the semanage fcontext command effectively override all other file-context definitions

All regular expressions should therefore be as specific as possible to avoid unintentionally impacting other parts of the file system

For more information on a type of regular expression used in file-context definitions and flags in effect, see the semanage-fcontext(8) man page

Changing a File's or Directory 's Type

The following example demonstrates changing a file's type, and no other attributes of the SELinux context

This example works the same for directories, for instance if file1 was a directory. # As the root user, create a new file in the /etc directory
By default, newly-created files in /etc are labeled with the etc_t type

sudo touch /etc/file1

ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

To list information about a directory, use the following command

ls -dZ directory_name

As root, enter the following command to change the file1 type to samba_share_t

The -a option adds a new record, and the -t option defines a type (samba_share_t)
Note that running this command does not directly change the type; file1 is still labeled with the etc_t type

sudo semanage fcontext -a -t samba_share_t /etc/file1

sudo ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

semanage fcontext -C -l
/etc/file1 unconfined_u:object_r:samba_share_t:s0

As root, use the restorecon utility to change the type

Because semanage added an entry to file_contexts.local for /etc/file1, restorecon changes the type to samba_share_t

sudo restorecon -v /etc/file1
restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0

Changing a Directory and its Contents Types

The following example demonstrates creating a new directory, and changing the directory's file type along with its contents to a type used by Apache HTTP Server

The configuration in this example is used if you want Apache HTTP Server to use a different document root instead of var/www/html

As the root user, create a new web/ directory and then 3 empty files (file1, file2, and file3) within this directory

The web/ directory and files in it are labeled with the default_t type

sudo mkdir /web
sudo touch /web/file{1,2,3}
sudo ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
sudo ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3

As root, enter the following command to change the type of the web/ directory and the files in it, to httpd_sys_content_t

The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t)
The "/web(/.*)?" regular expression causes semanage to apply changes to web/, as well as the files in it
Note that running this command does not directly change the type; web/ and files in it are still labeled with the default_t type

sudo semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3

The semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local

/web(/.*)? system_u:object_r:httpd_sys_content_t:s0

As root, use the restorecon utility to change the type of web/, as well as all files in it

The -R is for recursive, which means all files and directories under web/ are labeled with the httpd_sys_content_t type
Since semanage added an entry to file.contexts.local for /web(/.*)?, restorecon changes the types to httpd_sys_content_t

sudo restorecon -R -v /web
restorecon reset /web context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

Note that by default, newly-created files and directories inherit the SELinux type of their parent directories

Deleting an added Context

The following example demonstrates adding and removing an SELinux context

If the context is part of a regular expression, for example, /web(/.*)?, use quotation marks around the regular expression

sudo semanage fcontext -d "/web(/.*)?"

To remove the context, as root, enter the following command, where file-name|directory-name is the first part in file_contexts.local

sudo semanage fcontext -d file-name|directory-name

The following is an example of a context in file_contexts.local

/test system_u:object_r:httpd_sys_content_t:s0

With the first part being test

To prevent the test/ directory from being labeled with the httpd_sys_content_t after running restorecon, or after a file system relabel, enter the following command as root to delete the context from file_contexts.local

sudo semanage fcontext -d /test

As root, use the restorecon utility to restore the default SELinux context

For further information about semanage, see the semanage(8) and semanage-fcontext(8) manual pages

Important: When changing the SELinux context with semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the restorecon command is run

How File Context is Determined

Determining file context is based on file-context definitions, which are specified in the system security policy (the .fc files)

Based on the system policy, semanage generates file_contexts.homedirs and file_contexts files

System administrators can customize file-context definitions using the semanage fcontext command

Such customizations are stored in the file_contexts.local file

When a labeling utility, such as matchpathcon or restorecon, is determining the proper label for a given path, it searches for local changes first (file_contexts.local)

If the utility does not find a matching pattern, it searches the file_contexts.homedirs file and finally the file_contexts file
However, whenever a match for a given file path is found, the search ends, the utility does look for any additional file-context definitions
This means that home directory-related file contexts have higher priority than the rest, and local customizations override the system policy

File-context definitions specified by system policy (contents of file_contexts.homedirs and file_contexts files) are sorted by the length of the stem (prefix of the path before any wildcard) before evaluation

This means that the most specific path is chosen
However, file-context definitions specified using semanage fcontext are evaluated in reverse order to how they were defined

the latest entry is evaluated first regardless of the stem length

For more information on

changing the context of a file by using chcon, see Section “Temporary Changes

chcon”

changing and adding a file-context definition by using semanage fcontext, see Section “Persistent Changes

semanage fcontext”

changing and adding a file-context definition through a system-policy operation, see Section “Maintaining SELinux Labels” or Section “Prioritizing and Disabling SELinux Policy Modules”

The file_t and default_t Types

When using a file system that supports extended attributes (EA), the file_t type is the default type of a file that has not yet been assigned EA value

This type is only used for this purpose and does not exist on correctly-labeled file systems, because all files on a system running SELinux should have a proper SELinux context, and the file_t type is never used in file-context configuration[4]

The default_t type is used on files that do not match any pattern in file-context configuration, so that such files can be distinguished from files that do not have a context on disk, and generally are kept inaccessible to confined domains

For example, if you create a new top-level directory, such as mydirectory/, this directory may be labeled with the default_t type
If services need access to this directory, you need to update the file-contexts configuration for this location
See Section “Persistent Changes

semanage fcontext” for details on adding a context to the file-context configuration

Mounting File Systems

By default, when a file system that supports extended attributes is mounted, the security context for each file is obtained from the security.selinux extended attribute of the file

Files in file systems that do not support extended attributes are assigned a single, default security context from the policy configuration, based on file system type

Use the mount -o context command to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes

This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems
The mount -o context command can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS volumes
The context specified with the context option is not written to disk

the original contexts are preserved, and are seen when mounting without context if the file system had extended attributes in the first place

For further information about file system labeling, see James Morris's "Filesystem Labeling in SELinux" article http://www.linuxjournal.com/article/7426

Context Mounts

To mount a file system with the specified context, overriding existing contexts if they exist, or to specify a different, default context for a file system that does not support extended attributes, as the root user, use the mount -o context=''SELinux_user:role:type:level'' command when mounting the required file system

Context changes are not written to disk
By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes
In common policies, this default context uses the nfs_t type
Without additional mount options, this may prevent sharing NFS volumes using other services, such as the Apache HTTP Server
The following example mounts an NFS volume so that it can be shared using the Apache HTTP Server

sudo mount server:/export /local/mount/point -o \ context="system_u:object_r:httpd_sys_content_t:s0"

Newly-created files and directories on this file system appear to have the SELinux context specified with -o context

However, since these changes are not written to disk, the context specified with this option does not persist between mounts
Therefore, this option must be used with the same context specified during every mount to retain the required context
For information about making context mount persistent, see Section “Making Context Mounts Persistent”

Type Enforcement is the main permission control used in SELinux targeted policy

For the most part, SELinux users and roles can be ignored, so, when overriding the SELinux context with -o context, use the SELinux system_u user and object_r role, and concentrate on the type
If you are not using the MLS policy or multi-category security, use the s0 level

Note

When a file system is mounted with a context option, context changes by users and processes are prohibited

For example, running the chcon command on a file system mounted with a context option results in a Operation not supported error

Changing the Default Context

As mentioned in Section 4.8, “The file_t and default_t Types”, on file systems that support extended attributes, when a file that lacks an SELinux context on disk is accessed, it is treated as if it had a default context as defined by SELinux policy

In common policies, this default context uses the file_t type
If it is desirable to use a different default context, mount the file system with the defcontext option

The following example mounts a newly-created file system on /dev/sda2 to the newly-created test/ directory

It assumes that there are no rules in etc/selinux/targeted/contexts/files that define a context for the test/ directory

sudo mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"

In this example

the defcontext option defines that system_u:object_r:samba_share_t:s0 is "the default security context for unlabeled files"[5]
when mounted, the root directory (test/) of the file system is treated as if it is labeled with the context specified by defcontext (this label is not stored on disk)
This affects the labeling for files created under test/

new files inherit the samba_share_t type, and these labels are stored on disk

files created under test/ while the file system was mounted with a defcontext option retain their labels

Mounting an NFS Volume

By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes

In common policies, this default context uses the nfs_t type
Depending on policy configuration, services, such as Apache HTTP Server and MariaDB, may not be able to read files labeled with the nfs_t type
This may prevent file systems labeled with this type from being mounted and then read or exported by other services

If you would like to mount an NFS volume and read or export that file system with another service, use the context option when mounting to override the nfs_t type

Use the following context option to mount NFS volumes so that they can be shared using the Apache HTTP Server

sudo mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0"

Since these changes are not written to disk, the context specified with this option does not persist between mounts

Therefore, this option must be used with the same context specified during every mount to retain the required context
For information about making context mount persistent, see Section “Making Context Mounts Persistent”

As an alternative to mounting file systems with context options, Booleans can be enabled to allow services access to file systems labeled with the nfs_t type

See Part II, “Managing Confined Services” for instructions on configuring Booleans to allow services access to the nfs_t type

Multiple NFS Mounts

When mounting multiple mounts from the same NFS export, attempting to override the SELinux context of each mount with a different context, results in subsequent mount commands failing

In the following example, the NFS server has a single export, export/, which has two subdirectories, web/ and database/
The following commands attempt two mounts from a single NFS export, and try to override the context for each one

sudo mount server:/export/web /local/web -o context="system_u:object_r:httpd_sys_content_t:s0"

sudo mount server:/export/database /local/database -o context="system_u:object_r:mysqld_db_t:s0"

The second mount command fails, and the following is logged to /var/log/messages kernel SELinux mount invalid

Same superblock, different security settings for (dev 0:15, type nfs)

To mount multiple mounts from a single NFS export, with each mount having a different context, use the -o nosharecache,context options

The following example mounts multiple mounts from a single NFS export, with a different context for each mount (allowing a single service access to each one)

sudo mount server:/export/web /local/web -o nosharecache,context="system_u:object_r:httpd_sys_content_t:s0"

sudo mount server:/export/database /local/database -o \ nosharecache,context="system_u:object_r:mysqld_db_t:s0"

In this example, server:/export/web is mounted locally to the local/web directory, with all files being labeled with the httpd_sys_content_t type, allowing Apache HTTP Server access. server:/export/database is mounted locally to local/database, with all files being labeled with the mysqld_db_t type, allowing MariaDB access

These type changes are not written to disk

Important

The nosharecache options allows you to mount the same subdirectory of an export multiple times with different contexts, for example, mounting export/web multiple times

Do not mount the same subdirectory from an export multiple times with different contexts, as this creates an overlapping mount, where files are accessible under two different contexts

Making Context Mounts Persistent

To make context mounts persistent across remounting and reboots, add entries for the file systems in the /etc/fstab file or an automounter map, and use the required context as a mount option

The following example adds an entry to /etc/fstab for an NFS context mount

server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0

Maintaining SELinux Labels

These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories

Also, it explains how to preserve contexts when copying and archiving

Copying Files and Directories

When a file or directory is copied, a new file or directory is created if it does not exist

That new file or directory's context is based on default-labeling rules, not the original file or directory's context unless options were used to preserve the original context
For example, files created in user home directories are labeled with the user_home_t type

touch file1

$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

If such a file is copied to another directory, such as /etc, the new file is created in accordance to default-labeling rules for /etc

Copying a file without additional options may not preserve the original context

ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

sudo cp file1 /etc/

$ ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

When file1 is copied to /etc, if /etc/file1 does not exist, /etc/file1 is created as a new file

As shown in the example above, /etc/file1 is labeled with the etc_t type, in accordance to default-labeling rules

When a file is copied over an existing file, the existing file's context is preserved, unless the user specified cp options to preserve the context of the original file, such as --preserve=context

SELinux policy may prevent contexts from being preserved during copies

Copying Without Preserving SELinux Contexts

This procedure shows that when copying a file with the cp command, if no options are given, the type is inherited from the targeted, parent directory

Create a file in a user's home directory

The file is labeled with the user_home_t type

touch file1
ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

The var/www/html directory is labeled with the httpd_sys_content_t type, as shown with the following command

ls -dZ /var/www/html/drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

When file1 is copied to var/www/html, it inherits the httpd_sys_content_t type

sudo cp file1 /var/www/html/
ls -Z /var/www/html/file1-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1

Preserving SELinux Contexts When Copying

This procedure shows how to use the --preserve=context option to preserve contexts when copying. # Create a file in a user's home directory

The file is labeled with the user_home_t type

touch file1
ls -Z file1-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

The var/www/html directory is labeled with the httpd_sys_content_t type, as shown with the following command

ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

Using the --preserve=context option preserves SELinux contexts during copy operations

As shown below, the user_home_t type of file1 was preserved when the file was copied to var/www/html

sudo cp --preserve=context file1 /var/www/html/
ls -Z /var/www/html/file1-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

Copying and Changing the Context

This procedure show how to use the --context option to change the destination copy's context

The following example is performed in the user's home directory

Create a file in a user's home directory

The file is labeled with the user_home_t type

touch file1
ls -Z file1-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

Use the --context option to define the SELinux context

cp --context=system_u:object_r:samba_share_t:s0 file1 file2

Without --context, file2 would be labeled with the unconfined_u:object_r:user_home_t context

ls -Z file1 file2-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1-rw-rw-r-- user1 group1 system_u:object_r:samba_share_t:s0 file2

Copying a File Over an Existing File

This procedure shows that when a file is copied over an existing file, the existing file's context is preserved unless an option is used to preserve contexts. # As root, create a new file, file1 in the /etc directory

As shown below, the file is labeled with the etc_t type

sudo touch /etc/file1
ls -Z /etc/file1-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

Create another file, file2, in the /tmp directory

As shown below, the file is labeled with the user_tmp_t type

touch /tmp/file2
ls -Z /tmp/file2-rw-r--r-- root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2

Overwrite file1 with file2

sudo cp /tmp/file2 /etc/file1

After copying, the following command shows file1 labeled with the etc_t type, not the user_tmp_t type from /tmp/file2 that replaced /etc/file1

ls -Z /etc/file1-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

Important

Copy files and directories, rather than moving them

This helps ensure they are labeled with the correct SELinux contexts
Incorrect SELinux contexts can prevent processes from accessing such files and directories

Moving Files and Directories

Files and directories keep their current SELinux context when they are moved

In many cases, this is incorrect for the location they are being moved to
The following example demonstrates moving a file from a user's home directory to the var/www/html directory, which is used by the Apache HTTP Server
Since the file is moved, it does not inherit the correct SELinux context

Moving Files and Directories

Change into your home directory and create file in it

The file is labeled with the user_home_t type

touch file1

ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

Enter the following command to view the SELinux context of the var/www/html directory

ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

By default, var/www/html is labeled with the httpd_sys_content_t type

Files and directories created under var/www/html inherit this type, and as such, they are labeled with this type

As root, move file1 to var/www/html

Since this file is moved, it keeps its current user_home_t type

sudo mv file1 /var/www/html/

sudo ls -Z /var/www/html/file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

By default, the Apache HTTP Server cannot read files that are labeled with the user_home_t type

If all files comprising a web page are labeled with the user_home_t type, or another type that the Apache HTTP Server cannot read, permission is denied when attempting to access them using web browsers, such as Mozilla Firefox

Important

Moving files and directories with the mv command may result in the incorrect SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories

Checking the Default SELinux Context

Use the matchpathcon utility to check if files and directories have the correct SELinux context

This utility queries the system policy and then provides the default security context associated with the file path.[6] The following example demonstrates using matchpathcon to verify that files in var/www/html directory are labeled correctly

Checking the Default SELinux Conxtext with matchpathcon'''

As the root user, create three files (file1, file2, and file3) in the var/www/html directory

These files inherit the httpd_sys_content_t type from var/www/html

sudo touch /var/www/html/file{1,2,3}

sudo ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

As root, change the file1 type to samba_share_t

Note that the Apache HTTP Server cannot read files or directories labeled with the samba_share_t type

sudo chcon -t samba_share_t /var/www/html/file1

The matchpathcon -V option compares the current SELinux context to the correct, default context in SELinux policy

Enter the following command to check all files in the var/www/html directory

matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified
/var/www/html/file3 verified

The following output from the matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_t type

/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

To resolve the label problem and allow the Apache HTTP Server access to file1, as root, use the restorecon utility

sudo restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

Archiving Files with tar

The tar utility does not retain extended attributes by default

Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files
Use the tar --selinux command to create archives that retain contexts and to restore files from the archives
If a tar archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, use the restorecon utility

tar -xvf archive.tar | restorecon -f -

Note that depending on the directory, you may need to be the root user to run the restorecon

The following example demonstrates creating a tar archive that retains SELinux contexts

Creating a tar Archive

Change to the var/www/html directory and view its SELinux context

cd /var/www/html/

ls -dZ /var/www/html/
drwxr-xr-x

root root system_u:object_r:httpd_sys_content_t:s0

As root, create three files (file1, file2, and file3) in var/www/html

These files inherit the httpd_sys_content_t type from var/www/html

html]# touch file{1,2,3}

ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

As root, enter the following command to create a tar archive named test.tar

Use the --selinux to retain the SELinux context

sudo tar --selinux -cf test.tar file{1,2,3}

As root, create a new directory named test/, and then allow all users full access to it

sudo mkdir /test
sudo chmod 777 /test/

Copy the test.tar file into test/

cp /var/www/html/test.tar /test/

Change into test/ directory

Once in this directory, enter the following command to extract the tar archive
Specify the --selinux option again otherwise the SELinux context will be changed to default_t

cd /test/

tar --selinux -xvf test.tar

View the SELinux contexts

The httpd_sys_content_t type has been retained, rather than being changed to default_t, which would have happened had the --selinux not been used

test]$ ls -lZ /test/
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r-- user1 group1 unconfined_u:object_r:default_t:s0 test.tar

If the test/ directory is no longer required, as root, enter the following command to remove it, as well as all files in it

sudo rm -ri /test/

See the tar(1) manual page for further information about tar, such as the --xattrs option that retains all extended attributes

Archiving Files with star

The star utility does not retain extended attributes by default

Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files
Use the star -xattr -H=exustar command to create archives that retain contexts
The star package is not installed by default
To install star, run the yum install star command as the root user

The following example demonstrates creating a star archive that retains SELinux contexts

Creating a star Archive

As root, create three files (file1, file2, and file3) in the var/www/html

These files inherit the httpd_sys_content_t type from var/www/html

sudo touch /var/www/html/file{1,2,3}

sudo ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

Change into var/www/html directory

Once in this directory, as root, enter the following command to create a star archive named test.star

cd /var/www/html

html]# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star

1 blocks + 0 bytes (total of 10240 bytes = 10.00k)

As root, create a new directory named test/, and then allow all users full access to it

sudo mkdir /test

sudo chmod 777 /test/

Enter the following command to copy the test.star file into test/

cp /var/www/html/test.star /test/

Change into test/

Once in this directory, enter the following command to extract the star archive

cd /test/

test]$ star -x -f=test.star
star

1 blocks + 0 bytes (total of 10240 bytes = 10.00k)

View the SELinux contexts

The httpd_sys_content_t type has been retained, rather than being changed to default_t, which would have happened had the -xattr -H=exustar option not been used

ls -lZ /test/
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r-- user1 group1 unconfined_u:object_r:default_t:s0 test.star

If the test/ directory is no longer required, as root, enter the following command to remove it, as well as all files in it

sudo rm -ri /test/

If star is no longer required, as root, remove the package

sudo yum remove star

See the star(1) manual page for further information about star

Information Gathering Tools

The utilities listed below are command-line tools that provide well-formatted information, such as access vector cache statistics or the number of classes, types, or Booleans

avcstat

This command provides a short output of the access vector cache statistics since boot

You can watch the statistics in real time by specifying a time interval in seconds
This provides updated statistics since the initial output
The statistics file used is /sys/fs/selinux/avc/cache_stats, and you can specify a different cache file with the -f /path/to/file option

sudo avcstat
lookups hits misses allocs reclaims frees
47517410 47504630 12780 12780 12176 12275

seinfo

This utility is useful in describing the break-down of a policy, such as the number of classes, types, Booleans, allow rules, and others. seinfo is a command-line utility that uses a policy.conf file, a binary policy file, a modular list of policy packages, or a policy list file as input

You must have the setools-console package installed to use the seinfo utility

The output of seinfo will vary between binary and source files

For example, the policy source file uses the [[{ }]] brackets to group multiple rule elements onto a single line
A similar effect happens with attributes, where a single attribute expands into one or many types
Because these are expanded and no longer relevant in the binary policy file, they have a return value of zero in the search results
However, the number of rules greatly increases as each formerly one line rule using brackets is now a number of individual lines

Some items are not present in the binary policy

For example, neverallow rules are only checked during policy compile, not during runtime, and initial Security Identifiers (SIDs) are not part of the binary policy since they are required prior to the policy being loaded by the kernel during boot

sudo seinfo

Statistics for policy file

/sys/fs/selinux/policy

Policy Version & Type

v.28 (binary, mls)

Classes

77 Permissions 229

Sensitivities

1 Categories 1024

Types

3001 Attributes 244

Users

9 Roles 13

Booleans

158 Cond

Expr.

193

Allow

262796 Neverallow 0

Auditallow

44 Dontaudit 156710

Type_trans

10760 Type_change 38

Type_member

44 Role allow 20

Role_trans

237 Range_trans 2546

Constraints

62 Validatetrans 0

Initial SIDs

27 Fs_use 22

Genfscon

82 Portcon 373

Netifcon

0 Nodecon 0

Permissives

22 Polcap 2

The seinfo utility can also list the number of types with the domain attribute, giving an estimate of the number of different confined processes

sudo seinfo -adomain -x | wc -l
550

Not all domain types are confined

To look at the number of unconfined domains, use the unconfined_domain attribute

sudo seinfo -aunconfined_domain_type -x | wc -l
52

Permissive domains can be counted with the --permissive option

sudo seinfo --permissive -x | wc -l
31

Remove the additional wc -l command in the above commands to see the full lists

sesearch

You can use the sesearch utility to search for a particular rule in the policy

It is possible to search either policy source files or the binary file
For example

sesearch --role_allow -t httpd_sys_content_t
Found 20 role allow rules
allow system_r sysadm_r;
allow sysadm_r system_r;
allow sysadm_r staff_r;
allow sysadm_r user_r;
allow system_r git_shell_r;
allow system_r guest_r;
allow logadm_r system_r;
allow system_r logadm_r;
allow system_r nx_server_r;
allow system_r staff_r;
allow staff_r logadm_r;
allow staff_r sysadm_r;
allow staff_r unconfined_r;
allow staff_r webadm_r;
allow unconfined_r system_r;
allow system_r unconfined_r;
allow system_r user_r;
allow webadm_r system_r;
allow system_r webadm_r;
allow system_r xguest_r;

The sesearch utility can provide the number of allow rules

sudo sesearch --allow | wc -l
262798

And the number of dontaudit rules

sudo sesearch --dontaudit | wc -l
156712

Prioritizing and Disabling SELinux Policy Modules

The SELinux module storage in etc/selinux allows using a priority on SELinux modules

Enter the following command as root to show two module directories with a different priority

sudo ls /etc/selinux/targeted/active/modules
100 400 disabled

While the default priority used by semodule utility is 400, the priority used in selinux-policy packages is 100, so you can find most of the SELinux modules installed with the priority 100

You can override an existing module with a modified module with the same name using a higher priority

When there are more modules with the same name and different priorities, only a module with the highest priority is used when the policy is built

Using SELinux Policy Modules Priority

Prepare a new module with modified file context

Install the module with the semodule -i command and set the priority of the module to 400
We use sandbox.pp in the following example

sudo semodule -X 400 -i sandbox.pp
sudo semodule --list-modules=full | grep sandbox
400 sandbox pp
100 sandbox pp

To return back to the default module, enter the semodule -r command as root

sudo semodule -X 400 -r sandbox

libsemanage.semanage_direct_remove_key sandbox module at priority 100 is now active

Disabling a System Policy Module

To disable a system policy module, enter the following command as root semodule -d MODULE_NAME

Warning

If you remove a system policy module using the semodule -r command, it is deleted on your system's storage and you cannot load it again

To avoid unnecessary reinstallations of the selinux-policy-targeted package for restoring all system policy modules, use the semodule -d command instead

Multi-Level Security (MLS)

The Multi-Level Security technology refers to a security scheme that enforces the Bell-La Padula Mandatory Access Model

Under MLS, users and processes are called subjects, and files, devices, and other passive components of the system are called objects
Both subjects and objects are labeled with a security level, which entails a subject's clearance or an object's classification
Each security level is composed of a sensitivity and a category, for example, an internal release schedule is filed under the internal documents category with a confidential sensitivity

Figure&nbsp“Levels of clearance” shows levels of clearance as originally designed by the US defense community

Relating to our internal schedule example above, only users that have gained the confidential clearance are allowed to view documents in the confidential category
However, users who only have the confidential clearance are not allowed to view documents that require higher levels or clearance; they are allowed read access only to documents with lower levels of clearance, and write access to documents with higher levels of clearance

Figure Levels of clearance

Figure “Allowed data flows using MLS” shows all allowed data flows between a subject running under the "Secret" security level and various objects with different security levels

In simple terms, the Bell-LaPadula model enforces two properties

no read up and no write down

Figure Allowed data flows using MLS

MLS and System Privileges

MLS access rules are always combined with conventional access permissions (file permissions)

For example, if a user with a security level of "Secret" uses Discretionary Access Control (DAC) to block access to a file by other users, this also blocks access by users with a security level of "Top Secret"
It is important to remember that SELinux MLS policy rules are checked after DAC rules
A higher security clearance does not automatically give permission to arbitrarily browse a file system

Users with top-level clearances do not automatically acquire administrative rights on multi-level systems

While they may have access to all information on the computer, this is different from having administrative rights

Enabling MLS in SELinux

Note

It is not recommended to use the MLS policy on a system that is running the X Window System

Follow these steps to enable the SELinux MLS policy on your system

Enabling SELinux MLS Policy

Install the selinux-policy-mls package

sudo yum install selinux-policy-mls

Before the MLS policy is enabled, each file on the file system must be relabeled with an MLS label

When the file system is relabeled, confined domains may be denied access, which may prevent your system from booting correctly
To prevent this from happening, configure SELINUX=permissive in the /etc/selinux/config file
Also, enable the MLS policy by configuring SELINUXTYPE=mls
Your configuration file should look like this

# This file controls the state of SELinux on the system
# SELINUX= can take one of these three values
# enforcing - SELinux security policy is enforced
# permissive - SELinux prints warnings instead of enforcing
# disabled - No SELinux policy is loaded
SELINUX=permissive
# SELINUXTYPE= can take one of these two values
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection
SELINUXTYPE=mls

# Make sure SELinux is running in permissive mode
sudo setenforce 0

getenforce
Permissive

Use the fixfiles script to create the /.autorelabel file containing the -F option to ensure that files are relabeled upon next reboot

sudo fixfiles -F onboot

Reboot your system

During the next boot, all file systems will be relabeled according to the MLS policy
The label process labels all files with an appropriate SELinux context

*** Warning -- SELinux mls policy relabel is required
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives
***********

Each * (asterisk) character on the bottom line represents 1000 files that have been labeled

In the above example, eleven * characters represent 11000 files which have been labeled
The time it takes to label all files depends upon the number of files on the system, and the speed of the hard disk drives
On modern systems, this process can take as little as 10 minutes
Once the labeling process finishes, the system will automatically reboot

In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode

Before changing to enforcing mode, as root, enter the following command to confirm that SELinux did not deny actions during the last boot
If SELinux did not deny actions during the last boot, this command does not return any output
See Chapter Troubleshooting for troubleshooting information if SELinux denied access during boot

sudo grep "SELinux is preventing" /var/log/messages

If there were no denial messages in the /var/log/messages file, or you have resolved all existing denials, configure SELINUX=enforcing in the /etc/selinux/config file

# This file controls the state of SELinux on the system
# SELINUX= can take one of these three values
# enforcing - SELinux security policy is enforced
# permissive - SELinux prints warnings instead of enforcing
# disabled - No SELinux policy is loaded
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection
SELINUXTYPE=mls

Reboot your system and make sure SELinux is running in enforcing mode

getenforce
Enforcing

and the MLS policy is enabled

sudo sestatus |grep mls
Policy from config file

mls

Creating a User With a Specific MLS Range

Follow these steps to create a new Linux user with a specific MLS range

Creating a User With a Specific MLS Range

Add a new Linux user using the useradd command and map the new Linux user to an existing SELinux user (in this case, staff_u)

sudo useradd -Z staff_u john

Assign the newly-created Linux user a password

prompt sudo passwd john

Enter the following command as root to view the mapping between SELinux and Linux users

The output should be as follows

sudo semanage login -l
Login Name SELinux User MLS/MCS Range Service

__default__ user_u s0-s0 *
john staff_u s0-s15:c0.c1023 *
root root s0-s15:c0.c1023 *
staff staff_u s0-s15:c0.c1023 *
sysadm staff_u s0-s15:c0.c1023 *
system_u system_u s0-s15:c0.c1023 *

Define a specific range for user john

sudo semanage login --modify --range s2:c100 john

View the mapping between SELinux and Linux users again

Note that the user john now has a specific MLS range defined

sudo semanage login -l
Login Name SELinux User MLS/MCS Range Service

__default__ user_u s0-s0 *
john staff_u s2:c100 *
root root s0-s15:c0.c1023 *
staff staff_u s0-s15:c0.c1023 *
sysadm staff_u s0-s15:c0.c1023 *
system_u system_u s0-s15:c0.c1023 *

To correct the label on john's home directory if needed, enter the following command

sudo chcon -R -l s2:c100 /home/john

Setting Up Polyinstantiated Directories

The /tmp and var/tmp directories are normally used for temporary storage by all programs, services, and users

Such setup, however, makes these directories vulnerable to race condition attacks, or an information leak based on file names
SELinux offers a solution in the form of polyinstantiated directories
This effectively means that both /tmp and var/tmp are instantiated, making them appear private for each user
When instantiation of directories is enabled, each user's /tmp and var/tmp directory is automatically mounted under /tmp-inst and /var/tmp/tmp-inst

Follow these steps to enable polyinstantiation of directories

Enabling Polyinstantiation Directories

Uncomment the last three lines in the /etc/security/namespace.conf file to enable instantiation of the /tmp, var/tmp, and users' home directories

tail -n 3 /etc/security/namespace.conf
/tmp /tmp-inst/ level root,adm
/var/tmp /var/tmp/tmp-inst/ level root,adm
$HOME $HOME/$USER.inst/ level

Ensure that in the /etc/pam.d/login file, the pam_namespace.so module is configured for session

grep namespace /etc/pam.d/login
session required pam_namespace.so

Reboot your system

File Name Transition

The file name transition feature allows policy writers to specify the file name when writing policy transition rules

It is possible to write a rule that states

If a process labeled A_t creates a specified object class in a directory labeled B_t and the specified object class is named objectname, it gets the label C_t

This mechanism provides more fine-grained control over processes on the system

Without file name transition, there are three possible ways how to label an object

By default, objects inherit labels from parent directories
For example, if the user creates a file in a directory labeled etc_t, then the file is labeled also etc_t
However, this method is useless when it is desirable to have multiple files within a directory with different labels
Policy writers can write a rule in policy that states

If a process with type A_t creates a specified object class in a directory labeled B_t, the object gets the new C_t label

This practice is problematic if a single program creates multiple objects in the same directory where each object requires a separate label
Moreover, these rules provide only partial control, because names of the created objects are not specified
Certain applications have SELinux awareness that allow such an application to ask the system what the label of a certain path should be
These applications then request the kernel to create the object with the required label
Examples of applications with SELinux awareness are the rpm package manager, the restorecon utility, or the udev device manager
However, it is not possible to instruct every application that creates files or directories with SELinux awareness
It is often necessary to relabel objects with the correct label after creating
Otherwise, when a confined domain attempts to use the object, AVC messages are returned

The file name transition feature decreases problems related to incorrect labeling and improves the system to be more secure

Policy writers are able to state properly that a certain application can only create a file with a specified name in a specified directory
The rules take into account the file name, not the file path
This is the basename of the file path
Note that file name transition uses an exact match done by the strcmp() function
Use of regular expressions or wildcard characters is not considered

Note: File paths can vary in the kernel and file name transition does not use the paths to determine labels

Consequently, this feature only affects initial file creation and does not fix incorrect labels of already created objects

Examples of Policy Rules Written with File Name Transition

The example below shows a policy rule with file name transition filetrans_pattern(unconfined_t, admin_home_t, ssh_home_t, dir, ".ssh")

This rule states that if a process with the unconfined_t type creates the ~/.ssh/ directory in a directory labeled admin_home_t, the ~/.ssh/ directory gets the label ssh_home_t

Similar examples of policy rules written with file name transition are presented below

filetrans_pattern(staff_t, user_home_dir_t, httpd_user_content_t, dir, "public_html")
filetrans_pattern(thumb_t, user_home_dir_t, thumb_home_t, file, "missfont.log")
filetrans_pattern(kernel_t, device_t, xserver_misc_device_t, chr_file, "nvidia0")
filetrans_pattern(puppet_t, etc_t, krb5_conf_t, file, "krb5.conf")

Note: The file name transition feature affects mainly policy writers, but users can notice that instead of file objects almost always created with the default label of the containing directory, some file objects have a different label as specified in policy

Disabling ptrace()

The ptrace() system call allows one process to observe and control the execution of another process and change its memory and registers

This call is used primarily by developers during debugging, for example when using the strace utility
When ptrace() is not needed, it can be disabled to improve system security
This can be done by enabling the deny_ptrace Boolean, which denies all processes, even those that are running in unconfined_t domains, from being able to use ptrace() on other processes

The deny_ptrace Boolean is disabled by default

To enable it, run the setsebool -P deny_ptrace on command as the root user

sudo setsebool -P deny_ptrace on

To verify if this Boolean is enabled, use the following command

getsebool deny_ptrace
deny_ptrace --> on

To disable this Boolean, run the setsebool -P deny_ptrace off command as root

sudo setsebool -P deny_ptrace off

Note: The setsebool -P command makes persistent changes

Do not use the -P option if you do not want changes to persist across reboots

This Boolean influences only packages that are part of Red Hat Enterprise Linux

Consequently, third-party packages could still use the ptrace() system call
To list all domains that are allowed to use ptrace(), enter the following command
Note that the setools-console package provides the sesearch utility and that the package is not installed by default

sudo sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace | cut -d ' ' -f 5

Thumbnail Protection

The thumbnail icons can potentially allow an attacker to break into a locked machine using removable media, such as USB devices or CDs

When the system detects a removable media, the Nautilus file manager executes the thumbnail driver code to display thumbnail icons in an appropriate file browser even if the machine is locked
This behavior is unsafe because if the thumbnail executables were vulnerable, the attacker could use the thumbnail driver code to bypass the lock screen without entering the password

Therefore, a new SELinux policy is used to prevent such attacks

This policy ensures that all thumbnail drivers are locked when the screen is locked
The thumbnail protection is enabled for both confined users and unconfined users

This policy affects the following applications

/usr/bin/evince-thumbnailer
/usr/bin/ffmpegthumbnailer
/usr/bin/gnome-exe-thumbnailer.sh
/usr/bin/gnome-nds-thumbnailer
/usr/bin/gnome-xcf-thumbnailer
/usr/bin/gsf-office-thumbnailer
/usr/bin/raw-thumbnailer
/usr/bin/shotwell-video-thumbnailer
/usr/bin/totem-video-thumbnailer
/usr/bin/whaaw-thumbnailer
/usr/lib/tumbler-1/tumblerd
/usr/lib64/tumbler-1/tumblerd

Links

[3] To temporarily revert to the default behavior, as the Linux root user, run the setsebool httpd_can_network_connect_db off command
- For changes that persist across reboots, run the setsebool -P httpd_can_network_connect_db off command
[4] Files in the etc/selinux/targeted/contexts/files directory define contexts for files and directories
Files in this directory are read by the restorecon and setfiles utilities to restore files and directories to their default contexts
[5] Morris, James. "Filesystem Labeling in SELinux" http://www.linuxjournal.com/article/7426
[6] See the matchpathcon(8) manual page for further information about matchpathcon