Administering SELinux Security Context

Describes SELinux security contexts and shows how to view, assign, and restore context information for users, files, and processes.

Under SELinux, all file systems, files, directories, devices, and processes have an associated security context. For files, SELinux stores a context label in the extended attributes of the file system. The context contains more information about a system object: the SELinux user, their role, their type, and the security level. SELinux uses this context information to control access by processes, Linux users, and files.

This topic explains how to administer SELinux security context information.

You can specify the -Z option with certain commands (ls, ps, and id) to display the SELinux context. A context has the following syntax:

SELinux user:Role:Type:Level
SELinux user

An SELinux user account complements a regular Linux user account. SELinux maps every Linux user to an SELinux user identity that's used in the SELinux context for the processes in a user session. SELinux usernames often end with _u. Several Linux users can be mapped to the same SELinux user.

Role

In the Role-Based Access Control (RBAC) security model, a role acts as an intermediary abstraction layer between SELinux process domains or file types and an SELinux user. Processes run in specific SELinux domains, and file system objects are assigned SELinux file types. SELinux users are authorized to perform specified roles, and roles are authorized for specified SELinux domains and file types. A user's role defines which process domains and file types the user can access, and hence which processes and files the user can access. The convention in SELinux is that role names end in _r.

Type

All rules in SELinux are based on types. A type defines an SELinux file type or an SELinux process domain. Processes are separated from each other by running in their own domains. This separation prevents processes from accessing files that other processes use, and prevents processes from accessing other processes. The SELinux policy rules define the access that process domains have to file types and to other process domains.

Level

A level is an attribute of Multi-Level Security (MLS) and Multi-Category Security (MCS). An MLS range is a pair of sensitivity levels, written as low_level-high_level. The range can be abbreviated as low_level if the levels are identical. For example, s0 is the same as s0-s0. Each level has an optional set of security categories to which it applies. If the set is contiguous, it can be abbreviated. For example, s0:c0.c3 is the same as s0:c0,c1,c2,c3.
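As an added example (not part of the original page), the following POSIX shell functions take a context string apart into the four fields just described and expand an abbreviated category set. The sample contexts are constructed from values shown elsewhere on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: split an SELinux context string
# into its fields and expand an abbreviated MCS category set.
# The sample contexts are constructed from the values shown on this page.

# Print field N of a context (1=SELinux user, 2=role, 3=type, 4=level).
# The level can itself contain a colon (s0-s0:c0.c1023), so field 4 is
# "everything after the third colon", not a plain fourth column.
ctx_field() {
    case "$2" in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Low and high sensitivity of an MLS range; "s0" means "s0-s0".
level_low()  { lvl="${1%%:*}"; printf '%s\n' "${lvl%%-*}"; }
level_high() { lvl="${1%%:*}"; printf '%s\n' "${lvl##*-}"; }

# Expand the category set of a level: "s0:c0.c3,c7" -> "c0,c1,c2,c3,c7".
# A level without ':' has no categories and yields an empty line.
expand_categories() {
    case "$1" in
        *:*) cats="${1#*:}" ;;
        *)   printf '\n'; return 0 ;;
    esac
    out=""
    old_ifs="$IFS"; IFS=','
    for item in $cats; do
        case "$item" in
            *.*)
                # contiguous range written as cLO.cHI
                i="${item%%.*}"; i="${i#c}"
                last="${item##*.}"; last="${last#c}"
                while [ "$i" -le "$last" ]; do
                    out="${out:+$out,}c$i"
                    i=$((i + 1))
                done ;;
            *)
                out="${out:+$out,}$item" ;;
        esac
    done
    IFS="$old_ifs"
    printf '%s\n' "$out"
}

# Pull the context out of one line of ls -Z output (fourth column).
ls_z_context() { printf '%s\n' "$1" | awk '{ print $4 }'; }

# Demo on the page's own sample values.
SAMPLE_CTX='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_LS='-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg'
LEVEL="$(ctx_field "$SAMPLE_CTX" 4)"
echo "user=$(ctx_field "$SAMPLE_CTX" 1) role=$(ctx_field "$SAMPLE_CTX" 2)"
echo "type=$(ctx_field "$SAMPLE_CTX" 3) level=$LEVEL"
echo "sensitivity range $(level_low "$LEVEL")..$(level_high "$LEVEL")"
echo "s0:c0.c3 expands to $(expand_categories 's0:c0.c3')"
echo "file type of sample ls -Z line: $(ctx_field "$(ls_z_context "$SAMPLE_LS")" 3)"
```

The one detail worth noticing is that a plain `cut -d: -f4` would truncate an MLS/MCS level such as s0-s0:c0.c1023 at its inner colon; the level is always the remainder of the string after the type.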

Displaying SELinux User Mapping

This task shows you how to view the mapping between SELinux and Linux user accounts using the seinfo and semanage commands.

  1. List all SELinux users.

    Run the following command to show all SELinux user accounts:

    seinfo -u

    The output is similar to the following:

    Users: 8
    guest_u
    root
    staff_u
    sysadm_u
    system_u
    unconfined_u
    user_u
    xguest_u
  2. Show which Linux user accounts are mapped to which SELinux user accounts.

    Run the following command to display the mappings:

    sudo semanage login -l

    The output is similar to the following:

    Login Name           SELinux User         MLS/MCS Range        Service
    
    __default__          unconfined_u         s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
    system_u             system_u             s0-s0:c0.c1023       *

    By default, Linux users other than root and the system-level user system_u match the __default__ login entry, which maps them to the SELinux unconfined_u user. The MLS/MCS Range column is the security level used by Multi-Level Security (MLS) and Multi-Category Security (MCS).

Displaying SELinux Context Information

This task shows how to view the SELinux context information associated with different resources.

  1. To display the context information that's associated with all files in a directory, use the ls -Z command:

    ls -Z

    The output is similar to the following:

    -rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 config
    -rw-r--r--. root root system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg
    drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 jail
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 team0.cfg
  2. Run the following command to view the context of the /etc/selinux/config file:

    ls -Z /etc/selinux/config

    The output is similar to the following:

    -rw-r--r--. root root system_u:object_r:selinux_config_t:s0 /etc/selinux/config
  3. To display the context information that's associated with processes, run the ps -Z command:

    ps -Z

    The output is similar to the following:

    LABEL                                                 PID  TTY   TIME     CMD
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3038 pts/0 00:00:00 su
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3044 pts/0 00:00:00 bash
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3322 pts/0 00:00:00 ps
  4. To display the context information that's associated with the current user, run the id -Z command:

    id -Z

    The output is similar to the following:

    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Changing the Default File Type

This task shows you how to change the default file type for a file system hierarchy. The example assumes that you want httpd to serve content from a DocumentRoot directory other than the default, /var/www/html.

  1. Specify the new default file type for the directory hierarchy.

    To change the default file type of the directory hierarchy /var/webcontent to httpd_sys_content_t, use the semanage command:

    sudo /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/var/webcontent(/.*)?"

    Running this command adds the following entry to the /etc/selinux/targeted/contexts/files/file_contexts.local file:

    /var/webcontent(/.*)?     system_u:object_r:httpd_sys_content_t:s0
  2. Apply the new file type to the directory hierarchy:

    Use the restorecon command to apply the new file type to the entire directory hierarchy:

    sudo /sbin/restorecon -R -v /var/webcontent

Restoring the Default File Type

In this task, you reverse the change you made in the previous task, restoring the default file type of the directory hierarchy /var/webcontent.

  1. Delete the existing file type definition.

    Use the semanage command to delete the file type definition for the directory hierarchy from the /etc/selinux/targeted/contexts/files/file_contexts.local file:

    sudo /usr/sbin/semanage fcontext -d "/var/webcontent(/.*)?"
  2. Apply the default file type.

    Use the restorecon command to apply the default file type to the entire directory hierarchy:

    sudo /sbin/restorecon -R -v /var/webcontent
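The two tasks above add a file_contexts.local entry and then delete it again. The following added example (not part of the original page, and not code from semanage or restorecon) works out which type a set of file_contexts specifications assigns to a path, so the effect of adding or deleting the /var/webcontent entry can be checked before restorecon is run. Both tables in it are constructed for the demo and are far shorter than a real policy's file_contexts; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: work out which type a set of
# file_contexts specifications assigns to a path, so the effect of adding
# or deleting a semanage fcontext entry can be seen before running restorecon.
# Both tables below are constructed for the demo. On a live system,
# matchpathcon(1) or restorecon -n -v gives the authoritative answer.

# Cut-down base file_contexts (constructed).
BASE_FILE_CONTEXTS='/.*                     system_u:object_r:default_t:s0
/var/.*                 system_u:object_r:var_t:s0
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0'

# The entry the page shows semanage fcontext -a adding to file_contexts.local.
LOCAL_FILE_CONTEXTS='/var/webcontent(/.*)?   system_u:object_r:httpd_sys_content_t:s0'

# Usage: expected_type PATH TABLE...
# Prints the type of the last entry, across the tables in order, whose
# regex matches the whole path. Each regex is anchored at both ends, so
# /var/webcontent(/.*)? covers /var/webcontent and everything beneath it,
# but not /var/webcontent2. Taking the last match mirrors libselinux, which
# searches the specifications from the end, with local entries appended last.
expected_type() {
    path="$1"; shift
    result=""
    for table in "$@"; do
        while read -r regex ctx; do
            [ -n "$regex" ] || continue
            if printf '%s\n' "$path" | grep -Eq '^'"$regex"'$'; then
                result="$(printf '%s\n' "$ctx" | cut -d: -f3)"
            fi
        done <<EOF
$table
EOF
    done
    printf '%s\n' "$result"
}

# Usage: relabel_needed LS_Z_LINE PATH TABLE...
# Succeeds (exit 0) when the type currently on the file, taken from a line
# of ls -Z output, differs from what the tables say; this is the comparison
# that restorecon -v reports on.
relabel_needed() {
    current="$(printf '%s\n' "$1" | awk '{ print $4 }' | cut -d: -f3)"
    shift
    [ "$current" != "$(expected_type "$@")" ]
}

# Demo: before and after "semanage fcontext -d" removes the local entry.
f=/var/webcontent/index.html
echo "with local entry:    $f -> $(expected_type "$f" "$BASE_FILE_CONTEXTS" "$LOCAL_FILE_CONTEXTS")"
echo "without local entry: $f -> $(expected_type "$f" "$BASE_FILE_CONTEXTS")"
# Constructed ls -Z line for a file still carrying the old var_t label.
LINE='-rw-r--r--. root root unconfined_u:object_r:var_t:s0 /var/webcontent/index.html'
if relabel_needed "$LINE" "$f" "$BASE_FILE_CONTEXTS" "$LOCAL_FILE_CONTEXTS"; then
    echo "restorecon would relabel $f"
fi
```

The anchoring is the point to take away: a specification written as /var/webcontent without the (/.*)? suffix would label the directory itself but nothing under it, and one written as /var/webcontent.* would also catch unrelated siblings such as /var/webcontent2.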

Relabeling a File System

If you see an error message that contains the string file_t, the file system probably has incorrect context labels: file_t is the type assigned to files that carry no SELinux label at all. This task shows you how to relabel the file system.

  1. Create the .autorelabel file.

    Create an empty file called .autorelabel in the root of the file system:

    sudo touch /.autorelabel

    Or, you can run the following command:

    sudo fixfiles -F onboot

    Either method performs a full SELinux relabel of the file system on the next boot, to ensure all files have the correct SELinux context labels according to policy.

  2. Reboot the system.