Difference between revisions of "Guide/Contexts"
From SELinux Wiki
Latest revision as of 23:26, 13 September 2010
Contexts
SELinux contexts are composed of 4 pieces: selinux user, role, type, and range.
<pre>
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
    user    :    role    :    type    :    range
</pre>
The selinux range is composed of a low and high level:
<pre>
s0-s0:c0.c255
low-high
</pre>
Each level is composed of an MLS sensitivity and a set of categories:
<pre>
s0:c0.c255
sensitivity:categories
</pre>
Categories can be specified individually:
<pre>
c0,c5,c10
</pre>
Or treated as an ordered set:
<pre>
c0.c10
</pre>
This means all categories between c0 and c10 (inclusive).
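A small Python parser for this context format, added here as an example and not taken from the wiki: it splits a context into its four fields, expands both category notations, and checks that the high level of a range dominates the low one. It also accepts a context with no range field at all (a system whose policy carries no MLS/MCS component), which the text above does not cover; the Level, Context and function names are this example's own.

```python
import re
from collections import namedtuple

# Added example (names are this example's own, not a libselinux API):
# parse user:role:type[:low[-high]] where a level is sN[:categories].
Level = namedtuple("Level", "sensitivity categories")
Context = namedtuple("Context", "user role type low high")

def parse_categories(spec):
    """Expand 'c0,c5,c10' (individual) or 'c0.c10' (inclusive run) into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError(f"descending category run: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)

def parse_level(text):
    """Parse 'sN' or 'sN:categories' into a Level."""
    sens, _, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    return Level(int(m.group(1)), parse_categories(cats))

def dominates(a, b):
    """MLS dominance: a >= b iff sensitivity is not lower and categories are a superset."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories

def parse_context(ctx):
    """Split a context into its fields. 'high' defaults to 'low' when no '-' is given;
    low and high are None for a context without a range (no MLS/MCS in the policy)."""
    fields = ctx.split(":", 3)
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"need at least user:role:type: {ctx!r}")
    if len(fields) == 3:
        return Context(*fields, None, None)
    low_s, _, high_s = fields[3].partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low
    if not dominates(high, low):
        raise ValueError(f"high level must dominate low level: {fields[3]!r}")
    return Context(*fields[:3], low, high)
```

Run it against the contexts shown on this page, e.g. `parse_context("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255")`, to see the low level with no categories and the high level carrying c0 through c255.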
Displaying Contexts
Display the context of...
... your shell:
<pre>
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
</pre>
... a file:
<pre>
$ ls -Z /bin/bash
system_u:object_r:shell_exec_t:s0 /bin/bash
</pre>
... a process:
<pre>
$ ps -Z
LABEL                                                  PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 23912 pts/3    00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 25101 pts/3    00:00:00 ps
</pre>
Changing Contexts
Change the context of...
... a file:
<pre>
$ touch /tmp/myfile
$ ls -Z /tmp/myfile
unconfined_u:object_r:user_tmp_t:s0 /tmp/myfile
$ chcon -t user_home_t /tmp/myfile
$ ls -Z /tmp/myfile
unconfined_u:object_r:user_home_t:s0 /tmp/myfile
</pre>
... a file (persistently across relabels):
<pre>
# touch /var/cache/myfile
# ls -Z /var/cache/myfile
unconfined_u:object_r:var_t:s0 /var/cache/myfile
# semanage fcontext -a -t user_home_t /var/cache/myfile
# restorecon /var/cache/myfile
# ls -Z /var/cache/myfile
system_u:object_r:user_home_t:s0 /var/cache/myfile
</pre>
... your shell:
<pre>
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
$ newrole -r system_r -t unconfined_t
Password:
$ id -Z
unconfined_u:system_r:unconfined_t:s0-s0:c0.c255
</pre>
... a program when started (temporary):
<pre>
$ runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash
$ id -Z
system_u:system_r:crond_t:s0:c0.c255
</pre>
Resetting Contexts
Reset the context of...
... a file:
<pre>
$ restorecon /tmp/myfile
</pre>