Guide/Contexts

From SELinux Wiki

Revision as of 14:05, 26 June 2009 by CalebCase (New page)
Current revision as of 23:26, 13 September 2010 by Jaxelson (Contexts - linking selinux contexts)
(3 intermediate revisions not shown.)

Current revision

Contexts

SELinux contexts are composed of 4 pieces: SELinux user, role, type, and range.

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
    user    :    role    :    type    :    range    

The SELinux range is composed of a low and a high level:

  s0-s0:c0.c255
 low-high 

Each level is composed of an MLS sensitivity and a set of categories:

         s0:c0.c255
sensitivity:categories

Categories can be specified individually:

c0,c5,c10

Or as a range (an ordered set):

c0.c10

which means every category from c0 through c10 (inclusive).
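The structure described above (user:role:type:range, a range of low-high levels, each level a sensitivity plus a category set written as a list or as a cN.cM range) can be checked by a small parser. The following is an added example, not code from the wiki or from libselinux; the names Context, Level, parse_context, parse_level, parse_categories and is_valid_context are chosen here for illustration. It splits on at most three colons (the range itself contains a colon), expands category lists and ranges, and rejects a range whose high level does not dominate its low level.

```python
import re
from dataclasses import dataclass

# Hypothetical helper names chosen for this example; they are not libselinux APIs.
_CAT = re.compile(r"c(\d+)")
_CAT_RANGE = re.compile(r"c(\d+)\.c(\d+)")
_SENS = re.compile(r"s(\d+)")


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity (sN) plus the set of category numbers."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        """MLS dominance: sensitivity at least as high and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Level
    high: Level


def parse_categories(text):
    """Expand 'c0,c5,c10', 'c0.c10' or a mix such as 'c0.c3,c7' into a frozenset of ints."""
    cats = set()
    if text == "":
        return frozenset(cats)
    for part in text.split(","):
        m = _CAT_RANGE.fullmatch(part)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"category range out of order: {part}")
            cats.update(range(lo, hi + 1))   # c0.c10 means c0 through c10 inclusive
            continue
        m = _CAT.fullmatch(part)
        if not m:
            raise ValueError(f"bad category: {part!r}")
        cats.add(int(m.group(1)))
    return frozenset(cats)


def parse_level(text):
    """Parse 's0' or 's0:c0.c255' into a Level."""
    sens, _, cats = text.partition(":")
    m = _SENS.fullmatch(sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    return Level(int(m.group(1)), parse_categories(cats))


def parse_context(ctx):
    """Split user:role:type:range; the range may itself contain ':' so split at most 3 times."""
    parts = ctx.split(":", 3)
    if len(parts) != 4 or not all(parts[:3]):
        raise ValueError(f"expected user:role:type:range, got {ctx!r}")
    user, role, type_, range_ = parts
    low_text, _, high_text = range_.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low   # a single level means low == high
    if not high.dominates(low):
        raise ValueError(f"high level must dominate low level: {range_!r}")
    return Context(user, role, type_, low, high)


def is_valid_context(ctx):
    """True if the string parses as a well-formed MLS context."""
    try:
        parse_context(ctx)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    c = parse_context("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255")
    print(c.user, c.role, c.type, c.low, len(c.high.categories))
```

Run it directly to see the shell context from the page split into its pieces; the high level of that context expands to 256 categories while the low level has none.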

Displaying Contexts

Display the context of...

... your shell:

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255

... a file:

$ ls -Z /bin/bash
system_u:object_r:shell_exec_t:s0 /bin/bash

... a process:

$ ps -Z
LABEL                             PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 23912 pts/3 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 25101 pts/3 00:00:00 ps

Changing Contexts

Change the context of...

... a file:

$ touch /tmp/myfile
$ ls -Z /tmp/myfile
unconfined_u:object_r:user_tmp_t:s0 /tmp/myfile
$ chcon -t user_home_t /tmp/myfile
$ ls -Z /tmp/myfile
unconfined_u:object_r:user_home_t:s0 /tmp/myfile

... a file (persistently across relabels):

# touch /var/cache/myfile
# ls -Z /var/cache/myfile
unconfined_u:object_r:var_t:s0 /var/cache/myfile
# semanage fcontext -a -t user_home_t /var/cache/myfile
# restorecon /var/cache/myfile
# ls -Z /var/cache/myfile
system_u:object_r:user_home_t:s0 /var/cache/myfile

... your shell:

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
$ newrole -r system_r -t unconfined_t
Password:
$ id -Z
unconfined_u:system_r:unconfined_t:s0-s0:c0.c255

... a program when started (temporary):

$ runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash
$ id -Z
system_u:system_r:crond_t:s0:c0.c255

Resetting Contexts

Reset the context of...

... a file:

$ restorecon /tmp/myfile
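The difference between the two file examples in "Changing Contexts" and the "Resetting Contexts" step is that chcon only rewrites the label on the inode, while semanage fcontext records a rule that restorecon applies. The following added example (not code from the wiki, libselinux or policycoreutils) simulates that: it reads constructed ls -Z output, looks each path up in constructed file_contexts-style rules, and reports which files a relabel would change. The rules, the ls -Z lines and the function names parse_ls_z, default_context, relabel_plan and apply_relabel are all constructed for this example; the assumed matching rule (the last matching pattern wins, local rules appended after the base ones) and the assumption that the default context is written in full, as in the page's /var/cache/myfile output, are simplifications of what the real tools do.

```python
import re

# Constructed rules in the shape of SELinux file_contexts entries
# (path regex, default context). NOT copied from any real policy;
# the type names simply mirror the page's examples.
BASE_FILE_CONTEXTS = [
    (r"/tmp/.*",          "system_u:object_r:user_tmp_t:s0"),
    (r"/var/cache(/.*)?", "system_u:object_r:var_t:s0"),
    (r"/bin/bash",        "system_u:object_r:shell_exec_t:s0"),
]

# The rule that `semanage fcontext -a -t user_home_t /var/cache/myfile` would
# record locally (constructed to model that effect).
LOCAL_FILE_CONTEXTS = [
    (r"/var/cache/myfile", "system_u:object_r:user_home_t:s0"),
]

# Constructed `ls -Z` output: /tmp/myfile after the page's chcon step,
# /var/cache/myfile before restorecon has run, /bin/bash untouched.
LS_Z_OUTPUT = """\
unconfined_u:object_r:user_home_t:s0 /tmp/myfile
unconfined_u:object_r:var_t:s0 /var/cache/myfile
system_u:object_r:shell_exec_t:s0 /bin/bash
"""


def parse_ls_z(output):
    """Map path -> context from `ls -Z` lines of the form '<context> <path>'."""
    labels = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        ctx, path = line.split(None, 1)
        labels[path] = ctx
    return labels


def default_context(path, rules):
    """Policy default for a path. Assumed simplification: the last matching
    rule wins, and local rules are appended after the base ones."""
    chosen = None
    for pattern, ctx in rules:
        if re.fullmatch(pattern, path):
            chosen = ctx
    return chosen


def type_of(ctx):
    """The type field (third piece) of a context string."""
    return ctx.split(":")[2]


def relabel_plan(labels, rules):
    """Files whose type differs from the policy default: {path: (current, default)}.
    This is what a dry-run relabel would report; a chcon'd file shows up here."""
    plan = {}
    for path, current in labels.items():
        default = default_context(path, rules)
        if default is not None and type_of(current) != type_of(default):
            plan[path] = (current, default)
    return plan


def apply_relabel(labels, rules):
    """Labels as they would be after the relabel (assumed: the default context
    is written in full, as in the page's /var/cache/myfile output)."""
    relabelled = dict(labels)
    for path, (_current, default) in relabel_plan(labels, rules).items():
        relabelled[path] = default
    return relabelled


if __name__ == "__main__":
    labels = parse_ls_z(LS_Z_OUTPUT)
    for name, rules in (("base policy only", BASE_FILE_CONTEXTS),
                        ("base + local rule", BASE_FILE_CONTEXTS + LOCAL_FILE_CONTEXTS)):
        print(name)
        for path, (cur, new) in relabel_plan(labels, rules).items():
            print(f"  {path}: {cur} -> {new}")
```

With the base rules alone, only /tmp/myfile is reported (its chcon'd user_home_t label reverts to user_tmp_t); once the local rule is present, /var/cache/myfile is reported too and ends up as user_home_t after the relabel, and a second plan over the relabelled state is empty. Running the same comparison over real `ls -Z` output is a cheap way to notice labels that drifted from policy.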