Guide/Contexts
From SELinux Wiki
(Difference between revisions)
| Revision as of 14:09, 26 June 2009 (edit) CalebCase (Talk | contribs) m ← Previous diff |
Revision as of 15:04, 26 June 2009 (edit) (undo) CalebCase (Talk | contribs) Next diff → |
||
| Line 1: | Line 1: | ||
| == Contexts == | == Contexts == | ||
| + | |||
| + | SELinux contexts are composed of 4 pieces: selinux user, role, type, and range. | ||
| + | |||
| + | <pre> | ||
| + | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 | ||
| + | user : role : type : range | ||
| + | </pre> | ||
| + | |||
| + | The selinux range is composed of a low and high level: | ||
| + | |||
| + | <pre> | ||
| + | s0-s0:c0.c255 | ||
| + | low-high | ||
| + | </pre> | ||
| + | |||
| + | Each level is composed a MLS sensitivity and a set of categories: | ||
| + | |||
| + | <pre> | ||
| + | s0:c0.c255 | ||
| + | sensitivity:categories | ||
| + | </pre> | ||
| + | |||
| + | Categories are can be specified individually: | ||
| + | |||
| + | <pre> | ||
| + | c0,c5,c10 | ||
| + | </pre> | ||
| + | |||
| + | Or treated as an ordered set: | ||
| + | |||
| + | <pre> | ||
| + | c0.c10 | ||
| + | </pre> | ||
| + | |||
| + | Where this would mean all categories between c0 and c10 (inclusive). | ||
| === Displaying Contexts === | === Displaying Contexts === | ||
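Review bot: two grammar slips in the new Contexts text: "Each level is composed a MLS sensitivity" should read "composed of an MLS sensitivity", and "Categories are can be specified individually" should drop "are". The sentence "Or treated as an ordered set" also undersells the dot notation; since the following line explains that c0.c10 means every category from c0 to c10 inclusive, "Or as a range" describes it more accurately than "ordered set".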
| Line 60: | Line 95: | ||
| $ id -Z | $ id -Z | ||
| system_u:system_r:crond_t:s0:c0.c255 | system_u:system_r:crond_t:s0:c0.c255 | ||
| + | </pre> | ||
| + | |||
| + | === Resetting Contexts === | ||
| + | |||
| + | Reset the context of... | ||
| + | |||
| + | ... a file: | ||
| + | |||
| + | <pre> | ||
| + | $ restorecon /tmp/myfile | ||
| </pre> | </pre> | ||
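Review bot: the new Resetting Contexts section should say what "$ restorecon /tmp/myfile" resets to, since directly after the chcon example it reads as an undo without explaining that the file is relabeled to the default specified by the policy's file contexts; one sentence to that effect, plus "restorecon -v /tmp/myfile" so the reader sees the old and new label printed, would make the section self-explanatory.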
Revision as of 15:04, 26 June 2009
Contexts
SELinux contexts are composed of 4 pieces: SELinux user, role, type, and range.
<pre>
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
user : role : type : range
</pre>
The SELinux range is composed of a low and high level:
<pre>
s0-s0:c0.c255
low-high
</pre>
Each level is composed of an MLS sensitivity and a set of categories:
<pre>
s0:c0.c255
sensitivity:categories
</pre>
Categories can be specified individually:
<pre>
c0,c5,c10
</pre>
Or as a range:
<pre>
c0.c10
</pre>
Where this would mean all categories between c0 and c10 (inclusive).
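As an added example (not part of the wiki page), here is a small Python parser for the context syntax described above: it splits a label into user, role, type and range, splits the range into its low and high levels, expands category lists and dot ranges into a set of integers, and collapses a set back into the compact form. It also handles two cases the guide's examples show only implicitly: a range written as a single level (s0:c0.c255, where low equals high) and a label with no range at all (a non-MLS policy). It goes beyond the text in accepting a mix of the two category forms in one list, such as c0.c3,c7, which the MLS level syntax allows. The sample labels in the block are constructed from the kinds of output shown in this guide.

```python
import re
from typing import FrozenSet, Iterable, NamedTuple, Optional

# Constructed sample labels, modelled on the output shown in the guide.
SAMPLE_SHELL = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255"
SAMPLE_FILE = "system_u:object_r:shell_exec_t:s0"
SAMPLE_CROND = "system_u:system_r:crond_t:s0:c0.c255"

# One category item: either "cN" or a dot range "cN.cM".
_CAT_ITEM = re.compile(r"^c(\d+)(?:\.c(\d+))?$")
_SENSITIVITY = re.compile(r"^s(\d+)$")


class Level(NamedTuple):
    sensitivity: int
    categories: FrozenSet[int]


class Context(NamedTuple):
    user: str
    role: str
    type: str
    low: Optional[Level]   # None when the label carries no range (non-MLS policy)
    high: Optional[Level]


def parse_categories(spec: str) -> FrozenSet[int]:
    """Expand 'c0,c5,c10', 'c0.c10' or a mix such as 'c0.c3,c7' into a set of ints."""
    if not spec:
        return frozenset()
    cats = set()
    for item in spec.split(","):
        m = _CAT_ITEM.match(item)
        if not m:
            raise ValueError(f"bad category item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"descending category range: {item!r}")
        cats.update(range(lo, hi + 1))   # dot ranges are inclusive at both ends
    return frozenset(cats)


def parse_level(spec: str) -> Level:
    """'s0:c0.c255' -> Level(0, {0..255}); a bare 's0' has an empty category set."""
    sens, _, cats = spec.partition(":")
    m = _SENSITIVITY.match(sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    return Level(int(m.group(1)), parse_categories(cats))


def parse_context(label: str) -> Context:
    """Split user:role:type:range. The range itself contains ':' so only the
    first three separators delimit fields; splitting on every ':' is a common bug."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"context needs at least user:role:type: {label!r}")
    user, role, type_ = parts[:3]
    if len(parts) == 3:
        return Context(user, role, type_, None, None)
    low_s, _, high_s = parts[3].partition("-")
    low = parse_level(low_s)
    high = parse_level(high_s) if high_s else low   # a single level means low == high
    return Context(user, role, type_, low, high)


def format_categories(cats: Iterable[int]) -> str:
    """Inverse of parse_categories: collapse runs of consecutive categories into 'cN.cM'."""
    nums = sorted(set(cats))
    out = []
    i = 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        out.append(f"c{nums[i]}" if i == j else f"c{nums[i]}.c{nums[j]}")
        i = j + 1
    return ",".join(out)


if __name__ == "__main__":
    for label in (SAMPLE_SHELL, SAMPLE_FILE, SAMPLE_CROND):
        ctx = parse_context(label)
        print(label)
        print("  user/role/type:", ctx.user, ctx.role, ctx.type)
        print("  low :", ctx.low.sensitivity, format_categories(ctx.low.categories) or "(none)")
        print("  high:", ctx.high.sensitivity, format_categories(ctx.high.categories) or "(none)")
```

Note that for the shell label the low level is s0 with no categories while the high level is s0:c0.c255, which is what the guide's "low-high" annotation is pointing at; the file label s0 parses to a low and high that are identical.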
Displaying Contexts
Display the context of...
... your shell:
<pre>
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
</pre>
... a file:
<pre>
$ ls -Z /bin/bash
system_u:object_r:shell_exec_t:s0 /bin/bash
</pre>
... a process:
<pre>
$ ps -Z
LABEL                                                  PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 23912 pts/3    00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255 25101 pts/3    00:00:00 ps
</pre>
Changing Contexts
Change the context of...
... a file:
<pre>
$ touch /tmp/myfile
$ ls -Z /tmp/myfile
unconfined_u:object_r:user_tmp_t:s0 /tmp/myfile
$ chcon -t user_home_t /tmp/myfile
$ ls -Z /tmp/myfile
unconfined_u:object_r:user_home_t:s0 /tmp/myfile
</pre>
... your shell:
<pre>
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
$ newrole -r system_r -t unconfined_t
Password:
$ id -Z
unconfined_u:system_r:unconfined_t:s0-s0:c0.c255
</pre>
... a program when started (temporary):
<pre>
$ runcon system_u:system_r:crond_t:s0:c0.c255 /bin/bash
$ id -Z
system_u:system_r:crond_t:s0:c0.c255
</pre>
Resetting Contexts
Reset the context of...
... a file:
<pre>
$ restorecon /tmp/myfile
</pre>
