RHEL/CentOS 7: How to Change File Contexts in SELinux


SELinux is a Linux kernel module that allows supporting mandatory access control (MAC) security policies. The Red Hat implementation of SELinux combines role-based access control (RBAC) with type enforcement (TE). Optionally, multilevel security (MLS) is also available but isn’t widely used as it implements fewer policies than the default Red Hat SELinux policies.

SELinux is enabled by default in RHEL 7 and supported for all software packaged by Red Hat.

Files and processes are labeled with a SELinux context, which contains additional information about a SELinux user, role, type, and level. This information is used by the SELinux kernel module to make access control decisions.

The SELinux user, a unique identity known by the SELinux policy, is authorized for a number of roles.

SELinux roles, as we already alluded to before, are attributes of SELinux users and part of the RBAC SELinux policy. SELinux roles are authorized for SELinux domains.

The SELinux type is the type of a file or the domain of a process. SELinux policy rules define which types may access which other types (files and processes). By default, if no rule in the SELinux policy allows an access, it is denied.

The SELinux level is only used when the SELinux policy type is set to MLS and should be avoided altogether on anything other than servers. This set of policies doesn’t cover the same domains as defined by the default Red Hat SELinux policy. The SELinux level is an attribute of MLS and multi-category security (MCS).

All files and processes on a system are labeled to represent security-relevant information. This information is called the SELinux context. To view the contexts of files (and directories), execute the following:

~# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file
~#

You can temporarily change the context of a file (or files) or permanently change their context. The first option allows easy troubleshooting if you need to figure out whether changing the context solves your problem. Persistent changes are mostly used when your applications refer to data that is not in the standard location—for example, if your web server serves data from /srv/www.

TEMPORARY CONTEXT CHANGES

Temporary SELinux context changes remain until the file, or the filesystem that the file resides on, is relabeled.

To change the SELinux user of a file, execute the following:

~# chcon --user <SELinux user> <filename>

To change the SELinux role of a file, execute the following:

~# chcon --role <SELinux role> <filename>

To change the SELinux type of a file, execute the following:

~# chcon --type <SELinux type> <filename>

PERSISTENT FILE CONTEXT CHANGES

Changing the application data location doesn’t automatically modify SELinux contexts to allow your application to access this data.

To permanently relabel files or directories, perform the following:

  1. Change the SELinux user for your files or directories via this command:
    ~# semanage fcontext -a --seuser <SELinux user> <filename|dirname>

  2. Change the SELinux type of your files or directories by running the following:
    ~# semanage fcontext -a --type <SELinux type> <filename|dirname>

  3. Apply the new rules to the files or directories with this command:
    ~# restorecon <filename|dirname>

To show all the available SELinux users, execute the following:

~# semanage user -l

Alternatively, you can install the setools-console package and run the following:

~# seinfo -u

To show all the available SELinux types, install the setools-console package and run the following:

~# seinfo -t

To show the available SELinux roles, install the setools-console package and run the following:

~# seinfo -r

The semanage tool doesn’t have an option to include all files recursively, but there is a way around this: the filename or dirname you specify is actually a regular expression. So, for example, if you want to recursively include all the files in /srv/www, you could specify "/srv/www(/.*)?".
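Steps 1 to 3 above, combined with the recursive pattern just described, as one added script (not the page's own code); the directory /srv/www and the type httpd_sys_content_t are assumptions for the illustration.

```shell
#!/bin/bash
# Persistently relabel a directory tree (added example, not from the page).
# Assumptions: /srv/www is the relocated web root and httpd_sys_content_t is
# the type the web server is allowed to read; both are illustrative.
set -u

# Build the pattern semanage stores: the directory itself plus everything
# below it, because the path argument is a regular expression, not a glob.
fcontext_pattern() {
    local dir="${1%/}"                 # a trailing slash would break the regex
    printf '%s(/.*)?' "$dir"
}

# Register the rule, then apply it. DRY_RUN=1 only prints the commands so the
# change can be reviewed before it is made on a live host.
relabel_tree() {
    local dir="$1" setype="$2" pattern
    # Only accept well-formed type names; anything else is likely a typo.
    if ! printf '%s' "$setype" | grep -Eq '^[a-z0-9_]+_t$'; then
        echo "invalid SELinux type: $setype" >&2
        return 2
    fi
    pattern="$(fcontext_pattern "$dir")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'semanage fcontext -a --type %s "%s"\n' "$setype" "$pattern"
        printf 'restorecon -Rv %s\n' "$dir"
        return 0
    fi
    semanage fcontext -a --type "$setype" "$pattern" || return 1
    # -R walks the tree, -v lists every path whose label changed (keep for audit).
    restorecon -Rv "$dir"
}

# Example: DRY_RUN=1 relabel_tree /srv/www httpd_sys_content_t
```

After a real run, matchpathcon on a file under the tree shows the type the policy now expects for it.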

TIP

For now, there's no way to change the SELinux role using semanage. A way to get around this is to change the SELinux user or type using semanage and then edit the resulting entry in /etc/selinux/targeted/contexts/files/file_contexts.local.

Here’s an example of an AVC denial report, caused by a wrong SELinux context, as found in the audit.log file:

type=AVC msg=audit(1438884962.645:86): avc:  denied  { open } for  pid=1283 comm="httpd" path="/var/www/html/index.html" dev="dm-5" ino=1089 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

This log entry can be explained as follows:

Field                                       Description
type=AVC                                    This is the log type
msg=audit(1438884962.645:86)                This is the log entry timestamp
avc                                         This is a repetition of the log type
denied                                      This states whether enforcing is enabled
{ open }                                    This is the permission that caused the AVC denial
for pid=1283                                This is the process ID
comm="httpd"                                This is the process command
path="/var/www/html/index.html"             This is the path that is accessed
dev="dm-5"                                  This is the device that the preceding file is located on
ino=1089                                    This is the inode of the preceding file
scontext=system_u:system_r:httpd_t:s0       This is the source SELinux context
tcontext=system_u:object_r:user_home_t:s0   This is the target SELinux context
tclass=file                                 This is the target SELinux class
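As an added example (not part of the original text), the following Python parses AVC records of the shape shown above and summarises, per process domain, which target types and permissions were denied; the sample log is constructed for the illustration and the function names are my own.

```python
import re

# Constructed sample log (not from a real system): the AVC record quoted in the
# text above, the SYSCALL record that accompanies it, and a second denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1438884962.645:86): avc:  denied  { open } for  pid=1283 comm="httpd" path="/var/www/html/index.html" dev="dm-5" ino=1089 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1438884962.645:86): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1438884990.101:87): avc:  denied  { read } for  pid=1283 comm="httpd" name="app.conf" dev="dm-5" ino=2201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

# Header of an AVC record: timestamp:serial, the decision, and the permission set.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm, path, name, dev).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Split one AVC record into its fields; return None for other record types."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    # A context is user:role:type[:level]; policy rules key on the type field,
    # so expose it separately for the source (process) and target (file).
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def denials_by_domain(log_text):
    """Map each process domain to the (target type, class, permissions) it was denied."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["tcontext_type"], rec["tclass"], tuple(rec["perms"]))
            summary.setdefault(rec["scontext_type"], []).append(key)
    return summary
```

A domain such as httpd_t showing up against user_home_t or admin_home_t is the signature of content that was moved or created under the wrong label, which is exactly what restorecon (or a new fcontext rule) fixes.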
