RHEL6 – Using Semanage and Restorecon to Modify SELinux File Contexts

Potty TrainingOk, how to keep this simple? Lets see…

Semanage:

Ok, semanage, when used with the fcontext argument, is used to define SELinux file contexts for file. It basically adds the new definition to the file,  /etc/selinux/targeted/contexts/files/file_contexts.

For example lets say that I create a new file called /root/foobar.

Using the command below I can see the default context that is assigned to a file created in /root

# ls -lZ foobar
-rw-r–r–. root root unconfined_u:object_r:admin_home_t:s0 foobar

Now lets say that I want to change the context of this file to public_content_t.  The first step to accomplish this is to define its new context.

# semanage fcontext -a -t public_content_t /root/foobar

Restorecon:

Now that the context type is defined we need to actually modify the current context of our file. So now you run restorecon against the file to actually make the change. Note: use -v for verbose.

# restorecon -v /root/foobar

restorecon reset /root/foobar context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:public_content_t:s0

Chcon:

There is also a command called chcon, that can also be used to change the defined context for a file. However I advise against using it as changes made using chcon will not survive a filesystem relabel. What is a filesystem relabel? Well according to wiki.centos.org, a relabel is defined below.

“Sometimes it is necessary to relabel the complete filesystem although this should only be necessary when enabling SELinux after it has been disabled or when changing the SELinux policy from the default targeted policy to strict.”

 

RHEL6 – SELinux Modes and Contexts

Anime,art,cartoon,chibi,darth,vader,darthvader-26d94e794e11142d417a277b8fbdc0eb_hSELinux, or Security-Enhanced Linux as its known by the guy who invented it, is a Linux feature that provides an additional level of security by setting rules for which processes can access which files, directories, ports, etc.

Display and Modify SELinux Modes:

You can use /etc/sysconfig/selinux to change the default SELinux mode at boot, and the setenforce command can be used to change the default level on the fly. Getenforce can be used to determine the current SELinux mode. 

# getenforce
Enforcing

Display SELinux Contexts:

Under SELinux, every file, process, directory, or port is assigned a special security label called a context.

To view the contexts assigned to a file or directory use the '-Z' option. Coupled with and 'ls" or a 'ps" this is a formidable command.

To view a list of all possible assigned contexts use semanage.

# semanage fcontext -l

Modify SELinux Contexts:

For example, lets create two test files in /tmp called testfile1 and testfile2, and then lets check their contexts.

# ls -lZ test*
-rw-r–r–. root root unconfined_u:object_r:user_tmp_t:s0 testfile1
-rw-r–r–. root root unconfined_u:object_r:user_tmp_t:s0 testfile2

Now compare this to the default context assigned to apache content

# ls -ldZ /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

So lets say that I want to move testfile1 to /var/www/html and make it accessable via a webbrowser; in order to do this I must assign the correct context to the file using the restorecon command.

# restorecon -Rv /var/www/html

The command above restores or even better, allows the testfiles to inherit the contexts assigned to the parent directory, which in this case is /var/www/html/

Add SELinux Contexts:

Now lets say that you need to add a directory and apply a context directly to that directory, instead of allowing a context to be inheritted. For example, lets say that I need to setup an apache virtual server under /virtual_server2, so lets first create the directory and a simple index.html

# mkdir /virtual_server2
# vi /virtual_server2/index.html
# ls -Zd /virtual_server2
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /virtual_server2

# ls -Zd /virtual_server2/index.html
-rw-r–r–. root root unconfined_u:object_r:default_t:s0 /virtual_server2/index.html

Now we need to set and apply the correct http content context to /virtual_server2 and its contents (say that 5 times fast)

# semanage fcontext -a -f "" -t httpd_sys_content_t '/virtual_server2(/.*)?'

# restorecon -RFvvv /virtual_server2/

restorecon reset /virtual_server2 context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /virtual_server2/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

Now that our context is correct apache should have no issue serving up our new content (once configured on the apache side)

# ls -Zd /virtual_server2/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /virtual_server2/