Exploring SELinux: Context

A key part of SELinux is understanding and using SELinux contexts. Everything on your system contains a context, and these contexts are used to determine which users, applications and services have access to which files, directories and applications. Even without an understanding of detailed policy creation, most SELinux users can manage their systems through using and altering contexts.

There are three types of contexts in SELinux, which are best explained by viewing the SELinux permissions on a file. To view the SELinux context of a directory, use the ls command with a -Z flag. This is for the /var/www/ directory:

[vagrant@centos www]$ ls -Z
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

What we want to look at from the permissions output is the portion that resembles system_u:object_r:httpd_sys_script_exec_t.

These are the three contexts of a file. Let’s take a deeper look:

User Context

The first portion (system_u in the example above) is the user context. This has three available values: user_u, system_u and root. Each of these denotes which overall type of user can access this file, not which specific user. With a user context of user_u, average login users can access the file (subject to the normal file permissions); a value of system_u denotes a system user, as in the example above; finally, root means that only the root user of the system can access the file.

Role Context

Role context, the second portion (object_r in the example above), is used primarily for processes and domains. The average SELinux user may not need to worry about this context. For files and directories, this is always object_r.

Type Context

Type context, the third portion, is arguably the most important context to concern yourself with when setting SELinux permissions and otherwise troubleshooting SELinux. Type context provides the fine-grained control associated with SELinux. Your system, even with only the default SELinux policy enabled and no changes made, has a large number of type contexts. Use the semanage fcontext -l command to view all file-context rules. You may want to pipe the output to grep when reviewing contexts for specific files or services. The path column uses regular expressions, and a (/.*)? suffix denotes that the given context applies recursively.

For example, here are all the directories with a type context of httpd_sys_content_t on a CentOS 7 installation:

[vagrant@centos ~]$ sudo semanage fcontext -l | grep "httpd_sys_content"
/srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
/etc/htdig(/.*)?                                   all files          system_u:object_r:httpd_sys_content_t:s0
/srv/gallery2(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/trac(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/htdig(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/icons(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/glpi(/.*)?                              all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/htdig(/.*)?                             all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/drupal.*                                all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/z-push(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/var/www/svn/conf(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/icecast(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/var/lib/cacti/rra(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/ntop/html(/.*)?                         all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/doc/ghc/html(/.*)?                      all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/openca/htdocs(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0
/usr/share/selinux-policy[^/]*/html(/.*)?          all files          system_u:object_r:httpd_sys_content_t:s0

Altering Context

We can change the context of a file or directory if we need to, either because we need to alter permissions or because we moved a file between locations: while new files created within a directory inherit its context, moved files retain their original context.

Let’s say we moved a new index.html file into our /var/www/html directory:

[vagrant@centos ~]$ sudo mv index.html /var/www/html/
[vagrant@centos ~]$ cd /var/www/html/
[vagrant@centos html]$ ls -Z
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:user_home_t:s0 index.html

This example is particularly appropriate because we can see the effects of SELinux in practice. If we try to view index.html through a web browser, we receive a Forbidden error. This is because, as shown above, the file retains its original user_home_t type rather than the httpd_sys_content_t type it needs. This can be fixed with the restorecon command:

[vagrant@centos html]$ restorecon index.html
[vagrant@centos html]$ ls -Z
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:httpd_sys_content_t:s0 index.html

restorecon resets a file's context to the default defined by the SELinux file-context rules. In this instance, it sees that index.html matches the /var/www(/.*)? rule and relabels it with the appropriate context.

Alternatively, say we moved the entire html/ directory over and need to change the SELinux context for the whole thing. Assume, for whatever reason, our server does not have the default SELinux file-context rules for Apache. For this, we can use semanage to add a type-context rule:

semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'

The -t flag denotes the type. Also notice the (/.*)? suffix: this regular expression tells SELinux that the files and directories under /var/www/html receive this type as well. As with any file-context rule, existing files pick up the new default once restorecon is run on them, as shown above.
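To make the matching concrete, here is an added Python example (not code from the post) that mimics what restorecon does with these rules: it splits a context into its fields, applies the last-matching-rule logic of the file-context regexes to a path, and reports files whose on-disk type differs from what the policy expects. The rule set and the ls -Z output are a constructed subset of what the post shows; the cgi-bin rule is an assumption based on the ls -Z listing of /var/www.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Context(NamedTuple):
    user: str   # e.g. system_u
    role: str   # e.g. object_r
    type: str   # e.g. httpd_sys_content_t
    level: str  # e.g. s0

def parse_context(label: str) -> Context:
    """Split 'system_u:object_r:httpd_sys_content_t:s0' into its four fields."""
    return Context(*label.split(":", 3))

# Constructed subset of file-context rules, in policy order. The /var/www and
# /var/www/html rules come from the post; the cgi-bin rule is an assumption.
FCONTEXT_RULES: List[Tuple[str, str]] = [
    ("/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/cgi-bin(/.*)?", "system_u:object_r:httpd_sys_script_exec_t:s0"),
    ("/var/www/html(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]

def expected_type(path: str, rules=FCONTEXT_RULES) -> Optional[str]:
    """Mimic matchpathcon: of the rules whose anchored regex matches the whole
    path, the last (most specific) one wins. None means no rule covers the path."""
    winner = None
    for pattern, label in rules:
        if re.fullmatch(pattern, path):
            winner = label
    return parse_context(winner).type if winner else None

def find_mislabeled(directory: str, ls_z_output: str) -> List[Tuple[str, str, str]]:
    """Compare each file's on-disk type from `ls -Z` output against the policy's
    expected type, reporting mismatches the way `restorecon -nv` would."""
    problems = []
    for line in ls_z_output.splitlines():
        if not line.strip():
            continue
        _mode, _owner, _group, label, name = line.split(None, 4)
        path = f"{directory.rstrip('/')}/{name}"
        actual, wanted = parse_context(label).type, expected_type(path)
        if wanted is not None and actual != wanted:
            problems.append((path, actual, wanted))
    return problems

# Constructed `ls -Z` output for /var/www/html right after the mv from $HOME.
LS_Z_HTML = """\
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:user_home_t:s0 index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 404.html
"""
```

Calling find_mislabeled("/var/www/html", LS_Z_HTML) flags only index.html, with user_home_t on disk and httpd_sys_content_t expected.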

Should we need to, we can also delete a file-context rule we added:

semanage fcontext -d "/var/www/html(/.*)?"

Even by managing SELinux context and permissions, we have barely scratched the surface of this in-depth tool. Check back at the blog for more Exploring SELinux, or go to LinuxAcademy.com for more lessons on SELinux and other systems administration and security topics.

Elle K

Elle is a technical writer and Linux aficionado at Linux Academy.
