Understanding SELinux File Labelling and SELinux Context

by admin

SELinux File Labeling

All files, directories, devices, and processes have a security context (or label) associated with them. For files, this context is stored in the extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. If you see an error message containing file_t, that is usually a good indicator that you have a problem with file system labelling.

There are several ways to relabel the file system:

  • Create the /.autorelabel file and reboot.
  • The Status view in the SELinux GUI provides an option to relabel on next reboot.
  • Three command-line utilities, restorecon, setfiles, and fixfiles, relabel files.

SELinux Context

The SELinux context contains additional information: the SELinux user, role, type, and level. Access control decisions on processes, Linux users, and files are based on this context information, which consists of:

  • SELinux user: Linux users are mapped to SELinux users.
  • Role: An attribute of RBAC (role-based access control) that acts as an intermediary between domains and SELinux users.
  • Type: An attribute of TE (type enforcement) that defines a domain for processes and a type for files.
  • Level: Optional information; an attribute of MLS (multi-level security) and MCS (multi-category security).

Viewing SELinux context information

View SELinux context information about files
To view the file system context information from the command line, use the "ls -Z" command:

# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg
NOTE: The default file context rules that the relabelling tools apply are stored in the /etc/selinux/[SELINUXTYPE]/contexts/files directory.

View SELinux context information about processes
To view the SELinux context information about processes, use the "ps -Z" command:

# ps -Z
LABEL                              PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6617 pts/0 00:00:00 sudo
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6623 pts/0 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6624 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8188 pts/0 00:00:00 ps

View SELinux context information about users
To view the SELinux context associated with your Linux user, use the "id -Z" command:

# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

SELinux context is displayed by using the following syntax:

user:role:type:level
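The following is an added example, not part of the original article, that puts the user:role:type:level syntax and the file_t warning from the "SELinux File Labeling" section into a small POSIX shell script. It splits a context string into its four fields, taking the level as everything after the third colon because MCS ranges such as s0-s0:c0.c1023 contain a colon of their own, and scans "ls -Z" style output for the file_t and unlabeled_t types that point at a mislabelled file system. The sample listing is constructed; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the original article): split an SELinux context
# into its fields and flag file entries whose type indicates a labelling
# problem. Sample input below is constructed in the `ls -Z` layout shown in
# the article (perms user group context name).

SAMPLE_LS_Z='-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:file_t:s0 stray.img
drwx--x--x. root root system_u:object_r:unlabeled_t:s0 kvmimages'

# Print one field of a context string: user, role, type or level.
# The level may itself contain ':' (MCS ranges such as s0-s0:c0.c1023),
# so it is everything after the third ':' (cut -f4-), not a single field.
context_field() {
    ctx=$1; field=$2
    case $field in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;
        *)     echo "unknown field: $field" >&2; return 1 ;;
    esac
}

# Read `ls -Z` output on stdin and print "<type> <name>" for each entry
# labelled file_t or unlabeled_t. The context is located as the first
# field containing at least three ':' so the check also works with newer
# coreutils, which print only "context name"; names with spaces are not
# handled.
flag_mislabeled() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) {
                split($i, f, ":")
                if (f[3] == "file_t" || f[3] == "unlabeled_t") print f[3], $NF
                break
            }
        }
    }'
}

# Demonstration on the constructed listing: prints the two suspect entries.
printf '%s\n' "$SAMPLE_LS_Z" | flag_mislabeled
```

On a real system, feed the function with "ls -Z /path | flag_mislabeled"; any output is a cue to run restorecon on that path as described later in the article.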

Changing the Context File Type

KVM virtual machine disk images are created in the /var/lib/libvirt/images directory by default. SELinux requires that image files have the virt_image_t label applied to them. You can use the "ls -dZ" command to confirm that this label is applied to the /var/lib/libvirt/images directory:

# ls -dZ /var/lib/libvirt/images
drwx--x--x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images

You can use a different directory for your virtual machine images, but you need to add the new directory to your SELinux policy and relabel it first. The following steps add the /kvmimages directory to the targeted SELinux policy and relabel the directory:

# semanage fcontext -a -t virt_image_t "/kvmimages(/.*)?"

The above command adds the /kvmimages directory to the SELinux policy by appending a line to the following file:

# cat /etc/selinux/targeted/contexts/files/file_contexts.local
/kvmimages(/.*)?    system_u:object_r:virt_image_t:s0

You still need to set the new security context on the directory and all files in the directory. You can use any of the following commands to change the SELinux contexts on the /kvmimages directory:

  • fixfiles: Fixes the security context on file systems
  • restorecon: Resets the security context on one or more files
  • setfiles: Initializes the security context on one or more files

Each of these commands reads the context rules in the /etc/selinux/targeted/contexts/files directory. The following example shows the SELinux context before running the restorecon command:

# ls -dZ /kvmimages
drwx--x--x. root root system_u:object_r:unlabeled_t:s0 /kvmimages

Notice that the SELinux type is set to unlabeled_t. The following example runs the restorecon command to change the type as defined in the /etc/selinux/targeted/contexts/files/file_contexts.local file:

# restorecon -R -v /kvmimages
# ls -dZ /kvmimages
drwx--x--x. root root system_u:object_r:virt_image_t:s0 /kvmimages
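The relabelling procedure above, as an added example script rather than the article's own commands: it builds the path expression semanage expects, adds the rule (or modifies it with "semanage fcontext -m" when it already exists, since a second "-a" fails), previews the change with "restorecon -n" before applying it, and verifies the resulting type. The semanage, restorecon and ls commands need root on an SELinux system, so they run only when the RUN_RELABEL environment variable is set to 1; DIR, TYPE, RUN_RELABEL and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): add a file-context rule
# for a custom image directory, relabel it, and verify the label. Real
# system commands run only with RUN_RELABEL=1; the helpers below can be
# exercised on their own with constructed `ls -dZ` lines.

DIR=${DIR:-/kvmimages}        # directory to label (assumed default)
TYPE=${TYPE:-virt_image_t}    # type libvirt requires for disk images

# Build the regex semanage fcontext expects: the directory itself and
# everything below it, e.g. "/kvmimages(/.*)?".
fcontext_spec() {
    printf '%s(/.*)?\n' "$1"
}

# Return 0 if one line of `ls -dZ` output carries the expected type.
# The context is found as the first field with at least three ':', so
# both the older "perms user group context name" layout and the newer
# "context name" layout are accepted.
has_type() {
    line=$1; want=$2
    got=$(printf '%s\n' "$line" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit }
    }' | cut -d: -f3)
    [ "$got" = "$want" ]
}

relabel_dir() {
    spec=$(fcontext_spec "$DIR")
    # -a appends to file_contexts.local; if the rule is already there a
    # second -a errors out, so switch to -m (modify) in that case.
    if semanage fcontext -l | grep -Fq "$spec"; then
        semanage fcontext -m -t "$TYPE" "$spec"
    else
        semanage fcontext -a -t "$TYPE" "$spec"
    fi
    # Dry run first (-n): shows what would be relabelled without changing
    # anything, worth reading when the directory holds live disk images.
    restorecon -Rnv "$DIR"
    restorecon -Rv "$DIR"
    if has_type "$(ls -dZ "$DIR")" "$TYPE"; then
        echo "OK: $DIR is labelled $TYPE"
    else
        echo "FAIL: $DIR is not labelled $TYPE" >&2
        return 1
    fi
}

if [ "${RUN_RELABEL:-0}" = 1 ]; then
    relabel_dir
fi
```

Run it as "RUN_RELABEL=1 DIR=/kvmimages sh relabel.sh" as root on the host; the verification step catches the common mistake of adding the semanage rule and forgetting restorecon, which leaves the directory at unlabeled_t exactly as shown above.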

There are also SELinux Booleans that affect KVM when launched by libvirt. Two of these Booleans are listed as follows:

  • virt_use_nfs: Allow virt to manage NFS files.
  • virt_use_samba: Allow virt to manage CIFS files.

These Booleans need to be enabled when using NFS or Samba shares, respectively, for storing virtual machine disk images. There are additional SELinux Booleans that affect KVM. Some of these are listed as follows:

# getsebool -a | grep virt
staff_use_svirt --> off
unprivuser_use_svirt --> off
virt_read_qemu_ga_data --> off
virt_rw_qemu_ga_data --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_audit --> on
virt_sandbox_use_fusefs --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_netlink --> off
virt_sandbox_use_sys_admin --> off
virt_transition_userdomain --> off
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> on
virt_use_rawip --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_usb --> on
virt_use_xserver --> off
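As an added example, not from the original article, the following POSIX shell script checks "getsebool -a" output for the Booleans a given storage backend needs (virt_use_nfs for NFS, virt_use_samba for CIFS, as described above) and prints the "setsebool -P" command that would enable each one that is off or absent. The sample output is constructed from the listing above; the backend-to-Boolean mapping and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): report which virt
# Booleans still need enabling for the storage backends in use.
# SAMPLE_GETSEBOOL is a constructed excerpt of `getsebool -a` output.

SAMPLE_GETSEBOOL='virt_use_fusefs --> off
virt_use_nfs --> on
virt_use_samba --> off
virt_use_usb --> on'

# Read getsebool output on stdin; print the required Boolean names (given
# as arguments) that are not reported "on". A Boolean missing from the
# output entirely is also reported, since its state is unknown.
missing_booleans() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        ($1 in need) && $3 == "on" { delete need[$1] }
        END { for (b in need) print b }' | sort
}

# Map a storage backend name to the Boolean libvirt needs for it.
boolean_for_backend() {
    case $1 in
        nfs)        echo virt_use_nfs ;;
        samba|cifs) echo virt_use_samba ;;
        *)          echo "unknown backend: $1" >&2; return 1 ;;
    esac
}

# For a getsebool listing and a list of backends, print one line per
# Boolean that still has to be turned on, with the persistent (-P) fix.
report_missing() {
    out=$1; shift
    bools=$(for b in "$@"; do boolean_for_backend "$b"; done)
    printf '%s\n' "$out" | missing_booleans $bools | while read -r b; do
        echo "missing: $b  (fix: setsebool -P $b on)"
    done
}

# Demonstration: NFS is already on in the sample, Samba is not.
report_missing "$SAMPLE_GETSEBOOL" nfs samba
```

On a live host replace the sample with "getsebool -a" output, for example "report_missing "$(getsebool -a)" nfs"; enabling only the Booleans a backend actually needs keeps the libvirt domain as tightly confined as the policy allows.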

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux
