SELinux File Labeling
All files, directories, devices, and processes have a security context (or label) associated with them. For files, this context is stored in the extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. If you see an error message containing file_t, that is usually a good indicator that you have a problem with file system labelling.
There are several ways to relabel the file system:
- Create the /.autorelabel file and reboot.
- The Status view in the SELinux GUI provides an option to relabel on next reboot.
- Three command-line utilities, restorecon, setfiles, and fixfiles, relabel files.
The SELinux context contains additional information such as SELinux user, role, type, and level. Access control decisions on processes, Linux users, and files are based on this context information. Access control is based on below information:
- SELinux user: Linux users are mapped to SELinux users.
- Role: An attribute of RBAC that acts as an intermediary between domains and SELinux users
- Type: An attribute of TE that defines a domain for processes
- Level: Optional information; an attribute of MLS and MCS
Viewing SELinux context information
View SELinux context information about files
To view the file system context information from the command line, use the “ls –Z” command:
# ls -Z -rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg -rw-r--r--. root root system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg
View SELinux context information about processes
To view the SELinux context information about processes, use the “ps –Z” command:
# ps -Z LABEL PID TTY TIME CMD unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6617 pts/0 00:00:00 sudo unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6623 pts/0 00:00:00 su unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6624 pts/0 00:00:00 bash unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8188 pts/0 00:00:00 ps
View SELinux context information about users
To view the SELinux context associated with your Linux user, use the “id –Z” command:
# id -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
SELinux context is displayed by using the following syntax:
Changing the Context File Type
KVM virtual machine disk images are created in the /var/lib/libvirt/images directory by default. SELinux requires that image files have the virt_image_t label applied to them. You can use the “ls –dZ” command to confirm that this label is applied to the /var/lib/libvirt/images directory:
# ls -dZ /var/lib/libvirt/images drwx--x--x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images
You can use a different directory for your virtual machine images but you need to add the new directory to your SELinux policy and relabel it first. The following steps are used to add the /kvmimages directory to the targeted SELinux policy and relabel the directory:
# semanage fcontext -a -t virt_image_t "/kvmimages(/.*)?"
The above command adds the /kvmimages directory to the SELinux policy by appending a line to the following file:
# cat /etc/selinux/targeted/contexts/files/file_contexts.local /kvmimages(/.*)? system _u:object_r:virt_image_t:s0
You still need to set the new security context on the directory and all files in the directory. You can use any of the following commands to change the SELinux contexts on the /kvmimages directory,:
- fixfiles: Fixes the security context on file systems
- restorecon: Resets the security context on one or more files
- setfiles: Initializes the security context on one or more files
Each of these commands reads the files in /etc/selinux/targeted/contexts/files directory. The following example shows the SELinux contexts before running the restorecon command:
# ls -dZ /kvmimages drwx--x--x. root root system_u:object_r:unlabeled_t:s0 /var/lib/libvirt/images
Notice that the SELinux type is set to unlabeled_t. The following example runs the restorecon command to change the type as defined in the /etc/selinux/targeted/contexts/files/file_contexts.local file:
# restorecon -R -v /kvmimages
# ls -dZ /var/kvmimages drwx--x--x. root root system_u:object_r:virt_image_t:s0 /kvmimages
There are also SELinux Booleans that affect KVM when launched by libvirt. Two of these Booleans are listed as follows:
- virt_use_nfs: Allow virt to manage NFS files.
- virt_use_samba: Allow virt to manage CIFS files.
These Booleans need to be enabled when using NFS or SAMBA shares, respectively, for storing virtual machine disk images. There are additional SELinux Booleans that affect KVM. Some of these are listed as follows:
# getsebool -a | grep virt staff_use_svirt --> off unprivuser_use_svirt --> off virt_read_qemu_ga_data --> off virt_rw_qemu_ga_data --> off virt_sandbox_use_all_caps --> on virt_sandbox_use_audit --> on virt_sandbox_use_fusefs --> off virt_sandbox_use_mknod --> off virt_sandbox_use_netlink --> off virt_sandbox_use_sys_admin --> off virt_transition_userdomain --> off virt_use_comm --> off virt_use_execmem --> off virt_use_fusefs --> off virt_use_nfs --> on virt_use_rawip --> off virt_use_samba --> off virt_use_sanlock --> off virt_use_usb --> on virt_use_xserver --> off