RHCSA - Manage Security: List & Identify SELinux File & Process Context
Security-enhanced Linux (SELinux) is a security framework implemented in the Linux kernel. It provides an additional layer of access control to enforce mandatory access controls (MAC) on processes and files. SELinux uses security contexts, which are labels assigned to processes and files, to determine their access permissions.
Understanding SELinux Contexts
SELinux assigns a context to every process and file on the system. Each context consists of three elements: the user, the role and the type. These elements help define the access permissions for the corresponding process or file. The SELinux context is displayed in the format `user:role:type` (the command output later on this page also shows a fourth field after the type, the MLS/MCS level, such as `s0`), where:
- User: Represents the SELinux user associated with the process or file.
- Role: Defines the role assigned to the process or file.
- Type: Specifies the SELinux type, which determines the access rules applied to the process or file.
Below are some example SELinux contexts:
SELinux Context Element | Description
---|---
bin_t | SELinux type for binary executable files.
httpd_log_t | The type for log files generated by the httpd process.
httpd_sys_content_t | The type for static web content (HTML, CSS, JavaScript) that the httpd process can access.
httpd_sys_script_exec_t | The type for CGI scripts that the httpd process can execute.
httpd_t | The type for the Apache HTTP Server (httpd) process.
object_r | Object role; the role assigned to files and other objects.
security_t | SELinux type for security-related files and processes.
sysadm_t | SELinux type for system administration files.
system_r | System role.
system_u | System user.
unconfined_r | Unconfined role.
unconfined_u | Unconfined user.
user_home_t | SELinux type for user home directories.
var_log_t | SELinux type for log files stored in the /var/log directory.
To list all available users, roles or types, install the `setools-console` package and run `seinfo -u`, `seinfo -r` or `seinfo -t`.
Listing and Identifying SELinux Contexts
File Contexts
To list file contexts you use the `-Z` option of the `ls` command. Follow the exercise below to view some SELinux file contexts:
View SELinux file contexts:
Display the file context for the /etc/passwd and /etc/group files:
```
ls -Z /etc/passwd /etc/group
```
The context should be set as follows; notice how both files have passwd_file_t set:
```
system_u:object_r:passwd_file_t:s0 /etc/group
system_u:object_r:passwd_file_t:s0 /etc/passwd
```
View your home directory's file context:
```
ls -Zd $HOME
```
The context type shows as user_home_dir_t:
```
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux
```
As you can see, SELinux contexts tend to be named in a way that makes sense, which helps in identifying when something does not look right while troubleshooting permission issues.
Process Contexts
To list process contexts you use the `-Z` option of the `ps` command. Follow the exercise below to view some SELinux process contexts:
View SELinux process contexts:
Display the SELinux context for the crond process:
```
ps -eZ | grep crond
```
The context type shows as crond_t, but because we ran grep for crond, the output also includes the atd process, which has the same process context:
```
system_u:system_r:crond_t:s0-s0:c0.c1023 1087 ? 00:00:00 atd
system_u:system_r:crond_t:s0-s0:c0.c1023 1155 ? 00:00:00 crond
```
Display systemd processes and their related contexts:
```
ps -eZ | grep systemd
```
This time the output shows a different process context for each of the systemd services:
```
system_u:system_r:init_t:s0 1 ? 00:00:01 systemd
system_u:system_r:syslogd_t:s0 622 ? 00:00:00 systemd-journal
system_u:system_r:udev_t:s0-s0:c0.c1023 636 ? 00:00:00 systemd-udevd
system_u:system_r:systemd_logind_t:s0 789 ? 00:00:00 systemd-logind
```
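The file and process exercises above both rely on reading the `user:role:type:level` label by eye. As an added example (not part of the original page), the POSIX shell script below splits a label into its fields and selects `ps -eZ` / `ls -Z` entries by the type field rather than by grepping the whole line, which is what made `grep crond` pick up `atd`. The sample input is constructed from the output shown on this page, so it runs on a machine without SELinux; the function names are my own.

```shell
#!/bin/sh
# Added example: parse SELinux context labels from `ls -Z` / `ps -eZ` style
# output and select entries by their type field. Sample data is constructed
# from the output shown on this page, so no SELinux system is required.

# A label is user:role:type:level. The level (MLS/MCS range) may itself
# contain colons, e.g. s0-s0:c0.c1023, so only the first three colons split fields.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Constructed sample: `ps -eZ` output lines taken from this page.
PS_SAMPLE='system_u:system_r:init_t:s0 1 ? 00:00:01 systemd
system_u:system_r:syslogd_t:s0 622 ? 00:00:00 systemd-journal
system_u:system_r:udev_t:s0-s0:c0.c1023 636 ? 00:00:00 systemd-udevd
system_u:system_r:crond_t:s0-s0:c0.c1023 1087 ? 00:00:00 atd
system_u:system_r:crond_t:s0-s0:c0.c1023 1155 ? 00:00:00 crond'

# Print the command name of every process whose domain type equals $1.
# Reads `ps -eZ` lines on stdin; the label is the first column.
procs_in_domain() {
    want="$1"
    while read -r ctx pid tty cputime cmd; do
        if [ "$(ctx_type "$ctx")" = "$want" ]; then
            printf '%s\n' "$cmd"
        fi
    done
}

# Constructed sample: `ls -Z` output lines taken from this page.
LS_SAMPLE='system_u:object_r:passwd_file_t:s0 /etc/group
system_u:object_r:passwd_file_t:s0 /etc/passwd
unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux'

# Print every path whose file type is NOT the expected type $1, i.e. the
# entries worth a second look when troubleshooting a label mismatch.
files_not_of_type() {
    want="$1"
    while read -r ctx path; do
        if [ "$(ctx_type "$ctx")" != "$want" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Matching on the type field shows atd and crond both run in crond_t.
printf '%s\n' "$PS_SAMPLE" | procs_in_domain crond_t
printf '%s\n' "$LS_SAMPLE" | files_not_of_type passwd_file_t
```

On a real system, feed live output instead of the samples: `ps -eZ | procs_in_domain httpd_t` or `ls -Z /var/www/html | files_not_of_type httpd_sys_content_t`.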