RHCSA - Manage Security: List & Identify SELinux File & Process Context

Security-enhanced Linux (SELinux) is a security framework implemented in the Linux kernel. It provides an additional layer of access control to enforce mandatory access controls (MAC) on processes and files. SELinux uses security contexts, which are labels assigned to processes and files, to determine their access permissions.

Understanding SELinux Contexts

SELinux assigns a context to every process and file on the system. Each context consists of three elements: the user, role and type. These elements help define the access permissions for the corresponding process or file. The SELinux context is displayed in the format of user:role:type, where:

User: Represents the SELinux user associated with the process or file.
Role: Defines the role assigned to the process or file.
Type: Specifies the SELinux type, which determines the access rules applied to the process or file.

Below are some example SELinux contexts:

SELinux Context Type	Description
`bin_t`	SELinux type for binary executable files.
`httpd_log_t`	The type for log files generated by the httpd process.
`httpd_sys_content_t`	The type for static web content (HTML, CSS, JavaScript) that the httpd process can access.
`httpd_sys_script_exec_t`	The type for CGI scripts that the httpd process can execute.
`httpd_t`	The type for the Apache HTTP Server (httpd) process.
`object_r`	Object type reference.
`security_t`	SELinux type for security-related files and processes.
`sysadm_t`	SELinux type for system administration files.
`system_r`	System role.
`system_u`	System user.
`unconfined_r`	Unconfined role.
`unconfined_u`	Unconfined user.
`user_home_t`	SELinux type for user home directories.
`var_log_t`	SELinux type for log files stored in the `/var/log` directory.

To list all available users, roles or types, install the setools-console package and run seinfo -u, seinfo -r or seinfo -t.

Listing and Identifying SELinux Contexts

File Contexts

To list file contexts you use the -Z option to the ls command. Following the exercise below to view some SELinux file contexts:

View SELinux file contexts:

Display the file context for the /etc/passwd and /etc/group files:

ls -Z /etc/passwd /etc/group

The context should be set as, follows and notice how both files have passwd_file_t set:

system_u:object_r:passwd_file_t:s0 /etc/group
system_u:object_r:passwd_file_t:s0 /etc/passwd

View your home directories file context:

ls -Zd $HOME

The context type shows as user_home_dir_t.

unconfined_u:object_r:user_home_dir_t:s0 /home/dtvlinux

As you can see, the SELinux contexts tend to be named in a way that makes sense which would help in identifying when something does not not look right when troubleshooting permission issues.

Process Contexts

To list process contexts you use the -Z option to the ps command. Following the exercise below to view some SELinux process contexts:

View SELinux process contexts:

Display the SELinux context for the crond process:

ps -eZ | grep crond

The context type shows as crond_t, but as we ran grep for crond, this also displays the atd process which also has the same process context:

system_u:system_r:crond_t:s0-s0:c0.c1023 1087 ?  00:00:00 atd
system_u:system_r:crond_t:s0-s0:c0.c1023 1155 ?  00:00:00 crond

Display systemd processes and their related contexts:

ps -eZ | grep systemd

This time the output shows different process contexts for each of the systemd services:

system_u:system_r:init_t:s0           1 ?        00:00:01 systemd
system_u:system_r:syslogd_t:s0      622 ?        00:00:00 systemd-journal
system_u:system_r:udev_t:s0-s0:c0.c1023 636 ?    00:00:00 systemd-udevd
system_u:system_r:systemd_logind_t:s0 789 ?      00:00:00 systemd-logind

Support DTV Linux

Click on each book below to review & buy on Amazon. As an Amazon Associate, I earn from qualifying purchases.

NordVPN ®: Elevate your online privacy and security. Grab our Special Offer to safeguard your data on public Wi-Fi and secure your devices. I may earn a commission on purchases made through this link.