The ls -Z command shows the SELinux context of a file:

~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. On DAC systems, access is controlled based on Linux user and group IDs. SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
Commands for managing the SELinux context of files include chcon, semanage fcontext, and restorecon.

The chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel, or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. When using chcon, users provide all or part of the SELinux context to change. An incorrect file type is a common cause of SELinux denying access.

Use the chcon -t type file-name command to change the file type, where type is an SELinux type, such as httpd_sys_content_t, and file-name is a file or directory name:

~]$ chcon -t httpd_sys_content_t file-name

Use the chcon -R -t type directory-name command to change the type of the directory and its contents, where type is an SELinux type, such as httpd_sys_content_t, and directory-name is a directory name:

~]$ chcon -R -t httpd_sys_content_t directory-name
Procedure 10.11. Changing a File's or Directory's Type
The following steps work the same way for directories, for example if file1 was a directory.

1. Run the touch file1 command to create a new file (file1), then run the ls -Z file1 command to view its SELinux context:

~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

In this example, the SELinux context for file1 includes the SELinux unconfined_u user, object_r role, user_home_t type, and the s0 level. For a description of each part of the SELinux context, see Section 10.2, “SELinux Contexts”.

2. Run the chcon -t samba_share_t file1 command to change the type to samba_share_t. The -t option only changes the type. Then view the change:

~]$ chcon -t samba_share_t file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:samba_share_t:s0 file1

3. Use the restorecon -v file1 command to restore the SELinux context for the file1 file. Use the -v option to view what changes:

~]$ restorecon -v file1
restorecon reset file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:user_home_t:s0

In this example, the previous type, samba_share_t, is restored to the correct, user_home_t type. When using targeted policy (the default SELinux policy in Fedora), the restorecon command reads the files in the /etc/selinux/targeted/contexts/files/ directory, to see which SELinux context files should have.
Procedure 10.12. Changing a Directory and its Contents Types
The following example creates a new directory and changes its type (along with its contents) to a type used by the Apache HTTP Server. This configuration is used if the Apache HTTP Server should serve content from a directory other than its default document root (/var/www/html/):

1. As root, run the mkdir /web command to create a new directory, and then the touch /web/file{1,2,3} command to create 3 empty files (file1, file2, and file3) within this directory. The /web/ directory and files in it are labeled with the default_t type:

~]# mkdir /web
~]# touch /web/file{1,2,3}
~]# ls -dZ /web
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /web
~]# ls -lZ /web
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 file3

2. Run the chcon -R -t httpd_sys_content_t /web/ command as root to change the type of the /web/ directory (and its contents) to httpd_sys_content_t:

~]# chcon -R -t httpd_sys_content_t /web/
~]# ls -dZ /web/
drwxr-xr-x root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
~]# ls -lZ /web/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

3. To restore the default SELinux contexts, use the restorecon utility as root:

~]# restorecon -R -v /web/
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file3 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0

For further information about chcon, see the chcon(1) manual page.
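Because chcon changes are undone by the next relabel, a useful check is to find them before that happens. The following POSIX shell script is an added example, not part of this guide: it splits a context string into its four fields and turns restorecon -v output of the kind shown above into a per-path report of files whose type differs from the policy default. The audit_dir helper, the use of restorecon -n for a dry run, and the "Would relabel P from A to B" output format of newer restorecon versions are assumptions; the sample input is constructed from the /web example.

```shell
# Added example, not part of the Fedora guide: report files whose SELinux type
# differs from the policy default, i.e. chcon changes a relabel would undo.

# Print one field of a context "user:role:type:level" (level may contain ':').
ctx_field() {
    case "$2" in
        user)  printf '%s\n' "${1%%:*}" ;;
        role)  r="${1#*:}";   printf '%s\n' "${r%%:*}" ;;
        type)  r="${1#*:*:}"; printf '%s\n' "${r%%:*}" ;;
        level) printf '%s\n' "${1#*:*:*:}" ;;
        *)     return 1 ;;
    esac
}

# Read restorecon -v output on stdin; print "PATH OLD_TYPE NEW_TYPE" for each
# path whose type would change (user/role-only changes such as unconfined_u ->
# system_u are ignored). Exit 0 if any type drift was found, else 1. Parses the
# "restorecon reset P context A->B" lines shown in the guide and, assumed here,
# the "Would relabel P from A to B" lines newer restorecon prints with -n.
type_drift() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            'restorecon reset '*' context '*'->'*)
                r="${line#restorecon reset }"; path="${r%% context *}"
                c="${r#* context }"; old="${c%%->*}"; new="${c#*->}" ;;
            'Would relabel '*' from '*' to '*)
                r="${line#Would relabel }"; path="${r%% from *}"
                c="${r#* from }"; old="${c%% to *}"; new="${c#* to }" ;;
            *) continue ;;
        esac
        ot=$(ctx_field "$old" type); nt=$(ctx_field "$new" type)
        if [ "$ot" != "$nt" ]; then printf '%s %s %s\n' "$path" "$ot" "$nt"; found=0; fi
    done
    return "$found"
}

# Dry-run audit of a live directory (assumes an SELinux system, run as root).
audit_dir() { restorecon -R -n -v "$1" | type_drift; }

# Constructed sample: the /web relabel from the guide, plus one file where only
# the SELinux user differs (not type drift).
SAMPLE='restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:default_t:s0->system_u:object_r:default_t:s0'

printf '%s\n' "$SAMPLE" | type_drift   # prints the /web and /web/file1 lines only
```

Run as a cron job with audit_dir over a web or Samba tree, a non-empty report means a chcon change is still pending and will be lost (and access possibly denied) at the next relabel.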
Note