Previous Entry Share Next Entry
Managing File Context
Great securityblog by Josh Brindle

Any ways back to SELinux for Dummies.

SELinux has a few commands for managing file context.

ls -Z is the tool to use when viewing file context.
> ls -lZ /tmp/dan
-rw-rw-r-- dwalsh dwalsh user_u:object_r:user_home_t /tmp/dan

You can also use getfattr although, you need to specify -n security.selinux

> getfattr -n security.selinux /tmp/dan
getfattr: Removing leading '/' from absolute path names
# file: tmp/dan

There are multiple commands for setting file labels. Remember while all of these tools can modify file context, the kernel policy will determine whether you are able to run the tools and whether you are able to modify the file context.
  • chcon
This is a command similar to chmod, that allows the user/administrator to change the file context on a particular file/directory. The user must specify the context, or partial context. Other file_context tools will overwrite the changed file context to the default unless they are a customizable_types. Customizable types are defined in /etc/selinux/POLIICYTYPE/contexts/customizable_types. Or you can modify the file_contexts.local file to use the new path. So if you decide to run your bind service out of /opt/named you can use chcon to reset the context, but if you later relabel the entire system, these modifications will be lost. If you uses customizable_types or modify file_context.local, they will be maintained.
  • setfiles
setfiles was the original tool for labeling your file system. It is used when you touch /.autorelabel; reboot. It takes a file_context directive and usually works at the file system level. So you specify the file systems you want to relabel and the file_context that you will use.

When I started working on SELinux, I hated the way setfiles worked, because every time I wanted to relabel a single file I would have to enter this huge path to where the system file_context was stored. So I decided to make a new tool called restorecon. I probably screwed up in that I didn't rewrite setfiles to make it work like restorecon, but I didn't.
  • restorecon
restorecon reverts files back to the default labels. For example, you can run restorecon -v -R /var/www/ to reset all the file labels in the /var/www/ directory. Internally, restorecon reads the /etc/selinux/POLICYTYPE/contexts/files/file_contexts* files, which has a set of regular expressions mapping file paths to security contexts.

After working with restorecon for a while, I realized there was a lot of scripts I was generating to do some neat things to fix file context on the system. Some of these things would have been difficult to do in "C" so I built a wrapper around restorecon/setfiles called
  • fixfiles
fixfiles is a shell script that wraps setfiles and restorecon. It provides some nice features, like figuring out which file systems are mounted on the machine and automatically relabeling all of them. It can also take an RPM name as an argument and restorecon all the files in the package. It also has a nice feature used by RPM to compare the previous policy file_context versus the newly installed file context and then runs restorecon on the difference.
  •   matchpathcon
This is a simple tool that takes files/directories and prints the default security context of the files.

Finally,  if you recursively walk a directory tree with setfiles and restorecon, they use the "C" function ntfw. One problem with this function is that there is no way to tell it to stop recursively walking this branch of the tree, but continue on others. You either continue or fail completely. So even if you are walking a tree and discover you have stepped into a file system that does not support extended attributes, you will either need to continue or fail altogether. So if you say something like restorecon -R -v / and it steps into a NFS file system it will continue through out this file system checking every file to find out they do not support xattrs. This has caused problems in the past in that it can take a very long time. the find command has a -prune call which fixes this problem. So now fixfiles uses "find" to walk the tree and then hands restorecon the list of files to relabel. I believe that we could rewrite setfiles/restorecon to use fts, to work in a similar way. I have this towards the end of my todo list, but if anyone has spare cycles, this would be a nice feature...

Tomorrow I will talk about the new daemon restorecond.


I have a file that needs to be read by both apache and sendmail. What can I do?

No HTML allowed in subject


(will be screened)


Log in