Managing File Context
Great security blog by Josh Brindle

Anyway, back to SELinux for Dummies.

SELinux has a few commands for managing file context.

ls -Z is the tool to use when viewing file context.
> ls -lZ /tmp/dan
-rw-rw-r-- dwalsh dwalsh user_u:object_r:user_home_t /tmp/dan

You can also use getfattr, although you need to specify -n security.selinux:

> getfattr -n security.selinux /tmp/dan
getfattr: Removing leading '/' from absolute path names
# file: tmp/dan

There are multiple commands for setting file labels. Remember that while all of these tools can modify file context, the kernel policy determines whether you are able to run the tools and whether you are able to modify the file context.
  • chcon
This command is similar to chmod: it lets the user or administrator change the file context on a particular file or directory. The user must specify the context, or a partial context (for example just the type). The other file context tools will overwrite the changed context back to the default, unless the type is one of the customizable types. Customizable types are defined in /etc/selinux/POLICYTYPE/contexts/customizable_types. Alternatively, you can add the new path to the file_contexts.local file. So if you decide to run your bind service out of /opt/named, you can use chcon to set the context, but if you later relabel the entire system, these modifications will be lost. If you use customizable_types or modify file_contexts.local, they will be maintained.
  • setfiles
setfiles was the original tool for labeling your file system. It is what runs when you touch /.autorelabel and reboot. It takes a file_contexts specification and usually works at the file system level: you specify the file systems you want to relabel and the file_contexts file to use.

When I started working on SELinux, I hated the way setfiles worked, because every time I wanted to relabel a single file I would have to enter the huge path to where the system file_contexts was stored. So I decided to write a new tool called restorecon. I probably screwed up in not rewriting setfiles to work like restorecon instead, but I didn't.
  • restorecon
restorecon reverts files to their default labels. For example, you can run restorecon -v -R /var/www/ to reset all the file labels under /var/www/. Internally, restorecon reads the /etc/selinux/POLICYTYPE/contexts/files/file_contexts* files, which contain a set of regular expressions mapping file paths to security contexts.

After working with restorecon for a while, I realized there were a lot of scripts I was writing to do neat things to fix file context on the system. Some of these would have been difficult to do in "C", so I built a wrapper around restorecon/setfiles called
  • fixfiles
fixfiles is a shell script that wraps setfiles and restorecon. It provides some nice features, like figuring out which file systems are mounted on the machine and automatically relabeling all of them. It can also take an RPM package name as an argument and run restorecon on all the files in that package. It also has a feature used by RPM to compare the previous policy's file_contexts against the newly installed one and then run restorecon on only the paths whose rules differ.
  • matchpathcon
This is a simple tool that takes files/directories and prints the default security context for each of them.
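To make concrete how restorecon and matchpathcon turn those file_contexts regular expressions into a label, here is a small Python model of the lookup. It is an example added here, not code from this post or from libselinux. It assumes libselinux's rule that the last matching spec in the combined list wins (file_contexts.local is loaded after file_contexts, which is how semanage fcontext entries override the shipped defaults), that a <<none>> context means "leave this file alone", and that restorecon skips files whose current type is listed in customizable_types unless forced with -F. The file_contexts lines, the local entry for /data and the customizable_types set are constructed samples.

```python
import re

# Constructed sample of /etc/selinux/POLICYTYPE/contexts/files/file_contexts.
# Each line is: regex [file-type flag] context; specs are ordered general to
# specific, the way the policy build sorts them.
FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t:s0
/tmp             -d     system_u:object_r:tmp_t:s0
/tmp/.*                 <<none>>
/var(/.*)?              system_u:object_r:var_t:s0
/var/lib/pgsql(/.*)?    system_u:object_r:postgresql_db_t:s0
/var/log/pgsql(/.*)?    system_u:object_r:postgresql_log_t:s0
/var/www(/.*)?          system_u:object_r:httpd_sys_content_t:s0
/home/[^/]+/.*          system_u:object_r:user_home_t:s0
"""

# Constructed sample of file_contexts.local, as written by
#   semanage fcontext -a -t postgresql_db_t "/data(/.*)?"
FILE_CONTEXTS_LOCAL = """\
/data(/.*)?             system_u:object_r:postgresql_db_t:s0
"""

# Constructed sample of contexts/customizable_types.
CUSTOMIZABLE_TYPES = {"httpd_sys_content_t", "public_content_t"}


def parse_specs(text):
    """Parse file_contexts lines into (compiled regex, file-type flag, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, context = parts
        else:
            regex, context = parts
            ftype = None
        # libselinux anchors every spec at both ends.
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


# file_contexts first, then file_contexts.local, as libselinux loads them.
SPECS = parse_specs(FILE_CONTEXTS) + parse_specs(FILE_CONTEXTS_LOCAL)


def matchpathcon(path, specs=SPECS, is_dir=False):
    """Default context for path, or None if nothing matches or the spec is <<none>>.

    The list is searched from the end, so the last matching spec wins; that is
    why a later, more specific rule (or a file_contexts.local entry) overrides
    an earlier general one.
    """
    for regex, ftype, context in reversed(specs):
        if ftype == "-d" and not is_dir:
            continue
        if ftype == "--" and is_dir:
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


def restorecon_decision(path, current, specs=SPECS, force=False):
    """Context restorecon would set on path, or None to leave it alone."""
    default = matchpathcon(path, specs)
    if default is None or current == default:
        return None
    fields = current.split(":")
    current_type = fields[2] if len(fields) >= 3 else None
    # A type listed in customizable_types is preserved unless restorecon -F.
    if current_type in CUSTOMIZABLE_TYPES and not force:
        return None
    return default


if __name__ == "__main__":
    for p in ("/var/lib/pgsql/data/postgresql.conf", "/data/pgsql/postgresql.conf",
              "/opt/named/named.conf", "/tmp/dan"):
        print(f"{p:40} {matchpathcon(p)}")
```

The /opt/named and /home cases show the two behaviours the chcon entry above describes: a chcon'd type that is not customizable is reverted to the default on relabel, while a customizable type survives unless restorecon is run with -F. Without the file_contexts.local entry, /data/pgsql/postgresql.conf falls through to default_t, which is the denial a user would then see in the audit log.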

Finally, when setfiles and restorecon recursively walk a directory tree, they use the "C" function nftw. One problem with this function is that there is no way to tell it to stop walking this branch of the tree but continue on the others: you either continue or fail completely. So even if, while walking a tree, you discover that you have stepped into a file system that does not support extended attributes, you must either continue or abort altogether. If you run something like restorecon -R -v / and it steps into an NFS file system, it will continue throughout that file system, checking every file only to find out that none of them support xattrs. This has caused problems in the past, because it can take a very long time. The find command has a -prune action which fixes this problem, so fixfiles now uses find to walk the tree and then hands restorecon the list of files to relabel. I believe we could rewrite setfiles/restorecon to use fts to work in a similar way. I have this towards the end of my todo list, but if anyone has spare cycles, this would be a nice feature...
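The walk-and-prune behaviour that fixfiles gets from find -prune, shown in Python as an added example (not code from this post or from the SELinux tools): os.walk lets you drop one subtree by editing the directory list in place while the walk continues with the rest of the tree, which is exactly what nftw cannot do. The demo tree and the prune rule (a directory named "nfs" standing in for a detected NFS mount) are constructed; a crossed mount point is detected by st_dev changing, the same idea as find -xdev.

```python
import os
import tempfile


def collect_relabel_targets(root, should_prune):
    """Return the relative paths (directories included) that would be handed to
    restorecon after walking root.

    A subtree is pruned when it lies on a different device than root (a mount
    point was crossed, like find -xdev) or when should_prune(dirpath) says so;
    unlike nftw, the walk then simply continues with the sibling directories.
    """
    root_dev = os.lstat(root).st_dev
    targets = []
    for dirpath, dirnames, filenames in os.walk(root):
        targets.append(os.path.relpath(dirpath, root))
        keep = []
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_dev != root_dev or should_prune(full):
                continue  # prune this branch only
            keep.append(name)
        dirnames[:] = keep  # os.walk honours in-place edits to dirnames
        for name in filenames:
            targets.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(targets)


def build_demo_tree(base):
    """Constructed sample tree; mnt/nfs stands in for an NFS mount."""
    for rel in ("etc/passwd", "var/www/index.html", "mnt/nfs/data.bin"):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


def demo():
    """Build the sample tree in a temp dir and walk it, pruning the fake NFS mount."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return collect_relabel_targets(
            base, lambda d: os.path.basename(d) == "nfs")


if __name__ == "__main__":
    for target in demo():
        print(target)
```

In the real fixfiles the predicate is a list of file system types that do not carry security xattrs; the point here is that mnt/nfs and everything under it is skipped while mnt itself, etc and var are still relabeled.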

Tomorrow I will talk about the new daemon restorecond.


Hello Dan,

Your site has helped me understand more about SELINUX than I ever did before, and I appreciate your generosity.

I've been using Fedora since Core 3 for servers, running Postgresql databases for a tcp application. Core 3 was pretty solid, and Core 4 was okay; however, Core 5 has been an uphill climb.

I installed Core 5 on a new machine with Postgresql, sendmail, PHP - straight from the Fedora Core 5 DVD. The install goes well. I take my dumped postgresql database from the Core 4 machine, import into the new database of the Core 5 (according to the instructions from the Fedora site), reboot, and Postgresql fails to launch on boot up. Yesterday, I followed your links about using audit2allow and semodule in an effort to fix it, but the problem would not go away.

Thinking I'd erred somehow, I started with a fresh install early this morning, restored the database, rebooted, and the same messages appear in /var/log/messages:
Apr 6 07:56:21 vsi kernel: audit(1144324578.867:2): avc: denied { append } for pid=1816 comm="hostname" name="pgstartup.log" dev=dm-0 ino=14534786 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:postgresql_log_t:s0 tclass=file
Apr 6 07:56:21 vsi kernel: audit(1144324579.263:3): avc: denied { search } for pid=1830 comm="postmaster" name="pgsql" dev=dm-0 ino=5466913 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir

In my pgstartup log:
postmaster cannot access the server configuration file "/data/pgsql/postgresql.conf": Permission denied

I don't get it, because the permissions are correct. Is this a bug with the new SELINUX?

Postgres policy expects its data to be in /var/lib/pgsql/data

Which would be labeled system_u:object_r:postgresql_db_t:s0

You could either mount your /data at this point or do a

chcon -R -t postgresql_db_t /data

Then to make this permanent, i.e. survive a relabel, you need to change the local file context.

semanage fcontext -a -t postgresql_db_t "/data(/.*)?"

Thanks, Mr. Walsh!

That has solved my dilemma. There don't appear to be too many posts about this. I look forward to your book!

Hi, I would like to know how to completely remove ALL file labels created by SELinux:
I've been encountering problems installing software on FC5 that works on RH9 & FC4!!

FC4 file label: system_u:object_r:etc_t
FC5 file label: system_u:object_r:etc_t:s0

On regular files these labels no longer exist. I'm thinking this could be the source of my problems. Some questions below:

1. Would taking out all labels have any significant effect on the system?
2. How do I remove all labels on files and folders? (chcon syntax, e.g. chcon -t label -h)
3. What does the s0 label mean (see above FC5 file label)?

* SElinux has been completely disabled on grub.conf and /etc/selinux/config

Re: SELinux labels

1. As far as I know, labels are an SELinux mechanism and you can't remove them. You can disable the SELinux system itself and all security related mechanisms will go away. I am not sure if you want to go that way though.

2. Again, you cannot remove labels; they are part of the SELinux system. However, you can change them to whatever fits your security model.

3. Those are levels of security; read Dan's earlier article.

multiple contexts

I have a file that needs to be read by both apache and sendmail. What can I do?

Re: multiple contexts

Simplest way would be to just add the allow rules to allow sendmail_t or system_mail_t to read httpd_sys_content_t.

grep sendmail /var/log/audit/audit.log | grep http | audit2allow -M mysendmail
semodule -i mysendmail.pp

Would allow all access that was requested by sendmail to look at apache content.

Multiple DB on a file system

I want to put multiple databases (Postgres, MySQL, etc.) on a file system as a test (/db/postgres/data, /db/mysql/...), but with selinux and the above info I can only do one. How is it possible to put multiple DBs on / when its context is root_t? Is there something magical about root_t that can only be used on /? Are there group contexts that can contain other contexts, say a db_root_t that contains postgresql_db_t and mysql_db_t (or whatever it uses)?

Re: Multiple DB on a file system

No, this is actually a simple labeling issue.

I would set this up by labeling /db as var_t and then each directory with its postgres and mysql labels.

# semanage fcontext -a -t var_t '/db(/.*)?'
# semanage fcontext -a -t postgresql_db_t '/db/postgresql(/.*)?'
# semanage fcontext -a -t mysql_db_t '/db/mysql(/.*)?'
# restorecon -R -v /db

Error setting value in selinux label

Thank you for the good post.
I am getting an error when trying to modify the selinux context for a file:

"chcon: can't apply partial context to unlabeled file `pre-commit'"

Running the "ls -Z" command I understand why:

-rwxr-x--x apache apache ? pre-commit

but don't know how this happened and I have no idea on how to fix it.

Can you please explain?

Re: Error setting value in selinux label

What is the chcon command you are using?
