Red Hat Summit4.10. Maintaining SELinux Labels
These sections describe what happens to SELinux contexts when copying, moving, and archiving files and directories. Also, it explains how to preserve contexts when copying and archiving.
4.10.1. Copying Files and Directories
Copy linkLink copied to clipboard!
When a file or directory is copied, a new file or directory is created if it does not exist. That new file or directory's context is based on default-labeling rules, not the original file or directory's context unless options were used to preserve the original context. For example, files created in user home directories are labeled with the
user_home_t type:
touch file1
~]$ touch file1ls -Z file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
If such a file is copied to another directory, such as
/etc, the new file is created in accordance to default-labeling rules for /etc. Copying a file without additional options may not preserve the original context:
ls -Z file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
cp file1 /etc/
~]# cp file1 /etc/ls -Z /etc/file1
~]$ ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1
When
file1 is copied to /etc, if /etc/file1 does not exist, /etc/file1 is created as a new file. As shown in the example above, /etc/file1 is labeled with the etc_t type, in accordance to default-labeling rules.
When a file is copied over an existing file, the existing file's context is preserved, unless the user specified
cp options to preserve the context of the original file, such as --preserve=context. SELinux policy may prevent contexts from being preserved during copies.
Procedure 4.11. Copying Without Preserving SELinux Contexts
This procedure shows that when copying a file with the
cp command, if no options are given, the type is inherited from the targeted, parent directory.
- Create a file in a user's home directory. The file is labeled with the
user_home_ttype:touch file1
~]$ touch file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z file1
~]$ ls -Z file1 -rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow - The
/var/www/html/directory is labeled with thehttpd_sys_content_ttype, as shown with the following command:ls -dZ /var/www/html/
~]$ ls -dZ /var/www/html/ drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - When
file1is copied to/var/www/html/, it inherits thehttpd_sys_content_ttype:cp file1 /var/www/html/
~]# cp file1 /var/www/html/Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z /var/www/html/file1
~]$ ls -Z /var/www/html/file1 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure 4.12. Preserving SELinux Contexts When Copying
This procedure shows how to use the
--preserve=context option to preserve contexts when copying.
- Create a file in a user's home directory. The file is labeled with the
user_home_ttype:touch file1
~]$ touch file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z file1
~]$ ls -Z file1 -rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow - The
/var/www/html/directory is labeled with thehttpd_sys_content_ttype, as shown with the following command:ls -dZ /var/www/html/
~]$ ls -dZ /var/www/html/ drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Using the
--preserve=contextoption preserves SELinux contexts during copy operations. As shown below, theuser_home_ttype offile1was preserved when the file was copied to/var/www/html/:cp --preserve=context file1 /var/www/html/
~]# cp --preserve=context file1 /var/www/html/Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z /var/www/html/file1
~]$ ls -Z /var/www/html/file1 -rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure 4.13. Copying and Changing the Context
This procedure show how to use the
--context option to change the destination copy's context. The following example is performed in the user's home directory:
- Create a file in a user's home directory. The file is labeled with the
user_home_ttype:touch file1
~]$ touch file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z file1
~]$ ls -Z file1 -rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Use the
--contextoption to define the SELinux context:cp --context=system_u:object_r:samba_share_t:s0 file1 file2
~]$ cp --context=system_u:object_r:samba_share_t:s0 file1 file2Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Without
--context,file2would be labeled with theunconfined_u:object_r:user_home_tcontext:ls -Z file1 file2
~]$ ls -Z file1 file2 -rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1 -rw-rw-r-- user1 group1 system_u:object_r:samba_share_t:s0 file2Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure 4.14. Copying a File Over an Existing File
This procedure shows that when a file is copied over an existing file, the existing file's context is preserved unless an option is used to preserve contexts.
- As root, create a new file,
file1in the/etcdirectory. As shown below, the file is labeled with theetc_ttype:touch /etc/file1
~]# touch /etc/file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z /etc/file1
~]$ ls -Z /etc/file1 -rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Create another file,
file2, in the/tmpdirectory. As shown below, the file is labeled with theuser_tmp_ttype:touch /tmp/file2
~]$ touch /tmp/file2Copy to Clipboard Copied! Toggle word wrap Toggle overflow ~$ ls -Z /tmp/file2 -rw-r--r-- root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2
~$ ls -Z /tmp/file2 -rw-r--r-- root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Overwrite
file1withfile2:cp /tmp/file2 /etc/file1
~]# cp /tmp/file2 /etc/file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow - After copying, the following command shows
file1labeled with theetc_ttype, not theuser_tmp_ttype from/tmp/file2that replaced/etc/file1:ls -Z /etc/file1
~]$ ls -Z /etc/file1 -rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Important
Copy files and directories, rather than moving them. This helps ensure they are labeled with the correct SELinux contexts. Incorrect SELinux contexts can prevent processes from accessing such files and directories.
4.10.2. Moving Files and Directories
Copy linkLink copied to clipboard!
Files and directories keep their current SELinux context when they are moved. In many cases, this is incorrect for the location they are being moved to. The following example demonstrates moving a file from a user's home directory to the
/var/www/html/ directory, which is used by the Apache HTTP Server. Since the file is moved, it does not inherit the correct SELinux context:
Procedure 4.15. Moving Files and Directories
- Change into your home directory and create file in it. The file is labeled with the
user_home_ttype:touch file1
~]$ touch file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z file1
~]$ ls -Z file1 -rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Enter the following command to view the SELinux context of the
/var/www/html/directory:ls -dZ /var/www/html/
~]$ ls -dZ /var/www/html/ drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/Copy to Clipboard Copied! Toggle word wrap Toggle overflow By default,/var/www/html/is labeled with thehttpd_sys_content_ttype. Files and directories created under/var/www/html/inherit this type, and as such, they are labeled with this type. - As root, move
file1to/var/www/html/. Since this file is moved, it keeps its currentuser_home_ttype:mv file1 /var/www/html/
~]# mv file1 /var/www/html/Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z /var/www/html/file1
~]# ls -Z /var/www/html/file1 -rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow
By default, the Apache HTTP Server cannot read files that are labeled with the
user_home_t type. If all files comprising a web page are labeled with the user_home_t type, or another type that the Apache HTTP Server cannot read, permission is denied when attempting to access them using web browsers, such as Mozilla Firefox.
Important
Moving files and directories with the
mv command may result in the incorrect SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories.
4.10.3. Checking the Default SELinux Context
Copy linkLink copied to clipboard!
Use the
matchpathcon utility to check if files and directories have the correct SELinux context. This utility queries the system policy and then provides the default security context associated with the file path.[6] The following example demonstrates using matchpathcon to verify that files in /var/www/html/ directory are labeled correctly:
Procedure 4.16. Checking the Default SELinux Conxtext with matchpathcon
- As the root user, create three files (
file1,file2, andfile3) in the/var/www/html/directory. These files inherit thehttpd_sys_content_ttype from/var/www/html/:touch /var/www/html/file{1,2,3}~]# touch /var/www/html/file{1,2,3}Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z /var/www/html/
~]# ls -Z /var/www/html/ -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3Copy to Clipboard Copied! Toggle word wrap Toggle overflow - As root, change the
file1type tosamba_share_t. Note that the Apache HTTP Server cannot read files or directories labeled with thesamba_share_ttype.chcon -t samba_share_t /var/www/html/file1
~]# chcon -t samba_share_t /var/www/html/file1Copy to Clipboard Copied! Toggle word wrap Toggle overflow - The
matchpathcon-Voption compares the current SELinux context to the correct, default context in SELinux policy. Enter the following command to check all files in the/var/www/html/directory:matchpathcon -V /var/www/html/*
~]$ matchpathcon -V /var/www/html/* /var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2 verified. /var/www/html/file3 verified.Copy to Clipboard Copied! Toggle word wrap Toggle overflow
The following output from the
matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_t type:
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
To resolve the label problem and allow the Apache HTTP Server access to
file1, as root, use the restorecon utility:
restorecon -v /var/www/html/file1
~]# restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
4.10.4. Archiving Files with tar
Copy linkLink copied to clipboard!
The
tar utility does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use the tar --selinux command to create archives that retain contexts and to restore files from the archives. If a tar archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, use the restorecon utility:
tar -xvf archive.tar | restorecon -f -
~]$ tar -xvf archive.tar | restorecon -f -tar -xvf archive.tar | restorecon -f -tar -xvf archive.tar | restorecon -f -
Note that depending on the directory, you may need to be the root user to run the
restorecon.
The following example demonstrates creating a
tar archive that retains SELinux contexts:
Procedure 4.17. Creating a tar Archive
- Change to the
/var/www/html/directory and view its SELinux context:cd /var/www/html/
~]$ cd /var/www/html/Copy to Clipboard Copied! Toggle word wrap Toggle overflow html]$ ls -dZ /var/www/html/ drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
html]$ ls -dZ /var/www/html/ drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .Copy to Clipboard Copied! Toggle word wrap Toggle overflow - As root, create three files (
file1,file2, andfile3) in/var/www/html/. These files inherit thehttpd_sys_content_ttype from/var/www/html/:html]# touch file{1,2,3}html]# touch file{1,2,3}Copy to Clipboard Copied! Toggle word wrap Toggle overflow html]$ ls -Z /var/www/html/ -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3
html]$ ls -Z /var/www/html/ -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3Copy to Clipboard Copied! Toggle word wrap Toggle overflow - As root, enter the following command to create a
tararchive namedtest.tar. Use the--selinuxto retain the SELinux context:html]# tar --selinux -cf test.tar file{1,2,3}html]# tar --selinux -cf test.tar file{1,2,3}Copy to Clipboard Copied! Toggle word wrap Toggle overflow - As root, create a new directory named
test/, and then allow all users full access to it:mkdir /test
~]# mkdir /testCopy to Clipboard Copied! Toggle word wrap Toggle overflow chmod 777 /test/
~]# chmod 777 /test/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Copy the
test.tarfile intotest/:cp /var/www/html/test.tar /test/
~]$ cp /var/www/html/test.tar /test/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Change into
test/directory. Once in this directory, enter the following command to extract thetararchive. Specify the--selinuxoption again otherwise the SELinux context will be changed todefault_t:cd /test/
~]$ cd /test/Copy to Clipboard Copied! Toggle word wrap Toggle overflow test]$ tar --selinux -xvf test.tar
test]$ tar --selinux -xvf test.tarCopy to Clipboard Copied! Toggle word wrap Toggle overflow - View the SELinux contexts. The
httpd_sys_content_ttype has been retained, rather than being changed todefault_t, which would have happened had the--selinuxnot been used:Copy to Clipboard Copied! Toggle word wrap Toggle overflow - If the
test/directory is no longer required, as root, enter the following command to remove it, as well as all files in it:rm -ri /test/
~]# rm -ri /test/Copy to Clipboard Copied! Toggle word wrap Toggle overflow
See the tar(1) manual page for further information about
tar, such as the --xattrs option that retains all extended attributes.
4.10.5. Archiving Files with star
Copy linkLink copied to clipboard!
The
star utility does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use the star -xattr -H=exustar command to create archives that retain contexts. The star package is not installed by default. To install star, run the yum install star command as the root user.
The following example demonstrates creating a
star archive that retains SELinux contexts:
Procedure 4.18. Creating a star Archive
- As root, create three files (
file1,file2, andfile3) in the/var/www/html/. These files inherit thehttpd_sys_content_ttype from/var/www/html/:touch /var/www/html/file{1,2,3}~]# touch /var/www/html/file{1,2,3}Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls -Z /var/www/html/
~]# ls -Z /var/www/html/ -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Change into
/var/www/html/directory. Once in this directory, as root, enter the following command to create astararchive namedtest.star:cd /var/www/html
~]$ cd /var/www/htmlCopy to Clipboard Copied! Toggle word wrap Toggle overflow html]# star -xattr -H=exustar -c -f=test.star file{1,2,3} star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).html]# star -xattr -H=exustar -c -f=test.star file{1,2,3} star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).Copy to Clipboard Copied! Toggle word wrap Toggle overflow - As root, create a new directory named
test/, and then allow all users full access to it:mkdir /test
~]# mkdir /testCopy to Clipboard Copied! Toggle word wrap Toggle overflow chmod 777 /test/
~]# chmod 777 /test/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Enter the following command to copy the
test.starfile intotest/:cp /var/www/html/test.star /test/
~]$ cp /var/www/html/test.star /test/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Change into
test/. Once in this directory, enter the following command to extract thestararchive:cd /test/
~]$ cd /test/Copy to Clipboard Copied! Toggle word wrap Toggle overflow test]$ star -x -f=test.star star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).
test]$ star -x -f=test.star star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).Copy to Clipboard Copied! Toggle word wrap Toggle overflow - View the SELinux contexts. The
httpd_sys_content_ttype has been retained, rather than being changed todefault_t, which would have happened had the-xattr -H=exustaroption not been used:Copy to Clipboard Copied! Toggle word wrap Toggle overflow - If the
test/directory is no longer required, as root, enter the following command to remove it, as well as all files in it:rm -ri /test/
~]# rm -ri /test/Copy to Clipboard Copied! Toggle word wrap Toggle overflow - If
staris no longer required, as root, remove the package:yum remove star
~]# yum remove starCopy to Clipboard Copied! Toggle word wrap Toggle overflow
See the star(1) manual page for further information about
star.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}