4.10. Maintaining SELinux Labels

The following sections describe what happens to SELinux contexts when files and directories are copied, moved, and archived, and how to preserve or restore the correct contexts in each case.

4.10.1. Copying Files and Directories

When a file or directory is copied, a new file or directory is created if the destination does not already exist. The new object's context comes from the default-labeling rules (usually the type of the destination's parent directory, unless a policy type-transition rule applies), not from the source, unless cp options are used to preserve the original context. For example, files created in a user's home directory are labeled with the user_home_t type:

~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

If such a file is copied to another directory, such as /etc, the new file is created in accordance with the default-labeling rules for /etc. Copying a file without additional options may not preserve the original context:

~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
~]# cp file1 /etc/
~]$ ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

When file1 is copied to /etc and /etc/file1 does not exist, /etc/file1 is created as a new file. As shown in the example above, /etc/file1 is labeled with the etc_t type, in accordance with the default-labeling rules.

When a file is copied over an existing file, the existing file's context is preserved unless the user specifies cp options that carry over the context of the original file, such as --preserve=context. SELinux policy may prevent contexts from being preserved during copies: cp --preserve=context reports an error and fails when the context cannot be set, whereas cp -a (which implies --preserve=all) attempts to preserve the context but does not treat a failure to do so as an error.
Procedure 4.11. Copying Without Preserving SELinux Contexts

When copying with the cp command, if no options are given, the type is inherited from the targeted parent directory.

- Create a file in a user's home directory. The file is labeled with the user_home_t type:

~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

- The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the following command:

~]$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

- When file1 is copied to /var/www/html/, it inherits the httpd_sys_content_t type:

~]# cp file1 /var/www/html/
~]$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
Procedure 4.12. Preserving SELinux Contexts When Copying

Use the cp --preserve=context option to preserve contexts when copying.

- Create a file in a user's home directory. The file is labeled with the user_home_t type:

~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

- The /var/www/html/ directory is labeled with the httpd_sys_content_t type, as shown with the following command:

~]$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

- Using the --preserve=context option preserves SELinux contexts during copy operations. As shown below, the user_home_t type of file1 was preserved when the file was copied to /var/www/html/:

~]# cp --preserve=context file1 /var/www/html/
~]$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

Preserving the context is only correct when the source label is the one the destination should carry. In this example the copy keeps user_home_t, a type the Apache HTTP Server cannot read, so the file is unreadable over the web until it is relabeled with restorecon, as described in Section 4.10.3, "Checking the Default SELinux Context".
Procedure 4.13. Copying and Changing the Context

Use the cp --context option to change the destination copy's context. The following example is performed in the user's home directory:

- Create a file in a user's home directory. The file is labeled with the user_home_t type:

~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

- Use the --context option to define the SELinux context:

~]$ cp --context=system_u:object_r:samba_share_t:s0 file1 file2

- Without --context, file2 would be labeled with the unconfined_u:object_r:user_home_t context:

~]$ ls -Z file1 file2
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-rw-r-- user1 group1 system_u:object_r:samba_share_t:s0 file2

As with --preserve=context, the copy fails if SELinux policy does not allow the user's domain to create a file with the requested label. A label set this way is not recorded in the policy's file-context rules, so a later restorecon resets it to the default for that path.
Procedure 4.14. Copying a File Over an Existing File

- As root, create a new file, file1, in the /etc directory. As shown below, the file is labeled with the etc_t type:

~]# touch /etc/file1
~]$ ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

- Create another file, file2, in the /tmp directory. As shown below, the file is labeled with the user_tmp_t type:

~]$ touch /tmp/file2
~]$ ls -Z /tmp/file2
-rw-r--r-- root root unconfined_u:object_r:user_tmp_t:s0 /tmp/file2

- Overwrite file1 with file2:

~]# cp /tmp/file2 /etc/file1

- After copying, the following command shows file1 labeled with the etc_t type, not the user_tmp_t type of /tmp/file2, whose contents replaced those of /etc/file1:

~]$ ls -Z /etc/file1
-rw-r--r-- root root unconfined_u:object_r:etc_t:s0 /etc/file1

The existing label survives because cp truncates and rewrites the existing inode rather than creating a new one, so the destination's extended attributes, including its SELinux context, are untouched.
Important
4.10.2. Moving Files and Directories

Files and directories keep their current SELinux context when they are moved. In many cases this is incorrect for the location they are moved to. The following example demonstrates moving a file from a user's home directory to the /var/www/html/ directory, which is used by the Apache HTTP Server. Since the file is moved, it does not inherit the correct SELinux context:

Procedure 4.15. Moving Files and Directories

- Change into your home directory and create a file in it. The file is labeled with the user_home_t type:

~]$ touch file1
~]$ ls -Z file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 file1

- Enter the following command to view the SELinux context of the /var/www/html/ directory:

~]$ ls -dZ /var/www/html/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

By default, /var/www/html/ is labeled with the httpd_sys_content_t type. Files and directories created under /var/www/html/ inherit this type, and as such, they are labeled with this type.

- As root, move file1 to /var/www/html/. Since this file is moved, it keeps its current user_home_t type:

~]# mv file1 /var/www/html/
~]# ls -Z /var/www/html/file1
-rw-rw-r-- user1 group1 unconfined_u:object_r:user_home_t:s0 /var/www/html/file1

In this example, file1 is labeled with the user_home_t type. If all files comprising a web page are labeled with the user_home_t type, or another type that the Apache HTTP Server cannot read, permission is denied when attempting to access them using web browsers, such as Mozilla Firefox.

Important

Moving files and directories with the mv command may result in the incorrect SELinux context, preventing processes, such as the Apache HTTP Server and Samba, from accessing such files and directories. Within one file system a move only re-links the inode, so its extended attributes (and therefore its label) travel with it. After moving content into a directory such as /var/www/html/, run restorecon -Rv on that directory to reset the labels to the policy defaults; alternatively, mv -Z (coreutils 8.22 and later) gives the moved file the destination's default type instead of keeping the source label.
4.10.3. Checking the Default SELinux Context

Use the matchpathcon utility to check if files and directories have the correct SELinux context. This utility queries the system policy and then provides the default security context associated with the file path.[6] The following example demonstrates using matchpathcon to verify that files in the /var/www/html/ directory are labeled correctly:

Procedure 4.16. Checking the Default SELinux Context with matchpathcon

- As the root user, create three files (file1, file2, and file3) in the /var/www/html/ directory. These files inherit the httpd_sys_content_t type from /var/www/html/:

~]# touch /var/www/html/file{1,2,3}
~]# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

- As root, change the file1 type to samba_share_t. Note that the Apache HTTP Server cannot read files or directories labeled with the samba_share_t type.

~]# chcon -t samba_share_t /var/www/html/file1

- The matchpathcon -V option compares the current SELinux context to the correct, default context in SELinux policy. Enter the following command to check all files in the /var/www/html/ directory:

~]$ matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.

The matchpathcon command explains that file1 is labeled with the samba_share_t type, but should be labeled with the httpd_sys_content_t type:

/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

To resolve the label problem and allow the Apache HTTP Server access to file1, as root, use the restorecon utility:

~]# restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

To relabel a whole tree, use restorecon -Rv; restorecon -n reports what would change without modifying anything. Note that a label set with chcon is not recorded in the policy's file-context rules, so any later relabel (restorecon or a full file system relabel) reverts it. To make a non-default label permanent for a path, record it with semanage fcontext and then run restorecon.
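The following script is an added example and is not part of the Red Hat guide. It turns the matchpathcon -V and restorecon check above into a reusable audit of a whole directory tree, which also catches files that arrived with the wrong label through cp --preserve=context (Section 4.10.1) or mv (Section 4.10.2). It assumes GNU find and awk, matchpathcon and restorecon from policycoreutils, and an SELinux-enabled host for audit_labels and fix_labels; parse_matchpathcon is plain text processing and is exercised below against sample output constructed from the matchpathcon listing shown above. The function names and the script name are the author's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit a directory tree against
# the SELinux policy's default file contexts and optionally repair it.
# Needs matchpathcon and restorecon (policycoreutils), GNU find and awk.
# Only the text-processing helpers run without SELinux; audit_labels and
# fix_labels need a real SELinux host.

# Extract the type field from a full context string.
# ctx_type unconfined_u:object_r:samba_share_t:s0  ->  samba_share_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `matchpathcon -V` output on stdin and print one line per mislabeled
# path as: path<TAB>current type<TAB>expected type.
# "verified." lines are dropped.  Paths containing whitespace are not
# handled, because matchpathcon does not quote them.
parse_matchpathcon() {
    awk '
        / has context .*, should be / {
            path = $1
            cur = $4; sub(/,$/, "", cur)        # strip the trailing comma
            want = $NF
            split(cur, c, ":"); split(want, w, ":")
            printf "%s\t%s\t%s\n", path, c[3], w[3]
        }
    '
}

# Check every path under DIR against policy.  Prints the mislabeled entries
# and returns 1 if there are any, 0 if the tree is clean.
audit_labels() {
    report=$(find "$1" -print0 | xargs -0 matchpathcon -V | parse_matchpathcon)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Relabel DIR recursively from the policy's file-context rules.
# Without a second argument of "apply" this is a dry run (-n): restorecon
# reports what it would change and touches nothing.
fix_labels() {
    if [ "$2" = apply ]; then
        restorecon -Rv "$1"
    else
        restorecon -Rvn "$1"
    fi
}

# Usage: sh label_audit.sh DIR [apply]
if [ -n "${1:-}" ]; then
    audit_labels "$1" || fix_labels "$1" "${2:-}"
fi
```

Run it as sh label_audit.sh /var/www/html to list mislabeled entries and preview the fix, and add apply as the second argument to relabel. The audit deliberately relies on matchpathcon rather than comparing a file's type with its parent directory's, because the policy default for a path (for example, a script under cgi-bin) is not always the parent's type.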
4.10.4. Archiving Files with tar

The tar utility does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use the tar --selinux command to create archives that retain contexts and to restore files from the archives. If a tar archive contains files without extended attributes, or if you want the extended attributes to match the system defaults, use the restorecon utility:

~]$ tar -xvf archive.tar | restorecon -f -

The -v option is what makes this work: tar prints each extracted name to standard output, and restorecon -f - reads that list and relabels each name relative to the current directory, so run the pipeline from the directory you extract into. Depending on the directory, you may need to be root to run restorecon.

The following example demonstrates creating a tar archive that retains SELinux contexts:

Procedure 4.17. Creating a tar Archive

- Change to the /var/www/html/ directory and view its SELinux context:

~]$ cd /var/www/html/
html]$ ls -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .

- As root, create three files (file1, file2, and file3) in /var/www/html/. These files inherit the httpd_sys_content_t type from /var/www/html/:

html]# touch file{1,2,3}
html]$ ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

- As root, enter the following command to create a tar archive named test.tar. Use the --selinux option to retain the SELinux context:

html]# tar --selinux -cf test.tar file{1,2,3}

- As root, create a new directory named /test/, and then allow all users full access to it:

~]# mkdir /test
~]# chmod 777 /test/

- Copy the test.tar file into /test/:

~]$ cp /var/www/html/test.tar /test/

- Change into the /test/ directory. Once in this directory, enter the following command to extract the tar archive. Specify the --selinux option again, otherwise the SELinux context will be changed to default_t:

~]$ cd /test/
test]$ tar --selinux -xvf test.tar

- View the SELinux contexts. The httpd_sys_content_t type has been retained, rather than being changed to default_t, which would have happened had --selinux not been used:

test]$ ls -lZ /test/
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r-- user1 group1 unconfined_u:object_r:default_t:s0 test.tar

Note that test.tar itself was copied into /test/ with plain cp, so it carries default_t, the label policy assigns to paths it has no rule for; the extracted files keep httpd_sys_content_t only because the archive stored their contexts.

- If the /test/ directory is no longer required, as root, enter the following command to remove it, as well as all files in it:

~]# rm -ri /test/

See the tar(1) manual page for further information about tar, such as the --xattrs option that retains all extended attributes.
4.10.5. Archiving Files with star

The star utility does not retain extended attributes by default. Since SELinux contexts are stored in extended attributes, contexts can be lost when archiving files. Use the star -xattr -H=exustar command to create archives that retain contexts. The star package is not installed by default. To install star, run the yum install star command as the root user.

The following example demonstrates creating a star archive that retains SELinux contexts:

Procedure 4.18. Creating a star Archive

- As root, create three files (file1, file2, and file3) in the /var/www/html/ directory. These files inherit the httpd_sys_content_t type from /var/www/html/:

~]# touch /var/www/html/file{1,2,3}
~]# ls -Z /var/www/html/
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

- Change into the /var/www/html/ directory. Once in this directory, as root, enter the following command to create a star archive named test.star:

~]$ cd /var/www/html
html]# star -xattr -H=exustar -c -f=test.star file{1,2,3}
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

- As root, create a new directory named /test/, and then allow all users full access to it:

~]# mkdir /test
~]# chmod 777 /test/

- Enter the following command to copy the test.star file into /test/:

~]$ cp /var/www/html/test.star /test/

- Change into /test/. Once in this directory, enter the following command to extract the star archive:

~]$ cd /test/
test]$ star -x -f=test.star
star: 1 blocks + 0 bytes (total of 10240 bytes = 10.00k).

- View the SELinux contexts. The httpd_sys_content_t type has been retained, rather than being changed to default_t, which would have happened had the -xattr -H=exustar options not been used when the archive was created:

~]$ ls -lZ /test/
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r-- user1 group1 unconfined_u:object_r:httpd_sys_content_t:s0 file3
-rw-r--r-- user1 group1 unconfined_u:object_r:default_t:s0 test.star

- If the /test/ directory is no longer required, as root, enter the following command to remove it, as well as all files in it:

~]# rm -ri /test/

- If star is no longer required, as root, remove the package:

~]# yum remove star

See the star(1) manual page for further information about star.
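The following script is an added example and is not part of the Red Hat guide, GNU tar, or star. It automates the check that Procedures 4.17 and 4.18 perform by hand: archive a tree with its contexts (tar --selinux or star -xattr -H=exustar), extract it somewhere whose default labels differ, and compare the contexts before and after, so a lost label shows up as a diff instead of having to be spotted in ls -lZ output. It assumes GNU tar 1.27 or later (for --selinux), star when that tool is selected, GNU find (whose -printf %Z prints the context), and an SELinux-enabled host for everything except ctx_diff, which is plain text processing and is exercised below against listings constructed from the ls -lZ output shown above. The function names, the archive name a.archive and the script name are the author's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide, GNU tar or star): prove that an
# archive round trip kept every SELinux context.  Assumes GNU tar with
# --selinux (1.27 or later), star for the star path, GNU find (-printf %Z
# prints the context) and an SELinux-enabled host for everything except
# ctx_diff, which is plain text processing.

# List every entry under DIR as "relative-path<TAB>context", sorted.
list_contexts() {
    ( cd "$1" && find . -mindepth 1 -printf '%P\t%Z\n' | sort )
}

# Compare two listings produced by list_contexts (BEFORE and AFTER files).
# Prints entries whose context changed or that vanished; returns 1 if any.
# Entries that exist only in AFTER are ignored.
ctx_diff() {
    {
        awk '{ print "B\t" $0 }' "$1"   # tag the before listing
        awk '{ print "A\t" $0 }' "$2"   # tag the after listing
    } | awk -F'\t' '
        BEGIN { bad = 0 }
        $1 == "B" { before[$2] = $3; next }
        {
            seen[$2] = 1
            if (($2 in before) && before[$2] != $3) {
                printf "%s\t%s -> %s\n", $2, before[$2], $3
                bad = 1
            }
        }
        END {
            for (p in before)
                if (!(p in seen)) { printf "%s\tmissing\n", p; bad = 1 }
            exit bad
        }
    '
}

# Create ARCHIVE (give an absolute path) from the contents of DIR with the
# contexts stored.  TOOL is tar (default) or star.
archive_with_contexts() {
    dir=$1; archive=$2; tool=${3:-tar}
    case $tool in
        tar)  ( cd "$dir" && tar --selinux -cf "$archive" . ) ;;
        star) ( cd "$dir" && star -xattr -H=exustar -c -f="$archive" . ) ;;
        *)    echo "unknown tool: $tool" >&2; return 2 ;;
    esac
}

# Extract ARCHIVE into DEST, restoring contexts.  Without --selinux, tar
# would let the files take the default label of DEST instead.
extract_with_contexts() {
    archive=$1; dest=$2; tool=${3:-tar}
    mkdir -p "$dest" || return 2
    case $tool in
        tar)  ( cd "$dest" && tar --selinux -xf "$archive" ) ;;
        star) ( cd "$dest" && star -x -f="$archive" ) ;;
        *)    return 2 ;;
    esac
}

# Archive DIR, extract it into a scratch directory under /tmp (whose default
# labels differ from DIR's, so a lost context shows up), and compare.
verify_roundtrip() {
    dir=$1; tool=${2:-tar}
    work=$(mktemp -d) || return 2
    archive_with_contexts "$dir" "$work/a.archive" "$tool" || return 2
    extract_with_contexts "$work/a.archive" "$work/out" "$tool" || return 2
    list_contexts "$dir" > "$work/before"
    list_contexts "$work/out" > "$work/after"
    ctx_diff "$work/before" "$work/after"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: sh archive_check.sh DIR [tar|star]
if [ -n "${1:-}" ]; then
    verify_roundtrip "$1" "${2:-tar}"
fi
```

Run it as sh archive_check.sh /var/www/html or sh archive_check.sh /var/www/html star; a clean round trip prints nothing and exits 0, while dropping --selinux from archive_with_contexts makes every entry appear as httpd_sys_content_t -> the scratch directory's tmp type. The comparison is keyed on paths relative to the tree root, which is why both listings are taken with find -printf %P from inside the directory.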