5.6.2. Persistent Changes: semanage fcontext
The semanage fcontext command is used to change the SELinux context of files. When using targeted policy, changes are written to files located in the /etc/selinux/targeted/contexts/files/ directory:
- The file_contexts file specifies default contexts for many files, as well as contexts updated via semanage fcontext.
- The file_contexts.local file stores contexts for newly created files and directories not found in file_contexts.
Two utilities read these files. The setfiles utility is used when a file system is relabeled, and the restorecon utility restores the default SELinux contexts. This means that changes made by semanage fcontext are persistent, even if the file system is relabeled. SELinux policy controls whether users are able to modify the SELinux context for any given file.
Quick Reference
To make SELinux context changes that survive a file system relabel:
- Run the semanage fcontext -a options file-name|directory-name command, remembering to use the full path to the file or directory.
- Run the restorecon -v file-name|directory-name command to apply the context changes.
Procedure 5.7. Changing a File's or Directory's Type
The following example demonstrates changing a file's type, and no other attributes of the SELinux context. This example works the same for directories, for instance if file1 were a directory.
- As the Linux root user, run the touch /etc/file1 command to create a new file. By default, newly-created files in the /etc/ directory are labeled with the etc_t type:

    ~]# ls -Z /etc/file1
    -rw-r--r--  root root unconfined_u:object_r:etc_t:s0 /etc/file1

  Use the ls -dZ directory_name command to list information about a directory.
- As the Linux root user, run the semanage fcontext -a -t samba_share_t /etc/file1 command to change the file1 type to samba_share_t. The -a option adds a new record, and the -t option defines a type (samba_share_t). Note that running this command does not directly change the type; file1 is still labeled with the etc_t type:

    ~]# semanage fcontext -a -t samba_share_t /etc/file1
    ~]# ls -Z /etc/file1
    -rw-r--r--  root root unconfined_u:object_r:etc_t:s0 /etc/file1

  The semanage fcontext -a -t samba_share_t /etc/file1 command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

    /etc/file1    unconfined_u:object_r:samba_share_t:s0

- As the Linux root user, run the restorecon -v /etc/file1 command to change the type. Because the semanage command added an entry to file_contexts.local for /etc/file1, the restorecon command changes the type to samba_share_t:

    ~]# restorecon -v /etc/file1
    restorecon reset /etc/file1 context unconfined_u:object_r:etc_t:s0->system_u:object_r:samba_share_t:s0
Procedure 5.8. Changing a Directory and its Contents Types
The following example demonstrates creating a new directory, and changing the directory's file type (along with its contents) to a type used by Apache HTTP Server. The configuration in this example is used if you want Apache HTTP Server to use a different document root (instead of /var/www/html/):
- As the Linux root user, run the mkdir /web command to create a new directory, and then the touch /web/file{1,2,3} command to create 3 empty files (file1, file2, and file3). The /web/ directory and the files in it are labeled with the default_t type.
- As the Linux root user, run the semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command to change the type of the /web/ directory and the files in it to httpd_sys_content_t. The -a option adds a new record, and the -t option defines a type (httpd_sys_content_t). The "/web(/.*)?" regular expression causes the semanage command to apply changes to the /web/ directory, as well as the files in it. Note that running this command does not directly change the type; /web/ and the files in it are still labeled with the default_t type. The semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" command adds the following entry to /etc/selinux/targeted/contexts/files/file_contexts.local:

    /web(/.*)?    system_u:object_r:httpd_sys_content_t:s0

- As the Linux root user, run the restorecon -R -v /web command to change the type of the /web/ directory, as well as all files in it. The -R is for recursive, which means all files and directories under the /web/ directory are labeled with the httpd_sys_content_t type. Since the semanage command added an entry to file_contexts.local for /web(/.*)?, the restorecon command changes the types to httpd_sys_content_t. Note that by default, newly-created files and directories inherit the SELinux type of their parent directories.
Procedure 5.9. Deleting an added Context
The following example demonstrates adding and removing an SELinux context. If the context is part of a regular expression, for example /web(/.*)?, use quotation marks around the regular expression:

    ~]# semanage fcontext -d "/web(/.*)?"

- To remove the context, as the Linux root user, run the semanage fcontext -d file-name|directory-name command, where file-name|directory-name is the first part of the entry in file_contexts.local. The following is an example of a context in file_contexts.local:

    /test    system_u:object_r:httpd_sys_content_t:s0

  Here the first part is /test. To prevent the /test/ directory from being labeled with httpd_sys_content_t after running restorecon, or after a file system relabel, run the following command as the Linux root user to delete the context from file_contexts.local:

    ~]# semanage fcontext -d /test

- As the Linux root user, use the restorecon utility to restore the default SELinux context.
Refer to the semanage(8) manual page for further information about semanage.
Important
When changing the SELinux context with semanage fcontext -a, use the full path to the file or directory to avoid files being mislabeled after a file system relabel, or after the restorecon command is run.
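The following shell script is an added example, not part of the Red Hat documentation: it reads a constructed file_contexts-style spec list containing the entries Procedures 5.7, 5.8 and 5.9 show semanage writing, resolves a path the way setfiles and restorecon do (anchored regex, last matching entry wins, a simplification of libselinux's matching), models semanage fcontext -d as removing a record by its first part, and includes a deliberately bad relative entry ("file2") to show why the note above insists on full paths. The fallback /.* and /etc(/.*)? rules are assumed for illustration.

```shell
#!/bin/sh
# Constructed file_contexts-style spec list (not a real system file): a generic
# fallback, the default /etc rule (both assumed for illustration), the entries
# the page shows "semanage fcontext" writing, and a bad record added without a
# full path. Format: <regex> <context>.
SPECS='/.*            system_u:object_r:default_t:s0
/etc(/.*)?      system_u:object_r:etc_t:s0
/etc/file1      unconfined_u:object_r:samba_share_t:s0
/web(/.*)?      system_u:object_r:httpd_sys_content_t:s0
file2           system_u:object_r:samba_share_t:s0'

# resolve_context PATH [SPECLIST]: print the context the last matching spec
# assigns to PATH, or "<<none>>" if nothing matches. Regexes are anchored at
# both ends, as file_contexts regexes are. Last-match-wins is how the local
# entries override the defaults they are appended to (simplified model).
resolve_context() {
    path=$1
    specs=${2:-$SPECS}
    ctx='<<none>>'
    while read -r regex context; do
        [ -z "$regex" ] && continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            ctx=$context
        fi
    done <<EOF
$specs
EOF
    printf '%s\n' "$ctx"
}

# type_of CONTEXT: the type field (user:role:TYPE:level), the part restorecon
# reports changing in the page's output.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# drop_spec REGEX SPECLIST: print SPECLIST without the record whose first part
# is exactly REGEX, the way "semanage fcontext -d" deletes an entry.
drop_spec() {
    printf '%s\n' "$2" | awk -v r="$1" '$1 != r'
}

# Walk through the page's procedures; the relative "file2" record never
# matches /web/file2 because matching is anchored at the root.
echo "/etc/file1 after 5.7: $(resolve_context /etc/file1)"
echo "/web/file2 after 5.8: $(resolve_context /web/file2)"
AFTER_DELETE=$(drop_spec '/web(/.*)?' "$SPECS")
echo "/web/file2 after 5.9: $(resolve_context /web/file2 "$AFTER_DELETE")"
```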