Lesson 9.5: List and identify SELinux file and process context

To view the security context of a file/dir

Format : user:role:type:sensitivity

 
[root@server ~]# ls -Z 
unconfined_u:object_r:admin_home_t:s0 data1  unconfined_u:object_r:admin_home_t:s0 loans
unconfined_u:object_r:admin_home_t:s0 data2  unconfined_u:object_r:admin_home_t:s0 stratis

Effects of create, copy & move operations on a file for SELinux point of view

Create : Whenever any file is created then the file inherits SELinux context of it parents directory.
Copy : Whenever file is copied from one dir to another dir, then the file takes SELinux Security Context of the destination directory.
Move : Whenever file is moved from one dir to another dir, then the file still retains its original SELINUX Security Context.

Viewing an example of create, copy & move operations on a web server

 
# Creating a file , new file takes the SELinux Context of its parent directoy. Hence Website displayed
[root@server html]# vim index.html 
[root@server html]# ls
index.html
[root@server html]# ls -Z 
unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@server html]# 
[root@server html]# ls -dZ /var/www/html/
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
 
# Copying a file, copyed file takes the SELinux context of the destination directory /var/www/html
[root@server ~]# ls -dZ 
system_u:object_r:admin_home_t:s0 .
[root@server ~]# vim index.html
[root@server ~]# cp index.html /var/www/html/
[root@server ~]# cd /var/www/html/
[root@server html]# ls -Z index.html 
unconfined_u:object_r:httpd_sys_content_t:s0 index.html
 
# Moving a file, moved file takes the SELinux context of the directory from where it was moved  /
[root@server ~]# vim index.html
[root@server ~]# ls -dZ 
system_u:object_r:admin_home_t:s0 .
[root@server ~]# mv index.html /var/www/html/
[root@server ~]# cd /var/www/html/
[root@server html]# ls -Z index.html 
unconfined_u:object_r:admin_home_t:s0 index.html