Lesson 9.5: List and identify SELinux file and process context
To view the security context of a file/dir
Format : user:role:type:level (the level is the MLS/MCS sensitivity, s0 on a default targeted-policy system, optionally followed by categories such as c0.c1023; for file access decisions the type field is the one that matters)
[root@server ~]# ls -Z
unconfined_u:object_r:admin_home_t:s0 data1 unconfined_u:object_r:admin_home_t:s0 loans
unconfined_u:object_r:admin_home_t:s0 data2 unconfined_u:object_r:admin_home_t:s0 stratis
Effects of create, copy and move operations on a file from the SELinux point of view
- Create : A newly created file gets the type of its parent directory, unless the policy has a type-transition rule for that directory and creating process. The SELinux user field comes from the creating process, which is why files made from root's shell show unconfined_u while the directory itself shows system_u.
- Copy : cp creates a new file at the destination, so the copy takes the SELinux context of the destination directory, exactly as a newly created file would. cp --preserve=context (or cp -a) keeps the source context instead.
- Move : mv renames the inode (or, across filesystems, copies it while preserving its attributes, context included), so the moved file keeps its original SELinux context. mv -Z relabels the moved file to the destination's default type instead.
- Check : a file that keeps a foreign type such as admin_home_t inside /var/www/html is unreadable to httpd_t; Apache answers 403 and an AVC denial is written to /var/log/audit/audit.log. restorecon -v <file> (or restorecon -Rv /var/www/html) resets the type to what the file-context rules expect.
Viewing an example of create, copy & move operations on a web server
# Creating a file: the new file takes the SELinux type of its parent directory /var/www/html, so the website is displayed
[root@server html]# vim index.html
[root@server html]# ls
index.html
[root@server html]# ls -Z
unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@server html]#
[root@server html]# ls -dZ /var/www/html/
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
# Copying a file: the copied file takes the SELinux context of the destination directory /var/www/html
[root@server ~]# ls -dZ
system_u:object_r:admin_home_t:s0 .
[root@server ~]# vim index.html
[root@server ~]# cp index.html /var/www/html/
[root@server ~]# cd /var/www/html/
[root@server html]# ls -Z index.html
unconfined_u:object_r:httpd_sys_content_t:s0 index.html
# Moving a file: the moved file keeps the context it had in /root (admin_home_t) instead of taking the context of /var/www/html, so httpd cannot read it
[root@server ~]# vim index.html
[root@server ~]# ls -dZ
system_u:object_r:admin_home_t:s0 .
[root@server ~]# mv index.html /var/www/html/
[root@server ~]# cd /var/www/html/
[root@server html]# ls -Z index.html
unconfined_u:object_r:admin_home_t:s0 index.html
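The rules above and the transcript both rely on reading the type field out of `ls -Z` output by eye. The script below, added here as an example and not part of the original lesson, does that check mechanically: it splits the context string, flags every file in the web root whose type httpd_t cannot read, and names the restorecon fix. The constructed sample (the names created.html, copied.html and moved.html are assumptions chosen to mirror the three operations) is what `ls -Z /var/www/html/` would show after the lesson's create, copy and move; on a host where SELinux is enabled the script checks the live /var/www/html instead.

```sh
#!/bin/sh
# Added example, not part of the original lesson: parse the "context name" lines
# that `ls -Z` prints (RHEL 7/8 format, as in the transcript above) and flag
# files in the web root whose type httpd_t is not allowed to read.

# The third field of a user:role:type:level context string is the type.
# Works even when the level carries categories (s0:c0.c1023), since cut
# takes only field 3.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` lines ("context name") on stdin. Print every file whose type is
# not a content type httpd_t can read; return 1 if any such file was found.
check_web_context() {
    bad=0
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        case "$(ctx_type "$ctx")" in
            httpd_sys_content_t|httpd_sys_rw_content_t|httpd_sys_ra_content_t) ;;
            *) printf 'MISLABELED %s (%s): fix with restorecon -v %s\n' "$name" "$ctx" "$name"
               bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample (file names are assumed): what `ls -Z /var/www/html/`
# shows after the three operations in the lesson. The created and copied files
# took httpd_sys_content_t from the directory; the moved one kept admin_home_t
# from /root.
SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 created.html
unconfined_u:object_r:httpd_sys_content_t:s0 copied.html
unconfined_u:object_r:admin_home_t:s0 moved.html'

# Run the check over the constructed sample: prints one MISLABELED line for
# moved.html and returns 1.
check_sample() {
    printf '%s\n' "$SAMPLE_LS_Z" | check_web_context
}

# On a real SELinux host check the live web root; elsewhere use the sample.
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
    ls -Z /var/www/html/ | check_web_context || echo "run: restorecon -Rv /var/www/html"
else
    check_sample || :
fi
```

`ls -Z` writes one "context name" pair per line when its output goes to a pipe, which is the shape `check_web_context` expects; older releases that also print mode and owner columns would need the field positions adjusted.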