SELinux – Change context. – free-tutorials.org news free tutorials source code development scripts

Processes and files are labeled with an SELinux context that contains additional information, such as an SELinux user, role, type, and, optionally, a level. When running SELinux, all of this information is used to make access control decisions.
Let’s test this with httpd sercice and index.html file.
You need to start this service on Fedora.
Using these commands we can see the context of this file.
I will change this context and restore it.
Let’s start with the first steps:

[mythcat@desk ~]$ sudo systemctl start httpd.service
[sudo] password for mythcat:
[mythcat@desk ~]$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>
   Active: active (running) since Tue 2019-08-13 19:23:49 EEST; 7s ago

[mythcat@desk ~]$ ps -efZ | grep 'httpd'
...
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mythcat 3378 2271  0 19:25 pts/0 00:00:00 grep --color=auto httpd

[mythcat@desk ~]$ sudo vim /var/www/html/index.html
[mythcat@desk ~]$ ls -Z  /var/www/html/*
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
[mythcat@desk ~]$ sudo touch /var/www/html/index.html

[mythcat@desk ~]$ sudo vim /var/www/html/index.html
[mythcat@desk ~]$ sudo chmod -R 755 /var/www/*
[mythcat@desk ~]$ sudo systemctl restart httpd.service

[mythcat@desk ~]$ sudo systemctl start httpd.service

[sudo] password for mythcat:

[mythcat@desk ~]$ systemctl status httpd.service

● httpd.service - The Apache HTTP Server

Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>

Active: active (running) since Tue 2019-08-13 19:23:49 EEST; 7s ago

[mythcat@desk ~]$ ps -efZ | grep 'httpd'

...

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mythcat 3378 2271 0 19:25 pts/0 00:00:00 grep --color=auto httpd

[mythcat@desk ~]$ sudo vim /var/www/html/index.html

[mythcat@desk ~]$ ls -Z /var/www/html/*

unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

[mythcat@desk ~]$ sudo touch /var/www/html/index.html

[mythcat@desk ~]$ sudo vim /var/www/html/index.html

[mythcat@desk ~]$ sudo chmod -R 755 /var/www/*

[mythcat@desk ~]$ sudo systemctl restart httpd.service

You can see the index.html on localhost:

[mythcat@desk ~]$ sudo chcon --type var_t /var/www/html/index.html
[mythcat@desk ~]$ ls -lZ /var/www/html/
total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:var_t:s0 23 Aug 13 19:30 index.html

[mythcat@desk ~]$ sudo chcon --type var_t /var/www/html/index.html

[mythcat@desk ~]$ ls -lZ /var/www/html/

total 4

-rwxr-xr-x. 1 root root unconfined_u:object_r:var_t:s0 23 Aug 13 19:30 index.html

Let’s change the context. The result on Fedora will be the apache default page.
You can get back the selinux context of file with this command:

[mythcat@desk ~]$ sudo restorecon -v  /var/www/html/index.html
Relabeled /var/www/html/index.html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
[mythcat@desk ~]$ ls -lZ /var/www/html/
total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 23 Aug 13 19:30 index.html

[mythcat@desk ~]$ sudo restorecon -v /var/www/html/index.html

Relabeled /var/www/html/index.html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

[mythcat@desk ~]$ ls -lZ /var/www/html/

total 4

-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 23 Aug 13 19:30 index.html

Leave a Reply Cancel reply