From Fedora Project Wiki

Revision as of 14:16, 7 January 2016 by Plautrba (talk | contribs) (Update sort rules with local modifications)

SELinux has a few commands for managing file context.

ls -Z is the tool to use when viewing file context.

There are multiple commands for file labels:

restorecon

This command is useful if you want to revert to the default labels on files. For example, you can run restorecon -v -R /var/www/ to reset all the file labels in the /var/www/ directory. Internally, restorecon reads the /etc/selinux/POLICYTYPE/contexts/files/file_contexts* files, which contain a set of regular expressions mapping file paths to security contexts.

setfiles

This command is used to initialize a system. It is the command that runs when you touch /.autorelabel and reboot. It takes a file_context directive and usually works at the file system level, whereas restorecon works at the file/directory level.

fixfiles

This command is a shell script that wraps setfiles and restorecon. It provides some nice features, like figuring out which file systems are mounted on the machine and automatically relabeling all of them. It can also take an RPM name as an argument and run restorecon on all the files in the package. It also has a nice feature used by RPM to compare the previous policy file_context against the newly installed file_context and then run restorecon on the difference.

chcon

This is a command similar to chmod that allows the user/administrator to change the file context on a particular file/directory. The user must specify the context, or a partial context. The other file_context tools will overwrite the changed file context back to the default unless the type is one of the customizable_types. Customizable types are defined in /etc/selinux/POLICYTYPE/contexts/customizable_types.

matchpathcon

This is a simple tool that takes files/directories and prints the default security context of the files.

semanage fcontext

This tool allows, amongst other things, the default file contexts for files (as used by restorecon etc.) to be displayed or changed. You can use semanage fcontext -l to list all of the default file contexts for a system. This is a list of regular expressions.

File Contexts Sort Ordering

Sometimes it is not obvious from looking at the output of semanage fcontext -l why a particular file has a given default context, since multiple regular expressions might match the pathname of the file. The one that is chosen is the one deemed to be the most specific. The sorting algorithm to determine the most specific match is based on the following heuristics, applied in this order:

When comparing two file contexts A and B...

  • if A is a local context added by 'semanage fcontext -a' and B is not, B is less specific than A
  • if A and B are both local contexts added by 'semanage fcontext -a', the one added last is the more specific
  • if A is a regular expression and B is not, A is less specific than B
  • if A's stem length (the number of characters before the first regular expression metacharacter) is shorter than B's stem length, A is less specific than B
  • if A's string length (the entire length of the file context string) is shorter than B's string length, A is less specific than B
  • if A does not have a specified type and B does, A is less specific than B
  • else, they are considered equally specific.

These are the same heuristics applied to file contexts when building reference policy.

The sort is implemented as a stable iterative mergesort.

The possible metacharacters are: . ^ $ ? * + | [ ( { ]
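As an added example (not code from the wiki page or from the SELinux tools themselves), the heuristics above expressed as a Python sort key over constructed file_contexts entries. It assumes that "specified type" means the optional file type field of a file_contexts line (-d, -- and so on) and that a backslash-escaped character such as \. does not count as a metacharacter; the FcEntry, stem_len, specificity_key, sort_specs and best_match names are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

METACHARS = r"[.^$?*+|\[({\]]"  # the metacharacters listed on this page, as a character class

@dataclass(frozen=True)
class FcEntry:
    regex: str                       # path regex as written in file_contexts
    context: str                     # security context, or "<<none>>"
    file_type: Optional[str] = None  # optional file type field ("-d", "--", ...); None if absent
    local_seq: Optional[int] = None  # 'semanage fcontext -a' order for local entries; None for policy

def stem_len(regex: str) -> int:
    """Characters before the first metacharacter; '\\.' style escapes count as literal (assumption)."""
    m = re.search(METACHARS, re.sub(r"\\.", "__", regex))  # mask escapes without shifting positions
    return m.start() if m else len(regex)

def is_regex(regex: str) -> bool:
    return stem_len(regex) < len(regex)

def specificity_key(e: FcEntry) -> tuple:
    """Sort key applying the page's heuristics in order: a larger tuple means a more specific entry."""
    local = e.local_seq is not None
    return (
        local,                          # 1. a local entry beats a policy entry
        e.local_seq if local else -1,   # 2. among local entries, the last added wins
        not is_regex(e.regex),          # 3. a literal path beats a regex
        stem_len(e.regex),              # 4. then the longer stem
        len(e.regex),                   # 5. then the longer whole string
        e.file_type is not None,        # 6. then an explicit file type beats none
    )                                   # 7. equal tuples are equally specific; stable sort keeps input order

def sort_specs(entries):
    """Least specific first; Python's sort is stable, like the mergesort the page mentions."""
    return sorted(entries, key=specificity_key)

def best_match(entries, path):
    """Most specific entry whose regex matches the whole path (libselinux anchors its regexes)."""
    return next((e for e in reversed(sort_specs(entries)) if re.fullmatch(e.regex, path)), None)

# Constructed sample rules: the httpd types are real Fedora types, the paths are made up for the demo.
POLICY = [
    FcEntry(r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    FcEntry(r"/var/www/cgi-bin(/.*)?", "system_u:object_r:httpd_sys_script_exec_t:s0"),
    FcEntry(r"/var/www/html/robots\.txt", "system_u:object_r:httpd_sys_content_t:s0"),
]
LOCAL = POLICY + [  # two 'semanage fcontext -a' additions, in the order they were added
    FcEntry(r"/var/www/html/static(/.*)?", "system_u:object_r:httpd_sys_content_t:s0", local_seq=1),
    FcEntry(r"/var/www/html(/.*)?", "system_u:object_r:httpd_sys_rw_content_t:s0", local_seq=2),
]
```

Note what the local rules do to the outcome: the later, broader local entry for /var/www/html wins over both the earlier local entry for /var/www/html/static and the policy's literal entry for robots.txt, so the order in which semanage fcontext -a rules were added matters more than how specific their paths are.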