In this video Kevin Dankwardt describes the use of SELinux. The discussion includes temporarily and permanently setting SELinux type contexts. We set and restore SELinux contexts. We use semanage and chcon commands and look at the config files that are ch
- [Instructor] SELinux File Contexts. So associated with files, when you're using SELinux, is the context that the kernel uses to check for permissions. You can see the context with the capital Z (or capital Zed) option to ls. The way it works in the kernel is, it checks regular permissions, the typical read/write/execute sort of stuff, and it checks extra stuff based on these contexts. So this is going on in the kernel; in fact, pretty much every system call in the kernel has a hook in it to do extra checks.
So one of the great benefits of this, is a service, like a web server, can check the context on a file, or a kernel can enforce that, to prevent the web server from serving files it's not supposed to serve, for example. So if someone, say, tried to get your web server to serve up your password file, it wouldn't be able to do it, because of these sort of checks. So, you sometimes need to adjust these, so that, for example, this web server can serve up a page.
If you just copy some file over there, it might not be able to serve it up. So you can change the context on a file with the chcon command. For example, the context for the httpd daemon is httpd_sys_content_t. So if we set that context on that info.html file, then the web server should be able to serve it up. But that's just temporary. If you reboot, or you do a restorecon, or if your file system gets relabeled with the context, then that could go away.
So there's a way to change that, so that, whenever a restore is done, it will be set to what you wanted to set it to. That restorecon command gets that information from files underneath /etc/selinux/targeted/contexts/files/. So, if you chcon the context, then you do a restorecon, it'll go back to what the default was. You can change the default, you can change the file that restorecon uses, with the semanage fcontext command.
So let's look at how contexts are inherited from the parent directory, using chcon, using restorecon, and using the semanage fcontext command. Let's look at the context for the etc directory. We see at the end there that it's etc_t sort of stuff. If we go to /etc and we make a file, here we just touch a file.
We see it gets that etc_t type. So that's an example of inheriting from the directory. But we can use semanage to change the defaults, or change the remembered type for a file. But let's back that stuff up. Let's make a directory to hold, or back up, and let's copy those context config files.
Remember bang dollar, !$, means the last thing on the previous line there. So I've made a copy of those. So if we do a semanage command, it will make some sort of change in a file under there. So, let's just look at a system file, /etc/hosts. So even though this is in etc, it doesn't have the default etc_t type, it has the net_conf_t type. Let's tell our system that we want that file to have some other type.
So, just to be unusual, we're going to say samba_share_t, which doesn't really make any sense, but it's a different type. Okay, so it took a second, doesn't print out anything, we don't really know what happened. If we look at the context of hosts, it didn't change. What changed was the config file. So let's go into /etc/selinux/targeted/contexts/files, and let's do a diff to get an idea what changed.
And we see we've got some file_contexts.bin, and homedirs.bin. And we've got this file_contexts.local. And in there, it's got a line for /etc/hosts, saying samba_share_t. So that's where it's stored, that we want /etc/hosts to be samba_share_t. So let's remember where we are, in a shell variable.
Let's go back to etc, let's just double-check hosts, okay it's still its original. Now let's do a temporary change. We'll go with some other kind of random choice here. Okay. So now it says public_content_rw_t. So its original was net_conf; we set it to public_content_rw, but we did a semanage to set it to samba_share_t.
Okay, but it hasn't yet had the samba_share_t. If we do restorecon, then it's going to look up what it's supposed to be; now it's the samba. So, because we did that semanage, if we ever do a restorecon, or we reboot and do a relabel, then it's going to set it back to the samba_share_t. Remember, we remembered that directory with t, so if we go back there, and we've got some stuff at the top there, so we're going to remove that.
Okay. So, let's go and reset back to what we had before. So we're going to look at where we were. Going to go there, let's move that files directory to files.save. Let's make another files. And let's copy our backup here.
Go back to etc, double-check hosts, restorecon hosts. Now we're back to default. So, we replaced the change we made with semanage by restoring that directory. So now it's back to the default for /etc/hosts.
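The walkthrough above turns on one distinction: chcon rewrites only the label stored on the file, while restorecon recomputes the label from the spec files under /etc/selinux/targeted/contexts/files, where semanage fcontext records its changes in file_contexts.local. The added example below, which is not part of the video or of any SELinux tool, models that lookup offline in Python: it parses a constructed excerpt in the file_contexts format (a regex, an optional file-type flag such as `--` for regular files, and a context, or `<<none>>` for no label), applies the rules libselinux uses (regexes match the whole path, the last matching spec wins, and local customizations are appended after the policy specs so they take precedence), and then replays the chcon-then-restorecon cycle on /etc/hosts. The policy lines, the local line, and the LabeledFile class are all constructed for illustration; the real file_contexts shipped with a distribution is far larger. Note that the "new file gets its parent's type" behaviour shown with touch in /etc is done by the kernel at creation time and is not what this lookup models; the `/etc(/.*)?` entry is what restorecon would later use for such a file.

```python
import re
from typing import List, NamedTuple, Optional


class FileContextSpec(NamedTuple):
    regex: "re.Pattern[str]"
    file_type: Optional[str]   # None means "any object type"
    context: Optional[str]     # None when the spec says <<none>> (leave unlabeled)


# File-type flags as used in file_contexts(5); mapped to the names used by lookups below.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
              "-b": "block", "-s": "socket", "-p": "fifo"}

# Constructed excerpt in the style of the policy's file_contexts (NOT the real file).
POLICY_FILE_CONTEXTS = """\
# path regex        [type]  context
/.*                         system_u:object_r:default_t:s0
/etc(/.*)?                  system_u:object_r:etc_t:s0
/etc/hosts.*        --      system_u:object_r:net_conf_t:s0
/var/www(/.*)?              system_u:object_r:httpd_sys_content_t:s0
"""

# Constructed line of the kind `semanage fcontext -a -t samba_share_t /etc/hosts`
# leaves in file_contexts.local.
LOCAL_FILE_CONTEXTS = """\
/etc/hosts                  system_u:object_r:samba_share_t:s0
"""


def parse_file_contexts(text: str) -> List[FileContextSpec]:
    """Parse file_contexts-style lines: `regex [type-flag] context`, `#` comments allowed."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, flag, ctx = fields[0], None, fields[1]
        elif len(fields) == 3:
            regex, flag, ctx = fields
        else:
            raise ValueError(f"malformed spec line: {raw!r}")
        if flag is not None and flag not in TYPE_FLAGS:
            raise ValueError(f"unknown file-type flag {flag!r} in {raw!r}")
        specs.append(FileContextSpec(re.compile(regex),
                                     TYPE_FLAGS[flag] if flag else None,
                                     None if ctx == "<<none>>" else ctx))
    return specs


def build_specs(local_text: str = "") -> List[FileContextSpec]:
    """Policy specs first, then local customizations, so a local entry is the last match."""
    return parse_file_contexts(POLICY_FILE_CONTEXTS) + parse_file_contexts(local_text)


def lookup_default_context(specs: List[FileContextSpec], path: str, kind: str = "file") -> Optional[str]:
    """What restorecon would apply: whole-path regex match, last matching spec wins."""
    for spec in reversed(specs):
        if spec.file_type is not None and spec.file_type != kind:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def selinux_type(context: Optional[str]) -> Optional[str]:
    """Third field of user:role:type:level, e.g. net_conf_t."""
    return context.split(":")[2] if context else None


class LabeledFile:
    """Toy model of a file's on-disk label versus its default from the spec files (constructed)."""

    def __init__(self, path: str, kind: str, specs: List[FileContextSpec]):
        self.path, self.kind, self.specs = path, kind, specs
        self.context = lookup_default_context(specs, path, kind)

    def chcon(self, new_type: str) -> str:
        # chcon changes only the label on the object; the spec files are untouched.
        user, role, _old_type, level = self.context.split(":", 3)
        self.context = ":".join([user, role, new_type, level])
        return self.context

    def restorecon(self) -> Optional[str]:
        # restorecon discards the temporary label and reapplies the spec-file default.
        self.context = lookup_default_context(self.specs, self.path, self.kind)
        return self.context


if __name__ == "__main__":
    policy_only = build_specs()
    with_local = build_specs(LOCAL_FILE_CONTEXTS)
    print("default for /etc/hosts, policy only :", selinux_type(lookup_default_context(policy_only, "/etc/hosts")))
    print("default for /etc/hosts, with local  :", selinux_type(lookup_default_context(with_local, "/etc/hosts")))
    hosts = LabeledFile("/etc/hosts", "file", with_local)
    print("after chcon                         :", selinux_type(hosts.chcon("public_content_rw_t")))
    print("after restorecon                    :", selinux_type(hosts.restorecon()))
```

Running it reproduces the sequence from the video: with only the policy specs, /etc/hosts resolves to net_conf_t; once the local line is present it resolves to samba_share_t; chcon to public_content_rw_t is visible until restorecon, which puts samba_share_t back. Removing the local text (the equivalent of restoring the backed-up files directory) makes the same restorecon return net_conf_t again.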