SELinux
Security-Enhanced Linux (SELinux) adds a mandatory access control layer on top of the standard discretionary, owner-based permissions of a Linux system. This extra layer keeps user data safe because the policy, not the file owner or a compromised process, decides which accesses are allowed. An SELinux context is a label attached to every process and every file; it carries a user, a role, a type and a sensitivity level, and the policy uses these fields to make access control decisions. The context of a file is generally derived from the context of its parent directory.
chcon
To grant or deny access through SELinux you often need to alter a file's context. chcon (change context) is the command that changes the SELinux context of a file or directory. New files and directories inherit the context of the directory they are created in, which is why labelling the parent directory correctly matters.
$ sudo mkdir /data
$ ls -Zd /data
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data
We create a directory called /data. ls -Zd shows the SELinux context of the directory itself rather than of its contents.
$ sudo chcon -t httpd_sys_content_t /data
$ ls -Zd /data
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /data
With chcon -t we changed the type of /data from its default, default_t, to httpd_sys_content_t, the type the web server is allowed to read.
restorecon
restorecon resets the context of files and directories to the default defined by the SELinux policy's file-context rules, discarding labels that were set with chcon.
$ sudo restorecon -v /data
restorecon reset /data context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
semanage
semanage is the policy management tool for SELinux. It changes settings such as the port type a service may use, without modifying or recompiling the policy sources. It is another way to set the SELinux context of files: semanage can map Linux usernames to SELinux user identities and define the security context of objects such as file paths, network ports, interfaces and hosts. By default SELinux only allows known services to bind to known ports, so when a service must use a non-default port, semanage is used to permit it.
$ sudo semanage fcontext -a -t httpd_sys_content_t '/data(/.*)?'
This adds a file-context rule for /data and everything beneath it: the regular expression /data(/.*)? matches the directory itself and all of its contents. The rule is recorded in the policy; nothing is relabelled yet.
$ sudo semanage fcontext -l
/data(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0
Only the /data rule is shown above; the full listing contains every file-context rule in the policy. Then we apply the new rule to the existing directory with restorecon:
$ sudo restorecon -v /data
restorecon reset /data context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
Difference between semanage and chcon
With both semanage and chcon we can change the SELinux context of a file or directory, but there is a major difference between the two. Changes made with chcon are temporary, whereas changes made with semanage are persistent. A context set with chcon goes back to the default the next time restorecon (or a full filesystem relabel) runs. With semanage fcontext we define the rule itself; restorecon then relabels the filesystem according to the rules semanage has set, which is what makes semanage changes persistent. Therefore chcon is not advisable for any context change that has to survive a relabel.
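As an added example (not part of the original post), the following POSIX shell check compares the live type of each path from an `ls -Z` listing against the type the matching `semanage fcontext -l` rule assigns, so labels set with chcon that a relabel would revert can be spotted before restorecon surprises anyone. The sample listings, the rule matching (last match wins) and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: report files whose live SELinux
# type (from `ls -Z`) differs from the type the matching `semanage fcontext -l`
# rule assigns; such drift usually means a chcon label that restorecon would undo.
# Assumes the 5-column `ls -Z` layout shown in the post and paths without spaces.

# Type component of a context string: user:role:type:level -> type
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Policy type for PATH from an fcontext listing on stdin (column 1 = rule
# regex, last column = context). The last matching rule wins, a simplification
# of libselinux's matching where more specific rules are listed later.
policy_type_for() {
    path=$1 found=
    while read -r regex rest; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            found=${rest##* }
        fi
    done
    [ -n "$found" ] && context_type "$found"
}

# Compare an `ls -Z` listing ($1) against an fcontext listing ($2). Prints one
# "DRIFT path live=T policy=T" line per mismatch and returns 1 if any was
# found; paths that no rule covers are skipped.
check_label_drift() {
    out=$(printf '%s\n' "$1" | awk '{ print $NF, $4 }' |
        while read -r path ctx; do
            live=$(context_type "$ctx")
            policy=$(printf '%s\n' "$2" | policy_type_for "$path") || continue
            [ "$live" = "$policy" ] ||
                printf 'DRIFT %s live=%s policy=%s\n' "$path" "$live" "$policy"
        done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample input: /data/index.html was relabelled with chcon and
# /etc/hosts carries the wrong type, while /data itself matches policy.
LS_SAMPLE='drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /data
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /data/index.html
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/hosts'
FC_SAMPLE='/data(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/etc/hosts regular file system_u:object_r:net_conf_t:s0'

check_label_drift "$LS_SAMPLE" "$FC_SAMPLE" || echo "run restorecon -v on the paths above"
```

On a real host, feed it the output of `ls -Z` for the paths of interest and of `semanage fcontext -l` instead of the constructed samples.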
from Planet Python