Red Hat: SELinux Context
Every file has an SELinux context. The context is made up of four items: the user, role, type and security level (used by MLS).
View the Current Context of a file or directory
To check the SELinux context of a file or directory, use 'ls -Z':
ls -Z anaconda-ks.cfg
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
The most important part of the context is the type. For a service such as FTP or HTTP, the type determines whether and how a folder can be used. The context of the default FTP directory is shown below.
ls -Z /var/ftp/
-rw-------. root root system_u:object_r:public_content_t pub
Changing the Context
If, for example, you wanted to use a non-standard directory for FTP, the new folder would need the same context as the default folder. Currently there is only the object role (object_r) for files, so the role usually does not need changing.
The -R flag sets the context recursively on all files and sub-folders.
chcon -R -u system_u -t public_content_t <new folder>
Another way to set the context on the new folder is to copy it from the default folder using the --reference flag. This sets the context of the new folder to match the reference folder.
chcon -R --reference /var/ftp <new folder>
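Before running chcon on a new folder it helps to know which entries actually differ from the reference. The script below is an added example, not from the original page: it splits a context into its four fields and audits `ls -Z` output against a reference type. It assumes the five-column `ls -Z` layout shown above (mode owner group context name); the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): split an SELinux context into its
# four fields and audit `ls -Z` output against a reference type.
# Assumes the five-column `ls -Z` layout shown above: mode owner group context name.
# Sample lines below are constructed, not captured from a real host.

# The MLS/MCS level may itself contain colons (e.g. s0-s0:c0.c1023), so only the
# first three fields are split on ':'; whatever remains is the level.
ctx_user()  { printf '%s\n' "${1%%:*}"; }
ctx_role()  { r="${1#*:}"; printf '%s\n' "${r%%:*}"; }
ctx_type()  { r="${1#*:}"; r="${r#*:}"; printf '%s\n' "${r%%:*}"; }
ctx_level() {
    r="${1#*:}"; r="${r#*:}"
    case "$r" in *:*) printf '%s\n' "${r#*:}" ;; *) printf '\n' ;; esac
}

# Read `ls -Z` lines on stdin and print every entry whose type differs from
# the reference type; exit status 1 if any mismatch was found, else 0.
audit_types() {
    ref_type="$1"; found=0
    while read -r mode owner group ctx name; do
        [ -z "$ctx" ] && continue
        t=$(ctx_type "$ctx")
        if [ "$t" != "$ref_type" ]; then
            printf '%s: %s (expected %s)\n' "$name" "$t" "$ref_type"
            found=1
        fi
    done
    return "$found"
}

# Constructed `ls -Z` output for a candidate FTP directory: one entry already
# has the FTP type, one was moved in from a home directory (mv keeps the
# original context), one is a fresh directory that got default_t with an MCS range.
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:public_content_t:s0 index.txt
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 upload.tar
drwxr-xr-x. root root system_u:object_r:default_t:s0-s0:c0.c1023 incoming'

# Compare the sample against the type of the default FTP directory (/var/ftp).
audit_sample() { printf '%s\n' "$SAMPLE_LS_Z" | audit_types public_content_t; }

audit_sample || printf 'Fix with: chcon -R --reference /var/ftp <new folder>\n'
```

On a real host, replace the constructed sample with `ls -Z <new folder> | audit_types "$(ctx_type "$(ls -dZ /var/ftp | awk '{print $4}')")"` to audit against the live reference directory.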
Restore Context
If you make a mistake when changing the context, all is not lost. The context can be restored using the restorecon command:
restorecon -F <folder>
However, it may not restore the context as it was before!
The /etc/selinux/targeted/context/file_context file defines what contexts are applied. As an example, if you were to restore the context on a /ftp folder (in /), by default it would be restored to the system_u user and default_t type.
This is due to a line in the file_context file. All files and folders in the / root directory will be restored to the context shown:
/. system_u:object_r:default_t
Process Context
It is not only files that have a context: all processes have one too. To view them, use the ps -eZ command.