When to use security context in SELinux command?

Sometimes you might not know what SELinux context you should be setting for a file. In that case, you can use the security context of another file as a reference and assign it to your file. Instead of specifying the full SELinux context for the file, you reuse another file’s context.

What is the chcon command in SELinux for?

In SELinux, one of the frequent tasks you may perform is changing the security context of an object. For this, you’ll use the chcon command. chcon stands for Change Context. This command is used to change the SELinux security context of a file.

What to do if SELinux denies access to a file?

Now that you are aware that SELinux governs file access by verifying the security context of the process (the domain) and the context of the file, it is time to find out how to troubleshoot in more detail when SELinux denies a certain access.

Where to find SELinux security context in WordPress?

The above line indicates that the main configuration file of WordPress named wp-config.php should receive the SELinux security context label: This SELinux label will only be applied, however, if the file is located in /usr/share/wordpress-mu/, which is almost certainly not the case on your system.

How does the chcon command change the SELinux context?

The chcon command changes the SELinux context for files. However, changes made with the chcon command do not survive a file system relabel, or the execution of the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file.
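The following is an added example, not part of the original page: it parses the dry-run report of restorecon -n -v to list files whose current label differs from the policy default, which is exactly the set of chcon changes a relabel would undo. The sample output lines, paths and function names are constructed for illustration, and both the newer "Would relabel" and the older "restorecon reset" report styles are handled.

```python
import re

# Constructed sample of `restorecon -n -v` (dry-run) output in both the newer
# "Would relabel" style and the older "restorecon reset" style.
SAMPLE = """\
Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /srv/web/upload.php context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon: some unrelated warning line
"""

NEW_STYLE = re.compile(r"^(?:Would relabel|Relabeled) (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")
OLD_STYLE = re.compile(r"^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$")
FIELDS = ("user", "role", "type", "level")

def split_context(ctx):
    """Split user:role:type[:level]; the level may contain colons (s0:c1,c2)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    parts += [None] * (4 - len(parts))
    return dict(zip(FIELDS, parts))

def find_drift(output):
    """Return one record per file whose label a relabel would change."""
    drift = []
    for line in output.splitlines():
        m = NEW_STYLE.match(line.strip()) or OLD_STYLE.match(line.strip())
        if not m:
            continue  # skip warnings and anything that is not a relabel report
        current, expected = split_context(m["old"]), split_context(m["new"])
        drift.append({
            "path": m["path"],
            "current_type": current["type"],
            "expected_type": expected["type"],
            "changed": [f for f in FIELDS if current[f] != expected[f]],
        })
    return drift

if __name__ == "__main__":
    for item in find_drift(SAMPLE):
        print(f"{item['path']}: {item['current_type']} -> {item['expected_type']}")
```

On a live system the input would be the output of restorecon run with -n (report only, change nothing) and -v over the directory of interest.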

How to change the root context in SELinux?

By default, you can use chcon to recursively change the SELinux context on all the files under your root filesystem, as shown below. This is the "don’t preserve root" behavior (i.e. --no-preserve-root is the default). WARNING: Don’t execute this command on your system. You’ll end up with an unusable system.

Is there a way to remove the SELinux label?

Theoretically you could also take a virtual machine, or another machine (or perhaps just find them online) and copy the known good defaults into their proper directories, and allow the system to relabel in order to get the proper defaults. This too will have some shortcomings though.

How does SELinux control file and directory information?

Allow any process that runs as the root Linux user to read the slocate directory information.
Allow any process that runs as the root Linux user to write into the slocate directory (create files and such).
Allow any process that runs as the root Linux user to enter the slocate directory (and thus search for files within).

How does SELinux tell what privileges a process has?

In the previous tutorial, we learned that SELinux adds another method for determining what privileges a process has: a security context. This security context, together with the run-time user that the process runs as, defines what the process is allowed to do.