user guide drafts: Maintaining SELinux Labels

[Murray McAllister <mmcallis@redhat.com>]

Hi,

The following are the first few drafts of the "Maintaining SELinux 
Labels" sections. Any comments and corrections are appreciated.

Cheers.

Copying Files and Directories

When files and directories are copied, they inherit the SELinux context 
of the parent directory they are copied to. This helps ensure files and 
directories are labeled with the correct SELinux context after being 
moved. The following example demonstrates copying a file from a user's 
home directory to /var/www/html/, which is used by the Apache HTTP 
Server. Since the file is copied, it inherits the correct SELinux context:

1. Run the cd command without any arguments to change into your home 
directory. Once in your home directory, run the touch file1 command to 
create a file. This file is labeled with the user_home_t type:

$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

2. Run the ls -dZ /var/www/html/ command to view the SELinux context of 
the /var/www/html/ directory:

$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 
/var/www/html/

By default, the /var/www/html/ directory is labeled with the 
httpd_sys_content_t type. Files and directories created under the 
/var/www/html/ directory inherit this type, and as such, they are 
labeled with this type.

3. As the Linux root user, run the cp file1 /var/www/html command to 
copy file1 to the /var/www/html/ directory. Since this file is copied, 
it inherits the httpd_sys_content_t type from the /var/www/html/ directory:

# cp file1 /var/www/html/
# ls -Z /var/www/html/file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 
/var/www/html/file1

<important note>
Copy files and directories, rather than moving them. This helps ensure 
they are labeled with the correct SELinux contexts. Incorrect SELinux 
contexts can prevent processes from accessing such files and directories.
</important note>

Moving Files and Directories

File and directories keep their current SELinux context when they are 
moved. In many cases, this is incorrect for the location they are being 
moved to. The following example demonstrates moving a file from a user's 
home directory to /var/www/html/, which is used by the Apache HTTP 
Server. Since the file is moved, it does not inherit the correct SELinux 
context:

1. Run the cd command without any arguments to change into your home 
directory. Once in your home directory, run the touch file1 command to 
create a file. This file is labeled with the user_home_t type:

$ ls -Z file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 file1

2. Run the ls -dZ /var/www/html/ command to view the SELinux context of 
the /var/www/html/ directory:

$ ls -dZ /var/www/html/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 
/var/www/html/

By default, the /var/www/html/ directory is labeled with the 
httpd_sys_content_t type. Files and directories created under the 
/var/www/html/ directory inherit this type, and as such, they are 
labeled with this type.

3. As the Linux root user, run the mv file1 /var/www/html command to 
move file1 to the /var/www/html directory. Since this file is moved, it 
keeps its current user_home_t type:

# mv file1 /var/www/html
# ls -Z /var/www/html/file1
-rw-rw-r--  user1 group1 unconfined_u:object_r:user_home_t:s0 
/var/www/html/file1

By default, the Apache HTTP Server can not read files that are labeled 
with the user_home_t type. If all files comprising a web page are 
labeled with the user_home_t type, or another type that the Apache HTTP 
Server can not read, permission is denied when attempting to access them 
via Firefox or text-based Web browsers.

<important note>
Moving files and directories with the mv command may result in the wrong 
SELinux context, preventing processes, such as the Apache HTTP Server 
and Samba, from accessing such files and directories.
</important note>

Checking the Default SELinux Context

Use the /usr/sbin/matchpathcon command to check if files and directories 
have the correct SELinux context. From the matchpathcon(8) manual page: 
"matchpathcon queries the system policy and outputs the default security 
context associated with the file path."[1]. The following example 
demonstrates using the /usr/sbin/matchpathcon command to verify that 
files in /var/www/html/ directory are labeled correctly:

1. As the Linux root user, run the touch /var/www/html/file{1,2,3} 
command to create three files (file1, file2, and file3). These files 
inherit the httpd_sys_content_t type from the /var/www/html/ directory:

# touch /var/www/html/file{1,2,3}
# ls -Z /var/www/html/
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 file3

2. As the Linux root user, run the chcon -t samba_share_t 
/var/www/html/file1 command to change the file1 type to samba_share_t. 
Note: the Apache HTTP Server can not read files or directories labeled 
with the samba_share_t type.

3. The /usr/sbin/matchpathcon -V option compares the current SELinux 
context to the correct, default context in SELinux policy. Run the 
/usr/sbin/matchpathcon -V /var/www/html/* command to check all files in 
the /var/www/html/ directory:

$ /usr/sbin/matchpathcon -V /var/www/html/*
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, 
should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.

The following output from the /usr/sbin/matchpathcon command explains 
that file1 is labeled with the samba_share_t type, but should be labeled 
with the httpd_sys_content_t type:

/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, 
should be system_u:object_r:httpd_sys_content_t:s0

To resolve the label problem and allow the Apache HTTP Server access to 
file1, as the Linux root user, run the /sbin/restorecon -v 
/var/www/html/file1 command:

# /sbin/restorecon -v /var/www/html/file1
restorecon reset /var/www/html/file1 context 
unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0


[1] The matchpathcon(8) manual page, as shipped with the 
libselinux-utils package in Fedora, is written by Daniel Walsh. Any 
edits or changes in this version were done by Murray McAllister.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.