next up previous contents
Next: Manage SELinux Booleans Up: SELinux Previous: 啟動、關閉與觀察   Contents

SELinux Contexts

  1. Display Contexts
    [root@deyu ~]# ps axZ | grep sshd
    system_u:system_r:sshd_t:s0-s0:c0.c1023 2054 ? Ss     0:00 /usr/sbin/sshd
    #user:role:type:range
    #for a process, the type is also called the domain of the process
    
    [root@deyu ~]# ls -Z anaconda-ks.cfg 
    -rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
    
  2. File's context depends on where it was created
    [root@deyu ~]# cal > ~/index.html
    [root@deyu ~]# cal > /var/www/html/index.html
    [root@deyu ~]# ls -Z ~/index.html /var/www/html/index.html 
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/index.html
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
    [root@deyu ~]# ls -Zd ~ /var/www/html
    dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
    drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
    
  3. 測試httpd檔案
    [root@deyu ~]# /etc/init.d/httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]
    [root@deyu ~]# curl http://127.0.0.1/index.html
        December 2011   
    Su Mo Tu We Th Fr Sa
                 1  2  3
     4  5  6  7  8  9 10
    11 12 13 14 15 16 17
    18 19 20 21 22 23 24
    25 26 27 28 29 30 31
    
    [root@deyu ~]# mv index.html /var/www/html/index.html 
    mv: overwrite `/var/www/html/index.html'? y
    
    [root@deyu ~]# curl http://127.0.0.1/index.html
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /index.html
    on this server.</p>
    <hr>
    <address>Apache/2.2.15 (CentOS) Server at 127.0.0.1 Port 80</address>
    </body></html>
    
  4. Change index.html SELinux security context
    [root@deyu ~]# ls -Z /var/www/html/index.html 
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index.html
    [root@deyu ~]# chcon -t httpd_sys_content_t /var/www/html/index.html
    [root@deyu ~]# ls -Z /var/www/html/index.html 
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
    [root@deyu ~]# curl http://127.0.0.1/index.html
        December 2011   
    Su Mo Tu We Th Fr Sa
                 1  2  3
     4  5  6  7  8  9 10
    11 12 13 14 15 16 17
    18 19 20 21 22 23 24
    25 26 27 28 29 30 31
    
  5. Restore the context of index.html
    [root@deyu ~]# cal > ~/index.html
    [root@deyu ~]# mv index.html /var/www/html/index.html 
    mv: overwrite `/var/www/html/index.html'? y
    [root@deyu ~]# restorecon -Rv /var/www/html/index.html
    restorecon reset /var/www/html/index.html context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
    
    [root@deyu ~]# curl http://127.0.0.1/index.html
        December 2011   
    Su Mo Tu We Th Fr Sa
                 1  2  3
     4  5  6  7  8  9 10
    11 12 13 14 15 16 17
    18 19 20 21 22 23 24
    25 26 27 28 29 30 31
    



2015-04-13