
SELinux Contexts

  1. Display Contexts
    [root@deyu ~]# ps axZ | grep sshd
    system_u:system_r:sshd_t:s0-s0:c0.c1023 2054 ? Ss     0:00 /usr/sbin/sshd
    #context fields are user:role:type:range (the range is the MLS/MCS level, here s0-s0:c0.c1023)
    #for a process, the type is also called the domain of the process
    
    [root@deyu ~]# ls -Z anaconda-ks.cfg 
    -rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
    
  2. A file's context depends on where it was created (a new file inherits the type of its parent directory)
    [root@deyu ~]# cal > ~/index.html
    [root@deyu ~]# cal > /var/www/html/index.html
    [root@deyu ~]# ls -Z ~/index.html /var/www/html/index.html 
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/index.html
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
    [root@deyu ~]# ls -Zd ~ /var/www/html
    dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root
    drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
    
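  3. 測試httpd檔案 (test serving the file through httpd)
    #mv keeps the context the file already had (admin_home_t), so after the move httpd is denied read access and answers 403
    #even though the Unix permissions allow it; when auditd is running the denial is logged as an AVC message in /var/log/audit/audit.log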
    [root@deyu ~]# /etc/init.d/httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd:                                            [  OK  ]
    [root@deyu ~]# curl http://127.0.0.1/index.html
        December 2011   
    Su Mo Tu We Th Fr Sa
                 1  2  3
     4  5  6  7  8  9 10
    11 12 13 14 15 16 17
    18 19 20 21 22 23 24
    25 26 27 28 29 30 31
    
    [root@deyu ~]# mv index.html /var/www/html/index.html 
    mv: overwrite `/var/www/html/index.html'? y
    
    [root@deyu ~]# curl http://127.0.0.1/index.html
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /index.html
    on this server.</p>
    <hr>
    <address>Apache/2.2.15 (CentOS) Server at 127.0.0.1 Port 80</address>
    </body></html>
    
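  4. Change the SELinux security context of index.html
    #chcon only rewrites the label stored on the file; it is not recorded in the policy, so a later restorecon or filesystem relabel resets it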
    [root@deyu ~]# ls -Z /var/www/html/index.html 
    -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/index.html
    [root@deyu ~]# chcon -t httpd_sys_content_t /var/www/html/index.html
    [root@deyu ~]# ls -Z /var/www/html/index.html 
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
    [root@deyu ~]# curl http://127.0.0.1/index.html
        December 2011   
    Su Mo Tu We Th Fr Sa
                 1  2  3
     4  5  6  7  8  9 10
    11 12 13 14 15 16 17
    18 19 20 21 22 23 24
    25 26 27 28 29 30 31
    
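  5. Restore the default context of index.html
    #restorecon applies the type the policy's file-context rules define for the path, so the result survives a relabel;
    #for a path the policy does not cover, add a rule with semanage fcontext first and then run restorecon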
    [root@deyu ~]# cal > ~/index.html
    [root@deyu ~]# mv index.html /var/www/html/index.html 
    mv: overwrite `/var/www/html/index.html'? y
    [root@deyu ~]# restorecon -Rv /var/www/html/index.html
    restorecon reset /var/www/html/index.html context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:httpd_sys_content_t:s0
    
    [root@deyu ~]# curl http://127.0.0.1/index.html
        December 2011   
    Su Mo Tu We Th Fr Sa
                 1  2  3
     4  5  6  7  8  9 10
    11 12 13 14 15 16 17
    18 19 20 21 22 23 24
    25 26 27 28 29 30 31
    



2015-04-13