
I am learning about SELinux and have a question:

There doesn't appear to be a direct correlation between the fields of the source and the target. For example, Apache may run with Type httpd_t and the files under /var/www/html/ may have the type label set to httpd_sys_content_t. These "labels" appear to be just human-readable strings, unless I am wrong.

So where is the mapping? How does the system know which target contexts are allowed to be accessed by processes with any specific source context?

semanage fcontext -a will set a custom file context policy, which can then be attached to matching files with restorecon, but this does not tell me what Type should be used.

What is the "purpose" of the User, Role, and Level fields? Which fields have to match for an action to be allowed?

On a related note: How does a process get labeled with a specific source context?


1 Answer


The fields are explained here: Contexts.

However, average users that don't use MLS, which is most of us, are only concerned with type enforcement (httpd_t).

SELinux contexts have several fields: user, role, type, and security level. The SELinux type information is perhaps the most important when it comes to the SELinux policy, as the most common policy rule which defines the allowed interactions between processes and system resources uses SELinux types and not the full SELinux context. SELinux types end with _t. For example, the type name for the web server is httpd_t. The type context for files and directories normally found in /var/www/html/ is httpd_sys_content_t. The type context for files and directories normally found in /tmp and /var/tmp/ is tmp_t. The type context for web server ports is http_port_t.


You can consider httpd_sys_content_t a sub file-context type of httpd_t; it's defined in file-contexts.

In general, I'd recommend, as a quick lookup, searching the code in the refpolicy repo for info on how built-in types are defined. It's one of the quickest ways to get answers, IMO.

Next to using

seinfo --all|grep httpd_sys_content_t

or

sesearch -t httpd_t -A

or

sesearch -s httpd_t -A

or

semanage fcontext -l | grep httpd_sys_content_t

Even better, grab the sources for the policy of your distro and grep the source tree for that type to get more accurate info that applies to your distro's revision of the policy.

The macros can be a little intimidating when they appear in refpolicy sources, but you can search for their definition as well.
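To make the source-to-target mapping concrete, here is an added example (not from the answer above, and the policy fragment is constructed, not any distro's real policy) that parses a few .te-style statements and evaluates access the way type enforcement does: only the type field of each context is consulted, so user, role and level are ignored, and a type_transition rule shows how the process domain is chosen on exec. It deliberately skips the extra allow rules (execute, entrypoint, transition) a real domain transition also requires; on a live system, sesearch answers the same question against the compiled policy.

```python
import re
# Constructed policy fragment in SELinux .te syntax (example data, not any
# distro's real policy); the type names mirror those in the question.
POLICY = """
attribute httpdcontent;
type httpd_t; type init_t; type httpd_exec_t; type tmp_t;
type httpd_sys_content_t, httpdcontent;
allow httpd_t httpdcontent:file { getattr open read };
allow httpd_t httpd_sys_content_t:dir { search getattr };
allow init_t httpd_exec_t:file { read execute };
type_transition init_t httpd_exec_t:process httpd_t;
"""
def parse_policy(text):
    """Return (type -> attributes, allow rules, type_transition rules)."""
    attrs, allows, trans = {}, [], {}
    for stmt in text.split(";"):
        words = re.sub(r"[{}:,]", " ", stmt).split()
        if not words:
            continue
        if words[0] == "type":                       # type NAME [, attr...]
            attrs[words[1]] = set(words[2:])
        elif words[0] == "allow":                    # allow SRC TGT:CLASS { perms }
            src, tgt, cls, *perms = words[1:]
            allows.append((src, tgt, cls, set(perms)))
        elif words[0] == "type_transition":          # type_transition SRC TGT:process NEW
            src, tgt, cls, new = words[1:]
            trans[(src, tgt, cls)] = new
    return attrs, allows, trans

def type_of(context):
    """Third field of user:role:type[:level]; TE rules consult only this."""
    return context.split(":")[2]

def expand(t, attrs):
    return {t} | attrs.get(t, set())  # a type also matches rules on its attributes

def te_allowed(src_ctx, tgt_ctx, cls, perm, policy):
    """True if some allow rule joins the source type to the target type for perm."""
    attrs, allows, _ = policy
    srcs, tgts = expand(type_of(src_ctx), attrs), expand(type_of(tgt_ctx), attrs)
    return any(s in srcs and t in tgts and c == cls and perm in perms
               for s, t, c, perms in allows)

def domain_after_exec(src_ctx, exec_ctx, policy):
    """New process type on exec: the type_transition target, else the caller's type."""
    _, _, trans = policy
    src, exe = type_of(src_ctx), type_of(exec_ctx)
    return trans.get((src, exe, "process"), src)

POL = parse_policy(POLICY)
```

Note that the first check below passes even though the file's user field is unconfined_u while the process runs as system_u: the allow rule keys on types (here via the httpdcontent attribute), and the other fields never enter the decision.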
