Modifying File Contexts in SELinux

Posted on the 08 June 2021 by Satish Kumar @satish_kumar86

We now know how to set SELinux contexts, both directly through tools such as chcon as well as through the restorecon application, which queries the SELinux context list to know what context a file should have. Yet restorecon is not the only application that considers this context list.

Using setfiles, rlpkg, and fixfiles

The setfiles application is an older one, which requires the path to the context list file itself to reset contexts. It is often used under the hood of other applications, so most administrators do not need to call setfiles directly anymore:

# setfiles /etc/selinux/targeted/contexts/files/file_contexts /srv/web

Another set of tools are the rlpkg (Gentoo) and fixfiles (CentOS and related distributions) applications. Both these applications have a nice feature: they can be used to reset the contexts of the files of an application rather than having to iterate over the files manually and run restorecon against them.

In the next example, we’re using these tools to restore the contexts of the files provided by the nginx package:

# rlpkg nginx
# fixfiles -R nginx restore

Another feature of both applications is that they can be used to relabel the entire filesystem without the need to perform a system reboot, like so:

# rlpkg -a -r
# fixfiles -f -F relabel

Of course, this is not as fine-grained as the commands before.

Relabeling the entire filesystem

The rlpkg and fixfiles commands as listed in the previous section are not the only available approaches for relabeling the entire filesystem when working with a CentOS (or related) distribution. SELinux offers two other methods to ask the system to perform a full filesystem relabeling operation during (re)boot: placing a touch file (which the system reads at boot time) or configuring a boot parameter.

The touch file is called .autorelabel and should be placed in the root filesystem. Once set, the system needs to be rebooted:

# touch /.autorelabel
# reboot

We trigger the same behavior if we add the autorelabel=1 parameter to the boot parameter list (the same place where we set the selinux= and enforcing= parameters, as discussed earlier).

Asking the system to perform a full filesystem relabeling operation will take a while. When finished, the system will reboot again. Touch files will be removed automatically after the relabeling operation has finished.
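Because a full relabel makes the next boot take much longer, it is worth checking for either trigger before rebooting. The following check is an added example, not part of the original article; the function name relabel_pending and its two optional arguments (an alternate root directory and an alternate kernel command-line file) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether the next boot will trigger a full relabel.
# relabel_pending [ROOT] [CMDLINE_FILE]
#   ROOT          root filesystem to inspect (default: /)
#   CMDLINE_FILE  kernel command line to inspect (default: /proc/cmdline)
# Prints the trigger(s) found and returns 0; returns 1 if none is set.
relabel_pending() {
    root=${1:-/}
    cmdline=${2:-/proc/cmdline}
    reasons=""

    # Trigger 1: the touch file in the root filesystem.
    if [ -e "${root%/}/.autorelabel" ]; then
        reasons="touch-file"
    fi

    # Trigger 2: autorelabel=1 as a whole boot parameter, not a substring
    # of some other parameter.
    if [ -r "$cmdline" ] &&
       tr -s ' \t' '\n\n' < "$cmdline" | grep -Fqx 'autorelabel=1'; then
        reasons="${reasons:+$reasons,}boot-parameter"
    fi

    if [ -n "$reasons" ]; then
        printf '%s\n' "$reasons"
        return 0
    fi
    return 1
}

# Usage on a live system:
#   if relabel_pending; then echo "full relabel will run on next boot"; fi
```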

Automatically setting context with restorecond

Contexts can also be applied by the restorecond daemon. The purpose of this daemon is to enforce the expression list rules onto a configurable set of locations, defined in the /etc/selinux/restorecond.conf file.

The following set of files and directories is an example list of locations configured in the restorecond.conf file so that restorecond automatically applies the SELinux contexts on these files and directories whenever it detects a context change in them:

/etc/services
/etc/resolv.conf
/etc/samba/secrets.tdb
...
/root/.ssh/*

In this case, if a process creates a file that matches any of the paths listed above, the Linux inotify subsystem will notify restorecond of it. restorecond will then relabel the file according to the expression list, applying the correct label regardless of the process (and context) that created the file.

The use of restorecond is primarily for historical reasons, dating from when SELinux didn’t support named file transitions. At that time, writing resolv.conf in /etc could not be differentiated from writing to the passwd file in /etc. The introduction of named file transitions has considerably reduced the need for restorecond.

Setting SELinux context at boot with tmpfiles

If the Linux distribution uses systemd, then you can use systemd-tmpfiles to automatically set SELinux context at boot. systemd uses the tmpfiles application to automatically create and manage volatile locations on the system, such as locations inside /run when /run is a tmpfs-mounted filesystem (an in-memory filesystem).

Administrators can configure tmpfiles to automatically create files, directories, device files, symbolic links, and others at boot, and to reset the permissions on resources. It is through this reset operation that we can use tmpfiles to set the right SELinux context at boot time.

The example we gave used a directory called /tmp/tmp-inst, which had to have the 000 permission set, and which will host the user-oriented /tmp views. Rather than having to create and set this permission each time, we can configure tmpfiles to do this for us, and define the right SELinux context up front:

# semanage fcontext -a -t tmp_t -f d "/tmp/tmp-inst"

In /etc/tmpfiles.d, we create a file called selinux-polyinstantiation.conf with the following content:

d /tmp/tmp-inst 000 root root

The name of the file can be chosen freely, but make sure it uses the .conf suffix. Every time the system boots, systemd-tmpfiles will ensure that the /tmp/tmp-inst directory is created with the appropriate permissions.

If a location does not need to be created, but only its SELinux context reset, then you can use the z (one resource) or Z (recursively) options in the tmpfiles configuration. This is used, for instance, by the default SELinux tmpfiles configuration, selinux-policy.conf, in /usr/lib/tmpfiles.d:

z /sys/devices/system/cpu/online - - -

The - entries inform tmpfiles not to adjust the permissions and ownership, and only to reset the SELinux context.
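When reviewing tmpfiles.d snippets, it helps to see which entries only reset the SELinux context and which also change mode or ownership. The following classifier is an added example, not part of the original article; the function names and the sample configuration are constructed for illustration, and it assumes plain type letters and unquoted paths without spaces.

```shell
#!/bin/sh
# Added example: classify tmpfiles.d entries by their effect on labels.
# classify_tmpfiles [FILE...]   (reads stdin when no file is given)
# Prints "EFFECT PATH" per entry:
#   relabel-only       z line leaving mode, user and group untouched
#   relabel-recursive  Z line leaving mode, user and group untouched
#   relabel+perms      z/Z line that also resets mode or ownership
#   create(mode=M)     d line; its label comes from the context list
#   other              any other entry type
classify_tmpfiles() {
    awk '
        NF == 0    { next }              # blank line
        $1 ~ /^#/  { next }              # comment
        {
            type = $1; path = $2
            # Omitted trailing fields behave like "-".
            mode  = (NF >= 3) ? $3 : "-"
            user  = (NF >= 4) ? $4 : "-"
            group = (NF >= 5) ? $5 : "-"
            untouched = (mode == "-" && user == "-" && group == "-")
            if (type == "z" || type == "Z") {
                if (!untouched)        effect = "relabel+perms"
                else if (type == "Z")  effect = "relabel-recursive"
                else                   effect = "relabel-only"
            } else if (type == "d") {
                effect = "create(mode=" mode ")"
            } else {
                effect = "other"
            }
            print effect, path
        }
    ' "$@"
}

# Constructed sample input: the two lines from the article plus two more.
sample_tmpfiles_conf() {
    cat <<'EOF'
# constructed sample, not a shipped configuration
d /tmp/tmp-inst 000 root root
z /sys/devices/system/cpu/online - - -
Z /srv/web
z /etc/resolv.conf 0644 root root
EOF
}

# Usage: sample_tmpfiles_conf | classify_tmpfiles
#        classify_tmpfiles /etc/tmpfiles.d/*.conf
```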
