We now know how to set SELinux contexts, both directly through tools such as chcon and through the restorecon application, which queries the SELinux context list to know what context a file should have. Yet restorecon is not the only application that considers this context list.
Using setfiles, rlpkg, and fixfiles
The setfiles application is an older one, which requires the path to the context list file itself to reset contexts. It is often used under the hood of other applications, so most administrators do not need to call setfiles directly anymore:
# setfiles /etc/selinux/targeted/contexts/files/file_contexts /srv/web
Another set of tools are the rlpkg (Gentoo) and fixfiles (CentOS and related distributions) applications. Both applications have a nice feature: they can be used to reset the contexts of the files of an application, rather than having to iterate over the files manually and run restorecon against them.
In the next example, we use these tools to restore the contexts of the files provided by the nginx package:
# rlpkg nginx
# fixfiles -R nginx restore
Another feature of both applications is that they can be used to relabel the entire filesystem without the need to perform a system reboot, like so:
# rlpkg -a -r
# fixfiles -f -F relabel
Of course, this is not as fine-grained as the commands before.
Relabeling the entire filesystem
The rlpkg and fixfiles commands listed in the previous section are not the only available approaches for relabeling the entire filesystem when working with a CentOS (or related) distribution. SELinux offers two other methods to ask the system to perform a full filesystem relabeling operation during (re)boot: placing a touch file (which the system reads at boot time) or configuring a boot parameter.
The touch file is called .autorelabel and should be placed in the root filesystem. Once set, the system needs to be rebooted:
# touch /.autorelabel
# reboot
We trigger the same behavior if we add the autorelabel=1 parameter to the boot parameter list (alongside the selinux= and enforcing= parameters discussed earlier).
Asking the system to perform a full filesystem relabeling operation will take a while. When finished, the system will reboot again. Touch files will be removed automatically after the relabeling operation has finished.
Automatically setting context with restorecond
Contexts can also be applied by the restorecond daemon. The purpose of this daemon is to enforce the expression list rules onto a configurable set of locations, defined in the /etc/selinux/restorecond.conf file.
The following set of files and directories is an example list of locations configured in the restorecond.conf file so that restorecond automatically applies the SELinux contexts on these files and directories whenever it detects a context change in them:
/etc/services
/etc/resolv.conf
/etc/samba/secrets.tdb
...
/root/.ssh/*
In this case, if a process creates a file that matches any of the previously listed paths, the Linux inotify subsystem will notify restorecond of it. restorecond will then relabel the file according to the expression list, applying the correct label regardless of the process (and context) that created the file.
The use of restorecond is primarily for historical reasons, from when SELinux didn't support named file transitions. At that time, writing resolv.conf in /etc could not be differentiated from writing to the passwd file in /etc. The introduction of named file transitions has considerably reduced the need for restorecond.
Setting SELinux context at boot with tmpfiles
If the Linux distribution uses systemd, then you can use systemd-tmpfiles to automatically set SELinux context at boot. systemd uses the tmpfiles application to automatically create and manage volatile locations on the system, such as locations inside /run when /run is a tmpfs-mounted filesystem (an in-memory filesystem).
Administrators can configure tmpfiles to automatically create files, directories, device files, symbolic links, and others at boot, and to reset the permissions on resources. It is through this reset operation that we can use tmpfiles to set the right SELinux context at boot time.
The example we gave earlier used a directory called /tmp/tmp-inst, which had to have the 000 permission set, and which will host the user-oriented /tmp views. Rather than having to create and set this permission each time, we can configure tmpfiles to do this for us, and define the right SELinux context up front:
# semanage fcontext -a -t tmp_t -f d "/tmp/tmp-inst"
In /etc/tmpfiles.d, we create a file called selinux-polyinstantiation.conf with the following content:
d /tmp/tmp-inst 000 root root
The name of the file can be chosen freely, but make sure it uses the .conf suffix. Every time the system boots, systemd-tmpfiles will ensure that the /tmp/tmp-inst directory is created with the appropriate permissions.
If a location does not need to be created, but only its SELinux context reset, then you can use the z (one resource) or Z (recursively) options in the tmpfiles configuration. This is used, for instance, by the default SELinux tmpfiles configuration, selinux-policy.conf, in /usr/lib/tmpfiles.d:
z /sys/devices/system/cpu/online - - -
The - fields inform tmpfiles not to adjust the permissions and ownership, and only to reset the SELinux context.
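As an added example, not code from the book or from the systemd project, the following shell snippet writes a constructed tmpfiles.d fragment that combines the d, z and Z entry types from this section and checks its syntax before it is installed. The /srv/web path is hypothetical, and tmpfiles_check is a helper written here, not a systemd tool.

```shell
# Constructed example fragment (not from the book): it combines the entry
# types discussed above. Fields: Type Path Mode User Group Age Argument,
# where "-" leaves that field untouched. /srv/web is a hypothetical path.
WORK=$(mktemp -d)
FRAG="$WORK/selinux-polyinstantiation.conf"
cat > "$FRAG" <<'EOF'
# d: create the directory if missing, apply mode and owner, restore its context
d /tmp/tmp-inst 000 root root
# z: restore the SELinux context of one path; mode and owner stay unchanged
z /sys/devices/system/cpu/online - - -
# Z: the same, but recursively for a whole tree
Z /srv/web - - -
EOF

# Validate a fragment before copying it into /etc/tmpfiles.d: every entry
# needs a known type, an absolute path and a mode that is "-" or octal.
# Returns 0 when all entries are acceptable, 1 otherwise (problems go to stderr).
tmpfiles_check() {
    file=$1
    rc=0
    # read splits on whitespace without glob expansion, so paths such as
    # /root/.ssh/* are kept literally; $rest swallows the remaining fields
    while read -r etype path mode rest || [ -n "$etype" ]; do
        case "$etype" in ''|'#'*) continue ;; esac   # blank line or comment
        : "${mode:=-}"
        case "$etype" in
            d|D|f|L|z|Z|x|X|r|R) ;;
            *) echo "unknown entry type '$etype': $etype $path" >&2; rc=1; continue ;;
        esac
        case "$path" in
            /*) ;;
            *) echo "path must be absolute: $etype $path" >&2; rc=1 ;;
        esac
        case "$mode" in
            -|[0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
            *) echo "bad mode '$mode': $etype $path" >&2; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

tmpfiles_check "$FRAG" && echo "fragment is valid: $FRAG"
```

Once the file is copied into /etc/tmpfiles.d, systemd-tmpfiles --create /etc/tmpfiles.d/selinux-polyinstantiation.conf applies the entries immediately instead of waiting for the next boot.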