Chapter 5. Controlling and Maintaining SELinux
SELinux presents both a new security paradigm and a new set of practices and tools for administrators
and some end users. The tools and techniques discussed in this chapter focus on standard operations
performed by administrators, end users, and analysts. More complex operations, such as compiling a
policy after a local change, are covered in Chapter 7 Compiling SELinux Policy.
5.1. End User Control of SELinux
In general, end users have little interaction with SELinux when Red Hat Enterprise Linux is running
the targeted policy. This is because users are running in the domain of unconfined_t along with the
rest of the system except the targeted daemons. This means that when you as an end user come across
a need to use a special SELinux tool or even to check and change the context for a file, it is likely
to be when you are working with one of the targeted daemons. You can read more about the targeted
daemons in Section 3.1 What is the Targeted Policy?.
In most situations, standard DAC controls stop you from doing what you are not permitted before you
are stopped by SELinux, and you'll never generate an avc: denied message.
These sections cover the general tasks and practices that an end user might need to do on Red Hat
Enterprise Linux. Users of all privilege levels need to do these tasks as well.
5.1.1. Move or Copy Files
In file system operations, security context must now be considered in terms of the label of the file, the
process touching it, and the directories where the operation is happening. Because of this, moving and
copying files with mv and cp may have unexpected results.
Unless you tell it otherwise, cp follows the default behavior of creating a new file based on the domain
of the creating process and the type of the target directory. Unless there is a specific rule setting the
label, the file inherits the type from the target directory. The -Z user:role:type option allows you
to specify what label you want the new file to have.
touch bar foo
ls -Z bar foo
-rw-rw-r--  auser    auser    user_u:object_r:user_home_t      bar
-rw-rw-r--  auser    auser    user_u:object_r:user_home_t      foo
# Doing a cp creates a file in the new location with the default
# type based on the creating process and target directory. In
# this case, there not being a specific rule about cp and /tmp,
# the new file has the type of the parent directory:
cp bar /tmp
ls -Z /tmp/bar
-rw-rw-r--  auser    auser    user_u:object_r:tmp_t            /tmp/bar
# The -Z option allows you to specify the label for the new file:
cp -Z user_u:object_r:user_home_t foo /tmp
ls -Z /tmp/foo
-rw-rw-r--  auser    auser    user_u:object_r:user_home_t      /tmp/foo
The type tmp_t is the default type for temporary files.
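A small audit script, added here as an example and not part of the Red Hat guide, that reads the same label ls -Z shows (the security.selinux extended attribute) and flags files whose type differs from the directory they sit in, which is exactly what cp -Z, or a mv from a differently labeled directory, leaves behind. The SAMPLE mapping is constructed to mirror the session above; reading real labels needs an SELinux kernel.

```python
"""Flag files whose SELinux type differs from their parent directory's type."""
import os
import sys

XATTR = "security.selinux"  # the extended attribute that holds the file label


def context_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] context string."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {context!r}")
    return parts[2]


def audit_labels(contexts: dict) -> list:
    """Given {path: context} for files and directories, return
    (path, file_type, dir_type) for every entry whose type differs from its
    parent directory's type. Parents without an entry are skipped."""
    mismatches = []
    for path, ctx in contexts.items():
        parent = os.path.dirname(path.rstrip("/")) or "/"
        if path == parent or parent not in contexts:
            continue
        ftype, dtype = context_type(ctx), context_type(contexts[parent])
        if ftype != dtype:
            mismatches.append((path, ftype, dtype))
    return mismatches


def read_contexts(root: str) -> dict:
    """Collect labels under root via os.getxattr (Linux with SELinux only)."""
    contexts = {}
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                contexts[p] = os.getxattr(p, XATTR).decode().rstrip("\0")
            except OSError:
                pass  # unlabeled, unreadable, or no SELinux support
    return contexts


# Constructed sample mirroring the guide's session: /tmp/bar got tmp_t from a
# plain cp, /tmp/foo kept user_home_t because of cp -Z.
SAMPLE = {
    "/tmp": "user_u:object_r:tmp_t",
    "/tmp/bar": "user_u:object_r:tmp_t",
    "/tmp/foo": "user_u:object_r:user_home_t",
}

if __name__ == "__main__":
    ctx = read_contexts(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, ftype, dtype in audit_labels(ctx):
        print(f"{path}: {ftype} differs from parent directory type {dtype}")
```

A type that differs from its parent is not always wrong, since policy type-transition rules create such files deliberately, so treat a hit as a candidate and confirm it against the policy's expected label with restorecon -n -v before relabeling.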