Chapter 5. Controlling and Maintaining SELinux
Moving files with mv retains the type the file started with. This may cause problems; for example, if you move files with the type user_home_t into ~/public_html, httpd is not able to serve them until you relabel the file. You can read about file relabeling in Section 5.1.3 Relabel a File or Directory's Security Context.
Command                  Behavior
mv                       The file retains its original label. This may cause problems, confusion, or minor
                         insecurity. For example, the program tmpwatch running in the domain sbin_t might
                         not be allowed to delete an aged file in /tmp because of the file's type.
cp                       A plain copy creates the new file following the default behavior based on the
                         domain of the creating process (cp) and the type of the target directory.
cp -Z user:role:type     The new file is relabeled as it is created based on the command line option. The
                         extended GNU option --context is the same as -Z.

Table 5-1. Behavior of mv and cp
5.1.2. Check the Security Context of a Process, User, or File Object
In Red Hat Enterprise Linux, the -Z option is equivalent to --context, and can be used with ps, id, ls, and cp, which is explained in Table 5-1.
The ps command can create a lot of output, so this example shows only a small sample. Most of the processes are running in unconfined_t, with a few exceptions. You can tell a process started from a root login by the role setting on the label, for example with one of the bash processes:
ps -Z
LABEL                          PID TTY          TIME CMD
user_u:system_r:unconfined_t 18543 pts/7    00:00:00 bash
user_u:system_r:unconfined_t 22846 pts/7    00:00:00 ps
ps -eZ
...
user_u:system_r:unconfined_t  1041 ?        00:00:00 udevd
user_u:system_r:unconfined_t  1511 ?        00:00:00 kjournald
user_u:system_r:unconfined_t  1512 ?        00:00:00 kjournald
user_u:system_r:syslogd_t     1873 ?        00:00:01 syslogd
user_u:system_r:unconfined_t  1877 ?        00:00:00 klogd
user_u:system_r:unconfined_t  1888 ?        00:00:34 irqbalance
user_u:system_r:portmap_t     1899 ?        00:00:00 portmap
user_u:system_r:unconfined_t  1919 ?        00:00:00 rpc.statd
user_u:system_r:unconfined_t  1952 ?        00:00:00 rpc.idmapd
...
user_u:system_r:unconfined_t 17252 ?        00:00:01 sshd
root:system_r:unconfined_t   17254 pts/1    00:00:00 bash
user_u:system_r:unconfined_t 17390 ?        00:00:04 gconfd-2
...
user_u:system_r:unconfined_t  1160 ?        00:00:00 firefox
user_u:system_r:unconfined_t  1541 ?        00:00:00 \
                                                     run-mozilla.sh
user_u:system_r:unconfined_t  1558 ?        00:01:37 firefox-bin
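The following script is an added example, not part of the Red Hat guide, that turns the two checks this section describes into something repeatable: it filters ps -eZ output for processes whose label differs from a baseline (which surfaces the confined daemons such as syslogd_t and portmap_t, and the bash started from a root login), and it filters ls -Z output for files whose type is not the one a directory needs (the ~/public_html case from Table 5-1, where a file carried in with mv keeps user_home_t). The sample ps and ls lines embedded below are constructed from the output shown in this section so the script runs on a system without SELinux; the type name httpd_user_content_t used in the usage note is an assumption about the target policy, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the guide's own code): check process and file security
# contexts from the text output of `ps -eZ` and `ls -Z`.

# Constructed sample of `ps -eZ` output, taken from the lines shown in the guide.
SAMPLE_PS_EZ='LABEL                          PID TTY          TIME CMD
user_u:system_r:unconfined_t  1041 ?        00:00:00 udevd
user_u:system_r:syslogd_t     1873 ?        00:00:01 syslogd
user_u:system_r:portmap_t     1899 ?        00:00:00 portmap
user_u:system_r:unconfined_t 17252 ?        00:00:01 sshd
root:system_r:unconfined_t   17254 pts/1    00:00:00 bash'

# Constructed sample of `ls -Z` output for a ~/public_html directory, one file
# copied in with cp -Z (correct type) and one moved in with mv (kept user_home_t).
SAMPLE_LS_Z='-rw-r--r--  user user user_u:object_r:httpd_user_content_t photo.jpg
-rw-r--r--  user user user_u:object_r:user_home_t index.html'

# unexpected_labels BASELINE
# Reads `ps -eZ` output on stdin and prints "PID CMD LABEL" for every process
# whose label is not BASELINE. The header line (NR == 1) is skipped. CMD is
# taken as the last field, so a command line containing spaces is truncated.
unexpected_labels() {
    awk -v base="$1" 'NR > 1 && $1 != base { print $2, $NF, $1 }'
}

# root_user_processes
# Reads `ps -eZ` output on stdin and prints "PID CMD" for processes whose
# SELinux user (first colon-separated field of the label) is root, i.e. the
# processes started from a root login.
root_user_processes() {
    awk 'NR > 1 { split($1, ctx, ":"); if (ctx[1] == "root") print $2, $NF }'
}

# wrong_file_types EXPECTED_TYPE
# Reads `ls -Z` output on stdin and prints "FILE TYPE" for every entry whose
# type is not EXPECTED_TYPE. The label is located by its user:role:type shape
# rather than by column position, so the exact ls column layout does not matter;
# a trailing MLS level (":s0") on newer systems is ignored by the split.
wrong_file_types() {
    awk -v want="$1" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            if (ctx == "") next
            split(ctx, f, ":")
            if (f[3] != want) print $NF, f[3]
        }'
}

# Stand-alone demonstration on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    echo "Processes not in user_u:system_r:unconfined_t:"
    printf '%s\n' "$SAMPLE_PS_EZ" | unexpected_labels user_u:system_r:unconfined_t
    echo "Processes with SELinux user root:"
    printf '%s\n' "$SAMPLE_PS_EZ" | root_user_processes
    echo "Files in public_html not typed httpd_user_content_t:"
    printf '%s\n' "$SAMPLE_LS_Z" | wrong_file_types httpd_user_content_t
fi
```

On a live system the functions take real output on stdin, for example `ps -eZ | unexpected_labels user_u:system_r:unconfined_t` or `ls -Z ~/public_html | wrong_file_types httpd_user_content_t`; the second command lists exactly the files that httpd cannot serve until they are relabeled as Section 5.1.3 describes.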