Understanding SELinux File Labelling and SELinux Context

SELinux File Labeling

All files, directories, devices, and processes have a security context (or label) associated with them. For files, this context is stored in the extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. If you see an error message containing file_t, that is usually a good indicator that you have a problem with file system labeling.

There are several ways to relabel the file system:

  • Create the /.autorelabel file and reboot.
  • The Status view in the SELinux GUI provides an option to relabel on next reboot.
  • Three command-line utilities, restorecon, setfiles, and fixfiles, relabel files.


SELinux Context


The SELinux context contains additional information such as the SELinux user, role, type, and level. Access control decisions on processes, Linux users, and files are based on this context information. Access control is based on the following information:

  • SELinux user: Linux users are mapped to SELinux users.
  • Role: An attribute of RBAC (Role-Based Access Control) that acts as an intermediary between domains and SELinux users.
  • Type: An attribute of TE (Type Enforcement) that defines a domain for processes and a type for files.
  • Level: Optional information; an attribute of MLS (Multi-Level Security) and MCS (Multi-Category Security).


Viewing SELinux context information

View SELinux context information about files

To view the file system context information from the command line, use the “ls -Z” command:

# ls -Z
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 initial-setup-ks.cfg

NOTE: The default file contexts are also defined in the /etc/selinux/[SELINUXTYPE]/contexts/files directory, which the relabeling tools read.

View SELinux context information about processes

To view the SELinux context information about processes, use the “ps -Z” command:

# ps -Z
LABEL                              PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6617 pts/0 00:00:00 sudo
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6623 pts/0 00:00:00 su
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6624 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 8188 pts/0 00:00:00 ps

View SELinux context information about users

To view the SELinux context associated with your Linux user, use the “id -Z” command:

# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

An SELinux context is displayed using the following syntax:

user:role:type:level

Changing the File Context Type

KVM virtual machine disk images are created in the /var/lib/libvirt/images directory by default. SELinux requires that image files have the virt_image_t label applied to them. You can use the “ls -dZ” command to confirm that this label is applied to the /var/lib/libvirt/images directory:

# ls -dZ /var/lib/libvirt/images
drwx--x--x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images

You can use a different directory for your virtual machine images, but you need to add the new directory to your SELinux policy and relabel it first. The following steps add the /kvmimages directory to the targeted SELinux policy and relabel the directory:

# semanage fcontext -a -t virt_image_t "/kvmimages(/.*)?"

The above command adds the /kvmimages directory to the SELinux policy by appending a line to the following file:

# cat /etc/selinux/targeted/contexts/files/file_contexts.local
/kvmimages(/.*)?    system_u:object_r:virt_image_t:s0

You still need to set the new security context on the directory and all files in it. You can use any of the following commands to change the SELinux contexts on the /kvmimages directory:

  • fixfiles: Fixes the security context on file systems
  • restorecon: Resets the security context on one or more files
  • setfiles: Initializes the security context on one or more files

Each of these commands reads the file-context specifications in the /etc/selinux/targeted/contexts/files directory. The following example shows the SELinux context before running the restorecon command:

# ls -dZ /kvmimages
drwx--x--x. root root system_u:object_r:unlabeled_t:s0 /kvmimages


Notice that the SELinux type is set to unlabeled_t. The following example runs the restorecon command to change the type as defined in the /etc/selinux/targeted/contexts/files/file_contexts.local file:

# restorecon -R -v /kvmimages

# ls -dZ /kvmimages
drwx--x--x. root root system_u:object_r:virt_image_t:s0 /kvmimages
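As an added example (not part of the original article), the following Python script models the check that restorecon performs with the specifications above: it parses file_contexts-style lines, resolves the expected context of a path with the anchored regex, splits contexts using the user:role:type:level syntax described earlier, and reports which entries of an ls -Z listing carry the wrong type. The /kvmimages/iso entry, the qcow2/iso file names and the ls -Z listing are constructed sample data, not taken from a real system.

```python
import re
# Constructed sample in the format of file_contexts.local shown above: policy
# entries first, then the appended /kvmimages rule; /kvmimages/iso is a hypothetical extra.
FILE_CONTEXTS = """\
/var/lib/libvirt/images(/.*)?   system_u:object_r:virt_image_t:s0
/kvmimages(/.*)?                system_u:object_r:virt_image_t:s0
/kvmimages/iso(/.*)?            system_u:object_r:virt_content_t:s0
"""
# Constructed `ls -Z` output for /kvmimages before restorecon has been run.
LS_Z_OUTPUT = """\
drwx--x--x. root root system_u:object_r:unlabeled_t:s0 /kvmimages
-rw-------. qemu qemu system_u:object_r:unlabeled_t:s0 /kvmimages/web01.qcow2
-rw-------. qemu qemu system_u:object_r:virt_image_t:s0 /kvmimages/db01.qcow2
-rw-r--r--. root root system_u:object_r:virt_image_t:s0 /kvmimages/iso/rhel.iso
"""

def parse_file_contexts(text):
    """(compiled regex, context) per spec line; '#'/blank lines and an optional
    file-type field such as '-d' are skipped."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            specs.append((re.compile(parts[0]), parts[-1]))
    return specs

def split_context(ctx):
    """Split user:role:type:level; the level may contain ':' (s0-s0:c0.c1023)."""
    return tuple(ctx.split(":", 3))

def expected_context(path, specs):
    """Context the specs assign to path, or None. Regexes are anchored to the
    whole path as in libselinux. Simplification: the last matching spec wins
    (libselinux also prefers longer literal prefixes; same result here)."""
    match = None
    for regex, context in specs:
        if regex.fullmatch(path):
            match = context
    return match

def find_mislabeled(ls_output, specs):
    """(path, actual_type, expected_type) for each entry restorecon would relabel."""
    bad = []
    for line in ls_output.splitlines():
        actual, path = line.split(None, 4)[3:]
        want = expected_context(path, specs)
        if want and split_context(actual)[2] != split_context(want)[2]:
            bad.append((path, split_context(actual)[2], split_context(want)[2]))
    return bad
```

On a real host, `restorecon -nv /kvmimages` performs the same comparison (dry run) against the installed policy's contexts/files directory.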


There are also SELinux Booleans that affect KVM when launched by libvirt. Two of these Booleans are listed as follows:

  • virt_use_nfs: Allow virt to manage NFS files.
  • virt_use_samba: Allow virt to manage CIFS files.

These Booleans need to be enabled when using NFS or Samba shares, respectively, for storing virtual machine disk images. There are additional SELinux Booleans that affect KVM. Some of these are listed as follows:

# getsebool -a | grep virt
staff_use_svirt --> off
unprivuser_use_svirt --> off
virt_read_qemu_ga_data --> off
virt_rw_qemu_ga_data --> off
virt_sandbox_use_all_caps --> on
virt_sandbox_use_audit --> on
virt_sandbox_use_fusefs --> off
virt_sandbox_use_mknod --> off
virt_sandbox_use_netlink --> off
virt_sandbox_use_sys_admin --> off
virt_transition_userdomain --> off
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> on
virt_use_rawip --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_usb --> on
virt_use_xserver --> off
