Exploring SELinux: Context
Jun 08, 2023
A key part of SELinux is understanding and using SELinux contexts. Everything on your system carries a context, and these contexts determine which users, applications and services have access to which files, directories and applications. Even without a detailed understanding of policy creation, most SELinux users can manage their systems by using and altering contexts.

There are three types of contexts in SELinux, which are best explained by viewing the SELinux permissions on a file. To view the SELinux context of a directory, use the ls command with the -Z flag. This is for the /var/www/ directory:
[vagrant@centos www]$ ls -Z
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
What we want to look at from the permissions output is the portion that resembles system_u:object_r:httpd_sys_script_exec_t. These are the three contexts of a file. Let's take a deeper look:
User Context
The first portion, system_u in the example above, is the user context. This has three available values: user_u, system_u and root. Each of these denotes which overall type of user can access this file, not which specific user. With a user context of user_u, average login users can access the file (subject to normal file permissions); a value of system_u denotes a system user, as in the example above; finally, root means that only the root user of the system can access the file.
Role Context
Role context, object_r in the example above, is used primarily for processes and domains. The average SELinux user may not need to worry about this context. For files and directories, this is always object_r.
Type Context
Type context, httpd_sys_script_exec_t in the example above, is arguably the most important context to concern yourself with when setting SELinux permissions and otherwise troubleshooting SELinux. Type context provides the fine-grained control associated with SELinux. Your system, even with only the default SELinux policy enabled and no changes made, has a large number of type contexts. Use the semanage fcontext -l command to view all available types. You may want to pipe to grep when reviewing contexts for specific files or services. The output uses regular expressions to denote whether the given contexts apply recursively.

For example, here are all the directories with a type context of httpd_sys_content_t on a CentOS 7 installation:

[vagrant@centos ~]$ sudo semanage fcontext -l | grep "httpd_sys_content"
/srv/([^/]*/)?www(/.*)?                    all files    system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                             all files    system_u:object_r:httpd_sys_content_t:s0
/etc/htdig(/.*)?                           all files    system_u:object_r:httpd_sys_content_t:s0
/srv/gallery2(/.*)?                        all files    system_u:object_r:httpd_sys_content_t:s0
/var/lib/trac(/.*)?                        all files    system_u:object_r:httpd_sys_content_t:s0
/var/lib/htdig(/.*)?                       all files    system_u:object_r:httpd_sys_content_t:s0
/var/www/icons(/.*)?                       all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/glpi(/.*)?                      all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/htdig(/.*)?                     all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/drupal.*                        all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/z-push(/.*)?                    all files    system_u:object_r:httpd_sys_content_t:s0
/var/www/svn/conf(/.*)?                    all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/icecast(/.*)?                   all files    system_u:object_r:httpd_sys_content_t:s0
/var/lib/cacti/rra(/.*)?                   all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/ntop/html(/.*)?                 all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/doc/ghc/html(/.*)?              all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/openca/htdocs(/.*)?             all files    system_u:object_r:httpd_sys_content_t:s0
/usr/share/selinux-policy[^/]*/html(/.*)?  all files    system_u:object_r:httpd_sys_content_t:s0
Altering Context
We can change the context of certain directories if we so wish. This may be necessary because we need to alter permissions, or because we moved a file between locations: while context is inherited by all files created within a folder, moved files retain their original context.

Let's say we moved a new index.html file into our /var/www/html directory:

[vagrant@centos ~]$ sudo mv index.html /var/www/html/
[vagrant@centos ~]$ cd /var/www/html/
[vagrant@centos html]$ ls -Z
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:user_home_t:s0 index.html
This example is particularly appropriate, because we can see the effects of SELinux in practice. Should we try to view our index.html file through our web browser, we receive a Forbidden error. This is because, as shown above, it retains its original user_home_t type, not the httpd_sys_content_t context it needs. This can be changed with the restorecon command:

[vagrant@centos html]$ restorecon index.html
[vagrant@centos html]$ ls -Z
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:httpd_sys_content_t:s0 index.html
restorecon uses SELinux's default contexts to ensure all files are of the appropriate type. In this instance, it sees that index.html matches the /var/www(/.*)? rule and ensures it receives the appropriate context.

Alternatively, say we moved the entire html/ directory over and need to change the SELinux context for the whole thing. Assume, for whatever reason, our server does not have the necessary default SELinux policies for Apache. For this, we can use semanage to change the type context:
semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'
The -t flag denotes type. Additionally, notice the inclusion of (/.*)?: this tells SELinux that the files and directories under the /var/www/html directory inherit this type, as well.

Should we need to, we can also delete a directory's context:
semanage fcontext -d "/var/www/html(/.*)?"
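As an added example (not from the original post), the script below shows how the mislabeled index.html from the mv example would be caught by auditing ls -Z output against file-context rules written in the same regex style semanage uses. The rule table and the listing are constructed samples, and choosing the longest matching regex is an assumption that only approximates how SELinux picks the most specific rule.

```shell
#!/bin/sh
# Constructed rule table: "<path regex> <expected type>", in the style of
# `semanage fcontext -l` output. Not read from a real system.
FCONTEXT_RULES='/var/www(/.*)? httpd_sys_content_t
/var/www/cgi-bin(/.*)? httpd_sys_script_exec_t
/home/[^/]+/.+ user_home_t'

# Constructed `ls -Z` style listing (mode, user, group, context, path).
# index.html and upload.cgi were moved in and kept their home-directory types.
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/about.html
-rw-rw-r--. vagrant vagrant unconfined_u:object_r:user_home_t:s0 /var/www/html/index.html
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/form.cgi
-rwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 /var/www/cgi-bin/upload.cgi'

# Print the type the rule table assigns to a path. Each regex must match the
# whole path, so the `(/.*)?` suffix is what lets a rule cover everything
# below a directory. Assumption: the longest matching regex is the most specific.
expected_type() {
    printf '%s\n' "$FCONTEXT_RULES" | awk -v p="$1" '
        p ~ ("^" $1 "$") && length($1) > best_len { best = $2; best_len = length($1) }
        END { print best }'
}

# Compare the type field (third colon-separated part of the context) of every
# listed file with the expected type; print "<path> <actual> <expected>" for
# each mismatch. Each reported path is one `restorecon -v <path>` would relabel.
find_mislabeled() {
    printf '%s\n' "$1" | while read -r mode owner group ctx path; do
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)
        wanted=$(expected_type "$path")
        [ "$actual" = "$wanted" ] || printf '%s %s %s\n' "$path" "$actual" "$wanted"
    done
}

find_mislabeled "$SAMPLE_LS_Z"
```

On a real host the same check would feed find_mislabeled with `ls -Z` output of the web root, and the rule table would come from `semanage fcontext -l`.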
Even by managing SELinux context and permissions, we have barely scratched the surface of this in-depth tool. Check back at the blog for more Exploring SELinux, or go to LinuxAcademy.com for more lessons on SELinux and other systems administration and security topics.