SELinux : SELinux Context
2016/03/27
Access control to files and directories is governed by additional information attached to each object, called the SELinux Context.
An SELinux Context has the following syntax:
⇒ [SELinux User]:[Role]:[Type]:[Level]
[1] To display the SELinux Context of files or processes, add the Z option to the usual commands.

# files/directories
[root@dlp ~]# ls -Z /root
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
                      --------:--------:------------:------
                        User  :  Role  :    Type    : Level

# processes
[root@dlp ~]# ps axZ
LABEL                                           PID TTY   STAT TIME COMMAND
system_u:system_r:init_t:s0                       1 ?     Ss   0:01 /usr/lib/systemd/syst
system_u:system_r:kernel_t:s0                     2 ?     S    0:00 [kthreadd]
system_u:system_r:kernel_t:s0                     3 ?     S    0:00 [ksoftirqd/0]
.....
.....
system_u:system_r:postfix_master_t:s0           916 ?     Ss   0:00 /usr/libexec/postfix/
system_u:system_r:postfix_pickup_t:s0           917 ?     S    0:00 pickup -l -t unix -u
system_u:system_r:postfix_qmgr_t:s0             918 ?     S    0:00 qmgr -l -t unix -u
system_u:system_r:kernel_t:s0                   941 ?     S<   0:00 [kworker/1:1H]
system_u:system_r:kernel_t:s0                   966 ?     S<   0:00 [kworker/0:1H]
system_u:system_r:kernel_t:s0                  1246 ?     S<   0:00 [kworker/0:2H]

# own ID
[root@dlp ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[2] Each Linux user is mapped to an SELinux User by the SELinux policy. The mapping list can be shown as follows.

[root@dlp ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

# if the semanage command does not exist, install it like follows
[root@dlp ~]# yum -y install policycoreutils-python
In the example above (the RHEL/CentOS default), "root" is mapped to "unconfined_u".
System users such as "bin", "daemon" and the like are mapped to "system_u".
All other ordinary users first match the "__default__" entry and are therefore also mapped to "unconfined_u".
"unconfined_u" users are assigned the "unconfined_r" Role, and processes started by "unconfined_u" users run in the "unconfined_t" Domain.
Processes running in the "unconfined_t" Domain are not restricted by SELinux policy.
[root@dlp ~]# ps axZ | grep unconfined_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1435 ttyS0 Ss   0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1556 ttyS0 R+   0:00 ps axZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1557 ttyS0 S+   0:00 grep --color=auto unconfined_t
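The context syntax in [1] and the unconfined_t check above can be done by script as well. The following is an added example, not part of the original page: it splits a context into its four fields, treating only the first three colons as separators because the Level may itself carry an MCS range such as "s0-s0:c0.c1023", and then lists the PIDs from a ps axZ listing whose Type is unconfined_t. The SAMPLE_PS listing is constructed from the outputs shown above, not a live capture.

```shell
#!/bin/sh
# Added example: parse SELinux contexts "user:role:type:level" and report
# processes running in the unconfined_t domain from "ps axZ"-style output.

# selinux_field CONTEXT N -> prints field N (1=User 2=Role 3=Type 4=Level).
# Only the first three ':' separate fields; the Level keeps any further ':'
# (e.g. the MCS range "s0-s0:c0.c1023"), so we strip prefixes instead of
# splitting on every colon.
selinux_field() {
    ctx=$1
    case $2 in
        1) printf '%s\n' "${ctx%%:*}" ;;
        2) rest=${ctx#*:};   printf '%s\n' "${rest%%:*}" ;;
        3) rest=${ctx#*:*:}; printf '%s\n' "${rest%%:*}" ;;
        4) printf '%s\n' "${ctx#*:*:*:}" ;;
        *) return 1 ;;
    esac
}

# selinux_type CONTEXT -> the Type (domain for a process), the field that
# type-enforcement rules are written against.
selinux_type() { selinux_field "$1" 3; }

# unconfined_pids < ps-axZ-output -> PIDs whose domain is unconfined_t,
# i.e. processes the policy does not confine. Column 1 is LABEL, column 2 PID.
unconfined_pids() {
    while read -r label pid _rest; do
        if [ "$label" != LABEL ] && [ "$(selinux_type "$label")" = unconfined_t ]; then
            printf '%s\n' "$pid"
        fi
    done
}

# Constructed sample modelled on the page's "ps axZ" output (not a live capture).
SAMPLE_PS='LABEL PID TTY STAT TIME COMMAND
system_u:system_r:init_t:s0 1 ? Ss 0:01 /usr/lib/systemd/systemd
system_u:system_r:kernel_t:s0 2 ? S 0:00 [kthreadd]
system_u:system_r:postfix_master_t:s0 916 ? Ss 0:00 /usr/libexec/postfix/master
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1435 ttyS0 Ss 0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1556 ttyS0 R+ 0:00 ps axZ'

# Demo: show that the Level of an unconfined context keeps its MCS range,
# then list the unconfined PIDs in the sample (1435 and 1556).
selinux_field unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4
printf '%s\n' "$SAMPLE_PS" | unconfined_pids
```

On a live system, replace the sample with `ps axZ | unconfined_pids` to audit which processes currently run unconfined.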