CentOS Stream 10
Sponsored Link

SELinux : SELinux Context2025/01/02
 

Access Controls to files or directories are controled by additional informations that is called SELinux Context.
SELinux Context has following syntax.

⇒ [SELinux User]:[Role]:[Type]:[Level]

SELinux User :
SELinux User Attribute
Each Linux User is mapped to an SELinux User by SELinux Policy.
Role :
RBAC (Role Based Access Control) Attribute
It defines SELinux User's Roles.
It controls Accesses which defined role can access to Domains by SELinux Policy.
Type :
TE (Type Enforcement) Attribute
It defines Domains for processes, and also defines Types for Files.
Level :
MLS (Multi Level Security) and MCS (Multi Category Security) Attribute
Level has [sensitivity]:[category] syntax.
[targeted] Policy that is the default Policy on RHEL/CentOS forces MCS and it is used only [s0] sensitivity on the Policy. But for Category, it is supported c0-c1023.
MLS forces the Bell-La Padula Mandatory Access Model.
If you'd like to use it, it needs to install MLS Policy package on RHEL/CentOS.

[1] For displaying SELinux Contexts for files or processes, add [Z] option to commands.
# files/directories

[root@dlp ~]#
ls -lZ /root 

total 4
-rw-------. 1 root root system_u:object_r:admin_home_t:s0 981 Dec 14 18:35 anaconda-ks.cfg
                        ---------:--------:-------------:------
                         User    :  Role  : Type        : Level
# processes

[root@dlp ~]#
ps axZ 

LABEL                               PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0           1 ?        Ss     0:00 /usr/lib/systemd/sy
system_u:system_r:kernel_t:s0         2 ?        S      0:00 [kthreadd]
system_u:system_r:kernel_t:s0         3 ?        S      0:00 [pool_workqueue_rel
system_u:system_r:kernel_t:s0         4 ?        I<     0:00 [kworker/R-rcu_gp]
system_u:system_r:kernel_t:s0         5 ?        I<     0:00 [kworker/R-sync_wq]
system_u:system_r:kernel_t:s0         6 ?        I<     0:00 [kworker/R-slub_flu
.....
.....
system_u:system_r:policykit_t:s0   1076 ?        Ssl    0:00 /usr/lib/polkit-1/p
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1642 ? Ss   0:00 /usr/lib/
system_u:system_r:init_t:s0        1644 ?        S      0:00 (sd-pam)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1658 ttyS0 Ss   0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1690 ttyS0 R+   0:00 ps ax
# own ID

[root@dlp ~]#
id -Z 

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[2] Each Linux User is mapped to an SELinux User by SELinux Policy.
It's possible to show the mapping list like follows.
[root@dlp ~]#
semanage login -l 


Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
* if [semanage] command does not exist, install it

[root@dlp ~]#
dnf -y install policycoreutils-python-utils
 

For the example above (RHEL/CentOS Default), [root] is mapped to [unconfined_u]. Other common users are mapped to [__default__] once and finally mapped to [unconfined_u].

[unconfined_u] users are assigned [unconfined_t] Role, and Processes which are started by [unconfined_u] users are run as [unconfined_t] Domain.

Processes that [unconfined_t] Domain are assigned are not controled by SELinux.
[root@dlp ~]#
ps axZ | grep unconfined_t 

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1204 ? Ss   0:00 /usr/lib/systemd/systemd --user
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1213 ttyS0 Ss   0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1249 ttyS0 R+   0:00 ps axZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1250 ttyS0 S+   0:00 grep --color=auto unconfined_t
Matched Content