SELinux : SELinux Context (2021/07/22)
Access control for files, directories and processes is governed by additional information attached to each object, called the SELinux Context (also called the label).
An SELinux Context has the following syntax:
⇒ [SELinux User]:[Role]:[Type]:[Level]
Note that the Level field (the MLS/MCS range) can itself contain colons, e.g. [s0-s0:c0.c1023], so only the first three colons separate the fields. For a process the Type field is called its domain; type enforcement rules, which make up almost all of the policy, are written in terms of the Type, so it is the field that matters most in practice.
[1] To display the SELinux Context of files or processes, add the [Z] option to the usual commands ([ls -Z], [ps -Z] / [ps axZ], [id -Z]).
# files/directories
[root@dlp ~]# ls -lZ /root
total 4
-rw-------. 1 root root system_u:object_r:admin_home_t:s0 1350 Jul 16 09:16 anaconda-ks.cfg
                        ---------:--------:-------------:------
                          User   :  Role  :    Type     : Level

# processes
[root@dlp ~]# ps axZ
LABEL                                              PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0                          1 ?        Ss     0:01 /usr/lib/systemd/sy
system_u:system_r:kernel_t:s0                        2 ?        S      0:00 [kthreadd]
system_u:system_r:kernel_t:s0                        3 ?        I<     0:00 [rcu_gp]
system_u:system_r:kernel_t:s0                        4 ?        I<     0:00 [rcu_par_gp]
system_u:system_r:kernel_t:s0                        5 ?        I      0:00 [kworker/0:0-events
system_u:system_r:kernel_t:s0                        6 ?        I<     0:00 [kworker/0:0H-event
.....
.....
system_u:system_r:local_login_t:s0-s0:c0.c1023    1108 ?        Ss     0:00 login -- root
system_u:system_r:getty_t:s0-s0:c0.c1023          1113 tty1     Ss+    0:00 /sbin/agetty -o -p
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1471 ?    Ss     0:00 /usr/lib/
system_u:system_r:init_t:s0                       1476 ?        S      0:00 (sd-pam)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1482 ttyS0 Ss    0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1506 ttyS0 R+    0:00 ps ax

# own ID
[root@dlp ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[2] Each Linux user is mapped to an SELinux user by the SELinux policy. The mapping list can be shown as follows.
[root@dlp ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *

# if the [semanage] command does not exist, install it
[root@dlp ~]# dnf -y install policycoreutils-python-utils
In the example above (the RHEL/CentOS default), [root] is mapped to [unconfined_u]. Any other Linux user with no explicit entry of its own falls through to the [__default__] entry, which in turn maps to [unconfined_u].
[unconfined_u] users are assigned the [unconfined_r] role, and processes started by [unconfined_u] users run in the [unconfined_t] domain (the Type field of the context).
Processes running in the [unconfined_t] domain are granted nearly all access by the policy, so they are effectively not restricted by SELinux. The label is still assigned and still checked, but the confinement that actually protects the system comes from the confined domains that system services run in (for example the [system_u:system_r:...] contexts in the [ps axZ] output above). A quick way to see which processes are really confined on a host is therefore to list those that are not in [unconfined_t].
[root@dlp ~]# ps axZ | grep unconfined_t

unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1471 ?     Ss   0:00 /usr/lib/systemd/systemd --user
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1482 ttyS0 Ss   0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1526 ttyS0 R+   0:00 ps axZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1527 ttyS0 S+   0:00 grep --color=auto unconfined_t
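As an added example (not part of the original page), the POSIX shell script below applies both points above to constructed sample output, so it runs on a machine without SELinux. It splits a context string into its four fields while respecting that the Level field can itself contain colons, lists the PIDs running in a given domain from [ps axZ]-shaped input, and resolves a login name to its SELinux user with the [__default__] fallback from [semanage login -l]-shaped input. The sample lines, the user [alice], the [staff_u] mapping and the [httpd_t] process are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not from the original page. Works on constructed sample
# text; on a real host pipe `ps axZ` / `semanage login -l` into the functions.

# Constructed sample in the shape of `ps axZ` (LABEL PID TTY STAT TIME COMMAND).
SAMPLE_PS='LABEL PID TTY STAT TIME COMMAND
system_u:system_r:init_t:s0 1 ? Ss 0:01 /usr/lib/systemd/systemd
system_u:system_r:kernel_t:s0 2 ? S 0:00 [kthreadd]
system_u:system_r:getty_t:s0-s0:c0.c1023 1113 tty1 Ss+ 0:00 /sbin/agetty
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1482 ttyS0 Ss 0:00 -bash
system_u:system_r:httpd_t:s0 2001 ? Ss 0:00 /usr/sbin/httpd'

# Constructed sample in the shape of `semanage login -l` (alice/staff_u is hypothetical).
SAMPLE_LOGIN='Login Name SELinux User MLS/MCS Range Service

__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
alice staff_u s0-s0:c0.c1023 *'

# Extract one field of a context string.  $1 = context, $2 = user|role|type|level.
# The MLS/MCS level may contain colons (s0-s0:c0.c1023), so only the first
# three ':' are field separators; everything after them is the level.
ctx_field() {
  case "$2" in
    user)  printf '%s\n' "$1" | cut -d: -f1 ;;
    role)  printf '%s\n' "$1" | cut -d: -f2 ;;
    type)  printf '%s\n' "$1" | cut -d: -f3 ;;
    level) printf '%s\n' "$1" | cut -d: -f4- ;;
    *)     return 1 ;;
  esac
}

# Print the PIDs whose domain (Type field) equals $1, reading `ps axZ` output
# on stdin.  The header line has no ':' so it never matches.
pids_in_domain() {
  awk -v want="$1" '{ split($1, c, ":"); if (c[3] == want) print $2 }'
}

# Print the PIDs of processes that are NOT in unconfined_t, i.e. the ones that
# SELinux actually confines (skips the LABEL header line).
confined_pids() {
  awk '$1 != "LABEL" { split($1, c, ":"); if (c[3] != "unconfined_t") print $2 }'
}

# Resolve a Linux login name to its SELinux user from `semanage login -l`
# output on stdin, falling back to the __default__ entry as the policy does.
selinux_user_for() {
  awk -v login="$1" '
    $1 == login         { found = $2 }
    $1 == "__default__" { def = $2 }
    END { print (found != "" ? found : def) }'
}

# Demonstration on the constructed samples.
ctx='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
echo "user=$(ctx_field "$ctx" user) role=$(ctx_field "$ctx" role) type=$(ctx_field "$ctx" type) level=$(ctx_field "$ctx" level)"
echo "unconfined PIDs: $(printf '%s\n' "$SAMPLE_PS" | pids_in_domain unconfined_t | tr '\n' ' ')"
echo "confined PIDs:   $(printf '%s\n' "$SAMPLE_PS" | confined_pids | tr '\n' ' ')"
echo "bob  -> $(printf '%s\n' "$SAMPLE_LOGIN" | selinux_user_for bob)"
echo "alice -> $(printf '%s\n' "$SAMPLE_LOGIN" | selinux_user_for alice)"
```

On a live system replace the samples with `ps axZ | confined_pids` and `semanage login -l | selinux_user_for "$USER"`; the header lines of both commands are ignored because they never match the field tests.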