Using SELinux for Security Context Labeling

Posted on

SELinux or Security-Enhanced Linux is one of the security mechanism which is implemented in the kernel level. The security mechanism itself is called the Mandatory Access Control (MAC) which is introduced for the first time in CentOS 4 and in every next version until this article is released to CentOS 7.

Every file and every process where SELinux is implemented has its own security context.  We can also label files or processes when they don’t even have any security context yet. To be able to give security context label to either files or processes we have to look out for the condition or the situation based on the files or processes itself.

To be able to look for the security context label, we have to run the following command :

ls –lZ

The above command, ‘ls’ is used to list directory content.

The first parameter -l is a parameter which is used to display the files or directories in a long listing format.

The other additional parameter -Z is an additional parameter which is used to display additional information concerning files or directories which are displayed. The additional information are in form of any security context of either the files or directories.

So, when we use the above command, we will able to find out the security context label. Below is the condition of the files or directories based on the command output :

  1. The file or processes doesn’t even have any security context label.

It can be concluded based on the output which is shown as below :

username@hostname:/var# ls -lZ
total 64
drwxr-xr-x   2 username    username     ?  4096 May  1 07:55 backups
drwxr-xr-x  30 username    username     ?  4096 Apr  7 08:00 cache
drwxrwsrwt   2 username    username ?  4096 May  3 09:48 crash
drwxr-xr-x 105 username    username     ?  4096 Apr  8 14:52 lib
drwxrwsr-x   2 username    username   ?  4096 Apr 11  2014 local
lrwxrwxrwx   1 username    username     ?     9 Jun 10  2014 lock -> /run/lock
drwxrwxr-x  28 username    syslog   ?  4096 May  3 11:11 log
drwxrwsr-x   2 username    mail     ?  4096 May  3 22:00 mail
drwxr-xr-x   2 username    username     ?  4096 Apr 17  2014 opt
lrwxrwxrwx   1 username    username     ?     4 Jun 10  2014 run -> /run
drwxr-xr-x   8 username    username     ?  4096 Jan  9 08:52 spool
drwxrwxrwt  87 username    username     ? 16384 May  3 22:07 tmp
drwxrwxr-x   3 username    username    ?  4096 Jun 15  2014 www
username@hostname:/var#

We can see that the security context label is displayed in question mark (?). It means that the files or folders itself haven’t been labeled with security contenxt.  So, we have to give a security context label by executing the following command :

[username@hostname ]# chcon -Rv -t security_context_label    files or folders

The chcon command is a command which is used to change file security context.

The additional parameter -R is a parameter to apply the command recursively on files and directories which is associated within the path.

The additional parameter -v is a parameter for displaying output for every file or folder which is processed

The last parameter is -t which is used to set the type in the target security context.

The security_context_label itself comprised of four components which is the user field, role field, type field and level field. The first three components are mandatory which must be defined and the last one is optional. We will try to give security context label based on the above directory listing as follows :

For an example :

chcon -t var_t local
chcon: can't apply partial context to unlabeled file ‘logs’
[username@localhost ~]$

The above error rise because we are trying to apply partial security context label to files or folders.  Actually there are three parts which need to be defined but the above context only has one definition which is var_t  and it is being considered as the type field since we use -t as the additional parameter.  So we can start again to execute the same command using a different pattern as follows :

First of all, we have to switch to root account :

[username@localhost ~]$ sudo su –
[sudo] password for username :
[root@localhost ~]$

After that, we can execute the command as shown below :

[username@localhost ~]$ chcon system_u:object_r:var_t local
[username@localhost ~]$

As we can see at the above command execution, there are information given for each mandatory field which is the user field, role field and the type field.

User field            : system_u

Role field             : object_r

Type field            : var_t

We can differentiate the value for each component based on the end of the character which is symbolize each component.

The user field value, system_u ends with u with can be associated with user field.

The role field value, object_r ends with r with can be associated with role field.

The type field value, var_t ends with t with can be associated with role field.

It is actually an idea that came up by myself when I wrote this article to simplify and make an connection between the attribute and the value of each component. But I am pretty sure that the pattern of the value is given as is after considering this kind of thought or ideas from the creator of the SELinux itself.

  1. The file or processes already have security context label but we want to change it into another label.

When we are going to change the security context label, we just define and execute the command which is look exactly like when we want to give or to define the security context label for files or directories for the first time.

Let us try with an example  :

Below is an example of directory listing of the /home/username :

[username@localhost ~]$ ls -lZ
-rw-rw-r--  username username ?                                database.txt
-rw-rw-r--  username username ?                                epel-release-6-8.noarch.rpm
drwxr-xr-x. username username unconfined_u:object_r:user_home_t:s0 faq
drwxr-xr-x  username username ?                                files
drwxrwxr-x. username username unconfined_u:object_r:user_home_t:s0 master
-rw-r-----  username username ?                                openssl-devel-1.0.1e-30.el6_6.2.x86_64.rpm
-rw-rw-r--. username username unconfined_u:object_r:user_home_t:s0 pgdg-centos93-9.3-1.noarch.rpm
-rw-rw-r--. username username unconfined_u:object_r:user_home_t:s0 pgdg-centos93-9.3-1.noarch.rpm.1
-rw-rw-r--. username username unconfined_u:object_r:user_home_t:s0 pgdg-centos93-9.3-1.noarch.rpm.2
-rw-rw-r--. username username unconfined_u:object_r:user_home_t:s0 pgdg-centos94-9.4-1.noarch.rpm
drwxr-xr-x  username username ?                                pgsql
drwxr-xr-x. username username unconfined_u:object_r:user_home_t:s0 phpMyAdmin-4.3.5-all-languages
-rw-rw-r--. username username unconfined_u:object_r:user_home_t:s0 phpMyAdmin-4.3.5-all-languages.tar.bz2
-rw-r-----  username username ?                                postgresql-9.4.4-3-linux-binaries.tar.gz
-rw-r-----  username username ?                                postgresql-9.4.4.tar.gz
drwxr-xr-x. username username unconfined_u:object_r:user_home_t:s0 public_html
-rw-r--r--. username username unconfined_u:object_r:user_home_t:s0 public_html.tar.gz
-rw-r--r--  username username ?                                remi-release-6.rpm
[root@localhost ~]#

Switch first to root account :

[username@localhost ~]$ sudo su –
[sudo] password for username :
[root@localhost ~]$

After that we can actually change the security context label for the file as follows :

[root@localhost ~]# chcon user_u:object_t:user_home_t database.txt
[root@localhost ~]#

Showing the result of the above command :

[root@localhost ~]# ls -lZ database.txt
-rw-rw-r--. username username user_u:object_t:user_home_t database.txt
[root@localhost ~]#

3 thoughts on “Using SELinux for Security Context Labeling

Leave a Reply