Chapter 5.


Controlling and Maintaining SELinux


SELinux presents both a new security paradigm and a new set of practices and tools for administrators


and some end users. The tools and techniques discussed in this chapter focus on standard operations


performed by administrators, end users, and analysts. More complex operations, such as compiling a


policy after a local change, are covered in Chapter 7 Compiling SELinux Policy.


5.1. End User Control of SELinux


In general, end users have little interaction with SELinux when Red Hat Enterprise Linux is running


the targeted policy. This is because users are running in the domain of


unconfined_t


along with the


rest of the system except the targeted daemons. This means that when you as an end user come across


a need to use a special SELinux tool or even to check and change the context for a file, it is likely


to be when you are working with one of the targeted daemons. You can read more about the targeted


daemons in Section 3.1 What is the Targeted Policy?.


In most situations, standard DAC controls stop you from doing what you are not permitted before you


are stopped by SELinux, and you'll never generate an


avc: denied


message.


These sections cover the general tasks and practices that an end user might need to do on Red Hat


Enterprise Linux. Users of all privilege levels need to do these tasks as well.


5.1.1. Move or Copy Files


In file system operations, security context must now be considered in terms of the label of the file, the


process touching it, and the directories where the operation is happening. Because of this, moving and


copying files with


mv


and


cp


may have unexpected results.


Unless you tell it otherwise,


cp


follows the default behavior of creating a new file based on the domain


of the creating process and the type of the target directory. Unless there is a specific rule setting the


label, the file inherits the type from the target directory. The


 Z user:role:type


option allows you


to specify what label you want the new file to have.


touch bar foo


ls  Z bar foo


 rw rw r  


auser


auser


user_u:object_r:user_home_t


bar


 rw rw r  


auser


auser


user_u:object_r:user_home_t


foo


# Doing a cp creates a file in the new location with the default


# type based on the creating process and target directory.


In


# this case, there not being a specific rule about cp and /tmp,


# the new file has the type of the parent directory:


cp bar /tmp


ls  Z /tmp/bar


 rw rw r  


auser


auser


user_u:object_r:tmp_t


/tmp/bar


# The  Z option allows you to specify the label for the new file:


cp  Z user_u:object_r:user_home_t foo /tmp


ls  Z /tmp/foo


 rw rw r  


auser


auser


user_u:object_r:user_home_t


/tmp/foo


The type


tmp_t


is the default type for temporary files.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      adult web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved