LinuxQuestions.org
Old 07-04-2011, 03:35 PM   #1
bluegospel
Member
 
Set SELinux context recursively per files vs directories


Hi. Is there a way I can change the security context of only the directories, & only files, recursively, in bash?
 
Old 07-04-2011, 03:51 PM   #2
Metsie
LQ Newbie
 
Always change context with semanage, this sets persistent changes! Changes will survive a relabel.

Code:
semanage fcontext -a -t httpd_sys_content_t --ftype -- "/var/www/sub1(/.*)?"
will only change files

--ftype -d
will only change directories

After this:
Code:
restorecon -RF /var/www/sub1
to restore context

Of course the context (httpd_sys_content_t) and path ("/var/www/sub1(/.*)?") have to be set correctly!
Good luck

ps. the (/.*)? makes it recursive!

Last edited by Metsie; 07-04-2011 at 03:53 PM. Reason: Added explanation recursive part
 
Old 07-04-2011, 03:59 PM   #3
bluegospel
Member
 
Original Poster
Quote:
Allways change context with semanage
Oh, I've always used
Quote:
chcon --reference /file/w/desired/context/ /file/to/switch/context
Don't do that?

Last edited by bluegospel; 07-04-2011 at 04:01 PM. Reason: remove part of commentary from quote
 
Old 07-04-2011, 04:14 PM   #4
Metsie
LQ Newbie
 
chcon changes context, but after a relabel these changes will be lost.

Relabeling can happen for many reasons, for example when you change the SELinux policy (you will normally never do this). It can also happen when you brick your machine and you want to fix it. This can be done by creating an empty file /.autorelabel
Code:
touch /.autorelabel
as root and reboot.

chcon --reference only sets the file context of the target to be the same as the file you refer to.

PS: Don't create the file /.autorelabel if you always used chcon to set file contexts!!! ALL CHANGES will be lost.

Last edited by Metsie; 07-04-2011 at 04:17 PM. Reason: dont create file autorelabel
 
Old 07-04-2011, 04:33 PM   #5
bluegospel
Member
 
Original Poster
Okay, thanks. I'm reading the man pages now to get a better understanding.
 
Old 07-04-2011, 04:38 PM   #6
bluegospel
Member
 
Original Poster
Is there some place I can find out more about "file_spec" as in

"semanage fcontext -{a|d|m} [-frst] file_spec" in the synopsis section of the semanage man page?
 
Old 07-05-2011, 01:37 AM   #7
Metsie
LQ Newbie
 
file_spec is just the location of the file.
There you can enter a specific file or dir, or you can use regular expressions if you put double quotes around it (see my previous example).
 
Old 07-05-2011, 03:40 PM   #8
bluegospel
Member
 
Original Poster
Hi. I'm running Apache 5.5 on CentOS. Can someone give me a good breakdown, or at least point me to a summary, of the datatype and the parts of the following data types (there appear to be 3 parts separated by colons, and with my very limited knowledge I'll refer to this data as SELinux context--I'm probably very wrong). That is, what is this piece of data & what are the three parts of, for example:

Quote:
system_u:object_r:httpd_sys_script_exec_t
or
system_u:object_r:httpd_sys_content_t
or
root:object_r:httpd_sys_content_t
Not sure how to fix that^

Last edited by bluegospel; 07-05-2011 at 03:42 PM. Reason: put literals in quotes
 
Old 07-05-2011, 04:54 PM   #9
bluegospel
Member
 
Original Poster
Found my answer: http://en.wikipedia.org/wiki/Security-Enhanced_Linux (about half-way down).
 
Old 07-05-2011, 06:07 PM   #10
bluegospel
Member
 
Original Poster
Quote:
Code:
semanage fcontext -a -t httpd_sys_content_t --ftype -- "/var/www/sub1(/.*)?"

After this:
Code:
restorecon -RF /var/www/sub1
Here, you're changing the "type" part of the security context. What are the other parts of the SELinux context--name and role--what purposes do they serve?
 
Old 07-05-2011, 06:52 PM   #11
chrism01
LQ Guru
 
See chap 43 http://www.linuxtopia.org/online_boo...ion/index.html.
In short, there are 5 'parts' to the security label
Code:
user_u:object_r:type_t:s0:c0
user_u = user associated with this
object_r = object 'role'
type_t = security type enforcement
s0 = security classification eg unclassified, confidential, secret, top secret
c0 = security compartment eg methods, resources
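Pulling together the semanage/restorecon advice in #2 and #4, the file_spec question in #7 and the label layout in #11, here is an added Python example (not from the thread or from any of its posters) that emulates how restorecon applies `semanage fcontext` rules: the anchored regex, the `--ftype` filter that separates files from directories, and what a label set only with chcon loses on relabel. The rule list, paths and on-disk labels are constructed for illustration; real libselinux also orders rules by specificity, which the emulation does not model.

```python
"""Emulate how restorecon applies rules added with `semanage fcontext`. Added
example, not from the thread: rules live in memory here, not file_contexts.local."""
import re
from typing import NamedTuple, Optional

class FcontextRule(NamedTuple):
    file_spec: str        # regex as given to semanage, matched against the whole path
    ftype: Optional[str]  # "--" regular files only, "-d" directories only, None = any
    context: str          # user:role:type:level

# Constructed rules for the OP's question: files vs directories under /var/www/sub1.
RULES = [
    FcontextRule(r"/var/www(/.*)?",      None, "system_u:object_r:httpd_sys_content_t:s0"),
    FcontextRule(r"/var/www/sub1(/.*)?", "--", "system_u:object_r:httpd_sys_script_exec_t:s0"),
    FcontextRule(r"/var/www/sub1(/.*)?", "-d", "system_u:object_r:httpd_sys_content_t:s0"),
]

def split_context(context):
    """Break a label into the parts listed in post #11 (the level may be absent)."""
    user, role, type_, *level = context.split(":")
    return {"user": user, "role": role, "type": type_, "level": ":".join(level) or None}

def resolve_context(path, kind, rules=RULES):
    """Label the rules assign to `path` (kind "file" or "dir"), or None.
    Simplification: last matching rule wins; real libselinux also orders
    rules by specificity before matching, which is not modelled here."""
    wanted = {"file": "--", "dir": "-d"}[kind]
    matched = None
    for rule in rules:
        if rule.ftype in (None, wanted) and re.fullmatch(rule.file_spec, path):
            matched = rule.context
    return matched

def relabel_plan(on_disk, rules=RULES):
    """Like `restorecon -Rnv`: (path, old, new) for every object whose current
    label, e.g. one set with chcon, differs from what the rules specify."""
    changes = []
    for path, (kind, label) in sorted(on_disk.items()):
        target = resolve_context(path, kind, rules)
        if target is not None and target != label:
            changes.append((path, label, target))
    return changes

# Constructed snapshot of current labels (`ls -Z`); upload/ was hand-labelled with chcon.
ON_DISK = {
    "/var/www/sub1":            ("dir",  "system_u:object_r:httpd_sys_content_t:s0"),
    "/var/www/sub1/index.cgi":  ("file", "system_u:object_r:httpd_sys_content_t:s0"),
    "/var/www/sub1/upload":     ("dir",  "unconfined_u:object_r:httpd_sys_rw_content_t:s0"),
    "/var/www/html/index.html": ("file", "system_u:object_r:httpd_sys_content_t:s0"),
}
```

`relabel_plan(ON_DISK)` reports index.cgi (its type does not match the files-only rule) and upload/ (a chcon label that the next relabel would undo), while the directory rule leaves /var/www/sub1 itself alone.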
 
Old 07-05-2011, 09:05 PM   #12
bluegospel
Member
 
Registered: Jan 2010
Distribution: centOS
Posts: 404

Original Poster
Rep: Reputation: 53
Quote:
In short, there are 5 'parts' to the security label. . .
Interesting. Thanks!
 
  

