Modifying file contexts in SELinux

June 08, 2021

We now know how to set SELinux contexts, both directly through tools such as chcon and through the restorecon application, which queries the SELinux context list to know what context a file should have. Yet restorecon is not the only application that considers this context list.

Using setfiles, rlpkg, and fixfiles

The setfiles application is an older one, which requires the path to the context list file itself to reset contexts. It is often used under the hood of other applications, so most administrators do not need to call setfiles directly anymore:

# setfiles /etc/selinux/targeted/contexts/files/file_contexts /srv/web

Another set of tools are the rlpkg (Gentoo) and fixfiles (CentOS and related distributions) applications. Both these applications have a nice feature: they can be used to reset the contexts of the files of an application rather than having to iterate over the files manually and run restorecon against them.

In the next example, we’re using these tools to restore the contexts of the files provided by the nginx package:

# rlpkg nginx
# fixfiles -R nginx restore

Another feature of both applications is that they can be used to relabel the entire filesystem without the need to perform a system reboot, like so:

# rlpkg -a -r
# fixfiles -f -F relabel

Of course, this is not as fine-grained as the commands before.

Relabeling the entire filesystem

The rlpkg and fixfiles commands as listed in the previous section are not the only available approaches for relabeling the entire filesystem when working with a CentOS (or related) distribution. SELinux offers two other methods to ask the system to perform a full filesystem relabeling operation during (re)boot: placing a touch file (which the system reads at boot time) or configuring a boot parameter.

The touch file is called .autorelabel and should be placed in the root filesystem. Once set, the system needs to be rebooted:

# touch /.autorelabel
# reboot

We trigger the same behavior if we add the autorelabel=1 parameter to the boot parameter list (the same place where we can set the selinux= and enforcing= parameters, as discussed earlier).

Asking the system to perform a full filesystem relabeling operation will take a while. When finished, the system will reboot again. Touch files will be removed automatically after the relabeling operation has finished.

Automatically setting context with restorecond

Contexts can also be applied by the restorecond daemon. The purpose of this daemon is to enforce the expression list rules onto a configurable set of locations, defined in the /etc/selinux/restorecond.conf file.

The following set of files and directories is an example list of locations configured in the restorecond.conf file so that restorecond automatically applies the SELinux contexts on these files and directories whenever it detects a context change in them:

/etc/services
/etc/resolv.conf
/etc/samba/secrets.tdb
...
/root/.ssh/*

In this case, if a process creates a file that matches any of the paths listed above, the Linux inotify subsystem will notify restorecond of it. restorecond will then relabel the file according to the expression list, applying the correct label regardless of the process (and context) that created the file.

The use of restorecond is primarily for historical reasons, when SELinux didn’t support named file transitions. At that time, writing resolv.conf in /etc could not be differentiated from writing to the passwd file in /etc. The introduction of named file transitions has considerably reduced the need for restorecond.

Setting SELinux context at boot with tmpfiles

If the Linux distribution uses systemd, then you can use systemd-tmpfiles to automatically set SELinux context at boot. systemd uses the tmpfiles application to automatically create and manage volatile locations on the system, such as locations inside /run when /run is a tmpfs-mounted filesystem (an in-memory filesystem).

Administrators can configure tmpfiles to automatically create files, directories, device files, symbolic links, and others at boot, and to reset the permissions on resources. It is through this reset operation that we can use tmpfiles to set the right SELinux context at boot time.

The example we gave used a directory called /tmp/tmp-inst, which had to have the 000 permission set, and which will host the user-oriented /tmp views. Rather than having to create and set this permission each time, we can configure tmpfiles to do this for us, and define the right SELinux context up front:

# semanage fcontext -a -t tmp_t -f d "/tmp/tmp-inst"

In /etc/tmpfiles.d, we create a file called selinux-polyinstantiation.conf with the following content:

d /tmp/tmp-inst 000 root root

The name of the file can be chosen freely, but make sure it uses the .conf suffix. Every time the system boots, systemd-tmpfiles will ensure that the /tmp/tmp-inst directory is created with the appropriate permissions.

If a location does not need to be created, but only its SELinux context reset, then you can use the z (one resource) or Z (recursively) options in the tmpfiles configuration. This is used, for instance, by the default SELinux tmpfiles configuration, selinux-policy.conf, in /usr/lib/tmpfiles.d:

z /sys/devices/system/cpu/online - - -

The - entries tell tmpfiles not to adjust the permissions and ownership, and only to reset the SELinux context.
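
The tmpfiles.d lines above differ in what they do to a path: d creates it, while z and Z only reset labels. As an added example (not from the article or from systemd), the following shell function reads tmpfiles.d-format lines and reports which entries create a path and which only reset the SELinux context; the sample input is constructed, and /srv/web/cache is a hypothetical path.

```shell
#!/bin/sh
# Added example: summarise how tmpfiles.d lines treat a path at boot.
# Reads tmpfiles.d-format text on stdin and prints, per entry:
#   <action> <path> <permission handling>
# Limitation: paths containing whitespace (quoted in tmpfiles.d) are not handled.
tmpfiles_label_report() {
    awk '
    /^[ \t]*#/ { next }                  # comment lines
    NF == 0    { next }                  # blank lines
    {
        kind = substr($1, 1, 1)          # type letter; modifiers such as "!" follow it
        path = $2
        # A missing trailing field is treated like "-".
        mode  = (NF >= 3 ? $3 : "-")
        user  = (NF >= 4 ? $4 : "-")
        group = (NF >= 5 ? $5 : "-")

        relabel = (kind == "z" || kind == "Z")
        if (kind == "z")      action = "relabel"
        else if (kind == "Z") action = "relabel-recursive"
        else if (kind == "d" || kind == "D" || kind == "f") action = "create"
        else                  action = "other(" kind ")"

        # For z/Z a "-" leaves the attribute untouched; elsewhere it means the default.
        dflt = (relabel ? "unchanged" : "default")
        if (relabel && mode == "-" && user == "-" && group == "-") {
            perms = "context-only"
        } else {
            if (mode == "-")  mode = dflt
            if (user == "-")  user = dflt
            if (group == "-") group = dflt
            perms = "mode=" mode " owner=" user ":" group
        }
        print action, path, perms
    }'
}

# Constructed sample: the two lines shown in the article plus one recursive
# entry on a hypothetical path.
sample_conf() {
    cat <<'EOF'
# selinux-polyinstantiation.conf
d /tmp/tmp-inst 000 root root
z /sys/devices/system/cpu/online - - -
Z /srv/web/cache 0750 - -
EOF
}

sample_conf | tmpfiles_label_report
```

To review a live system, pipe the .conf files from /etc/tmpfiles.d and /usr/lib/tmpfiles.d into `tmpfiles_label_report` instead of the sample.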
