PolicyConfigurationFiles

From SELinux Wiki

Policy Configuration Files

Each file discussed in this section is relative to the policy name as follows:

/etc/selinux/<policy_name>

The majority of files are installed by the Reference Policy, semanage(8) or semodule(8) commands. It is possible to build custom monolithic policies that only use the files installed in this area (i.e. do not use semanage or semodule). For example the simple monolithic policy described in the Notebook source tarball could run at init 3 (i.e. no X-Windows) and only require the following configuration files:

policy/policy.29 - The binary policy loaded into the kernel.
context/files/file_contexts - To allow the filesystem to be relabeled.

If the simple policy is to run at init 5, (i.e. with X-Windows) then an additional two files are required:

context/dbus_contexts - To allow the dbus messaging service to run under SELinux.
context/x_contexts - To allow the X-Windows service to run under SELinux (or XSELinux could be disabled as discussed in the SELinux X-Windows Support section).

seusers File

The seusers(5) file is used by login programs (normally via the libselinux library) and maps GNU / Linux users (as defined in the user / passwd files) to SELinux users (defined in the policy). A typical login sequence would be:

  • Using the GNU / Linux user_id, look up the seuser_id in this file. If an entry cannot be found, then use the __default__ entry.
  • To determine the remaining context to be used as the security context, read the contexts/users/[seuser_id] file. If this file is not present, then:
  • Check for a default context in the contexts/default_contexts file. If no default context is found, then:
  • Read the contexts/failsafe_context file to allow a fail safe context to be set.

Note: The system_u user is defined in this file, however there must be no system_u GNU / Linux user configured on the system.

The format of the seusers file is the same as the files described in the modules/active/seusers.final section, where an example semanage user command is also shown.

Example seusers file contents:

# seusers file for non-MCS/MLS systems.

system_u:system_u
root:root
fred:user_u
__default__:user_u

# seusers file for an MLS system. Note that the system_u user
# has access to all security levels and therefore should not be
# configured as a valid GNU / Linux user.

system_u:system_u:s0-s15:c0.c255
root:root:s0-s15:c0.c255
fred:user_u:s0
__default__:user_u:s0

Supporting libselinux API functions are:

getseuser
getseuserbyname

booleans and booleans.local File

Generally these booleans(5) files are not present if semanage(8) is being used to manage booleans (see the modules/active/booleans.local File section). However if semanage is not being used or there is an SELinux-aware application that uses the libselinux functions listed below, then these files may be present (they could also be present in older Reference policies):

security_set_boolean_list(3) - Writes a booleans.local file if flag permanent = '1'.
security_load_booleans(3) - Will look for a booleans or booleans.local file here unless a specific path is specified.

Both files have the same format and contain one or more boolean names. The format is:

boolean_name value

Where:

boolean_name The name of the boolean.
value The default setting for the boolean that can be one of the following:
true | false | 1 | 0


Note that if SETLOCALDEFS is set in the SELinux config file, then selinux_mkload_policy(3) will check for a booleans.local file in the selinux_booleans_path(3), and also a local.users file in the selinux_users_path(3).

booleans.subs_dist File

The booleans.subs_dist file (if present) will allow new boolean names to be allocated to those in the active policy. This file was added because many older booleans began with 'allow', which made it difficult to determine what they did. For example the boolean allow_console_login becomes more descriptive as login_console_enabled. If the booleans.subs_dist file is present, then either name may be used. selinux_booleans_subs_path(3) will return the active policy path to this file and selinux_boolean_sub(3) will return the translated name.

Each line within the substitution file booleans.subs_dist is:

policy_bool_name new_name

Where:

policy_bool_name
The policy boolean name.
new_name
The new boolean name.

Example:

# booleans.subs_dist

# policy_bool_name          new_name
allow_auditadm_exec_content auditadm_exec_content
allow_console_login         login_console_enabled
allow_cvs_read_shadow       cvs_read_shadow
allow_daemons_dump_core     daemons_dump_core

When security_get_boolean_names(3) or security_set_boolean(3) is called with a boolean name and the booleans.subs_dist file is present, the name will be looked up and if using the new_name, then the policy_bool_name will be used (as that is what is defined in the active policy).

Supporting libselinux API functions are:

selinux_booleans_subs_path
selinux_booleans_sub
security_get_boolean_names
security_set_boolean

setrans.conf File

The setrans.conf(8) file is used by the mcstransd(8) daemon (available in the mcstrans rpm). The daemon enables SELinux-aware applications to translate the MCS / MLS internal policy levels into user friendly labels.

There are a number of sample configuration files within the mcstrans package that describe the configuration options in detail that are located at /usr/share/mcstrans/examples.

The daemon will not load unless a valid MCS or MLS policy is active.

The translations can be disabled by adding the following line to the file:

disable = 1

This file will also support the display of information in colour. The configuration file that controls this is called secolor.conf and is described in the secolor.conf section.

The file format is described in setrans.conf(8) with the following giving an overview:

# Syntax

# A domain is a self consistent domain of translation (English, German, Paragraph Markings ...)
Domain=NAME1

# Within a domain are a number of fixed translations
# format is raw_range=trans_range
s3:c200.c511=Confidential
# repeat as required...

# Within a domain are variable translations that are a Base + ModifierGroup + ModifierGroup
Base=Sensitivity Levels
# raw_range=name
s1=Unclassified
# Aliases have the same name but a different translation.
# The first one is used to compute translations
s1=U
# inverse bits should appear in the base of any level that uses inverse bits
s2:c200.c511=Restricted
# repeat as required...

# Modifier Groups should be in the order of appearance in the translated range.
ModifierGroup=GROUP1
# Allowed white space can be defined
Whitespace=- ,/
# Join defines the character between multiple members of this group
Join=/
# A Prefix can be defined per group
Prefix=Releasable to
# Inverse categories (releasabilities) should always be set as Default categories in every ModifierGroup
Default=c200.c511
# format is raw_categories=name
# ~ turns off inverse bits
~c200.c511=EVERYBODY

# Aruba - bit 201
~c200,~c201=ABW
~c200,~c201=AA
# Afghanistan - bit 202
~c200,~c202=AFG
~c200,~c202=AF
# repeat as required...

# Another Modifier Group
ModifierGroup=GROUP2
# With different white space
Whitespace= 
# And different Join
Join=,
# A Suffix can be defined per group
Suffix=Eyes only
# Default categories need to be consistent
Default=c200.c511

# New domain 
Domain=NAME2

# any text can be put in a separate file
Include=PATH
Include=PATH

Example file contents:

# setrans.conf
#
# Multi-Level Security translation table for SELinux
# 
# Uncomment the following to disable translation library
# disable=1
#
# SystemLow and SystemHigh
s0=SystemLow
s15:c0.c1023=SystemHigh
s0-s15:c0.c1023=SystemLow-SystemHigh

# Unclassified level
s1=Unclassified

# Secret level with compartments
s2=Secret
s2:c0=A
s2:c1=B

# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
s1-s15:c0.c1023=Unclassified-SystemHigh

# ranges for Secret with compartments
s0-s2=SystemLow-Secret
s2:c1-s15:c0.c1023=Secret:B-SystemHigh
s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh

Supporting libselinux API functions are:

selinux_translations_path
selinux_raw_to_trans_context
selinux_trans_to_raw_context

secolor.conf File

The secolor.conf(5) file controls the colour to be associated to the components of a context when information is displayed by an SELinux colour-aware application (currently none, although there are two examples in the Notebook source tarball under the libselinux/examples directory). The file format is as follows:

color color_name = #color_mask

context_component string fg_color_name bg_color_name 

Where:

color The color keyword.
color_name A descriptive name for the colour (e.g. red).
color_mask A colour mask starting with a hash (#) that describes the RGB colours with black being #000000 and white being #ffffff.
context_component The colour translation supports different colours on the context string components (user, role, type and range). Each component is on a separate line.
string This is the context_component string that will be matched with the raw context component passed by selinux_raw_context_to_color(3).

A wildcard '*' may be used to match any undefined string for the user, role and type context_component entries only.

fg_color_name The color_name string that will be used as the foreground colour.

A color_mask may also be used.

bg_color_name The color_name string that will be used as the background colour.

A color_mask may also be used.


Example file contents:

color black = #000000
color green = #008000
color yellow = #ffff00
color blue = #0000ff
color white = #ffffff
color red = #ff0000
color orange = #ffa500
color tan = #D2B48C

user * = black white
role * = white black
type * = tan orange
range s0-s0:c0.c1023 = black green
range s1-s1:c0.c1023 = white green
range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
range s15:c0.c1023 = black yellow

Supporting libselinux API functions are:

selinux_colors_path
selinux_raw_context_to_color - this call returns the foreground
and background colours of the context string as the specified
RGB 'color' hex digits as follows:
     user      :    role       :       type    :     range
#000000 #ffffff #ffffff #000000 #d2b48c #ffa500 #000000 #008000
 black   white   white   black   tan     orange  black   green 
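The colour lookup described above, as an added Python example (not libselinux code): it parses the page's secolor.conf sample, honours the '*' fallback for user, role and type only, accepts a #rrggbb mask in place of a colour name, and returns the same fg/bg pairs the selinux_raw_context_to_color output above shows.

```python
"""Parse secolor.conf and map each context component to (fg, bg) colours.
Added example, not libselinux code; SECOLOR_CONF is the page's sample."""

import re

SECOLOR_CONF = """\
color black = #000000
color green = #008000
color yellow = #ffff00
color blue = #0000ff
color white = #ffffff
color red = #ff0000
color orange = #ffa500
color tan = #D2B48C

user * = black white
role * = white black
type * = tan orange
range s0-s0:c0.c1023 = black green
range s1-s1:c0.c1023 = white green
range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
range s15:c0.c1023 = black yellow
"""

COMPONENTS = ("user", "role", "type", "range")
_MASK = re.compile(r"^#[0-9a-fA-F]{6}$")   # colour mask: '#' plus six hex digits


def _resolve(colors, name, line):
    """A colour may be given by its color_name or directly as a #rrggbb mask."""
    if _MASK.match(name):
        return name.lower()
    if name not in colors:
        raise ValueError(f"undefined colour {name!r} in: {line}")
    return colors[name]


def parse_secolor(text):
    """Return (colors, rules): colors maps color_name -> lower-case #rrggbb,
    rules maps each context component -> [(string, fg, bg)] in file order."""
    colors = {}
    rules = {c: [] for c in COMPONENTS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lhs, _, rhs = line.partition("=")
        lhs, rhs = lhs.split(), rhs.split()
        if lhs and lhs[0] == "color":
            if len(lhs) != 2 or len(rhs) != 1 or not _MASK.match(rhs[0]):
                raise ValueError(f"bad color line: {line}")
            colors[lhs[1]] = rhs[0].lower()
        elif lhs and lhs[0] in COMPONENTS:
            if len(lhs) != 2 or len(rhs) != 2:
                raise ValueError(f"bad rule line: {line}")
            fg, bg = (_resolve(colors, n, line) for n in rhs)
            rules[lhs[0]].append((lhs[1], fg, bg))
        else:
            raise ValueError(f"unknown keyword: {line}")
    return colors, rules


def context_to_color(context, conf=SECOLOR_CONF):
    """Return {component: (fg, bg)} for a user:role:type[:range] context.
    An exact string match wins; '*' is only a fallback for user, role and
    type, so an unlisted range is an error rather than silently coloured."""
    _, rules = parse_secolor(conf)
    parts = context.split(":", 3)        # the range itself may contain ':'
    if len(parts) < 3:
        raise ValueError(f"not a context: {context}")
    result = {}
    for comp, value in zip(COMPONENTS, parts):
        exact = [r for r in rules[comp] if r[0] == value]
        wild = [r for r in rules[comp] if r[0] == "*" and comp != "range"]
        match = exact or wild
        if not match:
            raise KeyError(f"no colour defined for {comp}={value!r}")
        result[comp] = (match[0][1], match[0][2])
    return result
```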

policy/policy.<ver> File

This is the binary policy file that is loaded into the kernel to enforce policy and is built by either checkpolicy or semodule. Life is too short to describe the format but the libsepol source could be used as a reference or for an overview the "SELinux Policy Module Primer" notes.

By convention the file name extension is the policy database version used to build the policy, however it is not mandatory as the true version is built into the policy file. The different policy versions are discussed in the Policy Versions section.

contexts/customizable_types File

The customizable_types(5) file contains a list of types that will not be relabeled by the setfiles(8) or restorecon(8) commands. The commands check this file before relabeling and exclude those in the list unless the -F flag is used (see the man pages).

The file format is as follows:

type

Where:

type The type defined in the policy that needs to be excluded from relabeling. An example is when a file has been purposely relabeled with a different type to allow an application to work.


Example file contents:

# contexts/customizable_types
mount_loopback_t
public_content_rw_t
public_content_t
swapfile_t
sysadm_untrusted_content_t
sysadm_untrusted_content_tmp_t

Supporting libselinux API functions are:

is_context_customizable
selinux_customizable_types_path
selinux_context_path

contexts/default_contexts File

The default_contexts(5) file is used by SELinux-aware applications that need to set a security context for user processes (generally the login applications) where:

  1. The GNU / Linux user identity should be known by the application.
  2. If a login application, then the SELinux user (seuser), would have been determined as described in the seusers file section.
  3. The login applications will check the contexts/users/[seuser_id] file first and if there is no valid entry, will then look in the default_contexts file for a default context to use.

The file format is as follows:

role:type[:range] role:type[:range] ...

Where:

role:type[:range] The file contains one or more lines that consist of role:type[:range] pairs (including the MLS / MCS level or range if applicable).

The entry at the start of a new line corresponds to the partial role:type[:range] context of (generally) the login application.

The other role:type[:range] entries on that line represent an ordered list of valid contexts that may be used to set the users context.


Example file contents:

# contexts/default_contexts

system_r:crond_t:s0 system_r:system_crond_t:s0
system_r:local_login_t:s0 user_r:user_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0

Supporting libselinux API functions are:

# Note that the contexts/users/[seuser_id] file is also read
# by some of these functions.

selinux_contexts_path
selinux_default_context_path
get_default_context
get_ordered_context_list
get_ordered_context_list_with_level
get_default_context_with_level
get_default_context_with_role
get_default_context_with_rolelevel
query_user_context
manual_user_enter_context

An example use in this Notebook (to get over a small feature) is that when the initial basic policy was built, no default_contexts file entries were required as only one role:type of unconfined_r:unconfined_t had been defined, therefore the login process did not need to decide anything (as the only user context was unconfined_u:unconfined_r:unconfined_t).

However when adding the loadable module that used another type (ext_gateway_t) but with the same role and user (e.g. unconfined_u:unconfined_r:ext_gateway_t), it was found that the login process would always set the logged in user context to unconfined_u:unconfined_r:ext_gateway_t (i.e. the login application now had a choice and chose the wrong one, probably because the types are sorted and 'e' comes before 'u').

The end result was that as soon as enforcing mode was set, the system got bitter and twisted. To resolve this the default_contexts file entries were set to:

unconfined_r:unconfined_t unconfined_r:unconfined_t

The login process could now set the context correctly to unconfined_r:unconfined_t. Note that adding the same entry to the contexts/users/unconfined_u configuration file instead could also have achieved this.
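The lookup chain from the seusers section (seusers, then contexts/users/[seuser_id], then default_contexts, then failsafe_context) as an added Python example; this is not libselinux code, and the file contents, the allowed_roles parameter and the helper names are constructed for illustration. It also shows the point of the ext_gateway_t story: the first candidate listed on a matching line wins.

```python
"""Resolve a login context the way the seusers / default_contexts chain works.
Added example, not libselinux; all file contents below are constructed."""

# Constructed seusers file (non-MCS/MLS layout, as in the page's example).
SEUSERS = """\
# seusers file for non-MCS/MLS systems.
system_u:system_u
root:root
fred:user_u
__default__:user_u
"""

# Constructed contexts/default_contexts: the first entry on a line is the
# partial context of the login application, the rest is an ordered list of
# candidates for the user's context.
DEFAULT_CONTEXTS = """\
# contexts/default_contexts
system_r:local_login_t:s0 user_r:user_t:s0
system_r:sshd_t:s0 user_r:user_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
"""

# Constructed contexts/users/<seuser_id> files (same format); only root has one.
USER_CONTEXTS = {
    "root": "system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0\n",
}

# Constructed contexts/failsafe_context: a single role:type[:range].
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t:s0\n"


def _lines(text):
    """Yield non-empty, non-comment lines, stripped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def get_seuser(linux_user, seusers=SEUSERS):
    """Map a GNU/Linux user to (seuser_id, level); level is None for a
    non-MLS file.  Falls back to __default__, and returns None if that is
    missing too (a misconfigured seusers file)."""
    table = {}
    for line in _lines(seusers):
        fields = line.split(":", 2)      # MLS files carry a third field: the range
        if len(fields) < 2:
            raise ValueError(f"bad seusers line: {line}")
        table[fields[0]] = (fields[1], fields[2] if len(fields) == 3 else None)
    return table.get(linux_user, table.get("__default__"))


def _lookup(table_text, login_context, allowed_roles=None):
    """Return the first role:type[:range] candidate listed for login_context
    whose role is in allowed_roles (None = any role); None if no line matches."""
    for line in _lines(table_text):
        head, *candidates = line.split()
        if head != login_context:
            continue
        for cand in candidates:
            if allowed_roles is None or cand.split(":")[0] in allowed_roles:
                return cand
    return None


def get_default_context(linux_user, login_context, allowed_roles=None):
    """Walk seusers -> contexts/users/<seuser> -> default_contexts ->
    failsafe_context and return a full user:role:type[:range] context,
    or None when the user cannot be mapped to an SELinux user at all."""
    entry = get_seuser(linux_user)
    if entry is None:
        return None
    seuser, _level = entry               # the MLS level is left to the caller here
    partial = None
    per_user = USER_CONTEXTS.get(seuser)
    if per_user is not None:
        partial = _lookup(per_user, login_context, allowed_roles)
    if partial is None:
        partial = _lookup(DEFAULT_CONTEXTS, login_context, allowed_roles)
    if partial is None:                  # last resort: administrator access
        partial = next(_lines(FAILSAFE_CONTEXT))
    return f"{seuser}:{partial}"
```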

contexts/dbus_contexts File

This file is for the dbus messaging service daemon (a form of IPC) that is used by a number of GNU / Linux applications such as GNOME and KDE desktops. If SELinux is enabled, then this file needs to exist in order for these applications to work. The dbus-daemon(1) man page details the contents and the Free Desktop web site has detailed information at:

http://dbus.freedesktop.org

Example file contents:

# contexts/dbus_contexts

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<selinux>
</selinux>
</busconfig>

Supporting libselinux API function is:

selinux_context_path

contexts/default_type File

The default_type(5) file allows SELinux-aware applications such as newrole(1) to select a default type for a role if one is not supplied.

The file format is as follows:

role:type

Where:

role:type The file contains one or more lines that consist of role:type entries. There should be one line for each role defined within the policy.

Example file contents:

# contexts/default_type

auditadm_r:auditadm_t
secadm_r:secadm_t
sysadm_r:sysadm_t
staff_r:staff_t
unconfined_r:unconfined_t
user_r:user_t

Supporting libselinux API functions are:

selinux_default_type_path
get_default_type

contexts/failsafe_context File

The failsafe_context(5) file is used when a login process cannot determine a default context to use. The file contents will then be used to allow an administrator access to the system.

The file format is as follows:

role:type[:range]

Where:

role:type[:range] A single line that has a valid context to allow an administrator access to the system, including the MLS / MCS level or range if applicable.


Example file contents:

# contexts/failsafe_context - Taken from the targeted policy.

unconfined_r:unconfined_t
# contexts/failsafe_context - Taken from the MLS policy.

sysadm_r:sysadm_t:s0

Supporting libselinux API functions are:

selinux_context_path
selinux_failsafe_context_path
get_default_context
get_default_context_with_role
get_default_context_with_level
get_default_context_with_rolelevel
get_ordered_context_list
get_ordered_context_list_with_level

contexts/initrc_context File

This is used by the run_init(8) command to allow system services to be started in the same security context as init. This file could also be used by other SELinux-aware applications for the same purpose.

The file format is as follows:

user:role:type[:range]

Where:

user:role:type[:range] The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable.


Example file contents:

# contexts/initrc_context - Taken from the targeted policy.

system_u:system_r:initrc_t:s0
# contexts/initrc_context - Taken from the MLS policy 
# Note that the init process has full access via the 
# range s0-s15:c0.c255.

system_u:system_r:initrc_t:s0-s15:c0.c255

Supporting libselinux API functions are:

selinux_context_path

contexts/lxc_contexts File

This file supports labeling lxc containers within the libvirt library (see libvirt source src/security/security_selinux.c). This is similar to the virtual_domain_context and virtual_image_context files used by libvirt qemu services.

The file format is as follows:

process = "security_context"
file = "security_context"
content = "security_context"
sandbox_kvm_process = "security_context"
sandbox_lxc_process = "security_context"

Where:

process A single process entry that contains the lxc domain security context, including the MLS / MCS level or range if applicable.
file A single file entry that contains the lxc file security context, including the MLS / MCS level or range if applicable.
content A single content entry that contains the lxc content security context, including the MLS / MCS level or range if applicable.
sandbox_kvm_process, sandbox_lxc_process These entries may be present, however in F-20 they are not currently used.


Example file contents:

# contexts/lxc_contexts

process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"

Supporting libselinux API functions are:

selinux_context_path
selinux_lxc_context_path

contexts/netfilter_contexts File

This file will support the Secmark labeling for Netfilter / iptable rule matching of network packets, however it is currently unused (see the modules/active/netfilter_contexts file section for further information).

Supporting libselinux API functions are:

selinux_context_path
selinux_netfilter_context_path

contexts/removable_context File

The removable_context(5) file contains a single default label that should be used for removable devices that are not defined in the contexts/files/media file.

The file format is as follows:

user:role:type[:range]

Where:

user:role:type[:range] The file contains one line that consists of a security context, including the MLS / MCS level or range if applicable.

Example file contents:

# contexts/removable_contexts

system_u:object_r:removable_t:s0

Supporting libselinux API functions are:

selinux_removable_context_path

contexts/securetty_types File

The securetty_types(5) file is used by the newrole(1) command to find the type to use with tty devices when changing roles or levels.

The file format is as follows:

type

Where:

type Zero or more type entries that are defined in the policy for tty devices.

Example file contents:

# contexts/securetty_types

sysadm_tty_device_t
user_tty_device_t
staff_tty_device_t

Supporting libselinux API functions are:

selinux_securetty_types_path

contexts/sepgsql_contexts File

This file contains the default security contexts for SE-PostgreSQL database objects and is described in selabel_db(5).

The file format is as follows, with each line within the database contexts file being:

object_type object_name context

Where:

object_type This is the string representation of the object type.
object_name These are the object names of the specific database objects.

The entry can contain '*' for wildcard matching or '?' for substitution. Note that if the '*' is used, then be aware that the order of entries in the file is important. The '*' on its own is used to ensure a default fallback context is assigned and should be the last entry in the object_type block.

context The security context that will be applied to the object.


Example file contents:

# contexts/sepgsql_contexts file

# object_type object_name  context
db_database   my_database  system_u:object_r:my_sepgsql_db_t:s0
db_database       *        system_u:object_r:sepgsql_db_t:s0
db_schema        *.*       system_u:object_r:sepgsql_schema_t:s0

contexts/systemd_contexts File

This file is not currently used in F-20 but seems to contain file contexts to be used by tasks run via systemd(8) in a later release. There are some patches in the systemd mail archive that relate to this file.

The file format is as follows:

service_class = security_context

Where:

service_class One or more entries that relate to the systemd service (e.g. runtime, transient).
security_context The security context, including the MLS / MCS level or range if applicable of the service to be run.


Example file contents:

# contexts/systemd_contexts 

runtime=system_u:object_r:systemd_runtime_unit_file_t:s0

Supporting libselinux API functions are:

selinux_context_path
selinux_systemd_contexts_path

contexts/userhelper_context File

This file contains the default security context used by the system-config-* applications when running from root.

The file format is as follows:

security_context

Where:

security_context The file contains one line that consists of a full security context, including the MLS / MCS level or range if applicable.


Example file contents:

# /contexts/userhelper_context - Taken from the standard reference policy.

system_u:sysadm_r:sysadm_t
# contexts/userhelper_context - Taken from the MLS/MCS reference policy.

system_u:sysadm_r:sysadm_t:s0

Supporting libselinux API functions are:

selinux_context_path

contexts/virtual_domain_context File

The virtual_domain_context(5) file is used by the virtualization API (libvirt) and provides the qemu domain contexts available in the policy (see libvirt source src/security/security_selinux.c). There may be two entries in this file, with the second entry being an alternative domain context.

Example file contents:

# contexts/virtual_domain_context - From targeted policy.

system_u:system_r:svirt_t:s0

Supporting libselinux API functions are:

selinux_virtual_domain_context_path

contexts/virtual_image_context File

The virtual_image_context(5) file is used by the virtualization API (libvirt) and provides the image contexts that are available in the policy (see libvirt source src/security/security_selinux.c). The first entry is the image file context and the second entry is the image content context.

Example file contents:

# contexts/virtual_image_context - From targeted policy.

system_u:system_r:svirt_image_t:s0
system_u:system_r:svirtcontent_t:s0

Supporting libselinux API functions are:

selinux_virtual_image_context_path

contexts/x_contexts File

The x_contexts(5) file provides the default security contexts for the X-Windows SELinux security extension. The usage is discussed in the SELinux X-Windows Support section. The MCS / MLS version of the file has the appropriate level or range information added.

A typical entry is as follows:

# object_type object_name context
selection     PRIMARY     system_u:object_r:clipboard_xselection_t

Where:

object_type These are types of object supported and valid entries are: client, property, poly_property, extension, selection, poly_selection and events.
object_name These are the object names of the specific X-server resource such as PRIMARY, CUT_BUFFER0 etc. They are generally defined in the X-server source code (protocol.txt and BuiltInAtoms in the dix directory of the xorg-server source package).

This can contain '*' for 'any' or '?' for 'substitute' (see the CUT_BUFFER? entry where the '?' would be substituted for a number between 0 and 7 that represents the number of these buffers).

context This is the security context that will be applied to the object. For MLS/MCS systems there would be the additional MLS label.


Example file contents:

#
# Config file for XSELinux extension
#

### Rules for X Clients
# The default client rule defines a context to be used for all clients
# connecting to the server from a remote host.
#
client * system_u:object_r:remote_t

#
### Rules for X Properties
# Property rules map a property name to a context. A default property
# rule indicated by an asterisk should follow all other property rules.
#
# Properties that normal clients may only read
property _SELINUX_* system_u:object_r:seclabel_xproperty_t

# Clipboard and selection properties
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t

# Default fallback type
property * system_u:object_r:xproperty_t

#
### Rules for X Extensions
# Extension rules map an extension name to a context. A default extension
# rule indicated by an asterisk should follow all other extension rules.
#
# Restricted extensions
extension SELinux system_u:object_r:security_xextension_t

# Standard extensions
extension * system_u:object_r:xextension_t

#
### Rules for X Selections
# Selection rules map a selection name to a context. A default selection
# rule indicated by an asterisk should follow all other selection rules.
#
# Standard selections
selection PRIMARY system_u:object_r:clipboard_xselection_t
selection CLIPBOARD system_u:object_r:clipboard_xselection_t

# Default fallback type
selection * system_u:object_r:xselection_t

#
### Rules for X Events
# Event rules map an event protocol name to a context. A default event
# rule indicated by an asterisk should follow all other event rules.
#
# Input events
event X11:KeyPress system_u:object_r:input_xevent_t
event X11:KeyRelease system_u:object_r:input_xevent_t
event X11:ButtonPress system_u:object_r:input_xevent_t
event X11:ButtonRelease system_u:object_r:input_xevent_t
event X11:MotionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceKeyRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonPress system_u:object_r:input_xevent_t
event XInputExtension:DeviceButtonRelease system_u:object_r:input_xevent_t
event XInputExtension:DeviceMotionNotify system_u:object_r:input_xevent_t
event XInputExtension:DeviceValuator system_u:object_r:input_xevent_t
event XInputExtension:ProximityIn system_u:object_r:input_xevent_t
event XInputExtension:ProximityOut system_u:object_r:input_xevent_t

# Client message events
event X11:ClientMessage system_u:object_r:client_xevent_t
event X11:SelectionNotify system_u:object_r:client_xevent_t
event X11:UnmapNotify system_u:object_r:client_xevent_t
event X11:ConfigureNotify system_u:object_r:client_xevent_t

# Default fallback type
event * system_u:object_r:xevent_t

Supporting libselinux API functions are:

selinux_x_context_path
selabel_open
selabel_close
selabel_lookup
selabel_stats
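The object_type / object_name / context lookup used by both the sepgsql_contexts and x_contexts files, as an added Python example (not libselinux selabel code): first match in file order wins, '*' matches any run of characters and '?' one character, and a small lint reports entries shadowed by an earlier bare '*' for the same type, which is the ordering mistake the sepgsql section warns about. The sample file text is constructed from the page's examples.

```python
"""First-match wildcard lookup over object_type object_name context files.
Added example, not libselinux code; both sample files are constructed."""

import re

X_CONTEXTS = """\
### Rules for X Clients
client * system_u:object_r:remote_t
### Rules for X Properties
property _SELINUX_* system_u:object_r:seclabel_xproperty_t
property CUT_BUFFER? system_u:object_r:clipboard_xproperty_t
property * system_u:object_r:xproperty_t
### Rules for X Selections
selection PRIMARY system_u:object_r:clipboard_xselection_t
selection CLIPBOARD system_u:object_r:clipboard_xselection_t
selection * system_u:object_r:xselection_t
"""

SEPGSQL_CONTEXTS = """\
# object_type object_name  context
db_database   my_database  system_u:object_r:my_sepgsql_db_t:s0
db_database       *        system_u:object_r:sepgsql_db_t:s0
db_schema        *.*       system_u:object_r:sepgsql_schema_t:s0
"""


def _glob_to_regex(pattern):
    """'*' matches any run of characters, '?' exactly one; everything else
    is literal (so '.' in '*.*' really requires a dot)."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def load_specs(text):
    """Parse into [(object_type, compiled_pattern, raw_pattern, context)],
    preserving file order because order decides precedence."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields: {line}")
        otype, name, ctx = fields
        specs.append((otype, _glob_to_regex(name), name, ctx))
    return specs


def lookup(specs, object_type, object_name):
    """Return the context of the first spec whose type equals object_type
    and whose name pattern matches object_name, or None if nothing matches."""
    for otype, rx, _, ctx in specs:
        if otype == object_type and rx.match(object_name):
            return ctx
    return None


def shadowed_entries(specs):
    """Lint: (object_type, name) entries that can never match because a
    bare '*' entry for the same object_type precedes them in the file."""
    catchall_seen = set()
    shadowed = []
    for otype, _, name, _ in specs:
        if otype in catchall_seen:
            shadowed.append((otype, name))
        elif name == "*":
            catchall_seen.add(otype)
    return shadowed
```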

contexts/files/file_contexts File

The file_contexts(5) file is managed by the semodule(8) and semanage(8) commands[1] as the policy is updated (adding or removing modules or updating the base), and therefore should not be edited.

The file is used by a number of SELinux-aware commands (setfiles(8), fixfiles(8), matchpathcon(8), restorecon(8)) to relabel either part or all of the file system.

Note that users home directory file contexts are not present in this file as they are managed by the file_contexts.homedirs file as explained below.

The format of the file_contexts file is the same as the files described in the modules/active/file_contexts file section.

There may also be a file_contexts.bin present that is built and used by semanage(8). The format of this file conforms to the Perl compatible regular expression (PCRE) internal format.

Supporting libselinux API functions are:

selinux_file_context_path
selabel_open
selabel_close
selabel_lookup
selabel_stats

contexts/files/file_contexts.local File

This file is added by the semanage fcontext command as described in the modules/active/file_contexts.local file section to allow locally defined files to be labeled correctly. The file_contexts(5) man page also describes this file.

Supporting libselinux API functions are:

selinux_file_context_local_path

contexts/files/file_contexts.homedirs File

This file is managed by the semodule(8) and semanage(8) commands as the policy is updated (adding or removing users and modules or updating the base), and therefore should not be edited.

It is generated by the genhomedircon(8) command (in fact by semodule -Bn that rebuilds the policy) and used to set the correct contexts on the users home directory and files.

It is fully described in the modules/active/file_contexts.homedirs file section. The file_contexts(5) man page also describes this file.

There may also be a file_contexts.homedirs.bin present that is built and used by semanage(8). The format of this file conforms to the Perl compatible regular expression (PCRE) internal format.

Supporting libselinux API functions are:

selinux_file_context_homedir_path
selinux_homedir_context_path

contexts/files/file_contexts.subs and file_contexts.subs_dist File

These files allow substitution of file names (.subs for local use and .subs_dist for GNU / Linux distributions use) for the libselinux functions matchpathcon(3) and selabel_lookup(3). The file_contexts(5) man page also describes these files.

The subs files contain a list of space separated path names such as:

/myweb /var/www
/myspool /var/spool/mail

Then (for example), when matchpathcon(3) or selabel_lookup(3) is passed a path /myweb/index.html the functions will substitute the /myweb component with /var/www, with the final result being:

/var/www/index.html

Supporting libselinux API functions are:

selinux_file_context_subs_path
selinux_file_context_subs_dist_path
selabel_lookup
matchpathcon
matchpathcon_index
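The substitution described above, as an added Python example (not libselinux code): the subs text is the page's, the matching is restricted to whole path components so that a /myweb rule does not rewrite /mywebsite, and longest source prefix first is this example's own precedence choice (an assumption, not a documented libselinux rule).

```python
"""Apply file_contexts.subs style path substitution before a label lookup.
Added example, not libselinux code; SUBS is the page's sample."""

SUBS = """\
/myweb /var/www
/myspool /var/spool/mail
"""


def load_subs(text):
    """Return [(src, dst)] with trailing slashes removed, sorted longest src
    first (this example's precedence rule, an assumption) so a more specific
    prefix such as /myweb/static wins over /myweb."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2 or not all(f.startswith("/") for f in fields):
            raise ValueError(f"bad subs line: {line}")
        src, dst = (f.rstrip("/") for f in fields)
        if not src:                       # a bare "/" source is rejected here
            raise ValueError(f"refusing to substitute the root directory: {line}")
        pairs.append((src, dst or "/"))
    pairs.sort(key=lambda p: len(p[0]), reverse=True)
    return pairs


def substitute(path, pairs):
    """Rewrite the leading component(s) of path using the first matching src.
    The match must end at a component boundary: '/myweb' rewrites '/myweb'
    and '/myweb/...', never '/mywebsite/...'."""
    for src, dst in pairs:
        if path == src:
            return dst
        if path.startswith(src + "/"):
            rest = path[len(src):]
            return rest if dst == "/" else dst + rest
    return path
```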

contexts/files/media File

The media(5) file is used to map media types to a file context. If the media_id cannot be found in this file, then the default context in the contexts/removable_context file is used instead.

The file format is as follows:

media_id file_context

Where:

media_id The media identifier (those known are: cdrom, floppy, disk and usb).
file_context The context to be used for the device (note that it does not have the MLS / MCS level).


Example file contents:

# contexts/files/media 
# Note the same file is generated for all types of policy.

cdrom system_u:object_r:removable_device_t
floppy system_u:object_r:removable_device_t
disk system_u:object_r:fixed_disk_device_t

Supporting libselinux API functions are:

selinux_media_context_path

contexts/users/[seuser_id] File

These optional files are named after the SELinux user they represent. Each file has the same format as the contexts/default_contexts file and is used to assign the correct context to the SELinux user (generally during login). The user_contexts(5) man page also describes these entries.

Example file contents:

# contexts/users/unconfined_u - From the targeted policy.

system_r:crond_t:s0 unconfined_r:unconfined_t:s0
system_r:initrc_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 unconfined_r:unconfined_t:s0
system_r:sysadm_su_t:s0 unconfined_r:unconfined_t:s0
system_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:initrc_su_t:s0 unconfined_r:unconfined_t:s0
unconfined_r:unconfined_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 unconfined_r:unconfined_t:s0

Supporting libselinux API functions are:

selinux_user_contexts_path
selinux_users_path
selinux_usersconf_path
get_default_context
get_default_context_with_role 
get_default_context_with_level
get_default_context_with_rolelevel
get_ordered_context_list
get_ordered_context_list_with_level

logins/<linuxuser_id> File

These optional files are used by SELinux-aware login applications such as PAM (using the pam_selinux module) to obtain an SELinux user name and level based on the GNU / Linux login id and service name. It has been implemented for SELinux-aware applications such as FreeIPA (Identity, Policy, Audit - see http://freeipa.org/page/Main_Page for details). The service_seusers(5) man page also describes these entries.

The file name is based on the GNU/Linux user that is used at log in time (e.g. ipa).

If getseuser(3) fails to find an entry, then the seusers file is used to retrieve default information.

The file format is as follows:

service_name:seuser_id:level

Where:

service_name The name of the service.
seuser_id The SELinux user name.
level The run level


Example file contents:

# logins/ipa example entries

ipa_service:user_u:s0
another_service:unconfined_u:s0

Supporting libselinux API functions are:

getseuser

users/local.users File

Generally the local.users(5) file is not present if semanage(8) is being used to manage users, however if semanage is not being used then this file may be present (it could also be present in older Reference or Example policies).

The file would contain local user definitions in the form of user statements as defined in the modules/active/users.local section.

Note that if SETLOCALDEFS is set in the SELinux config file, then selinux_mkload_policy(3) will check for a local.users file in the selinux_users_path(3), and a booleans.local file in the selinux_booleans_path(3).





  1. As each module would have its own file_contexts component that is either added to or removed from the policy's overall /etc/selinux/<policy_name>/contexts/files/file_contexts file.