FileLabelRecipe

From SELinux Wiki

(Difference between revisions)
Revision as of 15:05, 27 October 2009
ChrisPeBenito

Current revision (18:28, 31 August 2010)
Jaxelson
(added category)
 
(2 intermediate revisions not shown.)
Line 1: Line 1:
-If you want to change the context of a file the ''chcon'' program. However, changes made this way will not preserved if the file is relabeled by using ''restorecon'' or using the /.autorelabel file and rebooting. The ''semanage'' program is used to make customizations to the SELinux policy configuration.+The chcon program can change the context of a file; however, changes made with chcon are not preserved if the file is relabeled with restorecon, or if the entire file system is relabeled using "touch /.autorelabel" and then rebooting. The semanage program can make persistent customizations to the SELinux policy configuration.
-For example, if you want to set the file '''/path/to/myfile''' to have the type '''myfile_t''', the following semanage command can be run:+To run semanage, you must be the Linux root user and in a role allowed to run semanage, such as sysadm_r or unconfined_r. The following example uses semanage to set the myfile_t type for the "/path/to/myfile" file:
# semanage fcontext -a -t myfile_t /path/to/myfile # semanage fcontext -a -t myfile_t /path/to/myfile
-You must be the root Linux user and in a role allowed to run semanage, such as sysadm_r or unconfined_r.+This semanage command adds an entry in the system file contexts. This entry will be persistent, even after the distribution policy is updated. If you change policies, for example, from targeted to MLS, you must re-run the above command to add the entry to the new policy. Run the restorecon command to apply the changes added via "semanage fcontext":
- +
-This will add an entry in the system file contexts. This entry will be persistent, even when the distribution policy is updated. However, if you change policies, e.g. from targeted to mls, you will have to re-run the above command to add it to the new policy. This can be tested by running the ''restorecon'' command and examining the file's context afterward:+
# restorecon /path/to/myfile # restorecon /path/to/myfile
# ls -Z /path/to/myfile # ls -Z /path/to/myfile
system_u:object_r:myfile_t /path/to/myfile system_u:object_r:myfile_t /path/to/myfile
 +
 +[[Category:Recipes]]
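
Review bot: The rewritten sentence ending 'Run the restorecon command to apply the changes added via "semanage fcontext":' introduces only restorecon, but the block that follows it also runs ls -Z and shows the expected context. The removed sentence covered that step ("examining the file's context afterward"), so the verification is now unexplained. Suggest ending the new sentence with something like 'and then check the file's context with ls -Z:'. As a style point, the new text drops the ''chcon'' / ''restorecon'' italics and the '''/path/to/myfile''' bold in favour of bare words and double quotes; command names and paths should be marked up consistently throughout the page.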

Current revision

The chcon program can change the context of a file; however, changes made with chcon are not preserved if the file is relabeled with restorecon, or if the entire file system is relabeled using "touch /.autorelabel" and then rebooting. The semanage program can make persistent customizations to the SELinux policy configuration.

To run semanage, you must be the Linux root user and in a role allowed to run semanage, such as sysadm_r or unconfined_r. The following example uses semanage to set the myfile_t type for the "/path/to/myfile" file:

# semanage fcontext -a -t myfile_t /path/to/myfile

This semanage command adds an entry in the system file contexts. This entry will be persistent, even after the distribution policy is updated. If you change policies, for example, from targeted to MLS, you must re-run the above command to add the entry to the new policy. Run the restorecon command to apply the changes added via "semanage fcontext", then check the file's context with ls -Z:

# restorecon /path/to/myfile
# ls -Z /path/to/myfile
system_u:object_r:myfile_t /path/to/myfile
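
The following script is an added example, not part of the wiki page. It checks for the situation the first paragraph describes: a file whose current type (for instance one set with chcon) differs from the type the file contexts assign, so restorecon or a full relabel would reset it. It assumes GNU stat and matchpathcon from the libselinux utilities are installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample contexts used in the
# checks are constructed. Assumes GNU stat and matchpathcon (libselinux tools).

# Print the type: the third colon-separated field of a context string.
# Works with or without a trailing MLS/MCS level ("...:myfile_t:s0").
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare a file's current context with the one the file contexts assign.
# Returns 0 when the types match, 1 on drift, 3 when no entry covers the path.
check_label() {
    path=$1; current=$2; expected=$3
    if [ "$expected" = "<<none>>" ]; then
        echo "NOSPEC $path has no file-context entry"
        return 3
    fi
    cur_t=$(context_type "$current")
    exp_t=$(context_type "$expected")
    if [ "$cur_t" = "$exp_t" ]; then
        echo "OK $path $cur_t"
        return 0
    fi
    echo "DRIFT $path is $cur_t, restorecon would set $exp_t"
    return 1
}

# On an SELinux host: read the live label and the configured default.
audit_path() {
    live=$(stat -c %C "$1") || return 2
    want=$(matchpathcon -n "$1") || return 2
    check_label "$1" "$live" "$want"
}

# Audit every path given on the command line (does nothing with no arguments).
for p in "$@"; do
    audit_path "$p" || true
done
```

A DRIFT line means the label will not survive a relabel until a matching "semanage fcontext -a" entry is added for that path.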