Controlling and Maintaining SELinux; End User Control of SELinux - Red Hat Enterprise Linux 4 SELinux Guide

Controlling and Maintaining SELinux

SELinux presents both a new security paradigm and a new set of practices and tools for administrators
and some end-users. The tools and techniques discussed in this chapter focus on standard operations
performed by administrators, end-users, and analysts. More complex operations, such as compiling a
policy after a local change, are covered in Chapter 7 Compiling SELinux Policy.

5.1. End User Control of SELinux

In general, end users have little interaction with SELinux when Red Hat Enterprise Linux is running
the targeted policy. This is because users are running in the domain of unconfined_t along with the
rest of the system except the targeted daemons. This means that when you as an end-user come across
a need to use a special SELinux tool or even to check and change the context for a file, it is likely
to be when you are working with one of the targeted daemons. You can read more about the targeted
daemons in Section 3.1 What is the Targeted Policy?.

In most situations, standard DAC controls stop you from doing what you are not permitted before you
are stopped by SELinux, and you will never generate an avc: denied message.

These sections cover the general tasks and practices that an end-user might need to do on Red Hat
Enterprise Linux. Users of all privilege levels need to do these tasks as well.

5.1.1. Move or Copy Files

In file system operations, security context must now be considered in terms of the label of the file,
the process touching it, and the directories where the operation is happening. Because of this, moving
and copying files with mv and cp may have unexpected results.

Unless you tell it otherwise, cp follows the default behavior of creating a new file based on the domain
of the creating process and the type of the target directory. Unless there is a specific rule setting the
label, the file inherits the type from the target directory. The -Z user:role:type option allows you
to specify what label you want the new file to have.

    touch bar foo
    ls -Z bar foo
    -rw-rw-r--  auser    auser    user_u:object_r:user_home_t      bar
    -rw-rw-r--  auser    auser    user_u:object_r:user_home_t      foo
    # Doing a cp creates a file in the new location with the default
    # type based on the creating process and target directory. In
    # this case, there not being a specific rule about cp and /tmp,
    # the new file has the type of the parent directory:
    cp bar /tmp
    ls -Z /tmp/bar
    -rw-rw-r--  auser    auser    user_u:object_r:tmp_t            /tmp/bar
    # The -Z option allows you to specify the label for the new file:
    cp -Z user_u:object_r:user_home_t foo /tmp
    ls -Z /tmp/foo
    -rw-rw-r--  auser    auser    user_u:object_r:user_home_t      /tmp/foo

The type tmp_t is the default type for temporary files.
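The following script is an added example written for this section; it is not code from the RHEL 4
SELinux Guide or from Red Hat. It turns the labeling rule above into a small predictor (explicit
context wins, otherwise the new file takes the creating process's SELinux user, the object_r role
and the target directory's type) and, on a host that actually reports labels through ls -Z, repeats
the guide's two copies and checks that cp produced the predicted type. It assumes user:role:type
contexts as on RHEL 4 (a trailing MLS field such as :s0 is ignored if present), that /tmp is
labeled tmp_t, and hypothetical scratch file names; without labels it prints the prediction only.

```sh
#!/bin/sh
# Added example for this section; it is not code from the RHEL 4 SELinux Guide.
# Assumptions: contexts look like user:role:type as on RHEL 4 (a trailing MLS
# field such as :s0 is tolerated and ignored); file names are hypothetical;
# the copy check runs only where `ls -Z` actually reports labels.

# ctx_type CONTEXT -> the type field, e.g. user_u:object_r:tmp_t -> tmp_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# predict_cp_context PROC_USER DIR_CONTEXT [EXPLICIT_CONTEXT]
# The guide's rule for cp: an explicit context (-Z on RHEL 4, --context= on
# every coreutils) wins; otherwise, with no type_transition rule for this
# domain and directory, the new file gets the creating process's SELinux
# user, the object_r role that files carry, and the target directory's type.
predict_cp_context() {
    if [ -n "${3:-}" ]; then
        printf '%s\n' "$3"
    else
        printf '%s:object_r:%s\n' "$1" "$(ctx_type "$2")"
    fi
}

# file_context PATH -> the context token in `ls -dZ PATH`; empty on hosts
# that print no label (non-SELinux hosts show "?" or refuse the option)
file_context() {
    ls -dZ "$1" 2>/dev/null | tr ' ' '\n' | grep -E '^[^:]+:[^:]+:[^:]+' | head -n 1
}

# check_copy SRC DSTDIR [EXPLICIT_CONTEXT]
# Copies SRC into DSTDIR and compares the type cp produced with the
# prediction. Returns 0 on a match, 1 on a mismatch or copy failure, and 2
# when the host has no labels, so a caller can tell "cannot check" from "wrong".
check_copy() {
    src="$1"; dstdir="$2"; explicit="${3:-}"
    dir_ctx=$(file_context "$dstdir")
    [ -n "$dir_ctx" ] || return 2
    # SELinux user of the running process: user_u on RHEL 4, unconfined_u on
    # current targeted policies; fall back to the guide's user_u.
    proc_user=$(id -Z 2>/dev/null | cut -d: -f1)
    [ -n "$proc_user" ] || proc_user=user_u
    predicted=$(predict_cp_context "$proc_user" "$dir_ctx" "$explicit")
    if [ -n "$explicit" ]; then
        cp --context="$explicit" "$src" "$dstdir/" || return 1
    else
        cp "$src" "$dstdir/" || return 1
    fi
    actual=$(file_context "$dstdir/$(basename "$src")")
    if [ "$(ctx_type "$actual")" = "$(ctx_type "$predicted")" ]; then
        echo "ok: $dstdir/$(basename "$src") is $actual (predicted $predicted)"
    else
        echo "MISMATCH: predicted $predicted, got $actual"
        return 1
    fi
}

# demo: repeat the guide's two copies with a scratch file from $HOME, then
# clean up. Without labels it prints the prediction only and returns 2.
demo() {
    scratch=$(mktemp -p "${HOME:-/tmp}" labeldemo.XXXXXX) || return 1
    name=$(basename "$scratch")
    check_copy "$scratch" /tmp; rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "no SELinux labels on this host; predicted default label:" \
             "$(predict_cp_context user_u user_u:object_r:tmp_t)"
    else
        rm -f "/tmp/$name"
        # the guide's second case: carry the home directory label into /tmp
        check_copy "$scratch" /tmp "$(file_context "$scratch")" || rc=1
    fi
    rm -f "$scratch" "/tmp/$name"
    return "$rc"
}

demo || echo "demo exit status $?"
```

Two caveats for anyone running this on something newer than RHEL 4. First, the script uses
--context=CONTEXT rather than -Z CONTEXT: on RHEL 4's coreutils the two are synonyms, but from
coreutils 8.22 onward -Z takes no argument and simply asks for the destination's default context,
so the guide's cp -Z user_u:object_r:user_home_t foo /tmp form no longer parses there. Second, the
check compares only the type field, because the SELinux user of new files follows the creating
process (user_u in the guide's output, unconfined_u on current targeted policies). As a general
SELinux property rather than something the page shows, mv behaves differently from cp: a rename
does not relabel the inode, so a file moved out of your home directory keeps user_home_t, which is
the usual cause of the "unexpected results" the section warns about.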