Using semanage

In the scenario I've just presented, either chcon or restorecon will suit your needs just fine. The active SELinux policy defines what the security contexts of files in certain directories are supposed to look like, and as long as you're labelling files within directories that the policy already covers, restorecon will give them the right context. But let's say that you've created a directory elsewhere that you want to use to serve out web content files. You would need to set the httpd_sys_content_t type on that directory and all of the files within it. chcon can do that, but it only changes the label on the inode; the policy's file-context list still says that the directory should have its old type, so the next relabel (a restorecon on the directory, a fixfiles run, or an autorelabel at boot) will put the old type back. restorecon on its own won't help either, because it only applies whatever the policy already says. To make the change permanent, you'll need to use semanage to teach the policy about the new directory.

Let's say that, for some strange reason, I want to serve web content out of a directory that I've created in the /home directory:

[donnie@localhost home]$ pwd
/home

[donnie@localhost home]$ sudo mkdir webdir
[sudo] password for donnie:

[donnie@localhost home]$ ls -Zd webdir
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 webdir
[donnie@localhost home]$

A newly created directory inherits the type of its parent directory. Here the parent is /home itself, whose type is home_root_t, so that's what webdir gets, rather than the user_home_dir_t type that a normal user's home directory carries. Any files that I create within this directory inherit its type in the same way:

[donnie@localhost webdir]$ ls -Z
-rw-r--r--. root root unconfined_u:object_r:home_root_t:s0 index.html
[donnie@localhost webdir]$

The next step is to use semanage to add a permanent mapping of this directory to the httpd_sys_content_t type in the active policy's file-context list. Note that this only records the rule; it doesn't touch the labels that are already on disk, which is why the directory still shows home_root_t afterwards:

[donnie@localhost home]$ sudo semanage fcontext -a -t httpd_sys_content_t "/home/webdir(/.*)?"

[donnie@localhost home]$ ls -Zd /home/webdir
drwxr-xr-x. root root unconfined_u:object_r:home_root_t:s0 /home/webdir
[donnie@localhost home]$

Okay, here's the breakdown of the semanage command:

  • fcontext: Because semanage has many purposes, we have to specify that we want to work with a file context.
  • -a: This specifies that we're adding a new record to the context list for the active SELinux policy.
  • -t: This specifies the type that we want to map to the new directory. In this case, we're creating a new mapping with the httpd_sys_content_t type.
  • "/home/webdir(/.*)?": This bit of gibberish is a regular expression, a pattern language for matching text, and I can't go into the nitty-gritty details of regular expressions here. What matters is that SELinux treats every file-context pattern as anchored at both ends, so /home/webdir on its own would match only the directory itself. The (/.*)? part matches an optional slash followed by anything at all, which extends the rule to every file and subdirectory beneath /home/webdir without also catching an unrelated name such as /home/webdirectory. This is how you make the rule recursive, because semanage doesn't have an -R option switch. The quotes are there for the shell: without them, bash would try to interpret the parentheses and the question mark.

The final step is to run restorecon -R on the directory, which is what actually applies the new rule to the labels on disk:

[donnie@localhost home]$ sudo restorecon -R webdir

[donnie@localhost home]$ ls -Zd /home/webdir
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /home/webdir
[donnie@localhost home]$

Now the directory carries the httpd_sys_content_t type. The index.html file inside it gets the same treatment, because the (/.*)? part of the pattern covers it too, so ls -Z inside webdir would show httpd_sys_content_t on that file as well. The division of labour is worth remembering: semanage records the rule so that every future relabel preserves the type, and restorecon applies the rule right now. That's why the semanage-fcontext man page tells you to run restorecon after adding a rule.
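Here is the whole procedure as a script, an added example rather than code from the book: it adds the rule, applies it with restorecon, verifies the result with matchpathcon and a restorecon dry run, and can remove the rule again. The script name label_webroot.sh and the apply/verify/undo actions are my own invention; the script assumes the /home/webdir directory and httpd_sys_content_t type from the text and that the semanage tool is installed. The pattern_matches function needs no SELinux at all and shows what the regular expression does and does not cover.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: make the label of a custom
# web root persistent with semanage, apply it with restorecon, verify the result,
# and undo it again. Assumes the /home/webdir directory from the text and the
# semanage tool (policycoreutils-python-utils on Red Hat-family systems).
set -eu

WEB_TYPE="httpd_sys_content_t"

# semanage fcontext has no -R switch; recursion is expressed in the pattern.
# "(/.*)?" covers the directory itself and, optionally, anything below it.
fcontext_pattern() {
    printf '%s(/.*)?' "${1%/}"      # drop a trailing slash so the pattern stays a clean prefix
}

# Offline check of what a pattern covers. SELinux anchors every file-context
# pattern at both ends, which plain grep -E does not do, hence the ^ and $.
pattern_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Is there already a local (semanage-added) rule for this directory?
# -C lists only local customizations, not the rules shipped with the policy.
mapping_exists() {
    semanage fcontext -l -C | grep -Fq -- "$(fcontext_pattern "$1")"
}

# Record the rule in the policy's file-context list, then apply it to disk.
# Adding the rule alone relabels nothing; restorecon does the actual relabelling.
label_webroot() {
    local dir="$1" pattern
    pattern="$(fcontext_pattern "$dir")"
    if mapping_exists "$dir"; then
        echo "rule for $pattern already present, not adding it again"
    else
        semanage fcontext -a -t "$WEB_TYPE" "$pattern"
    fi
    restorecon -Rv "$dir"           # -v prints each file whose label changes
}

# Three things worth checking: what the policy now says the label should be,
# what the inode actually carries, and whether anything is still out of sync.
verify_webroot() {
    local dir="$1"
    matchpathcon "$dir"             # the policy's answer for the directory
    ls -Zd "$dir"                   # the label actually stored on disk
    # restorecon -n is a dry run; with -v it prints every file it would change,
    # so any output at all means labels and policy still disagree.
    if restorecon -Rnv "$dir" | grep -q .; then
        echo "labels under $dir do not match policy" >&2
        return 1
    fi
    echo "$dir and its contents match policy"
}

# Rollback: remove the local rule, then relabel so the files fall back to
# whatever type the base policy assigns to that path.
unlabel_webroot() {
    local dir="$1"
    semanage fcontext -d "$(fcontext_pattern "$dir")"
    restorecon -Rv "$dir"
}

main() {
    local dir="$1" action="${2:-apply}"
    if ! selinuxenabled 2>/dev/null; then
        echo "SELinux is not enabled on this host" >&2
        return 1
    fi
    case "$action" in
        apply)  label_webroot "$dir" && verify_webroot "$dir" ;;
        verify) verify_webroot "$dir" ;;
        undo)   unlabel_webroot "$dir" ;;
        *)      echo "usage: $0 <directory> [apply|verify|undo]" >&2; return 2 ;;
    esac
}

# Run only when given arguments, e.g. sudo bash label_webroot.sh /home/webdir;
# with no arguments the file just defines the functions above.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as sudo bash label_webroot.sh /home/webdir to add the rule and check the result, and with undo as the second argument to roll back. Afterwards, semanage fcontext -l -C lists just the local rules you've added, which is also the first place to look when a label mysteriously reverts after a relabel: if the path isn't in that list, only chcon ever set it.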

For more information on how to use semanage to manage security contexts, refer to the relevant man page by entering man semanage-fcontext.