Using Fixfiles and Setting Mount Contexts for SELinux
Sequence 1. Using fixfiles
The fixfiles command can be used to reset the contexts of the files belonging to a particular application, rather than iterating over the files manually and running restorecon against each one. The fixfiles command has three modes, one of which must be specified when running the command:
- check Show any file-related objects whose security context does not match what is specified in the file context files.
- restore Relabel any file-related objects whose security context does not match what is specified in the file context files.
- relabel Like restore, but also optionally removes any files in the /tmp directory first.
-B If specified with onboot, it will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, restore will only affect files that were modified today.
-l logfile Save the output to the specified logfile
-F Force reset of context to match file_context for customizable files
-f Clear the /tmp directory without prompting for removal.
-R rpmpackagename Use the RPM database to discover all files within the specified packages and restore their file contexts (-a will get all files in the RPM database).
-C PREVIOUS_FILECONTEXT Diff the PREVIOUS_FILECONTEXT file against the currently installed one, and restore the context of all affected files.
-N time Only act on files created after the specified date. The date must be specified in “YYYY-MM-DD HH:MM” format.
- Check the contexts:
# fixfiles check
- Restore the context of all openssh files. Virtual file systems (/sys) are skipped:
# fixfiles -R openssh restore
- Relabel the entire file system without a reboot, forcing the reset of customizable types and clearing /tmp without prompting:
# fixfiles -f -F relabel
The fixfiles command is actually a shell script that uses either restorecon or setfiles depending on the requested use. Instead of requiring the user to specify which files or directories to relabel or check, fixfiles works on all mounted filesystems that support extended attribute labeling.
- Relabel the entire file system without a system reboot:
# fixfiles relabel
[root@localhost ~]# fixfiles relabel
Files in the /tmp directory may be labeled incorrectly, this command can remove all files in /tmp.
If you choose to remove files from /tmp, a reboot will be required after completion.
Do you wish to clean out the /tmp directory [N]
- Setup the machine to relabel on the next reboot.
# fixfiles onboot
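As an added example, not part of this lab, the following POSIX shell script summarises what fixfiles check reports before any restore is run. fixfiles check calls restorecon -n -v, which prints one line per mismatched object in the form "Would relabel PATH from CURRENT to EXPECTED"; the sample lines embedded in the script are constructed in that format rather than captured from a real host, and the function names are this example's own, not fixfiles options.

```shell
#!/bin/sh
# Summarise what "fixfiles check" reports before running "fixfiles restore".
# fixfiles check calls restorecon -n -v, which prints one line per mismatched object:
#   Would relabel PATH from CURRENT_LABEL to EXPECTED_LABEL
# The sample below is CONSTRUCTED in that format for this example; it is not output
# captured from a real system. Function names are this example's own, not fixfiles options.

SAMPLE_CHECK_OUTPUT='Would relabel /var/www/html/index.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/app.php from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Would relabel /root/.ssh/authorized_keys from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:ssh_home_t:s0'

# Number of objects (read from stdin) whose on-disk label differs from the
# file_contexts specification.
count_mismatches() {
    grep -c '^Would relabel '
}

# Aggregate mismatches as "COUNT current_type -> expected_type", most frequent first.
# Fields: 1=Would 2=relabel 3=path 4=from 5=current 6=to 7=expected; the type is the
# third colon-separated component of a label. A path containing spaces would shift the
# fields, so this is a quick survey for the administrator, not a parser for arbitrary
# file names.
mismatch_types() {
    awk '$1 == "Would" && $2 == "relabel" {
            split($5, cur, ":"); split($7, want, ":")
            n[cur[3] " -> " want[3]]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Paths (read from stdin) whose expected label carries the given type,
# e.g. httpd_sys_content_t.
files_expecting_type() {
    awk -v t="$1" '$1 == "Would" && $2 == "relabel" {
            split($7, want, ":"); if (want[3] == t) print $3
         }'
}

# Stand-alone run against the constructed sample. On a real host replace the printf
# with "fixfiles check" (or "fixfiles -R openssh check" for a single package).
printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | count_mismatches
printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | mismatch_types
printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | files_expecting_type httpd_sys_content_t
```

Reviewing the aggregated "current type -> expected type" pairs first is useful because a large number of web files carrying user_home_t usually means content was copied from a home directory, which fixfiles restore fixes, whereas unexpected types under /root or /etc deserve a look before relabelling.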
Sequence 2. Context Mounts
To mount a file system with a specified context, overriding any contexts already present, or to specify a different default context for a file system that does not support extended attributes, use mount -o context=SELinux_user:role:type:level. Context changes made this way are not written to disk.
For NFS, this default context uses the nfs_t type. Without additional mount options, this may prevent NFS volumes from being shared through other services, such as the Apache HTTP Server.
- Mount an NFS volume so that it can be shared by the Apache HTTP Server:
# mount server:/export /local/mount/point -o \
    context="system_u:object_r:httpd_sys_content_t:s0"
The context specified with this option does not persist between mounts.
- In common policies, the default context for a file system without extended-attribute support uses the file_t type. To use a different default context, mount the file system with the defcontext option:
# mount /dev/sda2 /test/ -o defcontext="system_u:object_r:samba_share_t:s0"
- To make context mounts persistent across remounting and reboots, add entries for the file systems in the /etc/fstab file or an automounter map, and use the required context as a mount option:
server:/export /local/mount/ nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
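As an added example, not part of this lab, the following POSIX shell helper validates a label of the form user:role:type:level, builds the fstab entry shown above from its parts, and audits fstab-format lines for context= or defcontext= values that are malformed (for instance a label missing its level field), so that the mistake is caught before the next reboot rather than when the mount is attempted. The function names and the sample fstab lines are constructed for this example and are not part of mount(8) or of the lab.

```shell
#!/bin/sh
# Validate SELinux labels used in context mounts and build persistent /etc/fstab entries.
# Added example for this lab; function names and the sample fstab lines are constructed
# here and are not part of mount(8) or of the original lab text.

# A label is user:role:type:level. The level is an MLS/MCS sensitivity with optional
# categories and an optional range, e.g. s0 or s0-s0:c0.c1023. Types in the targeted and
# reference policies end in _t, so that suffix is required to catch truncated labels.
valid_context() {
    _id='[a-z_][a-z0-9_]*'
    _cats='(:c[0-9]+(\.c[0-9]+)?(,c[0-9]+(\.c[0-9]+)?)*)?'
    _level="s[0-9]+$_cats(-s[0-9]+$_cats)?"
    printf '%s' "$1" | grep -Eq "^$_id:$_id:${_id}_t:$_level\$"
}

# Print one /etc/fstab line: DEVICE MOUNTPOINT FSTYPE OPTION="LABEL" 0 0
# OPTION is context (override every label on the file system) or defcontext (default
# label for a file system without extended attributes), the two options the lab covers.
selinux_fstab_entry() {
    _dev=$1; _mnt=$2; _fstype=$3; _opt=$4; _ctx=$5
    case "$_opt" in
        context|defcontext) ;;
        *) echo "option must be context or defcontext, got: $_opt" >&2; return 1 ;;
    esac
    if ! valid_context "$_ctx"; then
        echo "malformed SELinux label: $_ctx" >&2
        return 1
    fi
    # The trailing "0 0" (dump, fsck pass) matches the lab's NFS entry.
    printf '%s %s %s %s="%s" 0 0\n' "$_dev" "$_mnt" "$_fstype" "$_opt" "$_ctx"
}

# Read fstab-format lines on stdin and print "BAD MOUNTPOINT LABEL" for any entry whose
# quoted context= or defcontext= value fails validation. Prints nothing when all are fine.
audit_fstab_contexts() {
    while read -r _dev _mnt _fstype _opts _rest; do
        case "$_dev" in ''|'#'*) continue ;; esac
        # Prepend a comma so that ",context=" is never matched inside ",defcontext=".
        _ctx=$(printf ',%s' "$_opts" | sed -nE 's/.*,(context|defcontext)="([^"]*)".*/\2/p')
        [ -n "$_ctx" ] || continue
        valid_context "$_ctx" || printf 'BAD %s %s\n' "$_mnt" "$_ctx"
    done
}

# CONSTRUCTED fstab lines: a root file system, the lab's NFS entry, and a CIFS entry
# whose label is missing its level field.
SAMPLE_FSTAB='UUID=00000000-0000-0000-0000-000000000000 / xfs defaults 0 0
server:/export /local/mount nfs context="system_u:object_r:httpd_sys_content_t:s0" 0 0
//fileserver/share /mnt/cifs cifs credentials=/root/.cifs,context="system_u:object_r:samba_share_t" 0 0'

# Stand-alone run: build the lab's entry, then audit the sample table.
selinux_fstab_entry server:/export /local/mount nfs context system_u:object_r:httpd_sys_content_t:s0
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab_contexts
```

To audit a live system, pipe /etc/fstab into audit_fstab_contexts; after mounting, ls -Zd on the mount point shows the label that was applied, which for a context= mount should match the fstab value exactly.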
Take a look at the Courses offered with Course Contents at https://www.theskillpedia.com/category/course-contents/