How copying, moving and archiving files affect SELinux contexts, in detail
1. Temporarily changing a file's type
An incorrect file type is the most common cause of SELinux access denials.
1) Changing a file's SELinux context:
[root@localhost ~]# touch test.file  ## create a file
[root@localhost ~]# ls -Z test.file  ## show the file's SELinux context
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test.file
[root@localhost ~]# chcon -t samba_share_t test.file  ## change the file's default SELinux type
[root@localhost ~]# ls -Z test.file
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 test.file
[root@localhost ~]# restorecon -F -v test.file  ## restore the modified context to the default
restorecon reset /root/test.file context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:admin_home_t:s0
[root@localhost ~]# ls -Z test.file
-rw-r--r--. root root system_u:object_r:admin_home_t:s0 test.file
2) Changing a directory's SELinux context (the same as for a file, with an extra "-R" to recurse):
[root@localhost ~]# mkdir /web
[root@localhost ~]# touch /web/file{1,2}
[root@localhost ~]# ls -dZ /web  ## show the directory's SELinux context
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /web
[root@localhost ~]# ls -lZ /web/  ## show the contexts of the files in the directory
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file2
[root@localhost ~]# chcon -R -t httpd_sys_content_t /web/  ## temporarily change the directory's type to httpd_sys_content_t
[root@localhost ~]# ls -dZ /web/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /web/
[root@localhost ~]# ls -lZ /web/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
[root@localhost ~]# restorecon -R -v /web/  ## restore the default SELinux context
restorecon reset /web context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /web/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:default_t:s0
[root@localhost ~]# ls -lZ /web/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file2
[root@localhost ~]# ls -dZ /web/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /web/
2. Permanently changing a file's type
To permanently change the type of a file or directory, use the following commands:
semanage fcontext -{a|d|l|m} [-frst] filespec  ## -a add, -d delete, -l list, -m modify
restorecon -v filespec  ## semanage fcontext only writes the definition into the
"/etc/selinux/targeted/contexts/files/file_contexts.local" file;
restorecon is what applies that definition to the files, so the two together make the SELinux context change permanent.
1) Changing a file's SELinux context
[root@localhost tmp]# touch test.file
[root@localhost tmp]# ls -Z test.file
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.file
[root@localhost tmp]# yum install policycoreutils-python  ## install the package that provides the semanage tool
[root@localhost tmp]# semanage fcontext -a -t samba_share_t /tmp/test.file  ## define the test file's SELinux type as "samba_share_t"
[root@localhost tmp]# ls -Z /tmp/test.file  ## the test file's context has not changed yet
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/test.file
[root@localhost tmp]# restorecon -v /tmp/test.file  ## apply the context defined with semanage, making it permanent
restorecon reset /tmp/test.file context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:samba_share_t:s0
[root@localhost tmp]# ls -Z /tmp/test.file  ## the test file's context has now changed
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 /tmp/test.file
2) Changing a directory's SELinux context (once the directory is set up, newly created files under it automatically inherit its context):
[root@localhost ~]# mkdir /html
[root@localhost ~]# touch /html/file{1,2}
[root@localhost ~]# ls -dZ /html
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /html
[root@localhost ~]# ls -lZ /html/
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 file2
[root@localhost ~]# semanage fcontext -a -t httpd_sys_content_t "/html(/.*)?"  ## the regex "/html(/.*)?" matches the /html directory and
any file or subdirectory under it
[root@localhost ~]# restorecon -R -v /html/  ## apply the context defined with semanage, making it permanent
restorecon reset /html context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /html/file2 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /html/file1 context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@localhost ~]# ls -lZ /html/  ## verify the result
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 file2
[root@localhost ~]# ls -dZ /html/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /html/
3) To restore the /html contexts, run:
[root@localhost ~]# semanage fcontext -d "/html(/.*)?"  ## delete the custom context rule
[root@localhost ~]# restorecon -F -R -v /html/  ## apply permanently
restorecon reset /html context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /html/file2 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /html/file1 context unconfined_u:object_r:httpd_sys_content_t:s0->system_u:object_r:default_t:s0
[root@localhost ~]# ls -lZ /html  ## verify that the files' type went back from "httpd_sys_content_t" to the default "default_t"
-rw-r--r--. root root system_u:object_r:default_t:s0 file1
-rw-r--r--. root root system_u:object_r:default_t:s0 file2
[root@localhost ~]# ls -dZ /html
drwxr-xr-x. root root system_u:object_r:default_t:s0 /html
4) file_t and default_t
file_t: the file carries no SELinux label at all
default_t: the file's or directory's path matches no pattern defined in the file-context configuration
Confined domain programs cannot access files or directories of either type.
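As an added example (not from the original post), the following shell script models how restorecon decides a path's expected type from file_contexts rules: each rule is an anchored extended regex followed by a context, and the last matching rule wins, which is how the entries that semanage fcontext -a appends to file_contexts.local override the stock ones. The rule set is constructed: two stock-style rules plus the "/html(/.*)?" rule from step 2.

```shell
#!/bin/sh
# Constructed rule set in file_contexts syntax (regex, then context). The first
# two mimic stock rules; the third is what
# "semanage fcontext -a -t httpd_sys_content_t '/html(/.*)?'" appends to
# file_contexts.local.
RULES='/.* system_u:object_r:default_t:s0
/tmp/.* system_u:object_r:tmp_t:s0
/html(/.*)? system_u:object_r:httpd_sys_content_t:s0'

# expected_type PATH: print the type (third colon-separated field) of the last
# rule whose regex matches the whole path, or "none" if no rule matches.
expected_type() {
    printf '%s\n' "$RULES" | awk -v path="$1" '
        NF == 2 && match(path, "^(" $1 ")$") { ctx = $2 }   # later rule wins
        END {
            if (ctx == "") { print "none"; exit }
            split(ctx, c, ":")
            print c[3]
        }'
}

# needs_relabel PATH CURRENT_TYPE: succeed when the live label differs from the
# policy's expectation, i.e. when restorecon would rewrite it. This is why
# "semanage fcontext -a" alone changes nothing on disk: the rule exists, but
# the label on the inode is only rewritten by restorecon.
needs_relabel() {
    [ "$(expected_type "$1")" != "$2" ]
}

# Stand-alone demonstration over paths like those in section 2. Note that
# /htmlx is not covered by the anchored "/html(/.*)?" rule.
for p in /html /html/file1 /html/sub/index.html /htmlx /tmp/test.file; do
    printf '%-22s -> %s\n' "$p" "$(expected_type "$p")"
done
```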
3. What moving a file does to its SELinux context
Under SELinux, a moved file or directory keeps its original SELinux context unchanged.
Prepare the test file:
[root@localhost ~]# touch test.file
[root@localhost ~]# ls -Z test.file
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test.file
[root@localhost ~]# ls -dZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
Move test:
[root@localhost ~]# mv test.file /var/www/html/
[root@localhost ~]# ls -Z /var/www/html/test.file  ## after the move the type is still "admin_home_t"; it did not inherit "httpd_sys_content_t"
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/test.file
Note:
Compared with mv, cp is better at keeping a file's SELinux context consistent with its location, so that it remains accessible.
4. Checking a file's default context
With matchpathcon you can verify whether the SELinux labels of the files in a directory are correct.
Prepare the test files:
[root@localhost ~]# touch /var/www/html/file{1,2,3}  ## create three files
[root@localhost ~]# ls -Z /var/www/html/file*
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file2
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file3
Modify and test:
[root@localhost ~]# chcon -t samba_share_t /var/www/html/file1  ## temporarily change the context
[root@localhost ~]# ls -Z /var/www/html/file1
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/file1
[root@localhost ~]# matchpathcon -V /var/www/html/file?  ## check the labels; it reports that file1's "samba_share_t" should
be "httpd_sys_content_t"
/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
[root@localhost ~]# touch test.file
[root@localhost ~]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 test.file
[root@localhost ~]# mv test.file /var/www/html/  ## move the new file as a test
mv: overwrite '/var/www/html/test.file'? y
[root@localhost ~]# ls -Z /var/www/html/test.file
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /var/www/html/test.file
[root@localhost ~]# restorecon -v /var/www/html/*  ## repair the contexts
restorecon reset /var/www/html/file1 context unconfined_u:object_r:samba_share_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /var/www/html/test.file context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@localhost ~]# matchpathcon -V /var/www/html/*  ## "verified" means the label is correct
/var/www/html/file1 verified.
/var/www/html/file2 verified.
/var/www/html/file3 verified.
/var/www/html/test.file verified.
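The matchpathcon check in section 4 can be turned into a small label audit. The script below is an added example, not from the original post: parse_matchpathcon extracts the path, current type and expected type from each mismatch line that matchpathcon -V prints, and audit_dir runs that over a directory tree. The sample report is constructed to mirror the file1 and test.file cases above.

```shell
#!/bin/sh
# parse_matchpathcon: read "matchpathcon -V" output on stdin and print one line
# "<path> <current_type> <expected_type>" per mismatch. Lines ending in
# "verified." are correctly labelled and produce no output.
parse_matchpathcon() {
    awk '/ has context .* should be / {
        current = $4; sub(/,$/, "", current)      # drop the trailing comma
        split(current, c, ":"); split($NF, e, ":")
        printf "%s %s %s\n", $1, c[3], e[3]       # type is the third field
    }'
}

# mismatch_count: number of mismatched files in the report read from stdin.
mismatch_count() {
    parse_matchpathcon | awk 'END { print NR }'
}

# audit_dir DIR: live check of every path under DIR (needs SELinux and the
# matchpathcon tool); prints only the files that restorecon would relabel.
audit_dir() {
    find "$1" -print0 | xargs -0 matchpathcon -V | parse_matchpathcon
}

# Constructed sample report modelled on section 4 (not captured output).
SAMPLE='/var/www/html/file1 has context unconfined_u:object_r:samba_share_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
/var/www/html/file2 verified.
/var/www/html/file3 verified.
/var/www/html/test.file has context unconfined_u:object_r:admin_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0'

sample_mismatches()     { printf '%s\n' "$SAMPLE" | parse_matchpathcon; }
sample_mismatch_count() { printf '%s\n' "$SAMPLE" | mismatch_count; }

# Stand-alone run over the sample: two files need restorecon.
sample_mismatches
```

On a live system, `audit_dir /var/www/html` followed by `restorecon -R -v /var/www/html` repairs exactly the files the audit lists.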
5. tar and SELinux context labels
By default tar does not save the SELinux context, which is stored as an extended attribute; use "--selinux" or "--xattrs" to preserve it.
Prepare the comparison:
[root@localhost ~]# touch file{1..3}  ## create files
[root@localhost ~]# ls -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file3
[root@localhost ~]# tar zcf test.tar.gz ./file*  ## without the "--selinux" option
[root@localhost ~]# cp test.tar.gz /tmp/  ## copy the archive
[root@localhost ~]# cd /tmp/  ## enter the /tmp directory
[root@localhost tmp]# tar zxvf test.tar.gz  ## extract
./file1
./file2
./file3
[root@localhost tmp]# ls -Z  ## verify: the SELinux context was lost
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.tar.gz
Preserving the SELinux context:
[root@localhost tmp]# cd
[root@localhost ~]# touch file{4..5}
[root@localhost ~]# ls -Z file{4..5}
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file4
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file5
[root@localhost ~]# tar zcf test.se.tar.gz ./file{4..5} --selinux  ## keep the SELinux labels when archiving
[root@localhost ~]# cp test.se.tar.gz /tmp/
[root@localhost ~]# cd /tmp/
[root@localhost tmp]# tar zxvf test.se.tar.gz
./file4
./file5
[root@localhost tmp]# ls -Z  ## verify: file1, 2, 3 lost their original SELinux context, file4, 5 kept the "admin_home_t" context; think about
why the two test*.tar.gz archives have the SELinux context they do
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 file1
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 file2
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 file3
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file4
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file5
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.se.tar.gz
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.tar.gz
This article is from the blog "Learn systems well, work smoothly"; please keep this source link: http://stlong.blog.51cto.com/5144113/1559628