We can use the ls -Z command to view the context information of a file, that is, its SELinux information. Compared with the output of the traditional ls command, there is one extra field, system_u:object_r:admin_home_t:s0. Let's analyze the meaning of this statement.
system_u:object_r:admin_home_t:s0
This statement is divided into four segments. The first segment, system_u, is the user; the second segment, object_r, is the role; the third segment, admin_home_t, is the type, which is the most important piece of information in SELinux; and the last segment, s0, is related to MLS and MCS.
① system_u is the SELinux user. root is the identity of the root account, user_u is an ordinary user with no privileges, and system_u is a system process. The SELinux user determines the identity type and is generally used together with roles; different roles have different permissions. Although you can use the su command to switch between Linux accounts, the SELinux user does not change: the identity remains the same when switching between accounts. In the targeted policy environment, the user identity does not have a substantial effect.
② object_r is generally the role for files and directories, and system_r is generally the role for processes. In the targeted policy environment, a user's role is generally system_r. User roles are similar to user groups: different roles have different permissions. A user can have multiple roles, but only one role can be active at a time. In the targeted policy environment, the role does not have a substantial effect; all processes are assigned the system_r role.
③ admin_home_t is the type. Both files and processes have a type, and SELinux grants or restricts access based on the combination of the process's type and the file's type.
ls -Z -d /usr/share/nginx/html
drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr/share/nginx/html

ls -Z -d /data/web/default
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/web/default/

//==============================================================================//

chcon -R -u system_u /data/web/default/
chcon -R -t usr_t /data/web/default/
SYNOPSIS
       chcon [OPTION]... CONTEXT FILE...
       chcon [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...
       chcon [OPTION]... --reference=RFILE FILE...

DESCRIPTION
       Change the security context of each FILE to CONTEXT. With --reference, change the security context of each FILE to that of RFILE.

       -h, --no-dereference
              affect symbolic links instead of any referenced file

       --reference=RFILE
              use RFILE's security context rather than specifying a CONTEXT value

       -R, --recursive
              operate on files and directories recursively

       -v, --verbose
              output a diagnostic for every file processed

       -u, --user=USER
              set user USER in the target security context

       -r, --role=ROLE
              set role ROLE in the target security context

       -t, --type=TYPE
              set type TYPE in the target security context

       -l, --range=RANGE
              set range RANGE in the target security context

       The following options modify how a hierarchy is traversed when the -R option is also specified. If more than one is specified, only the final one takes effect.

       -H     if a command line argument is a symbolic link to a directory, traverse it

       -L     traverse every symbolic link to a directory encountered

       -P     do not traverse any symbolic links (default)

       --help display this help and exit

       --version
              output version information and exit
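As an added example that is not part of the original page: a small Python script that splits the four context fields out of ls -Z output and works out which chcon -u/-r/-t/-l commands are needed to make a directory's context match a reference directory, the same comparison the two chcon commands above were derived from by hand. The sample listing is constructed from the two ls -Z lines shown above; the function names are this example's own.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two `ls -Z -d` listings shown above.
SAMPLE_LS_Z = """\
drwxr-xr-x. root root system_u:object_r:usr_t:s0 /usr/share/nginx/html
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /data/web/default/
"""

# user:role:type[:range]; the MLS/MCS range itself may contain ':' (e.g. s0-s0:c0.c1023),
# so it is matched last and only after the first three fixed fields.
CONTEXT_RE = re.compile(
    r"^(?P<user>[\w.]+):(?P<role>[\w.]+):(?P<type>[\w.]+)(?::(?P<range>\S+))?$"
)

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    range: Optional[str] = None  # absent on systems without MLS/MCS

def parse_context(text: str) -> Context:
    m = CONTEXT_RE.match(text)
    if not m:
        raise ValueError(f"not an SELinux context: {text!r}")
    return Context(m["user"], m["role"], m["type"], m["range"])

def parse_ls_z(output: str) -> dict:
    """Map normalised path -> Context for each `ls -Z` line (mode owner group context path)."""
    contexts = {}
    for line in output.splitlines():
        fields = line.split(None, 4)  # maxsplit keeps paths containing spaces intact
        if len(fields) < 5:
            continue  # skip 'total N' and blank lines
        _mode, _owner, _group, ctx, path = fields
        contexts[path.rstrip("/") or "/"] = parse_context(ctx)
    return contexts

FLAG = {"user": "-u", "role": "-r", "type": "-t", "range": "-l"}

def chcon_commands(actual: Context, expected: Context, path: str, recursive: bool = True) -> list:
    """One chcon command per field that differs from the reference context."""
    cmds = []
    for field, flag in FLAG.items():
        want, have = getattr(expected, field), getattr(actual, field)
        if want is not None and want != have:
            opts = ["-R"] if recursive else []
            cmds.append(" ".join(["chcon", *opts, flag, want, shlex.quote(path)]))
    return cmds

if __name__ == "__main__":
    ctxs = parse_ls_z(SAMPLE_LS_Z)
    for cmd in chcon_commands(ctxs["/data/web/default"], ctxs["/usr/share/nginx/html"], "/data/web/default"):
        print(cmd)
```

On a live system, feed it the real output of ls -Z instead of the constructed sample, and run the printed commands only after checking them; chcon changes are not persisted by a relabel, so the matching file context rule still has to exist in policy.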