Thursday, December 11, 2008

relabel files + dirs + selinux

Four main commands are used to relabel file-related objects: chcon(8), restorecon(8), setfiles(8), and fixfiles(8). All four relabel files, but each has a specific use. Typically, chcon and restorecon are used for small labeling changes: chcon sets a context you name on the files you name, and restorecon resets files to the context the policy specifies for them. setfiles and fixfiles are used for larger changes: setfiles relabels paths according to a file context specification file you pass it, and fixfiles is a wrapper script for relabeling whole filesystems.

The chcon command sets the same security context, or a portion of a security context, for one or more files based on user input. It is the most basic labeling command and its use is analogous to chmod(1). For instance, consider the following example:

$ mkdir public_html
$ ls -dZ public_html/
drwxrwxr-x joe joe joe:object_r:user_home_dir_t public_html/
$ chcon -t httpd_user_content_t public_html/
$ ls -dZ public_html/
drwxrwxr-x joe joe joe:object_r:httpd_user_content_t public_html/

In this example, we changed the security context of a newly created directory, which was automatically assigned the security context joe:object_r:user_home_dir_t, to joe:object_r:httpd_user_content_t. The -t option alone specifies that only the type field of the security context should be changed; the user and role fields are retained (-u and -r change those, and -R applies the change recursively). Note that a context set with chcon lives only in the file's extended attribute: the policy's file context specification does not know about it, so a later restorecon or a full relabel will replace it with whatever the policy says the file should have.

The restorecon command is similar to chcon but sets the security context of file-related objects based on the file context files of the currently loaded policy. The user, therefore, does not specify a security context. Instead, restorecon matches each filename against the entries in the file contexts files and applies the context of the matching entry. In that sense it restores the security context the policy considers correct. For example, consider the following:

$ mkdir public_html
$ ls -Zd public_html/
drwxrwxr-x joe joe joe:object_r:user_home_dir_t public_html/
$ /sbin/restorecon public_html/
$ ls -Zd public_html/
drwxrwxr-x joe joe user_u:object_r:httpd_user_content_t public_html/

This example is functionally the same as the previous example using chcon, but only because the file context files for this policy contain the following entry:

/home/[^/]*/public_html(/.+)? user_u:object_r:httpd_user_content_t

The file context entry specifies that a directory named public_html in any user's home directory, together with everything beneath it (the optional (/.+)? suffix), should be labeled user_u:object_r:httpd_user_content_t. The regular expression is anchored at both ends when the policy is built, so an entry matches complete paths, never a substring of one. Note also that the output above shows the user field changing from joe to user_u: restorecon took the whole context from the entry, whereas chcon -t changed only the type. Current versions of restorecon reset only the type field unless they are run with -F, so on such a system the user field would stay joe.

We can also use the restorecon command to check whether the labels on file-related objects match the specification in the file contexts files without changing anything: -n makes it a dry run and -v makes it report each file whose context it would reset. For example:

$ mkdir public_html
$ /sbin/restorecon -nv public_html/
/sbin/restorecon reset /home/joe/public_html context
joe:object_r:user_home_dir_t->user_u:object_r:httpd_user_content_t
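To make the matching concrete, the following Python is an example added to this post; it is not part of the original and not the code of restorecon or libselinux. It parses a small, constructed set of file_contexts-style entries (a sample written for this example, not a real policy file), looks up the context a path should carry, and produces the same kind of "reset PATH context OLD->NEW" line that restorecon -nv prints above. Two details it models that the text only hints at: every entry is anchored so it matches whole paths, and without -F restorecon replaces only the type field, keeping the user, role and any MLS range of the existing label. Its "last matching entry wins" rule is a simplification of the real lookup, which also orders entries by specificity.

```python
import re

# Constructed sample of file_contexts entries for this example (not a real
# policy file).  Each line is: <regex> [<file type flag>] <context>, where the
# context may be <<none>> to mean "leave this file alone".
SAMPLE_FILE_CONTEXTS = r"""
/.*                               system_u:object_r:default_t
/home                         -d  system_u:object_r:home_root_t
/home/[^/]*                   -d  user_u:object_r:user_home_dir_t
/home/[^/]*/.+                    user_u:object_r:user_home_t
/home/[^/]*/public_html(/.+)?     user_u:object_r:httpd_user_content_t
/home/[^/]*/\.ssh(/.+)?           user_u:object_r:ssh_home_t
/proc/.*                          <<none>>
"""

# File type flags as used in file_contexts by setfiles/restorecon.
FILE_TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
    "-b": "block", "-s": "socket", "-p": "fifo",
}


def parse_file_contexts(text):
    """Return a list of (compiled regex, file type or None, context or None)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()          # regexes with escaped spaces not handled
        if len(fields) == 3:
            regex, flag, ctx = fields
            ftype = FILE_TYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None               # entry applies to every file type
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        # The policy tools anchor every expression, so an entry matches whole
        # paths and never a substring of one.
        compiled = re.compile("^" + regex + "$")
        specs.append((compiled, ftype, None if ctx == "<<none>>" else ctx))
    return specs


def lookup_context(specs, path, ftype):
    """Context the policy assigns to path, or None if it leaves the file alone.

    Simplification (assumption for this example): the last matching entry
    wins, the classic file_contexts rule.  Real libselinux additionally sorts
    entries by specificity, which this example does not model.
    """
    for regex, spec_ftype, ctx in reversed(specs):
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.match(path):
            return ctx
    return None


def planned_context(current, expected, force=False):
    """Context restorecon would write for a file currently labeled `current`.

    Without -F only the type field is replaced, so the user, role and any MLS
    range of the existing label survive; with -F the whole entry is applied.
    """
    if expected is None:               # <<none>> or no match: do nothing
        return current
    if force:
        return expected
    cur = current.split(":", 3)        # user, role, type, optional range
    exp = expected.split(":", 3)
    cur[2] = exp[2]
    return ":".join(cur)


def dry_run(specs, path, ftype, current, force=False):
    """Report in the style of `restorecon -nv`; None when the label is right."""
    new = planned_context(current, lookup_context(specs, path, ftype), force)
    if new == current:
        return None
    return "reset %s context %s->%s" % (path, current, new)


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    # The situation from the post: a fresh public_html inherits the home label.
    print(dry_run(specs, "/home/joe/public_html", "dir",
                  "joe:object_r:user_home_dir_t"))
    print(dry_run(specs, "/home/joe/public_html", "dir",
                  "joe:object_r:user_home_dir_t", force=True))
```

Running it prints one line for the type-only reset (joe stays as the user) and one for the -F reset (the full user_u:object_r:httpd_user_content_t from the entry). Passing a path such as /var/tmp/public_html shows the anchoring: the public_html entry does not match there, and the catch-all /.* entry decides the label instead.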
