8.2.1.3. Using file labels
SELinux uses file labels to specify an SELinux context for each file. To display the context labels, use the -Z or --context option to ls:
$ ls -Z /etc
-rw-r--r-- root root system_u:object_r:etc_t a2ps.cfg
-rw-r--r-- root root system_u:object_r:etc_t a2ps-site.cfg
drwxr-xr-x root root system_u:object_r:etc_t acpi
-rw-r--r-- root root system_u:object_r:adjtime_t adjtime
drwxr-xr-x root root system_u:object_r:etc_t alchemist
-rw-r--r-- root root system_u:object_r:etc_aliases_t aliases
-rw-r----- root smmsp system_u:object_r:etc_aliases_t aliases.db
drwxr-xr-x root root system_u:object_r:etc_t alsa
drwxr-xr-x root root system_u:object_r:etc_t alternatives
-rw-r--r-- root root system_u:object_r:etc_t anacrontab
-rw------- root root system_u:object_r:etc_t at.deny
-rw-r--r-- root root system_u:object_r:automount_etc_t auto.master
-rw-r--r-- root root system_u:object_r:automount_etc_t auto.misc
-rwxr-xr-x root root system_u:object_r:automount_etc_t auto.net
-rwxr-xr-x root root system_u:object_r:automount_etc_t auto.smb
...(Lines snipped)...
The context label displayed on each line has three colon-separated fields: the SELinux user (system_u), the role (object_r, which is used for all files) and the file type assigned to the file. In the output above, aliases and aliases.db have been given the file type etc_aliases_t rather than the generic etc_t used by most of /etc, indicating that the SELinux policy treats those files specially and grants access to them separately from the rest of the directory.
All file types end in _t for easy identification.
Files contained in your home directory are usually given the type user_home_t. The default policy will not permit web pages in ~/public_html to be accessed through the web server, even if the httpd_enable_homedirs boolean is turned on, unless the files being shared have the type httpd_sys_content_t. To change file contexts, use the chcon command:
$ chcon -R -t httpd_sys_content_t ~/public_html
The -R option causes chcon to recurse, changing the context of ~/public_html itself and of every file and directory beneath it, and -t httpd_sys_content_t sets the file type. Run ls -Z afterwards to confirm the new type. Note that a change made with chcon is not recorded in the policy's file context database, so a relabel of the filesystem (for example with restorecon, or the full relabel that runs at boot after touching /.autorelabel) will revert the files to their default type; to make a nondefault type permanent, record it with semanage fcontext and then apply it with restorecon.
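The labelling check described above, as an added example that is not part of this chapter: a POSIX shell script that parses ls -Z output, reports every entry whose type is not the one a service expects (here httpd_sys_content_t), and prints the chcon commands that would fix them. The listing it audits is a constructed sample embedded in the script, and the user name alice and the file names are assumptions; nothing in the script calls chcon, so it can be run on any system.

```sh
#!/bin/sh
# Added example, not from the original text: audit the SELinux types shown
# by `ls -Z` against the type a service expects and print the chcon commands
# that would fix each mismatch. It runs on a constructed listing embedded
# below and never calls chcon itself, so it is safe to run on any system.

# Type field of a context string. Contexts are user:role:type[:level]
# (e.g. system_u:object_r:etc_t, or ...:httpd_sys_content_t:s0 on MLS/MCS
# policies), so the type is always the third colon-separated field.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z`-style lines on stdin and print "name current_type" for every
# entry whose type is not $1. The context field is located by its
# user:role:type shape rather than by position, so this works with both the
# older layout shown in this chapter and newer coreutils, where `ls -Z`
# prints just the context and the name; the name is taken to be the last
# field (names containing spaces are not handled).
find_mislabeled() {
    awk -v want="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[^:]+:[^:]+:[^:]+/) {
                    split($i, ctx, ":")
                    if (ctx[3] != want) print $NF, ctx[3]
                    break
                }
            }
        }'
}

# Turn audit output ("name current_type" lines) into the chcon commands an
# administrator would run, without executing them.
chcon_commands() {
    while read -r name _current; do
        printf 'chcon -t %s %s\n' "$1" "$name"
    done
}

# Constructed sample of `ls -Z ~/public_html` (assumed user alice) after two
# files were copied in from elsewhere in the home directory and kept the
# user_home_t type, while the rest were already relabelled.
SAMPLE_LISTING='-rw-r--r-- alice alice user_u:object_r:user_home_t index.html
-rw-r--r-- alice alice user_u:object_r:httpd_sys_content_t style.css
-rw-r--r-- alice alice user_u:object_r:user_home_t logo.png
drwxr-xr-x alice alice user_u:object_r:httpd_sys_content_t images'

# Audit the sample against the type httpd needs for static content.
audit_public_html() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled httpd_sys_content_t
}

# Stand-alone run: list the mislabeled entries and the commands to fix them.
audit_public_html | chcon_commands httpd_sys_content_t
```

To audit a real directory, replace the embedded sample with `ls -Z ~/public_html | find_mislabeled httpd_sys_content_t`; the same functions work for any other expected type from the table below, such as httpd_sys_script_exec_t for a cgi-bin directory.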
The file context types most commonly used with chcon are shown in Table 8-2.
Table 8-2. Common nondefault file context types
| Type | Description | Examples |
|---|---|---|
| httpd_sys_content_t | Files that may be served by httpd | Web pages, graphics, CSS files, client-side ECMAScript/JavaScript |
| httpd_sys_script_exec_t | CGI scripts that may be executed by httpd | Web scripts written in any external scripting language (e.g., scripts written in Perl when you are not using mod_perl) |
| httpd_unconfined_script_exec_t | CGI scripts that will not be constrained by SELinux | Dangerous, since a compromised script then runs with no policy restrictions; may nevertheless be required for some complex CGI scripts |
| httpd_sys_script_ro_t | Datafiles that may be read (but not written) by CGI scripts | Static CGI script datafiles |
| httpd_sys_script_ra_t | Datafiles that may be read and appended (but not overwritten or truncated) by CGI scripts | Script logfiles, guestbooks, nonrevisable order queues, survey and quiz records |
| httpd_sys_script_rw_t | Datafiles that may be read/written by CGI scripts | User profiles, session status, and other CGI datafiles |
| samba_share_t | Enables sharing of the file by Samba (not required for home directories) | Group Samba shares |
| public_content_t | Enables sharing of the file (read only) by Samba, httpd, NFS, and rsync | Files shared by multiple servers |
| public_content_rw_t | Enables sharing of the file (read/write) by Samba, httpd, FTP, and rsync; writing additionally requires the corresponding *_anon_write boolean for each server to be turned on | Files shared and updatable through multiple servers |