TrumanWong

semanage

Query and modify the default security context of directories

Supplementary notes

The semanage command is used to query and modify the default SELinux security context of directories. Related SELinux policy and rule management commands: seinfo, sesearch, getsebool, setsebool, semanage.

Syntax

semanage {login|user|port|interface|fcontext|translation} -l
semanage fcontext -{a|d|m} [-frst] file_spec

Options

-l: List (query) the current settings.
fcontext: Manage file security contexts, i.e. the mapping from file_spec (a path or regular expression) to a security context.
-a: Add; used to add a default security context type for a directory.
-m: Modify an existing entry.
-d: Delete an entry.

Example

Query the default security context settings, for example those of /var/www/html:

semanage fcontext -l
SELinux fcontext type Context
....(previously omitted)....
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
....(omitted later)....

As shown above, the default security context of each directory can be queried, and a setting can use a regular expression to cover a range of paths. So how do we add a default security context for a custom directory? For example, if we want /srv/samba to have the type public_content_t, how should it be set?

Use the semanage command to set the default security context of the /srv/samba directory to public_content_t:

mkdir /srv/samba
ll -Zd /srv/samba
drwxr-xr-x root root root:object_r:var_t /srv/samba

As shown above, the default type is var_t.

semanage fcontext -l | grep '/srv'
/srv/.* all files system_u:object_r:var_t:s0
/srv/([^/]*/)?ftp(/.*)? all files system_u:object_r:public_content_t:s0
/srv/([^/]*/)?www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?rsync(/.*)? all files system_u:object_r:public_content_t:s0
/srv/gallery2(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/srv directory system_u:object_r:var_t:s0 # Look here!

The above is the default security context information under /srv, but nothing is specified for /srv/samba itself.

semanage fcontext -a -t public_content_t "/srv/samba(/.*)?"
semanage fcontext -l | grep '/srv/samba'
/srv/samba(/.*)? all files system_u:object_r:public_content_t:s0
cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Please use the semanage command to make changes
/srv/samba(/.*)? system_u:object_r:public_content_t:s0 # the new rule is written to this file
restorecon -Rv /srv/samba* # relabel the directory according to the default rules
ll -Zd /srv/samba
drwxr-xr-x root root system_u:object_r:public_content_t /srv/samba/ # a default value now exists, so restorecon can easily restore it in the future
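To see why /srv/samba was labelled var_t before the new rule and public_content_t after it, the following added example (not part of the original page) resolves a path against a constructed copy of the rule table shown above. It assumes the matching semantics documented in file_contexts(5): a rule applies when its regular expression matches the whole path, the last matching rule wins, and rules from file_contexts.local are consulted after the policy's own rules; the regexes are evaluated with grep -E, which handles these particular patterns the same way the SELinux PCRE matcher does.

```shell
#!/bin/sh
# Constructed rule table, copied from the semanage fcontext -l output above.
# Format: "<file_spec>|<file type>|<context>"
POLICY_RULES='/srv/.*|all files|system_u:object_r:var_t:s0
/srv/([^/]*/)?ftp(/.*)?|all files|system_u:object_r:public_content_t:s0
/srv/([^/]*/)?www(/.*)?|all files|system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?rsync(/.*)?|all files|system_u:object_r:public_content_t:s0
/srv/gallery2(/.*)?|all files|system_u:object_r:httpd_sys_content_t:s0
/srv|directory|system_u:object_r:var_t:s0'

# The rule that "semanage fcontext -a" wrote to file_contexts.local
LOCAL_RULES='/srv/samba(/.*)?|all files|system_u:object_r:public_content_t:s0'

# Local rules are appended after the policy rules, so they take precedence
ALL_RULES="$POLICY_RULES
$LOCAL_RULES"

# lookup RULES PATH [TYPE]: print the context that wins for PATH
# (TYPE is the file type the rule is restricted to; defaults to "all files")
lookup() {
    rules=$1; path=$2; ftype=${3:-'all files'}
    printf '%s\n' "$rules" |
    while IFS='|' read -r spec type ctx; do
        [ -n "$spec" ] || continue
        # a type-restricted rule only applies to that file type
        [ "$type" = 'all files' ] || [ "$type" = "$ftype" ] || continue
        # anchor the file_spec so it must match the whole path
        printf '%s\n' "$path" | grep -Eq "^${spec}\$" && printf '%s\n' "$ctx"
    done | tail -n 1   # last matching rule wins
}

# Demonstration: the same path before and after the local rule was added
printf 'before: %s\n' "$(lookup "$POLICY_RULES" /srv/samba)"
printf 'after:  %s\n' "$(lookup "$ALL_RULES" /srv/samba/share)"
printf 'ftp:    %s\n' "$(lookup "$ALL_RULES" /srv/ftp/pub)"
printf '/srv:   %s\n' "$(lookup "$ALL_RULES" /srv directory)"
```

Because the rule lives in file_contexts.local, it survives a full relabel; a context set directly with chcon is not recorded anywhere and is reverted by the next restorecon.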

The semanage command has many functions; only the fcontext option is used here. As shown above, semanage can be used to query the default security contexts of all directories and to add new default context settings.