How to assign / unassign a SELinux category to a file?



  • Assuming there is a file called support.txt in user testuser's home directory:

    $ id
    uid=501(testuser) gid=501(testuser) groups=501(testuser) context=user_u:system_r:unconfined_t:Support
    
    $ cd /home/testuser
    
    $ more support.txt
    This is my Support file
    

    Check the current security context of support.txt:

    $ ls -Z support.txt
    -rw-rw-r--  testuser testuser user_u:object_r:user_home_t:Support support.txt
    

    The above shows that the file support.txt was created in the user's home directory (user_home_t). One category has already been assigned to it: Support.

    Assign the Admin category to support.txt (the Admin category must exist):

    $ /usr/bin/chcat -- +Admin support.txt
    

    Verify that the Admin category has been added:

    $ ls -Z support.txt
    -rw-rw-r--  testuser testuser user_u:object_r:user_home_t:Support,Admin support.txt
    

    Now add the Technical category and verify that it has been added:

    $ /usr/bin/chcat -- +Technical support.txt
    $ ls -Z support.txt
    -rw-rw-r--  testuser testuser user_u:object_r:user_home_t:s0:c1.c3 support.txt
    

    The context now shows the raw MCS range s0:c1.c3, meaning that categories c1 through c3 are assigned to the file. All categories and their names are listed in /etc/selinux/targeted/setrans.conf:

    $ more /etc/selinux/targeted/setrans.conf
    [output truncated]
    s0:c1=Technical
    s0:c2=Support
    s0:c3=Admin
    

    To unassign a category from a file:

    $ /usr/bin/chcat -- -Technical support.txt
    

    Verify:

    $ ls -Z support.txt
    -rw-rw-r--  testuser testuser user_u:object_r:user_home_t:Support,Admin support.txt
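
The raw range `s0:c1.c3` shown by `ls -Z` above can be expanded back into names using the `s0:cN=Name` mappings from setrans.conf. This is an added example, not part of the original post; the function name `mcs_names` and the sample mapping file are constructed for illustration, and it assumes a single sensitivity level with mappings in exactly that form.

```shell
#!/bin/sh
# Added example: expand a raw MCS level such as "s0:c1.c3" into category
# names, using "s0:cN=Name" mappings as shown in the setrans.conf excerpt.

# mcs_names LEVEL SETRANS_FILE  (hypothetical helper name)
# Prints the comma-separated names of every category in LEVEL.
# A category with no mapping is printed in raw form (for example c7).
mcs_names() {
    level=$1
    setrans=$2
    case $level in
        *:*) sens=${level%%:*}; cats=${level#*:} ;;
        *)   echo "no categories in level: $level" >&2; return 1 ;;
    esac
    out=
    # Split on commas: each item is one category (c2) or a range (c1.c3).
    old_ifs=$IFS; IFS=,
    set -- $cats
    IFS=$old_ifs
    for item in "$@"; do
        first=${item%%.*}; first=${first#c}
        last=${item##*.};  last=${last#c}
        case $first in ''|*[!0-9]*) echo "bad category: $item" >&2; return 1 ;; esac
        case $last  in ''|*[!0-9]*) echo "bad category: $item" >&2; return 1 ;; esac
        n=$first
        while [ "$n" -le "$last" ]; do
            # The trailing "=" keeps c1 from matching c10; comment lines never match.
            name=$(sed -n "s/^${sens}:c${n}=//p" "$setrans" | head -n 1)
            out="${out:+$out,}${name:-c$n}"
            n=$((n + 1))
        done
    done
    printf '%s\n' "$out"
}

# Constructed sample mapping with the same entries as the excerpt above.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 's0:c1=Technical' 's0:c2=Support' \
    's0:c3=Admin' > "$sample"
mcs_names s0:c1.c3 "$sample"   # Technical,Support,Admin
mcs_names s0:c2,c3 "$sample"   # Support,Admin
rm -f "$sample"
```

On a live system, pass the level field from `ls -Z` and the real setrans.conf path as the two arguments.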
    


© Lightnetics 2024