# 7.2 SEContext

What is SEContext? It means Security Enhanced Context. This again is part of SELinux, which can be switched between Enforcing and Permissive mode with the ```setenforce``` command and checked with the ```getenforce``` command.

The Context part of SELinux is all about labels. All processes and files/directories have these labels attached to them. You can see these labels with the ```ls -Z``` command, or ```ll -Z``` for more details. Go ahead and try it out in your home directory. If you want to see more examples, you can create a file (```touch file1```) and inspect it. It should look something like this:

```bash
[root@rhcsa ~]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1
```

There are 4 labels on file1, described below:

|label|description|
|:-|:-|
|unconfined_u | user label |
|object_r | role label |
|admin_home_t | type label |
|s0 | level label |

We will not go into too much detail regarding these labels. If you want more information about this, you can read this article: [context_labeling](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files)

We will be using the type label the most. So how do we change this type label? We are going to use the ssh service for this again. Let's try and change the context for the configuration file of the ssh service. Go to the ```/etc/ssh/``` directory using the ```cd``` command. Let's check the context in this directory.

```bash
[root@rhcsa ~]# cd /etc/ssh/
[root@rhcsa ssh]# ll -Z
-rw-r--r--. root root     system_u:object_r:etc_t:s0       moduli
-rw-r--r--. root root     system_u:object_r:etc_t:s0       ssh_config
-rw-------. root root     system_u:object_r:etc_t:s0       sshd_config
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key.pub
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key.pub
-rw-------. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key.pub
```

Next, let's use the ```chcon``` command together with the ```-t``` option to change the type label of the sshd_config file to ```admin_home_t```.

```bash
[root@rhcsa ssh]# chcon -t admin_home_t sshd_config
[root@rhcsa ssh]# ll -Z
-rw-r--r--. root root     system_u:object_r:etc_t:s0         moduli
-rw-r--r--. root root     system_u:object_r:etc_t:s0         ssh_config
-rw-------. root root     system_u:object_r:admin_home_t:s0  sshd_config
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0    ssh_host_ecdsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0    ssh_host_ecdsa_key.pub
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0    ssh_host_ed25519_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0    ssh_host_ed25519_key.pub
-rw-------. root root     system_u:object_r:sshd_key_t:s0    ssh_host_rsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0    ssh_host_rsa_key.pub
```

As you can see, sshd_config now has the ```admin_home_t``` context. Now, to verify that SELinux is doing its job, we can try to restart the ssh service, which should not be allowed because the context is incorrect.

```bash
[root@rhcsa ssh]# getenforce
Enforcing
[root@rhcsa ssh]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@rhcsa ssh]# setenforce 0
[root@rhcsa ssh]# getenforce
Permissive
[root@rhcsa ssh]# systemctl restart sshd
[root@rhcsa ssh]# setenforce 1
[root@rhcsa ssh]# getenforce
Enforcing
```

As shown above, turning SELinux to Permissive mode has allowed us to restart the service, which means that SELinux was blocking the action we were trying to do.

Now we should restore ```sshd_config``` to its correct context, so that the ssh service functions as it should. We can do this with the ```chcon``` command, but there is a better tool for this. We can use the ```restorecon``` command, which will restore the file to the context that it should have. This prevents typos and incorrect context configuration.

```bash
[root@rhcsa ssh]# restorecon sshd_config
[root@rhcsa ssh]# ll -Z
-rw-r--r--. root root     system_u:object_r:etc_t:s0       moduli
-rw-r--r--. root root     system_u:object_r:etc_t:s0       ssh_config
-rw-------. root root     system_u:object_r:etc_t:s0       sshd_config
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key.pub
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key.pub
-rw-------. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key.pub
```
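
To spot a mislabeled file like the one created with ```chcon``` above, the type label can be pulled out of each context and compared with what the directory normally shows. The script below is an added example, not part of the original guide; its function names, the expected-type table (copied from the ```/etc/ssh``` listing above) and the sample input are constructed for illustration, and it assumes the five-column ```ll -Z``` layout shown on this page.

```bash
#!/bin/sh
# Added example: audit type labels in an `ll -Z` listing (constructed input).

# A context is user:role:type:level. The level may itself contain colons
# (for example s0-s0:c0.c1023), so only the first three colons separate labels.
context_type() {
    _rest=${1#*:}                 # drop the user label
    _rest=${_rest#*:}             # drop the role label
    printf '%s\n' "${_rest%%:*}"  # type runs up to the next colon
}

context_level() {
    _rest=${1#*:}; _rest=${_rest#*:}
    printf '%s\n' "${_rest#*:}"   # everything after the type label
}

# Expected type per file name, as shown in the /etc/ssh listing on this page.
expected_type() {
    case $1 in
        ssh_host_*_key|ssh_host_*_key.pub) echo sshd_key_t ;;
        moduli|ssh_config|sshd_config)     echo etc_t ;;
        *)                                 echo unknown ;;
    esac
}

# Read lines of the form "mode owner group context name" and report every
# file whose type label differs from the expected one.
audit_listing() {
    while read -r _mode _owner _group _ctx _name; do
        [ -n "$_name" ] || continue            # skip short or blank lines
        _want=$(expected_type "$_name")
        [ "$_want" = unknown ] && continue     # no baseline for this file
        _have=$(context_type "$_ctx")
        [ "$_have" = "$_want" ] ||
            printf '%s: type %s, expected %s\n' "$_name" "$_have" "$_want"
    done
}

# Constructed sample: part of the listing as it looks after the chcon step.
SAMPLE='-rw-r--r--. root root system_u:object_r:etc_t:s0 ssh_config
-rw-------. root root system_u:object_r:admin_home_t:s0 sshd_config
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0 ssh_host_rsa_key'

printf '%s\n' "$SAMPLE" | audit_listing
```

On a live system, ```restorecon -n -v /etc/ssh``` performs the same check against the loaded policy and lists files whose context differs from the default without changing them.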