7.2 SEContext

What is SEContext? It means Security Enhanced Context, the SELinux security context. This again is part of SELinux: the enforcement mode can be switched with the setenforce command and checked with the getenforce command. The context part of SELinux is all about labels. Every process and every file or directory has such a label attached to it.

You can see these labels with the ls -Z command, or ll -Z for a long listing with more details. Go ahead and try it out in your home directory. If you want to see more examples, create a file (touch file1) and inspect it.

It should look something like this:

[root@rhcsa ~]# ll -Z
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 file1

The label on file1 has 4 fields, described below:

label          description
unconfined_u   user label
object_r       role label
admin_home_t   type label
s0             level label

We will not go into too much detail regarding these labels. If you want more information about this, you can read this article: context_labeling

We will be using the type label the most.

So how do we change this type label?

We are going to use the ssh service for this again. Let’s try to change the context of the configuration file of the ssh service. Go to the /etc/ssh/ directory with the cd command.

Let’s check the context in this directory.

[root@rhcsa ~]# cd /etc/ssh/
[root@rhcsa ssh]# ll -Z
-rw-r--r--. root root     system_u:object_r:etc_t:s0       moduli
-rw-r--r--. root root     system_u:object_r:etc_t:s0       ssh_config
-rw-------. root root     system_u:object_r:etc_t:s0       sshd_config
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key.pub
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key.pub
-rw-------. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key.pub

Next, let’s use the chcon command together with the -t option to change the context of the sshd_config file to admin_home_t.

[root@rhcsa ssh]# chcon -t admin_home_t sshd_config
[root@rhcsa ssh]# ll -Z
-rw-r--r--. root root     system_u:object_r:etc_t:s0       moduli
-rw-r--r--. root root     system_u:object_r:etc_t:s0       ssh_config
-rw-------. root root     system_u:object_r:admin_home_t:s0       sshd_config
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key.pub
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key.pub
-rw-------. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key.pub

So, as you can see, sshd_config now has the admin_home_t type instead of etc_t.

Now, to verify that SELinux is doing its job, we can try to restart the ssh service. This should not be allowed, because the context of sshd_config is now incorrect: sshd is not permitted to read its configuration file with that type.

[root@rhcsa ssh]# getenforce
Enforcing
[root@rhcsa ssh]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@rhcsa ssh]# setenforce 0
[root@rhcsa ssh]# getenforce
Permissive
[root@rhcsa ssh]# systemctl restart sshd
[root@rhcsa ssh]# setenforce 1
[root@rhcsa ssh]# getenforce
Enforcing

As shown above, switching SELinux to Permissive mode allowed us to restart the service, which means that SELinux was blocking the action we were trying to do. Note that in Permissive mode the denial is still logged (see journalctl -xe), it is just not enforced.

Now we should restore sshd_config to its correct context, so that the ssh service functions as it should. We could do this with the chcon command as well, but there is a better tool: the restorecon command resets the file to the context that the policy’s file-context rules say it should have. This prevents typos and hand-typed, incorrect contexts.

[root@rhcsa ssh]# restorecon sshd_config 
[root@rhcsa ssh]# ll -Z
-rw-r--r--. root root     system_u:object_r:etc_t:s0       moduli
-rw-r--r--. root root     system_u:object_r:etc_t:s0       ssh_config
-rw-------. root root     system_u:object_r:etc_t:s0       sshd_config
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key.pub
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_ed25519_key.pub
-rw-------. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key
-rw-r--r--. root root     system_u:object_r:sshd_key_t:s0  ssh_host_rsa_key.pub
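The two things this section relies on, splitting a context into its four label fields and spotting a file whose type no longer matches what the policy expects (the case restorecon fixes above), can be scripted. The following is an added example written for these notes, not part of the original text or of any SELinux tool: it runs on any POSIX shell without SELinux, because the ll -Z listing and the expected types are constructed sample data. The function names (context_field, expected_type, audit_contexts, drift_count) are the example's own. On a live system the expected context comes from the policy, via matchpathcon PATH or a restorecon -n -v PATH dry run, rather than from a hard-coded list.

```shell
#!/bin/sh
# Added example for these notes (not part of the original text): split an
# SELinux context into its four fields and audit `ll -Z` output for files whose
# type label does not match what the policy expects. Runs on any POSIX sh, with
# no SELinux needed: the listing and the expected types below are constructed.

# context_field CONTEXT N  -> print field N: 1=user 2=role 3=type 4=level
context_field() {
    case "$2" in
        # the level may itself contain ':' (MCS ranges such as s0-s0:c0.c1023),
        # so field 4 takes the rest of the string
        4) printf '%s\n' "$1" | cut -d: -f4- ;;
        *) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    esac
}

# Constructed sample of `ll -Z` output from /etc/ssh right after the chcon
# step in the notes (sshd_config has been relabelled admin_home_t).
SAMPLE_LS_Z='-rw-r--r--. root root     system_u:object_r:etc_t:s0       moduli
-rw-r--r--. root root     system_u:object_r:etc_t:s0       ssh_config
-rw-------. root root     system_u:object_r:admin_home_t:s0       sshd_config
-rw-r-----. root ssh_keys system_u:object_r:sshd_key_t:s0  ssh_host_ecdsa_key'

# Expected type label per file name. On a live system you would get these from
# the policy (matchpathcon PATH, or restorecon -n -v PATH as a dry run); they
# are hard-coded here so the example runs anywhere.
EXPECTED_TYPES='moduli etc_t
ssh_config etc_t
sshd_config etc_t
ssh_host_ecdsa_key sshd_key_t'

# expected_type NAME -> expected type for NAME, empty if the name is unknown
expected_type() {
    printf '%s\n' "$EXPECTED_TYPES" | awk -v n="$1" '$1 == n { print $2 }'
}

# audit_contexts -> one line "name current_type expected_type" per drifted file.
# In `ll -Z` output field 4 is the context and the last field is the file name.
audit_contexts() {
    printf '%s\n' "$SAMPLE_LS_Z" | awk '{ print $NF, $4 }' |
    while read -r name ctx; do
        current=$(context_field "$ctx" 3)
        wanted=$(expected_type "$name")
        if [ -n "$wanted" ] && [ "$current" != "$wanted" ]; then
            printf '%s %s %s\n' "$name" "$current" "$wanted"
        fi
    done
}

# drift_count -> number of drifted files (0 means every type label matches)
drift_count() {
    audit_contexts | wc -l | tr -d ' '
}

# Usage: print the drifted files, each of which is a candidate for restorecon.
audit_contexts | while read -r name current wanted; do
    echo "$name is $current, policy expects $wanted: run restorecon -v $name"
done
```

With the sample listing the only drifted file is sshd_config (admin_home_t where etc_t is expected), which is exactly the file the notes repair with restorecon. Pointing audit_contexts at real ll -Z output and a real expected list turns it into a simple label-drift check you can run after package upgrades or after anyone has used chcon by hand.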