Overview
By the end of this article you should be able to answer the following questions:
$ su - david
$ id
$ ls -lZ /tmp/testfile.txt
$ ps -efZ
$ netstat -Z
user:role:type:level
A lot of commands have a “-Z” option that is specifically for displaying an object’s security context. Here’s a quick overview of the main ones.
Viewing a user’s SELinux context
This is done using the id command:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@localhost ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Viewing a file’s/folder’s security context
As shown earlier this is done using the ls command:
$ touch testfile.txt
$ ls -lZ testfile.txt
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 testfile.txt
Viewing a process’s security context
A process’s SELinux context can be viewed using the ps command:
$ ps -Z
LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1662 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2059 pts/0 00:00:00 systemctl
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2060 pts/0 00:00:00 less
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2352 pts/0 00:00:00 ps
as well as the netstat command:
$ netstat -Z | head
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Security Context
tcp 0 64 192.168.1.124:ssh PowershellPC:23838 ESTABLISHED 1658/sshd: root@pts fined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Security Context Path
unix 2 [ ] DGRAM 10539 1/systemd system_u:system_r:init_t:s0 /run/systemd/shutdownd
unix 5 [ ] DGRAM 6267 1/systemd system_u:system_r:init_t:s0 /run/systemd/journal/socket
.
.
...etc
Notice that in all cases they show all 4 parts, using “:” as a delimiter, in the order: user:role:type:level.
You’ll notice that the user attribute of the security context always ends with a “_u” suffix, and in a similar fashion the role ends with “_r” and the type ends with “_t”. The level, however, has a prefix of “s”, which indicates (s)ensitivity.
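The level part can itself contain a “:” (as in s0-s0:c0.c1023), so a script that splits a context on every colon gets the wrong level. The following is an added example, not code from the original article, showing a split that keeps the level whole and a check of the naming pattern described above; the function names selinux_field and follows_naming are hypothetical.

```shell
# Added example, not from the original article; function names are hypothetical.

# selinux_field CONTEXT FIELD
# Prints one field (user, role, type or level) of an SELinux context.
# Returns 1 if the context has fewer than four parts or FIELD is unknown.
selinux_field() {
    # Only the first three ":" are separators. "read" leaves the rest of the
    # line, colons included, in the last variable, so a level such as
    # s0-s0:c0.c1023 is kept whole.
    IFS=: read -r se_user se_role se_type se_level <<EOF
$1
EOF
    [ -n "$se_user" ] && [ -n "$se_role" ] && [ -n "$se_type" ] &&
        [ -n "$se_level" ] || return 1
    case $2 in
        user)  printf '%s\n' "$se_user" ;;
        role)  printf '%s\n' "$se_role" ;;
        type)  printf '%s\n' "$se_type" ;;
        level) printf '%s\n' "$se_level" ;;
        *)     return 1 ;;
    esac
}

# follows_naming CONTEXT
# Returns 0 when the parts match the naming pattern the article describes:
# *_u, *_r, *_t and a level starting with "s".
follows_naming() {
    u=$(selinux_field "$1" user)  || return 1
    r=$(selinux_field "$1" role)  || return 1
    t=$(selinux_field "$1" type)  || return 1
    l=$(selinux_field "$1" level) || return 1
    case $u in *_u) ;; *) return 1 ;; esac
    case $r in *_r) ;; *) return 1 ;; esac
    case $t in *_t) ;; *) return 1 ;; esac
    case $l in s*)  ;; *) return 1 ;; esac
}

# Contexts copied from the id and ls -lZ output shown in the article.
proc_ctx='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
file_ctx='unconfined_u:object_r:admin_home_t:s0'

selinux_field "$proc_ctx" type     # unconfined_t
selinux_field "$proc_ctx" level    # s0-s0:c0.c1023
selinux_field "$file_ctx" level    # s0
# Splitting on every ":" instead drops the categories from the level:
printf '%s\n' "$proc_ctx" | cut -d: -f4    # s0-s0
```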