RHEL 5 features SELinux installed by default. SELinux has the ability to protect every file on your system.
How is this done?
SELinux labels every file on your system with a security context. The security context is stored in the extended attributes of the file. To view the security context for a file, issue the following from a command prompt:
# ls -Z <file_name>
Replace <file_name> with the name of the file. Here is an example of the security context for resolv.conf.
Command:
# ls -Z /etc/resolv.conf
Output:
-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf
The breakdown
Let’s focus on “system_u:object_r:net_conf_t”
On a typical setup SELinux uses three fields for a security context, separated by colons:
user:role:type
In our example resolv.conf is a system file. We can tell this by looking at the user field of the security context, which in our case is system_u.
resolv.conf is an object (a file rather than a process) because its role field is “object_r”, and its type field is “net_conf_t”, the label the policy rules use to decide which processes may access it.
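To make the three-field breakdown concrete, here is an added example (not from the original post) that splits a context into its named fields and checks that a file carries the type the policy expects. It also handles the optional fourth MLS/MCS level field that later policies append; the input lines are constructed from the ls -Z format above, so it runs without SELinux, and the helper names are assumed.

```sh
#!/bin/sh
# Added example: parse a SELinux security context and verify a file's type.
# The ls -Z lines below are constructed sample input; ctx_field, ctx_from_ls
# and check_file_type are hypothetical helper names, not SELinux tools.

# ctx_field CONTEXT NAME -> prints the user, role, type or level field.
# RHEL 5 targeted policy shows three fields; MLS/MCS policy adds a fourth.
ctx_field() {
    ctx=$1
    case $2 in
        user)  printf '%s\n' "$ctx" | cut -d: -f1 ;;
        role)  printf '%s\n' "$ctx" | cut -d: -f2 ;;
        type)  printf '%s\n' "$ctx" | cut -d: -f3 ;;
        level) printf '%s\n' "$ctx" | cut -d: -f4- ;;  # empty for 3-field contexts
        *)     return 1 ;;
    esac
}

# ctx_from_ls LINE -> prints the context token from one line of ls -Z output
# (the token containing at least two colons, wherever ls placed it).
ctx_from_ls() {
    for tok in $1; do
        case $tok in
            *:*:*) printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# check_file_type LINE EXPECTED_TYPE -> exit 0 if the type matches, 1 if not.
# A mismatch typically means the file was moved into place with mv, which
# keeps the old label; restorecon fixes it before confined daemons can read it.
check_file_type() {
    ctx=$(ctx_from_ls "$1") || return 1
    [ "$(ctx_field "$ctx" type)" = "$2" ]
}

# Constructed sample lines: a correctly labelled resolv.conf (RHEL 5 format)
# and one that kept a home-directory label after being moved from /home.
OK_LINE='-rw-r--r-- root root system_u:object_r:net_conf_t /etc/resolv.conf'
BAD_LINE='-rw-r--r-- root root user_u:object_r:user_home_t:s0 /etc/resolv.conf'

if check_file_type "$OK_LINE" net_conf_t; then echo "resolv.conf: label ok"; fi
if ! check_file_type "$BAD_LINE" net_conf_t; then echo "resolv.conf: wrong type, run restorecon"; fi
```

On a live RHEL 5 box the same check can be fed real output with check_file_type "$(ls -Z /etc/resolv.conf)" net_conf_t.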
This is just a basic introduction to the world of SELinux; more information can be found here.