## context

```
# ls -Z /bin/file
unconfined_u:object_r:user_home_t:s0 /bin/file
```

List the SELinux context of a file or directory. A context has four colon-separated fields: user (unconfined_u), role (object_r), type (user_home_t), and level (s0). The type is what most policy rules key on; the example binary carries user_home_t, and the next two sections change it to bin_t.

### change type context

```
# semanage fcontext -a -t bin_t /bin/file
```

This only records a file-context rule for the path; the label on disk does not change until restorecon applies the rule:

```
# restorecon -vR /bin
Relabeled /bin/file from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:bin_t:s0
```

### change user context

```
# semanage fcontext -m -t bin_t -s system_u /bin/file
```

`-m` modifies the rule added above rather than adding a second one. Apply the change:

```
# restorecon -vF /bin/file
Relabeled /usr/bin/file from unconfined_u:object_r:bin_t:s0 to system_u:object_r:bin_t:s0

# restorecon -R <dir> for recursive
```

`-F` matters here: by default restorecon resets only the type field, so the SELinux user (and role and level) are rewritten only when the reset is forced. The output names /usr/bin/file because on a merged-/usr system /bin is a symlink to /usr/bin.

## Containers

### volumes

Suffixes on a `-v`/`--volume` mount, e.g. `-v /srv/data:/data:Z`:

`:z` shared content label, for a volume that several containers mount

`:Z` private, unshared label for a single container

`:ro,z` combine read-only and an SELinux label

### udica

[git](https://github.com/containers/udica)

```
$ podman inspect $(podman ps -f name=<container name> -q) > container.json
# udica -j container.json my_container
```

udica reads the container's inspect JSON (mounts, published ports, capabilities) and generates a policy module named my_container that allows only what that container needs. It prints the `semodule -i` command to load the module and the `--security-opt label=type:my_container.process` option to restart the container under the new type.

## denied access

See recent denials (add `-i` to print timestamps and ids in readable form):

```
# ausearch -m avc -ts recent
```
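As an added example (not part of the original cheat sheet), a small shell helper that splits a context like the `ls -Z` output above into its four fields and condenses the AVC records `ausearch -m avc` returns into one line per denial, which is the view that tells you whether a file-context change, a boolean or a udica module is the right fix. The AVC lines embedded in it are constructed samples in the standard audit format.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet. The AVC records in
# SAMPLE_AVC are constructed samples in the standard audit format, not real data.

# ctx_field FIELD CONTEXT: print one field (user|role|type|level) of a context
# string such as unconfined_u:object_r:user_home_t:s0.
ctx_field() {
    case "$1" in
        user)  n=1 ;;
        role)  n=2 ;;
        type)  n=3 ;;
        level) n=4- ;;   # the level itself may contain ':' (s0-s0:c0.c1023)
        *)     return 1 ;;
    esac
    printf '%s\n' "$2" | cut -d: -f"$n"
}

# avc_summary: read raw AVC records on stdin and print one line per denial:
#   <permissions> <class> <source type> -> <target type>
# The source and target types are what any fix (semanage fcontext, a boolean,
# or a udica module) has to address, so triage starts from this view.
avc_summary() {
    grep 'avc:  denied' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p' | tr ' ' ',')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        printf '%s %s %s -> %s\n' "$perm" "$tclass" \
            "$(ctx_field type "$sctx")" "$(ctx_field type "$tctx")"
    done
}

# Two constructed denials: a process running as httpd_t touches files that are
# still labelled user_home_t (the kind of mislabel restorecon corrects above).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { execute } for  pid=1234 comm="bash" name="file" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.456:457): avc:  denied  { read open } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Stand-alone run over the samples. On a real host pipe in the audit log instead:
#   ausearch -m avc -ts recent | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```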