Introduction
Setting, resetting, and governing file labels are the most common tasks administrators have to perform on an SELinux-enabled system. The policies that are provided by policy developers as well as Linux distributions offer sane defaults to use, but many implementations harbor different locations for services and files. Companies often install their custom scripts and logfiles in nondefault locations, and many daemons can be configured to support multiple instances on the same system—each of them using a different base directory.
System administrators will know how to set context definitions through the semanage application and then reset the contexts of the target files using setfiles or restorecon:
~# semanage fcontext -a -t httpd_sys_content_t "/srv/web/zone/htdocs(/.*)?"
~# restorecon -RF /srv/web/zone/htdocs
This, however, is a local definition, stored only in that system's policy store; to carry it over to other systems, it has to be exported on the source and imported on each target:
~# semanage export -f local_selinux.mods
~# semanage import -f local_selinux.mods
By moving context definitions into the SELinux policy realm, such definitions can be easily installed on multiple systems and managed centrally as we've seen for SELinux policy modules.
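The following script is an added example, not code from the book: it turns the local fcontext rule for /srv/web/zone/htdocs into a small reference-policy-style module so the labeling rule ships with the policy rather than with the local semanage store. The module name (localweb), the output directory and the use of the reference policy build Makefile at /usr/share/selinux/devel/Makefile are assumptions; the .te file only borrows the httpd_sys_content_t type, and the .fc file carries the actual labeling rule.

```shell
#!/bin/sh
# Added example (not the book's code): package a file context rule as a
# policy module instead of a local semanage customization.
set -eu

# Write NAME.te and NAME.fc into DIR for one path regex / type pair.
# gen_require() in the .te is what lets the .fc reference a type that is
# defined elsewhere (here: in the apache module).
gen_fc_module() {
    name=$1; pathre=$2; ftype=$3; dir=$4
    mkdir -p "$dir"
    printf "policy_module(%s, 1.0)\n\ngen_require(\`\n\ttype %s;\n')\n" \
        "$name" "$ftype" > "$dir/$name.te"
    # Same regex the semanage fcontext command used; the MLS level s0 is
    # the default on targeted policies.
    printf '%s\tgen_context(system_u:object_r:%s,s0)\n' \
        "$pathre" "$ftype" > "$dir/$name.fc"
}

# Build the module with the reference policy Makefile, load it, and relabel
# the directory. Refuses to run on a host without the SELinux tooling.
install_fc_module() {
    name=$1; dir=$2; relabel=$3
    if ! command -v semodule >/dev/null 2>&1; then
        echo "semodule not found: not an SELinux system" >&2
        return 1
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" )
    semodule -i "$dir/$name.pp"
    restorecon -RFv "$relabel"
}

# Generate the module sources into an assumed scratch directory. Running
# install_fc_module is left to the administrator since it needs root.
OUT=${OUT:-${TMPDIR:-/tmp}/localweb-module}
gen_fc_module localweb '/srv/web/zone/htdocs(/.*)?' httpd_sys_content_t "$OUT"
echo "module sources written to $OUT; install with:"
echo "  install_fc_module localweb $OUT /srv/web/zone/htdocs"
```

One caveat when switching from a local definition to a module: a local customization made with semanage fcontext takes precedence over a rule from a module for the same path, so delete the local entry (semanage fcontext -d with the same regex) once the module is installed, otherwise the two copies drift apart silently. After that, semanage fcontext -l -C should no longer list the path, while matchpathcon /srv/web/zone/htdocs/index.html should still report httpd_sys_content_t because the module now provides the rule.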