SELinux Process Context

Support for security such as Firewalls and securing linux
Post Reply
weisdaclick
Posts: 1
Joined: 2018/05/01 19:00:32

SELinux Process Context

Post by weisdaclick » 2018/05/01 19:17:24

Hello All, new here :?

I a trying to get my head around SELinux and have digested most of the content of the books out there and online info. I can't seem to get my head around something though - how to set the SELinux context of a process (domain).

I have created a simple script and I want to run the script with a certain context, the only way I can do it so far is via a unit:

# cat myscript.service
[Unit]
Description=myscript
After=syslog.target systemd-user-sessions.service

[Service]
ExecStart=/usr/local/bin/myscript.sh
SELinuxContext=unconfined_u:system_r:home_bin_t:s0

[Install]
WantedBy=multi-user.target



I also added it to the policy:

# semanage fcontext -l
...
/usr/local/bin/myscript.sh all files system_u:object_r:home_bin_t:s0
...



# ps -efZ |grep myscript
unconfined_u:system_r:home_bin_t:s0 root 18575 1 0 20:08 ? 00:00:00 /bin/bash /usr/local/bin/myscript.sh



So this works, but surely there is another way?

I have also tried other contexts and they don't work, I'm guessing this one does as it is one of the customizable_types ???

I am also wondering about the myriad of contexts available, most are related to specific services/applications but is there a nice list somewhere of useful ones for the developer/coder to use - aisde from doing an seinfo -t ???

hunter86_bg
Posts: 1222
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELinux Process Context

Post by hunter86_bg » 2018/05/02 18:45:51

As far as I know the SELinux domain depends of the binary's SELinux Type, but I may be wrong.
Yet, from System Administrators' perspective - I never had such a task.

Could you try to label the script as 'system_u:object_r:home_bit_t' and then start your script and check the SELinux Context of the domain.

Also, You should reconsider using 'unconfined_u' SELinux user.

Post Reply