How to use the command `semanage fcontext` (with examples)
semanage fcontext is a command used to manage persistent SELinux security context rules on files and directories. It allows administrators to view, add, delete, and modify these rules, which define how SELinux labels files and directories.
Use case 1: List all file labeling rules
Code:
sudo semanage fcontext --list
Motivation: Listing all file labeling rules can be helpful to have an overview of the SELinux security context rules applied to various files and directories in the system.
Explanation: This command lists all the file labeling rules, including the patterns, file types, and contexts. The --list argument specifies that we want to list the rules.
Example output:
/usr/bin(/.*)? all files system_u:object_r:bin_t:s0
/usr/sbin(/.*)? all files system_u:object_r:sbin_t:s0
/var/lib/(mysql|pgsql|mongod|pgsql)/.*\.so(\.[0-9]+)? all files system_u:object_r:var_lib_t:s0
...
Use case 2: List all user-defined file labeling rules without headings
Code:
sudo semanage fcontext --list --locallist --noheading
Motivation: Sometimes, it is necessary to exclude the default system-defined labeling rules and focus only on the user-defined labeling rules. This can be useful when managing custom setups or specific configurations.
Explanation: This command lists all the user-defined file labeling rules without displaying the headings or any system-defined rules. The --locallist argument filters the list to show only user-defined rules, and --noheading removes the column headers.
Example output:
/file/path(/[A-Za-z0-9_-]+)? regular file system_u:object_r:custom_file_t:s0
/another/path(/.*)? directory system_u:object_r:custom_dir_t:s0
Use case 3: Add a user-defined rule that labels any path which matches a PCRE regex
Code:
sudo semanage fcontext --add --type samba_share_t '/mnt/share(/.*)?'
Motivation: When setting up a Samba share, it may be necessary to label the directory or files associated with the share with a specific context. This command allows us to add a user-defined rule that labels any path matching the provided PCRE regex with the specified type, in this case, samba_share_t.
Explanation: This command adds a user-defined rule using the --add argument. The --type argument specifies the SELinux context type we want to assign to the path. The path is provided as a PCRE regex pattern enclosed in single quotes.
Example output: No output will be displayed if the command is executed successfully.
Use case 4: Delete a user-defined rule using its PCRE regex
Code:
sudo semanage fcontext --delete '/mnt/share(/.*)?'
Motivation: Removing unnecessary or incorrect user-defined labeling rules can help maintain a clean and accurate SELinux configuration.
Explanation: This command deletes a user-defined rule that matches the provided PCRE regex pattern. The rule will be completely removed from the SELinux security context configuration.
Example output: No output will be displayed if the command is executed successfully.
Use case 5: Relabel a directory recursively by applying the new rules
Code:
restorecon -R -v path/to/directory
Motivation: After modifying SELinux file labeling rules, it’s necessary to apply those changes to existing files and directories. This command recursively relabels a directory and all its contents, applying the new SELinux security context rules.
Explanation: This command uses the restorecon utility to relabel a directory and its contents. The -R option ensures that the operation is performed recursively. The -v option provides verbose output, showing the progress and relabeled files/directories.
Example output:
Relabeled 'path/to/directory/file1' to system_u:object_r:custom_file_t:s0
Relabeled 'path/to/directory/file2' to system_u:object_r:custom_file_t:s0
...
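Before relabeling, it is useful to predict which rule a path will pick up once the rules from use cases 3 and 4 are in place. The script below is an added example, not part of the original page: it parses a constructed listing in the column layout of semanage fcontext --list and applies the matching order libselinux uses (patterns anchored at both ends, the last matching rule wins, which is why user-defined rules listed after the system ones take precedence, and a rule restricted to one file type is skipped for other types). It assumes Python's re module is close enough to PCRE for these patterns.

```python
import re

# File-type column values printed by `semanage fcontext --list`.
FTYPES = ("all files", "regular file", "directory", "character device",
          "block device", "socket", "symbolic link", "named pipe")
LINE_RE = re.compile(r"^(\S+)\s+(" + "|".join(FTYPES) + r")\s+(\S+)$")

# Constructed sample in the listing's column layout (not real output); the
# last two rules stand in for user-defined ones, which are printed last.
SAMPLE_LISTING = """\
SELinux fcontext          type         Context
/.*                       all files    system_u:object_r:default_t:s0
/mnt(/.*)?                all files    system_u:object_r:mnt_t:s0
/mnt/share(/.*)?          all files    system_u:object_r:samba_share_t:s0
/mnt/share/logs(/.*)?     directory    system_u:object_r:var_log_t:s0
"""


def parse_listing(text):
    """Turn listing lines into (compiled regex, file type, context) triples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux fcontext"):  # header row
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule line: {line!r}")
        pattern, ftype, context = m.groups()
        rules.append((re.compile(pattern), ftype, context))
    return rules


def expected_context(rules, path, ftype="regular file"):
    """Context restorecon would apply: the LAST rule whose regex matches the
    whole path (libselinux anchors patterns at both ends) and whose file
    type is 'all files' or equal to ftype. A <<none>> context means the
    path is deliberately left unlabeled, so None is returned."""
    for regex, rule_ftype, context in reversed(rules):
        if rule_ftype in ("all files", ftype) and regex.fullmatch(path):
            return None if context.lower() == "<<none>>" else context
    return None


if __name__ == "__main__":
    for path in ("/mnt/share/docs/a.txt", "/mnt/share/logs/x.log", "/mnt/shared"):
        print(path, "->", expected_context(parse_listing(SAMPLE_LISTING), path))
```

Note that /mnt/shared does not match '/mnt/share(/.*)?' because the pattern is anchored, and /mnt/share/logs/x.log falls back to samba_share_t because the var_log_t rule applies to directories only.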
Conclusion:
The semanage fcontext command is a powerful tool for managing SELinux security context rules. By using it, administrators can view, add, delete, and modify file labeling rules, ensuring that the SELinux policy is correctly applied to files and directories on the system. Additionally, the restorecon command complements semanage fcontext by allowing administrators to apply changes made to the file labeling rules.