basics

user:role:type:level (the level is the MLS/MCS field and is optional; on the targeted policy it is s0, or a range such as s0-s0:c0.c1023 on processes)

contexts are normally assigned when a file is created: the new file inherits the type of its parent directory. the policy can override that with a type transition rule, which picks the type from the creating process's domain instead (for example a file that httpd_t creates in a tmp_t directory becomes httpd_tmp_t). restorecon uses neither rule; it applies the label recorded for that path in the file_contexts database.

you can use ls -Z (or ls -Zl for the full long listing) to view the security contexts of files.

using httpd as an example:

#httpd_exec_t
ls -Zl /usr/sbin/httpd

#httpd_config_t
ls -Zd /etc/httpd/

#httpd_log_t
ls -Zd /var/log/httpd/

#httpd_unit_file_t
ls -Zl /usr/lib/systemd/system/httpd.service

#httpd_t
ps axZ | grep httpd

some starter commands

#switch to permissive mode until the next reboot: denials are logged but not enforced
#this does not disable SELinux (the policy stays loaded); setenforce 1 switches back
sudo setenforce 0

#view SELinux status (current mode, loaded policy, and whether the running mode differs from /etc/selinux/config)
sestatus
#list port labels; the http_port_t line shows which ports httpd_t is allowed to bind
sudo semanage port -l | grep http_port_t
#list all policy booleans with their current values
getsebool -a
#set a boolean; -P makes it persistent by rebuilding the policy under /etc/selinux/targeted
#(without -P the change lasts only until the next reboot)
sudo setsebool -P httpd_read_user_content 1

debugging

#install tools (setroubleshoot-server provides the sealert CLI; the setroubleshoot package adds the desktop notifier on top)
sudo yum install setroubleshoot-server

#after install, restart auditd so the setroubleshoot audit plugin is loaded
#(use service rather than systemctl: the auditd unit refuses manual restarts)
sudo service auditd restart

#analyse every denial in the log and print a suggested fix for each one
sudo sealert -a /var/log/audit/audit.log

even better

setenforce 0
#run your application in permissive mode so every denial lands in the audit log
#(in enforcing mode the first denial often aborts the run and hides the rest)
#then turn the denials into a policy module: audit2allow writes my-httpd.te (source) and my-httpd.pp (binary)
ausearch -c 'httpd' --raw | audit2allow -M my-httpd

#review the generated rules BEFORE installing: audit2allow allows everything it saw,
#including accesses that should stay denied; prefer a boolean or a relabel when one covers the denial
cat my-httpd.te

#install the module; -X 300 sets its priority (a higher priority overrides a module of the same name at a lower one)
semodule -X 300 -i my-httpd.pp

setenforce 1
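
an added example, not part of the original note: a small shell triage of AVC records that shows the user:role:type:level split from the basics section and the grouping audit2allow does (source type, target type, class, permission) so the denials can be reviewed before a module is generated. function names are hypothetical and the audit lines in SAMPLE_AVC are constructed, not captured from a real host. note that denials silenced by dontaudit rules never reach the log at all until semodule -DB is run.

```shell
#!/bin/sh
# added example (not from the original note): triage AVC denials before
# handing them to audit2allow. function names are hypothetical; the audit
# lines in SAMPLE_AVC are constructed to look like /var/log/audit/audit.log,
# not captured from a real system.

# split a context user:role:type[:level] and print one field.
# the level may itself contain ':' (s0-s0:c0.c1023), hence -f4- for it.
ctx_field() {   # ctx_field CONTEXT user|role|type|level
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# read raw audit records on stdin and print one line per distinct
# "source_type target_type class permission count", most frequent first.
# this is the same grouping audit2allow performs; seeing it before running
# audit2allow -M tells you exactly what the module would allow.
avc_summary() {
    grep 'avc: *denied' \
    | sed -E 's/.*denied *\{ *([^}]*)\}.*scontext=([^ ]+) .*tcontext=([^ ]+) .*tclass=([^ ]+).*/\2 \3 \4 \1/' \
    | awk '{ split($1, s, ":"); split($2, t, ":"); for (i = 4; i <= NF; i++) print s[3], t[3], $3, $i }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $3, $4, $5, $1 }'
}

# a target of type default_t or unlabeled_t means the file carries no real
# label; the fix is restorecon / semanage fcontext, not an allow rule.
avc_mislabel_hints() {
    avc_summary | awk '$2 ~ /^(default_t|unlabeled_t)$/ {
        print "mislabelled target: " $1 " -> " $2 " (" $3 " " $4 ") x" $5 }'
}

# constructed sample records (permissive=1: logged while in permissive mode)
SAMPLE_AVC='type=AVC msg=audit(1614780000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="debug.log" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614780001.200:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="debug.log" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614780002.300:458): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=22222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1614780003.400:459): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# on a real host replace the sample with: sudo ausearch -m avc --raw | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_mislabel_hints
```

in the sample, the two var_log_t writes point at a log file that should be httpd_log_t (a relabel, not an allow rule), the default_t reads are a mislabelled docroot, and the name_connect to mysqld_port_t is what the httpd_can_network_connect_db boolean exists for; none of the four needs a custom module.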

changing context

default contexts are stored in /etc/selinux/targeted/contexts/files/ (file_contexts is the distribution's set; file_contexts.local holds the rules added with semanage fcontext)

#create a directory with a given context
#(in current coreutils -Z takes no argument and applies the default type; --context=CTX sets one explicitly)
mkdir --context=user_u:object_r:tmp_t:s0 new_directory

#change the type of a file (only the inode label changes; the policy database is untouched)
chcon -t httpd_sys_rw_content_t debug.log
#copy the context of another file
chcon --reference=ref target

#restore a file to the context the policy database says it should have
restorecon -v test.wsgi

#chcon is fine for a quick test, but its change is undone by the next restorecon or full relabel
#(touch /.autorelabel). semanage fcontext records the rule in file_contexts.local, so restorecon
#reapplies it, and if someone messes up the labels you simply restore

#add an equivalence rule (/foo is labelled exactly like /var/www/html), then apply it
semanage fcontext -a -e /var/www/html /foo
#restore everything in a directory, recursively, printing each change
restorecon -vR directory

resources

This is the best video on this topic. https://www.youtube.com/watch?v=_WOKRaM-HI4