Just how does SELinux protect files (and directories) from unauthorized use? The answer is by using SELinux contexts.
Each file can have a context applied that will affect the ability of a process to access the file. Processes themselves have an SELinux context applied, and this context essentially places the processes in a security group.
Each process runs with a security context. To see this, use the -Z option to the ps command as shown here (where the head command is used simply to limit the output of the command):
root@localhost:~# ps -eZ | grep httpd | head -2 system_u:system_r:httpd_t:s0 root 1109 1 0 2018 ? 00:51:56 /usr/sbin/httpd system_u:system_r:httpd_t:s0 apache 1412 1109 0 Dec24 ? 00:00:09 /usr/sbin/httpd
The security context (system_u:system_r:httpd_t:s0) is complicated, but for understanding the basics of SELinux, the important part is httpd_t, which is like a security group or domain. As part of this security domain, the /usr/sbin/httpd process can only access files that are allowed by the security policy for httpd_t. This policy is typically written by someone who is an SELinux expert, and that expert should have proven experience regarding which processes should be able to access specific files and directories on the system.
Files and directories also have an SELinux security context that is defined by the policy. To see a security context for a specific file, use the -Z option to the ls command:
root@localhost:~# ls -Z /var/www/html/index.html unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
Note here that the SELinux context contains so much data that the filename cannot fit on the same line. As you might be able to conclude, a process running with the security context system_u:system_r:httpd_t:s0 is able to access files that have been labeled with the u:object_r:httpd_sys_content_t:s0 context. It isn’t always so simple as SELinux Booleans can have a major impact on how contexts are applied, but this is essentially the idea. Remember that you don’t need to be an SELinux expert for the Linux+ exam (which is a good thing because it is a very large topic).
How did the context of u:object_r:httpd_sys_content_t:s0 get applied to the /var/www/html/index.html file? Typically, SELinux security contexts are applied automatically, depending on where the file is placed. So, a new file placed in the /var/www/html directory would also be labeled with the context u:object_r:httpd_sys_content_t:s0.
In some cases, you might need to apply this context manually. For example, if you were to move a file from another location, it might retain its original security context. In such cases, use the chcon command to change the context of a file or directory:
root@localhost:~# chcon -t user_home_t /var/www/html/index.html
You can also take advantage of the SELinux rules that define the default security contexts for a majority of the system files. The restorecon command is used to reset the default security context on a file or directory based on its current location and these SELinux rules. Here is an example:
root@localhost:~# restorecon /var/www/html/index.html
A commonly used option to the restorecon command is the -R option, which performs the changes recursively on a directory structure.