12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed



FIGURE 23.3 SELinux Troubleshooting Tool

If you are not working on the local desktop but have SSH access to the system with X forwarding, you can execute the sealert -b command to remotely view the graphical troubleshooting browser.

An example of using the SELinux Troubleshooting Tool is given in the “Modifying Security Contexts” section later in this chapter.

Working with Security Contexts

When SELinux is enabled, all files and objects have a security context. Security contexts for processes are called domains, such as httpd_t for the Apache web server daemon processes. Security contexts for files are called file contexts and are stored in the extended attributes of the files. The security context has four parts, separated by colons:

user:role:type:mls

Unless the MLS policy is being used, the last mls field is not used. The user field is the SELinux user who created the file. The role field is the role of the object or file, and the type field is the type of rule associated with the object or file. An example of a security context for the targeted policy would be the following:

system_u:object_r:etc_t

In this example, the file is a system file as indicated by the system_u user field, is a file object labeled with object_r, and is governed by the etc_t rule type because it is a file in the /etc/ directory.
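The user:role:type:mls layout described above can be split and checked mechanically. The following is an added example, not code from the book: the function names, the sample listing, and the path-to-type baseline are constructed for illustration, and it goes one step past the text by keeping an mls value that itself contains a colon in one piece.

```python
from typing import NamedTuple, Optional

class SecurityContext(NamedTuple):
    user: str
    role: str
    type: str
    mls: Optional[str]  # None when the label has only three fields

def parse_context(text: str) -> SecurityContext:
    """Split a user:role:type[:mls] label into its fields."""
    # An mls value can contain a colon itself (sensitivity:categories),
    # so split at most three times and keep the remainder whole.
    parts = text.strip().split(":", 3)
    if len(parts) < 3 or "" in parts:
        raise ValueError(f"not a security context: {text!r}")
    mls = parts[3] if len(parts) == 4 else None
    return SecurityContext(parts[0], parts[1], parts[2], mls)

def find_mislabeled(listing: str, expected_types: dict) -> list:
    """Return (path, actual_type, expected_type) for each mismatch."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        context, path = parse_context(fields[-2]), fields[-1]
        wanted = expected_types.get(path)
        if wanted is not None and context.type != wanted:
            findings.append((path, context.type, wanted))
    return findings

# Constructed sample: the last two fields of each line are context and path.
SAMPLE_LISTING = """\
-rw-r--r--  root root system_u:object_r:etc_t                    /etc/hosts
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t:s0   /var/www/html/index.html
-rw-r--r--  root root user_u:object_r:user_home_t:s0-s0:c0.c1023 /var/www/html/report.html
"""

# Assumed baseline of path -> type, for this example only.
EXPECTED_TYPES = {
    "/etc/hosts": "etc_t",
    "/var/www/html/index.html": "httpd_sys_content_t",
    "/var/www/html/report.html": "httpd_sys_content_t",
}

if __name__ == "__main__":
    for path, actual, wanted in find_mislabeled(SAMPLE_LISTING, EXPECTED_TYPES):
        print(f"{path}: type is {actual}, expected {wanted}")
```

The one finding in the sample is a file under the web root that still carries a home-directory type, the kind of mismatch that the type field makes visible.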
