SELinux Contexts for Users, Processes, and Files

An SELinux context combines a type or domain and a security level with subject and object information. For example, a file's context defines the identity type that can access it, the role under which that identity can access it, and the security type the file belongs to. SELinux uses this context information to allow or deny access requests.

SELinux Contexts for Users

The id command with the -Z option shows the user's security context.

$ id -Z

The output of this command is identical for all local user accounts. By default, SELinux maps all local user accounts, including root, to the unconfined_u user. SELinux places no restrictions on this user and gives it full access to the system.


In addition to the unconfined user, SELinux includes seven confined users. Confined users have limited access to resources. This controlled access protects the system from damage in the event of a security compromise. The seinfo command lists all SELinux users. The setools-console package provides this command. This package is not part of the default installation, so you need to install it before you can use seinfo. The following command installs it.

# dnf install setools-console


After installing the setools-console package, you can list all SELinux users using the following command.

# seinfo -u


Use the following command to view the mapping between SELinux users and Linux user accounts.

# semanage login -l


In the output:

  • The first column displays the name of the system user account.
  • The second column shows the mapped SELinux user.
  • The third column shows the associated security level (MLS/MCS Range).
  • The fourth column displays the contexts for the Linux user (the * represents all services).
  • The __default__ represents all non-root users.
  • By default, both root and non-root users are mapped to the same unconfined_u user.

SELinux Contexts for Processes

Use the -Z flag with the ps command to view the security context for processes.

# ps -eZ


In the output:

  • The system_u is the subject. It is an SELinux user name mapped with the Linux user root.
  • The system_r is the object.
  • The init_t and kernel_t are domain types. They show the type of protection applied to the process (init_t) and the security level (s0).
  • All unprotected processes run in the unconfined_t domain.

SELinux Contexts for Files

The ls command with the -Z switch shows the context for files and directories. The following commands show the context for the /etc/shadow and the /etc/passwd files.

# ls -lZ /etc/passwd
# ls -lZ /etc/shadow


In the output, the system_u is the subject, object_r is the object, and s0 is the security level for both files. The passwd_file_t is the file type for the /etc/passwd file. For the /etc/shadow file, it is the shadow_t.

The file_contexts and file_contexts.local files store contexts for system-installed and user-created files. Both files are available in the /etc/selinux/targeted/contexts/files directory.
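The contexts printed by id -Z, ps -eZ, and ls -lZ all share the same four-field layout, so one small script can pick apart the process and file contexts discussed above, list the processes running in the unrestricted unconfined_t domain, and confirm that a sensitive file such as /etc/shadow still carries its expected type. The following POSIX shell script is added here as an example and is not part of the original tutorial; the ps -eZ and ls -lZ lines it parses are constructed samples, not output captured from a real host, so it runs without SELinux present.

```shell
#!/bin/sh
# Every context printed by id -Z, ps -eZ and ls -lZ has the layout
# user:role:type:level. The level may itself contain ':' (MCS ranges such as
# s0-s0:c0.c1023), so only the first three fields are split on ':' and the
# remainder is kept whole as the level.

# Constructed sample output in the shape of `ps -eZ` (not captured from a real host).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?  00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1432 pts/0 00:00:00 bash'

# Constructed sample line in the shape of `ls -lZ /etc/shadow`.
SAMPLE_LS='----------. 1 root root system_u:object_r:shadow_t:s0 1398 Jan  1 12:00 /etc/shadow'

# ctx_field CONTEXT N  -> prints field N: 1=user 2=role 3=type 4=level
ctx_field() {
    case "$2" in
        1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
        4)     printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# unconfined_procs  -> reads ps -eZ output on stdin and prints the PID of every
# process whose type is unconfined_t; these run without type-enforcement
# restrictions, so the list is worth reviewing on a hardened host.
unconfined_procs() {
    awk 'NR > 1 { split($1, f, ":"); if (f[3] == "unconfined_t") print $2 }'
}

# ls_file_type LS_LINE  -> prints the file type from one line of ls -lZ output
ls_file_type() {
    ctx_field "$(printf '%s\n' "$1" | awk '{ print $5 }')" 3
}

# check_file_type LS_LINE TYPE  -> succeeds only if the file carries TYPE,
# e.g. to confirm /etc/shadow is still labelled shadow_t and not mislabelled
check_file_type() {
    [ "$(ls_file_type "$1")" = "$2" ]
}

printf '%s\n' "$SAMPLE_PS" | unconfined_procs   # 1432
ls_file_type "$SAMPLE_LS"                       # shadow_t
```

On a real host, replace the constructed samples with `ps -eZ | unconfined_procs` and `ls_file_type "$(ls -lZ /etc/shadow)"`.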

This tutorial is part of the tutorial "SELinux Explained with Examples". Other parts of this tutorial are as follows:

Chapter 1  Basic concepts and fundamentals of SELinux
Chapter 2  SELinux and AppArmor Differences and Terminology
Chapter 3  SELinux Modes Explained with Examples
Chapter 4  SELinux Contexts for Users, Processes, and Files
Chapter 5  Copying, Moving, and Archiving Files with SELinux Contexts
Chapter 6  SELinux Explained with Examples in Easy Language
Chapter 7  SELinux Booleans Explained with Examples
Chapter 8  Troubleshooting SELinux explained with Booleans

Conclusion

This tutorial explained how to view and read the SELinux security contexts for users, processes, and files. Viewing and understanding security contexts are essential for managing SELinux effectively.

