{"id":4486,"date":"2022-12-20T18:08:47","date_gmt":"2022-12-20T21:08:47","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/selabel_file-man5\/"},"modified":"2022-12-20T18:08:47","modified_gmt":"2022-12-20T21:08:47","slug":"selabel_file-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/selabel_file-man5\/","title":{"rendered":"selabel_file (man5)"},"content":{"rendered":"

selabel_file<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
OPTIONS<\/a>
FILES<\/a>
FILE FORMAT<\/a>
File Contexts Format<\/a>
Substitution File Format<\/a>
NOTES<\/a>
SEE ALSO<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

selabel_file \u2212 userspace SELinux labeling interface and configuration file format for the file contexts backend<\/p>\n

SYNOPSIS <\/a> <\/h2>\n

#include <\/b><\/p>\n

int selabel_lookup(struct selabel_handle *<\/b>hnd<\/i>,<\/b><\/p>\n

char **<\/b>context<\/i>,
const char *<\/b>path<\/i>, int<\/b> mode<\/i>);<\/b><\/p>\n

int selabel_lookup_raw(struct selabel_handle *<\/b>hnd<\/i>,<\/b><\/p>\n

char **<\/b>context<\/i>,
const char *<\/b>path<\/i>, int<\/b> mode<\/i>);<\/b><\/p>\n

DESCRIPTION <\/a> <\/h2>\n

The file contexts backend maps from pathname\/mode combinations into security contexts. It is used to find the appropriate context for each file when relabeling a file system. The returned context<\/i> must be freed using freecon<\/b>(3).
selabel_lookup<\/b>(3) describes the function with its return and error codes, however the following errno<\/i> is clarified further for the file contexts backend:<\/p>\n\n\n
<\/td>\n\n

ENOENT<\/b><\/p>\n<\/td>\n

<\/td>\n\n

No context corresponding to the path<\/i> and mode<\/i> was found – This will also be returned when the file contexts series of files have a context of <><\/b> against the path<\/i> (see the FILE FORMAT<\/b> section).<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

The path<\/i> argument should be set to the full pathname of the file whose assigned context is being checked. The mode<\/i> argument should be set to the mode bits of the file, as determined by lstat<\/b>(2). mode<\/i> may be zero, however full matching may not occur.<\/p>\n

Any messages generated by selabel_lookup<\/b>(3) are sent to stderr<\/i> by default, although this can be changed by selinux_set_callback<\/b>(3).<\/p>\n

selabel_lookup_raw<\/b>(3) behaves identically to selabel_lookup<\/b>(3) but does not perform context translation.<\/p>\n

The FILES<\/b> section details the configuration files used to determine a file context.<\/p>\n

OPTIONS <\/a> <\/h2>\n

In addition to the global options described in selabel_open<\/b>(3), this backend recognizes the following options:<\/p>\n

SELABEL_OPT_PATH<\/b><\/p>\n

A non-null value for this option specifies a path to a file that will be opened in lieu of the standard file contexts file. This value is also used as the base name for determining the names of local customization files.<\/p>\n

SELABEL_OPT_BASEONLY<\/b><\/p>\n

A non-null value for this option indicates that any local customizations to the file contexts mapping should be ignored.<\/p>\n

SELABEL_OPT_SUBSET<\/b><\/p>\n

A non-null value for this option is interpreted as a path prefix, for example “\/etc”. Only file context specifications with starting with a first component that prefix matches the given prefix are loaded. This may increase lookup performance, however any attempt to look up a path not starting with the given prefix may fail. This optimization is no longer required due to the use of file_contexts.bin<\/i> files and is deprecated.<\/p>\n

FILES <\/a> <\/h2>\n

The file context files used to retrieve the default context depends on the SELABEL_OPT_PATH<\/b> parameter passed to selabel_open<\/b>(3). If NULL<\/i>, then the SELABEL_OPT_PATH<\/b> value will default to the active policy file contexts location (as returned by selinux_file_context_path<\/b>(3)), otherwise the actual SELABEL_OPT_PATH<\/b> value specified is used.<\/p>\n

If SELABEL_OPT_BASEONLY<\/b> is set, then the following files will be processed:<\/p>\n\n\n\n
<\/td>\n\n

1.<\/p>\n<\/td>\n

<\/td>\n\n

The mandatory file contexts file that is either the fully qualified file name from SELABEL_OPT_PATH.value<\/i> or if NULL<\/i>, then the path returned by selinux_file_context_path<\/b>(3).<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

2.<\/p>\n<\/td>\n

<\/td>\n\n

The optional local and distribution substitution files that perform path aliasing on the \u2019in memory\u2019 version of the file contexts file.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

These files have the same name as the mandatory file contexts file with the extensions .subs<\/i> and .subs_dist<\/i> added.<\/p>\n

If the SELABEL_OPT_BASEONLY<\/b> is not set, then the following files will be processed:<\/p>\n\n\n\n
<\/td>\n\n

1.<\/p>\n<\/td>\n

<\/td>\n\n

The mandatory file contexts file that is either the fully qualified file name from SELABEL_OPT_PATH.value<\/i> or if NULL<\/i>, then the path returned by selinux_file_context_path<\/b>(3).<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

2.<\/p>\n<\/td>\n

<\/td>\n\n

The optional local customizations file that has the same name as the mandatory file contexts file with the extension .local<\/i> added.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

selinux_file_context_local_path<\/b>(3) will return the default path to this file.<\/p>\n\n\n
<\/td>\n\n

3.<\/p>\n<\/td>\n

<\/td>\n\n

The optional user home directory customizations file that has the same name as the mandatory file contexts file with the extension .homedirs<\/i> added.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

selinux_file_context_homedir_path<\/b>(3) will return the default path to this file.<\/p>\n\n\n
<\/td>\n\n

4.<\/p>\n<\/td>\n

<\/td>\n\n

The optional local and distribution substitution files that perform any path aliasing on the \u2019in memory\u2019 version of the file contexts file (and the .local<\/i> and\/or .homedirs<\/i> if present). These files have the same name as the mandatory file contexts file with the extensions .subs<\/i> and .subs_dist<\/i> added.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

selinux_file_context_subs_path<\/b>(3) and selinux_file_context_subs_dist_path<\/b>(3) will return the default paths to these files.<\/p>\n

The default file context series of files are:<\/p>\n

\/etc\/selinux\/{SELINUXTYPE}\/contexts\/files\/file_contexts
\/etc\/selinux\/{SELINUXTYPE}\/contexts\/files\/file_contexts.local
\/etc\/selinux\/{SELINUXTYPE}\/contexts\/files\/file_contexts.homedirs
\/etc\/selinux\/{SELINUXTYPE}\/contexts\/files\/file_contexts.subs
\/etc\/selinux\/{SELINUXTYPE}\/contexts\/files\/file_contexts.subs_dist<\/i><\/p>\n

Where {SELINUXTYPE}<\/i> is the entry from the selinux configuration file config<\/i> (see selinux_config<\/b>(5)).<\/p>\n

Only the file_contexts<\/i> file is mandatory, the remainder are optional.<\/p>\n

The entries within the file contexts series of files are shown in the FILE FORMAT<\/b> section.<\/p>\n

FILE FORMAT <\/a> <\/h2>\n

File Contexts Format <\/a> <\/h2>\n

Each line within the file_contexts<\/i> and the two customization files (.local<\/i> and .homedirs<\/i>) is as follows:<\/p>\n

pathname [file_type] context<\/i><\/p>\n

Where:<\/p>\n

pathname<\/i><\/p>\n

An entry that defines the pathname that may be in the form of a regular expression.<\/p>\n

file_type<\/i><\/p>\n

An optional file type consisting of:<\/p>\n

\u2212b<\/i> – Block Device \u2212c<\/i> – Character Device
\u2212d<\/i> – Directory \u2212p<\/i> – Named Pipe
\u2212l<\/i> – Symbolic Link \u2212s<\/i> – Socket
\u2212\u2212<\/i> – Ordinary file<\/p>\n

context<\/i><\/p>\n

This entry can be either:<\/p>\n\n\n\n
<\/td>\n\n

a.<\/p>\n<\/td>\n

<\/td>\n\n

The security context that will be assigned to the file (i.e. returned as context<\/i>).<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

b.<\/p>\n<\/td>\n

<\/td>\n\n

A value of <><\/b> can be used to indicate that the matching files should not be re-labeled and causes selabel_lookup<\/b>(3) to return \u22121 with errno<\/i> set to ENOENT<\/b>.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

Example:<\/p>\n

# .\/contexts\/files\/file_contexts
# pathname file_type context
\/. \/.. \/.cache system_u:object_r:default_t:s0
\/[^\/]+ \u2212\u2212 system_u:object_r:etc_runtime_t:s0
\/tmp\/. \/tmp\/.. \/tmp\/.esd-1000 \/tmp\/.font-unix \/tmp\/.ICE-unix \/tmp\/.Test-unix \/tmp\/.urpmi-1000 \/tmp\/.X0-lock \/tmp\/.X11-unix \/tmp\/.xfsm-ICE-77ORX1 \/tmp\/.XIM-unix <><\/p>\n

Substitution File Format <\/a> <\/h2>\n

Each line within the substitution files (.subs<\/i> and .subs_dist<\/i>) has the form:<\/p>\n

subs_pathname pathname<\/i><\/p>\n

Where:<\/p>\n

pathname<\/i><\/p>\n

A path that matches an entry in one or more of the file contexts policy configuration file.<\/p>\n

subs_pathname<\/i><\/p>\n

The path that will be aliased (considered equivalent) with pathname by the look up process.<\/p>\n

Example:<\/p>\n

# .\/contexts\/files\/file_contexts.subs
# pathname subs_pathname
\/myweb \/var\/www
\/myspool \/var\/spool\/mail<\/p>\n

Using the above example, when selabel_lookup<\/b>(3) is passed a path of \/myweb\/index.html<\/i> the function will substitute the \/myweb<\/i> component with \/var\/www<\/i>, therefore the path used is:<\/p>\n

\/var\/www\/index.html<\/i><\/p>\n

NOTES <\/a> <\/h2>\n\n\n\n\n
<\/td>\n\n

1.<\/p>\n<\/td>\n

<\/td>\n\n

If contexts are to be validated, then the global option SELABEL_OPT_VALIDATE<\/b> must be set before calling selabel_open<\/b>(3). If this is not set, then it is possible for an invalid context to be returned.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

2.<\/p>\n<\/td>\n

<\/td>\n\n

If the size of file contexts series of files contain many entries, then selabel_open<\/b>(3) may have a delay as it reads in the files, and if requested validates the entries.<\/p>\n<\/td>\n<\/tr>\n

<\/td>\n\n

3.<\/p>\n<\/td>\n

<\/td>\n\n

Depending on the version of SELinux it is possible that a file_contexts.template<\/i> file may also be present, however this is now deprecated.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

The template file has the same format as the file_contexts<\/i> file and may also contain the keywords HOME_ROOT<\/b>, HOME_DIR<\/b>, ROLE<\/b> and USER<\/b>. This functionality has now been moved to the policy store and managed by semodule<\/b>(8) and genhomedircon<\/b>(8).<\/p>\n

SEE ALSO <\/a> <\/h2>\n

selinux<\/b>(8), selabel_open<\/b>(3), selabel_lookup<\/b>(3), selabel_stats<\/b>(3), selabel_close<\/b>(3), selinux_set_callback<\/b>(3), selinux_file_context_path<\/b>(3), freecon<\/b>(3), selinux_config<\/b>(5), lstat<\/b>(2), selinux_file_context_subs_path<\/b>(3), selinux_file_context_subs_dist_path<\/b>(3), selinux_file_context_homedir_path<\/b>(3), selinux_file_context_local_path<\/b>(3), semodule<\/b>(8), genhomedircon<\/b>(8)<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

selabel_file \u2212 userspace SELinux labeling interface and configuration file format for the file contexts backend <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1459],"class_list":["post-4486","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-selabel_file"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4486","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4486"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4486\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4486"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4486"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4486"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}