Skip to content

Instantly share code, notes, and snippets.

Last active February 6, 2024 00:38
Show Gist options
  • Save shmup/df4debf1df4d5032051028aa5b87b3d9 to your computer and use it in GitHub Desktop.
Save shmup/df4debf1df4d5032051028aa5b87b3d9 to your computer and use it in GitHub Desktop.
linux perm/group/selinux notes
chgrp pissgroup file | change file's group to pissgroup
chmod 755 directory | set r/w/execute for owner, r/execute for group and others on dir
chown username:groupname file | change owner and group of file
getent group wheel | list all users of a group
gpasswd -a username piss | add user to the group piss (alternative)
gpasswd -d username piss | remove user from the group piss
groupadd piss | create a new group named piss
groupdel piss | delete the group named piss
groups username | list groups for user
usermod -a -G piss username | add user to the group piss
usermod -aG wheel username | add user to wheel group for sudo privileges
0 - no permissions
1 - execute
2 - write
3 - write and execute
4 - read
5 - read and execute
6 - read and write
7 - read, write, and execute
getenforce - check current SELinux mode
setenforce 0 - set SELinux into permissive mode (temporarily)
setenforce 1 - set SELinux back to enforcing mode
chcon -Rt httpd_sys_content_t /path/to/webcontent
- change the SELinux type of web content files (temporary)
restorecon -Rv /home/user/public_html
- apply SELinux context to file system
semanage fcontext -a -t httpd_sys_content_t '/home/user/public_html(/.*)?'
- add SELinux context to serve files from home directory
ls -lZ $HOME/proj1
display selinux context for files and dirs
ps -eZ | grep caddy
show context under caddy process
1. ensure jtm in caddy group
usermod -a -G caddy jtm
2. set proj1 dir group to jtm or caddy if other users need access
chgrp -R jtm $HOME/proj1
3. set dir perms for group access
chmod 750 $HOME/proj1
4. files inside need read by group
chmod 640 $HOME/proj1/*
5. adjust selinux for httpd service
semanage fcontext -a -t httpd_sys_content_t "$HOME/proj1(/.*)?"
restorecon -Rv $HOME/proj1
$ getent group wheel
⮱ wheel:x:10:piss
wheel - group name
x - indicates group has password set and stored in a shadow file (/etc/gshadow)
10 - the numerical group ID (GID) for the wheel group
piss - The username of a member of the wheel group
ls -lZ | list files with SELinux contexts
ls -ldZ /path/to/dir | display attributes/SELinux context for specified dir only
⮱ drwxr-xr-x. 1 jtm jtm unconfined_u:object_r:container_file_t:s0:c537,c936 20 Sep 18 00:25 dir
drwxr-xr-x. => file permissions (d=directory, r=read, w=write, x=execute)
1 => Number of hard links to the file/directory
jtm => Owner of the file/directory
jtm => Group owner of the file/directory
[security context, user:role:type:level]
system_u => User role in SELinux
object_r => Type role in SELinux
container_file_t => Type for container files in SELinux
[sensitivity level and category in SELinux Multi-Level Security (MLS)]
modification date/time
crawl => name
d | directory flag (absent for files)
r | read permission
w | write permission
x | execute/search permission (directories)
s | setuid/setgid bit (u/g position) + execute bit set; S if not executable.
t | sticky bit + execute bit set; T if not executable.
user | SELinux user identity part of context.
role | Role field in context.
type | Type field indicating the type of object or domain.
level | Sensitivity level and categories for MLS.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment