3.3. Modified Linux Commands

Many standard Linux commands must be modified for use on an SELinux system. They need to be aware of the extended attributes in which file security contexts are stored, and of the security context of the processes and users they deal with.

3.3.1. cp

cp accepts a -Z flag to set the security context of the newly created file. If no context is specified, the new file is labeled according to policy, which normally means it receives the type of the destination directory; the source file's own context is not carried over. (In current coreutils, a bare -Z requests exactly that default context, --context=CONTEXT sets an explicit one, and cp -a or cp --preserve=context keeps the source's context.)

3.3.2. id

id now displays the current user's security context along with the usual user and group information. It also accepts a -Z flag to display only the security context.

3.3.3. ls

ls likewise accepts a -Z flag, which displays the security context of each file in the listing (use -lZ to combine it with the usual long format).

3.3.4. mv

An important point about the mv command is that a moved file retains its security context: mv renames the file or, across filesystems, copies it together with its extended attributes, so no new label is assigned. For example, moving a file from a user's home directory to a directory served by httpd leaves it labeled user_home_t, which, under the normal policy, the httpd daemon is not allowed to read. After such a move, run restorecon on the file so that it receives the type the file-contexts database specifies for its new location, or use cp instead, which labels the copy according to its destination.
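The following shell script is an added example, not part of the original page. It audits the output of ls -Z for files that kept a home-directory label after being moved into a web content directory and, on a live SELinux host, hands them to restorecon. It assumes the current coreutils format of ls -Z (context followed by name, without -l), and the type name httpd_sys_content_t is assumed from the reference policy; the listing it checks is constructed for the example rather than captured from a real system.

```bash
#!/bin/sh
# Added example (not from the original page): find files in a web content
# directory that carry a type other than the one httpd may read, and fix them.
# An SELinux file context has the form user:role:type:level; the type is the
# third colon-separated field and is what the policy checks.

# Extract the type field from a full security context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` style lines ("<context> <name>", the format of current
# coreutils without -l) on stdin and print the names whose type is not the
# expected one. Names containing spaces are kept intact by `read`.
find_mislabeled() {
    expected="$1"
    while read -r ctx name; do
        [ -z "$name" ] && continue
        if [ "$(context_type "$ctx")" != "$expected" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample listing (not captured from a real host): two files
# created in place, and one that was moved in from a home directory with mv
# and therefore still carries user_home_t.
SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 moved.html
unconfined_u:object_r:httpd_sys_content_t:s0 logo.png'

# Names in the sample that do not carry the type httpd content is expected to have.
mislabeled_in_sample() {
    printf '%s\n' "$SAMPLE" | find_mislabeled httpd_sys_content_t
}

# How many such files the sample contains.
count_mislabeled() {
    mislabeled_in_sample | wc -l | tr -d ' '
}

# On a host with SELinux active, run the same check against a real directory
# and let restorecon reset each offender to the label the file-contexts
# database assigns to that path. Elsewhere, report and do nothing.
relabel_dir() {
    dir="$1"
    if [ -d /sys/fs/selinux ] && command -v restorecon >/dev/null 2>&1; then
        ls -Z "$dir" | find_mislabeled httpd_sys_content_t | while read -r f; do
            restorecon -v "$dir/$f"
        done
    else
        echo "SELinux not active here; skipping restorecon" >&2
    fi
}

# Usage: show the mislabeled names in the constructed sample, then attempt
# the live check on the default web root.
mislabeled_in_sample
relabel_dir /var/www/html
```

The audit deliberately looks only at the type field: the user and level fields vary between systems and between processes that created the files, but the type is what the httpd domain's access rules are written against. restorecon is the right repair because it consults the same file-contexts specification that a fresh cp would have been labeled from.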

3.3.5. ps

ps also accepts a -Z flag, which displays the security context of each running process (for example, ps -eZ lists every process with its context).

3.3.6. cron

cron is modified so that every cron job runs in a standard, policy-defined security context rather than in the context of the cron daemon itself.

3.3.7. rsync

rsync must be built with extended attribute support and invoked with the -X (--xattrs) flag, so that it copies the security context along with each file; without it, the destination files are relabeled according to the destination's default contexts.

3.3.8. ssh

A modified ssh (specifically the sshd daemon) must be installed so that a remote login session is started in the correct security context for the user.

3.3.9. tar

tar should not be used under SELinux, because it does not store the extended attributes in which SELinux keeps its security context information; files restored from such an archive are labeled by the default policy for their new location, not by their original context. star is the replacement tool to use instead. (Current versions of GNU tar, 1.27 and later, can archive and restore contexts when given the --selinux and --xattrs options; older versions cannot.)

3.3.10. logrotate

logrotate is modified to preserve the security context of log files as they are rotated, so that the rotated copies and the newly created log files carry the same context as the originals.

3.3.11. Password Related Commands

Any command that interfaces with the /etc/passwd or /etc/shadow files must be SELinux aware, so that it uses the SELinux API to obtain password information and preserves the security context of these files when it rewrites them. Examples of such commands are useradd, groupadd, passwd, login, and the PAM library.