Checking the Security Context of a Process, User, or File Object

Checking a Process ID

In Community Enterprise Linux, the -Z option is equivalent to --context, and can be used with the ps, id, ls, and cp commands. The behavior of the cp command with respect to SELinux is explained in Table 48.1, "Behavior of mv and cp Commands".

The following example shows a small sample of the output of the ps command. Most of the processes are running in the unconfined_t domain, with a few exceptions.

[user@localhost ~]$ ps auxZ
LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t        root         1  0.0  0.1   2032   620 ?        Ss   15:09   0:00 init [5]
system_u:system_r:kernel_t      root         2  0.0  0.0      0     0 ?        S    15:09   0:00 [migration/0]
system_u:system_r:kernel_t      root         3  0.0  0.0      0     0 ?        SN   15:09   0:00 [ksoftirqd/0]
user_u:system_r:unconfined_t    user     3122  0.0  0.6   6908  3232 ?        S    16:47   0:01 /usr/libexec/gconfd-2 5
user_u:system_r:unconfined_t    user     3125  0.0  0.1   2540   588 ?        S    16:47   0:00 /usr/bin/gnome-keyring-daemon
user_u:system_r:unconfined_t    user     3127  0.0  1.4  33612  6988 ?        Sl   16:47   0:00 /usr/libexec/gnome-settings-daemon
user_u:system_r:unconfined_t    user     3144  0.1  1.4  16528  7360 ?        Ss   16:47   0:01 metacity --sm-client-id=default1
user_u:system_r:unconfined_t    user     3148  0.2  2.9  79544 14808 ?        Ss   16:47   0:03 gnome-panel --sm-client-id default2

Checking a User ID

You can use the -Z option with the id command to determine a user's security context. Note that with this command you cannot combine -Z with other options.

[root@localhost ~]# id -Z
user_u:system_r:unconfined_t

Note that you cannot use the -Z option with the id command to inspect the security context of a different user. That is, you can only display the security context of the currently logged-in user:

[user@localhost ~]$ id
uid=501(user) gid=501(user) groups=501(user) context=user_u:system_r:unconfined_t
[user@localhost ~]$ id root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[user@localhost ~]$ id -Z root
id: cannot display context when selinux not enabled or when displaying the id
of a different user

Check a File ID

You can use the -Z option with the ls command to group common long-format information. You can display mode, user, group, security context, and filename information.

cd /etc
ls -Z h* -d
drwxr-xr-x  root root  system_u:object_r:etc_t        hal
-rw-r--r--  root root  system_u:object_r:etc_t        host.conf
-rw-r--r--  root root  user_u:object_r:etc_t          hosts
-rw-r--r--  root root  system_u:object_r:etc_t        hosts.allow
-rw-r--r--  root root  system_u:object_r:etc_t        hosts.canna
-rw-r--r--  root root  system_u:object_r:etc_t        hosts.deny
drwxr-xr-x  root root  system_u:object_r:hotplug_etc_t  hotplug
drwxr-xr-x  root root  system_u:object_r:etc_t        hotplug.d
drwxr-xr-x  root root  system_u:object_r:httpd_sys_content_t htdig
drwxr-xr-x  root root  system_u:object_r:httpd_config_t httpd