Unable to change user in security context of symlink

Question Overflow asked:

I have created a few symbolic links to replace some broken links in /etc/pam.d. The original links have system_u as the user. The newly created ones somehow have unconfined_u as the user. I am not sure if there are any security implications to this, though the target files all have system_u as the user.

I tried the following:

# restorecon -v thefilename

# chcon -v -u system_u thefilename

Both methods do not lead to any change to the user in the SELinux security context. Why is that so? Is there any security risk if I don’t change the user? And how do I make the change?

My answer:

The SELinux user is ignored in the default targeted policy. It is fine to leave them as is, unless you plan to use the strict or mls policies, or use confined users.

As for changing the context of a symbolic link, you need to use the -h option to chcon so that it changes the context of the symlink, rather than the file to which it points.

View the full question and any other answers on Server Fault.
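
The following is an added example, not part of the original question or answer: a small audit that reads each symlink's own label (rather than its target's) and prints the chcon -h command that would change it. The function names and the directory argument are hypothetical; system_u as the default user is taken from the question.

```shell
#!/bin/sh
# Added example: find symlinks whose own SELinux user differs from the wanted one.
# Usage (assumed invocation): sh audit-links.sh /etc/pam.d [system_u]

# Print the SELinux user, i.e. the first colon-separated field of a context.
ctx_user() {
    printf '%s\n' "${1%%:*}"
}

# Succeed when the context's user differs from the wanted user.
needs_relabel() {
    [ "$(ctx_user "$1")" != "$2" ]
}

# Inspect every symlink directly inside a directory.
audit_links() {
    al_dir=$1
    al_want=$2
    for al_link in "$al_dir"/*; do
        [ -L "$al_link" ] || continue
        # stat without -L reports the context stored on the link itself.
        al_ctx=$(stat -c %C "$al_link" 2>/dev/null) || continue
        # No usable label (for example SELinux is disabled): skip the entry.
        case $al_ctx in ''|'?') continue ;; esac
        # stat -L follows the link; this fails when the link is dangling.
        al_tgt=$(stat -L -c %C "$al_link" 2>/dev/null) || al_tgt='(dangling)'
        if needs_relabel "$al_ctx" "$al_want"; then
            printf '%s\n  link:   %s\n  target: %s\n' "$al_link" "$al_ctx" "$al_tgt"
            # -h makes chcon act on the link instead of the file it points to.
            printf '  fix:    chcon -h -u %s -- "%s"\n' "$al_want" "$al_link"
        fi
    done
    return 0
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    audit_links "$1" "${2:-system_u}"
fi
```

The script only reads labels and prints suggestions; it changes nothing itself.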

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.