Restricting Sensitive File Access with SELinux Context Swapping
Permissions & Security (Chmod/Chown/ACLs/SELinux/AppArmor)
Restricting Sensitive File Access with SELinux Context Swapping
🧩 The Challenge
You need to prevent a specific service from accessing files that share the same directory as other public-facing data. Relying solely on standard user permissions is insufficient if the service account is already compromised or if you require mandatory access control.
💡 The Fix
Apply a specific SELinux security context to the target files to effectively sandbox them from services that do not possess the corresponding transition policy.
semanage fcontext -a -t httpd_sys_rw_content_t "/srv/private_data(/.*)?"
restorecon -Rv /srv/private_data
⚙️ Why It Works
By modifying the file context mapping, you enforce a mandatory access policy that prevents any process lacking the specific label from interacting with the data regardless of standard POSIX permissions.
🚀 Pro-Tip: Use the -p flag with semanage to see the current file context mappings for your system before applying changes.
Linux Tips & Tricks | © ngelinux.com | 7/8/2026
