Project 6: File Context Integrity Checker

Quick Reference

| Attribute | Value |
|---|---|
| Primary Language | Python |
| Alternative Languages | Rust, Go, Bash |
| Difficulty | Level 2: Intermediate |
| Time Estimate | 1-2 weeks |
| Knowledge Area | SELinux File Contexts / Security Auditing |
| Tooling | restorecon, fixfiles, matchpathcon |
| Prerequisites | Project 1 completed, understanding of file contexts |

What You Will Build

A tool that scans filesystems for mislabeled files (files whose current context doesn’t match what policy dictates), reports violations, and can fix them. Integrates with system monitoring for drift detection.

Why It Matters

This project builds core skills that appear repeatedly in real-world systems and tooling.

Core Challenges

  • Understanding file context specifications → maps to the .fc file format
  • Comparing actual vs expected contexts → maps to matchpathcon logic
  • Handling special cases (symlinks, /tmp, user home) → maps to context inheritance
  • Efficient filesystem scanning → maps to performance at scale

Key Concepts

  • File Context Files: SELinux Notebook - File Contexts section
  • restorecon internals: libselinux documentation
  • Context Inheritance: SELinux System Administration Ch. 3
  • Extended Attributes: Understanding xattrs and security.selinux
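
The actual-versus-expected comparison named under Core Challenges, together with the security.selinux xattr read named under Key Concepts, as an added example that is not part of the original project text. The sample policy lines, sample labels, function names and the "last matching spec wins" rule are assumptions made for illustration; on a real system libselinux does the matching (PCRE regexes, its own spec ordering).

```python
import errno, os, re

# Constructed samples: policy text in file_contexts (.fc) syntax, then current labels.
SAMPLE_FC = r"""
/var/www(/.*)?             system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/uploads(/.*)?     system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/\.git(/.*)?  <<none>>
"""
SAMPLE_LABELS = {
    "/var/www/uploads/doc.pdf": "unconfined_u:object_r:user_home_t:s0",
    "/var/www/config/app.conf": "system_u:object_r:default_t:s0",
    "/var/www/cgi-bin/script.sh": "system_u:object_r:httpd_sys_content_t:s0",
    "/var/www/html/index.html": "system_u:object_r:httpd_sys_content_t:s0",
    "/var/www/html/new.html": None,
}

def parse_fc(text):
    """Parse 'regex [type] context' lines into (regex, file_type_or_None, context)."""
    rows = (ln.split() for ln in text.splitlines() if ln.strip() and ln.lstrip()[0] != "#")
    return [(re.compile(f[0]), f[1] if len(f) == 3 else None, f[-1]) for f in rows]

def expected_context(specs, path, ftype="--"):
    """Assumed simplification of matchpathcon: the last matching spec wins."""
    for regex, spec_type, context in reversed(specs):
        if regex.fullmatch(path) and spec_type in (None, ftype):
            return None if context == "<<none>>" else context
    return None

def read_context(path):
    """Current label from the security.selinux xattr, or None if unlabeled."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\0").decode()

def audit(specs, labels):
    """Compare only the type field, as restorecon does without -F."""
    mislabeled, unlabeled = [], []
    for path, current in sorted(labels.items()):
        want = expected_context(specs, path)
        if want is not None and current is None:
            unlabeled.append(path)
        elif want is not None and current.split(":")[2] != want.split(":")[2]:
            mislabeled.append((path, current.split(":")[2], want.split(":")[2]))
    return mislabeled, unlabeled
```

On an SELinux host, build the `labels` mapping by calling `read_context()` on each path found by walking the target directory.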

Real-World Outcome

$ ./selinux-context-checker --path /var/www --report

SELinux File Context Integrity Report
=====================================
Scanned: /var/www
Files checked: 1,247
Mislabeled: 23
Unlabeled: 2

MISLABELED FILES:
┌────────────────────────────────────────────────────────────────────────┐
│ Path                        │ Current          │ Expected             │
├────────────────────────────────────────────────────────────────────────┤
│ /var/www/uploads/doc.pdf    │ user_home_t      │ httpd_sys_rw_content │
│ /var/www/config/app.conf    │ default_t        │ httpd_sys_content_t  │
│ /var/www/cgi-bin/script.sh  │ httpd_sys_content│ httpd_sys_script_exe │
└────────────────────────────────────────────────────────────────────────┘

RISK ASSESSMENT:
- HIGH: /var/www/cgi-bin/script.sh - CGI script won't execute (wrong type)
- MEDIUM: /var/www/config/app.conf - App may fail to read config
- LOW: /var/www/uploads/doc.pdf - Read access may be denied

$ ./selinux-context-checker --path /var/www --fix --dry-run
Would restore context for 23 files:
  restorecon -v /var/www/uploads/doc.pdf
  restorecon -v /var/www/config/app.conf
  ...

$ ./selinux-context-checker --path /var/www --fix
Restored context for 23 files.
All files now match expected SELinux context.

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: SELINUX_DEEP_DIVE_LEARNING_PROJECTS.md
  • “SELinux System Administration” by Sven Vermeulen