initrc_t
domain, unconfined kernel processes run in the kernel_t
domain, and unconfined Linux users run in the unconfined_t
domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules – it does not replace them.
httpd
) can access data intended for use by Samba, when running unconfined. Note that in Fedora, the httpd
process runs in the confined httpd_t
domain by default. This is an example, and should not be used in production. It assumes that the httpd, wget, dbus and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.
Procedure 10.5. An Example of Unconfined Process
chcon
command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the semanage
utility, which is discussed later. As the root user, run the following command to change the type to a type used by Samba:
~]#
chcon -t samba_share_t /var/www/html/testfile
~]$
ls -Z /var/www/html/testfile
-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
httpd
process is not running:
~]$
systemctl status httpd.service
httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: inactive (dead)
httpd
process:
~]#
systemctl stop httpd.service
httpd
process run unconfined, run the following command as root to change the type of the /usr/sbin/httpd
file, to a type that does not transition to a confined domain:
~]#
chcon -t unconfined_exec_t /usr/sbin/httpd
/usr/sbin/httpd
is labeled with the unconfined_exec_t
type:
~]$
ls -Z /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd
httpd
process and confirm, that it started successfully:
~]#
systemctl start httpd.service
~]#
systemctl status httpd.service
httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: active (running) since Thu 2013-08-15 11:17:01 CEST; 5s ago
httpd
running in the unconfined_t
domain:
~]$
ps -eZ | grep httpd
unconfined_u:unconfined_r:unconfined_t:s0 7721 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_t:s0 7723 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_t:s0 7724 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_t:s0 7725 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_t:s0 7726 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_t:s0 7727 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_t:s0 7728 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_t:s0 7729 ? 00:00:00 httpd unconfined_u:unconfined_r:unconfined_t:s0 7730 ? 00:00:00 httpd
~]$
wget http://localhost/testfile
--2009-05-07 01:41:10-- http://localhost/testfile Resolving localhost... 127.0.0.1 Connecting to localhost|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 0 [text/plain] Saving to: `testfile.1' [ <=> ]--.-K/s in 0s 2009-05-07 01:41:10 (0.00 B/s) - `testfile.1' saved [0/0]
httpd
process does not have access to files labeled with the samba_share_t
type, httpd
is running in the unconfined unconfined_t
domain, and falls back to using DAC rules, and as such, the wget
command succeeds. Had httpd
been running in the confined httpd_t
domain, the wget
command would have failed.
restorecon
utility restores the default SELinux context for files. As root, run the following command to restore the default SELinux context for /usr/sbin/httpd
:
~]#
restorecon -v /usr/sbin/httpd
restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_exec_t:s0->system_u:object_r:httpd_exec_t:s0
/usr/sbin/httpd
is labeled with the httpd_exec_t
type:
~]$
ls -Z /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
httpd
. After restarting, confirm that httpd
is running in the confined httpd_t
domain:
~]#
systemctl restart httpd.service
~]$
ps -eZ | grep httpd
system_u:system_r:httpd_t:s0 8883 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8884 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8885 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8886 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8887 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8888 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8889 ? 00:00:00 httpd
testfile
:
~]#
rm -i /var/www/html/testfile
rm: remove regular empty file `/var/www/html/testfile'? y
httpd
to be running, as root, run the following command to stop httpd
:
~]#
systemctl stop httpd.service