unconfined_t domain, and system processes started by init run in the initrc_t domain; both of these domains are unconfined.
sshd or httpd, is confined in Fedora. Also, most processes that run as the root user and perform tasks for users, such as the passwd utility, are confined. When a process is confined, it runs in its own domain, such as the httpd process running in the httpd_t domain. If a confined process is compromised by an attacker, then, depending on the SELinux policy configuration, the attacker's access to resources, and the damage they can do, is limited to what that domain is allowed.
Procedure 10.3. How to Verify SELinux Status
~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

On current Fedora releases the SELinuxfs mount is reported as /sys/fs/selinux; the other fields have the same meaning. The "Current mode" line is the one to check: only "enforcing" means denials are actually blocked rather than merely logged.
/var/www/html/ directory:
~]# touch /var/www/html/testfile
~]$ ls -Z /var/www/html/testfile
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
testfile file is labeled with the SELinux unconfined_u user. RBAC is used for processes, not files. Roles do not have a meaning for files; the object_r role is a generic role used for files (on persistent storage and network file systems). Under the /proc/ directory, files related to processes may use the system_r role.
[18] The httpd_sys_content_t type allows the httpd process to access this file.
httpd) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example only and should not be used in production. It assumes that the httpd and wget packages are installed, that the SELinux targeted policy is in use, and that SELinux is running in enforcing mode (in permissive mode the final wget would succeed and only a denial would be logged).
Procedure 10.4. An Example of a Confined Process
httpd daemon:
~]# systemctl start httpd.service
~]$ systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Mon 2013-08-05 14:00:55 CEST; 8s ago
~]$ wget http://localhost/testfile
--2009-11-06 17:43:01--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'

    [ <=>                                ] 0           --.-K/s   in 0s

2009-11-06 17:43:01 (0.00 B/s) - `testfile' saved [0/0]
The chcon command relabels files; however, such label changes do not survive a file system relabel (for example, restorecon, or a relabel on boot), because the label is reset to the policy default. For permanent changes that survive a relabel, use the semanage utility, which is discussed later. As root, run the following command to change the type to a type used by Samba:
~]# chcon -t samba_share_t /var/www/html/testfile
~]$ ls -Z /var/www/html/testfile
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
httpd process access to testfile. Change into a directory to which your user has write access, and run the following command. Unless the default configuration has been changed, this command fails:
~]$ wget http://localhost/testfile
--2009-11-06 14:11:23--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2009-11-06 14:11:23 ERROR 403: Forbidden.
testfile:
~]# rm -i /var/www/html/testfile
httpd to be running, as root, run the following command to stop it:
~]# systemctl stop httpd.service
httpd process access to testfile in step 2, SELinux denied access because the file was labeled with a type (samba_share_t) that the httpd_t domain is not allowed to read. Note that the DAC permissions (-rw-r--r--, owned by root) never changed between the two wget runs; only the SELinux type did.
auditd daemon is running, an AVC denial similar to the following is logged to /var/log/audit/audit.log (the AVC record and the SYSCALL record that follows it share the same audit serial number, here 70):

type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
/var/log/httpd/error_log:

[Wed May 06 23:00:54 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied
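The following Python script is an added example, not code from the Fedora guide or from the SELinux project. It ties together the two points above: it parses AVC denial records like the one logged for testfile, splits each context into the user:role:type:level fields described for the ls -Z output (handling MLS ranges, where the level itself contains a colon), and then decides whether a denial came from a label that drifted away from the policy default (the chcon case, which restorecon reverts) or from a file that already carries its default label, in which case the policy itself forbids the access and relabeling is the wrong fix. The DEFAULT_FILE_CONTEXTS table is an assumed excerpt of the targeted policy's file_contexts rather than something read from the running system, the second denial record (serial 71) is constructed, and the function names are the script's own.

```python
import re

# Constructed sample log (not captured from a live system): the AVC/SYSCALL pair
# quoted on this page, plus a second, made-up denial for a file that already
# carries the default label of /var/www/html.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1220706300.101:71): avc:  denied  { write } for  pid=1904 comm="httpd" path="/var/www/html/upload.txt" dev=sda5 ino=247577 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Assumed excerpt of the targeted policy's file_contexts (regex -> type). A real
# tool would ask libselinux (matchpathcon / selabel_lookup) instead.
DEFAULT_FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/var/lib/samba(/.*)?", "samba_var_t"),
]

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
META_RE = re.compile(r"[.(\[*?+^$|\\]")  # first regex metachar ends the literal stem


def parse_context(ctx):
    """Split user:role:type:level; maxsplit=3 keeps an MLS range such as
    s0-s0:c0.c1023 intact because the level itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    user, role, setype = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return {"user": user, "role": role, "type": setype, "level": level}


def parse_avc(line):
    """Return the fields of one type=AVC record, or None for any other record."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
    }


def default_type_for(path):
    """Approximate matchpathcon: of all entries whose regex matches the whole
    path, the one with the longest literal stem (the most specific) wins."""
    best = None
    for pattern, setype in DEFAULT_FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            meta = META_RE.search(pattern)
            stem_len = len(pattern) if meta is None else meta.start()
            if best is None or stem_len > best[0]:
                best = (stem_len, setype)
    return None if best is None else best[1]


def analyze(log_text):
    """Classify each denial: 'mislabeled' (label differs from the policy default,
    as after chcon; restorecon fixes it), 'policy' (label already is the default,
    so the policy itself forbids the access) or 'unknown' (no path recorded)."""
    findings = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["decision"] != "denied":
            continue  # SYSCALL/PATH records share the serial but carry no verdict
        actual = avc["target"]["type"]
        expected = default_type_for(avc["path"]) if avc["path"] else None
        if expected is None:
            verdict, fix = "unknown", "identify the object first (ausearch -i, ls -Z)"
        elif expected != actual:
            verdict, fix = "mislabeled", "restorecon -v " + avc["path"]
        else:
            verdict, fix = "policy", "default label already applied; check audit2why/sealert before relabeling"
        findings.append({
            "serial": avc["serial"], "comm": avc["comm"], "perms": avc["perms"],
            "tclass": avc["tclass"], "path": avc["path"],
            "source_type": avc["source"]["type"], "target_type": actual,
            "expected_type": expected, "verdict": verdict, "fix": fix,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print("audit %d: %s denied %s on %s %s (labeled %s, default %s): %s -> %s" % (
            f["serial"], f["source_type"], ",".join(f["perms"]), f["tclass"],
            f["path"], f["target_type"], f["expected_type"], f["verdict"], f["fix"]))
```

For the record quoted on this page the script reports that httpd_t was denied getattr on a file labeled samba_share_t whose default type under /var/www is httpd_sys_content_t, so restorecon is the right fix; for the constructed serial 71 it refuses to suggest a relabel, since the file already carries its default type and the denial reflects a policy decision. Relabeling a file to whatever type makes a denial go away is the SELinux equivalent of chmod 777: check the default with matchpathcon or restorecon -n -v first, and only use semanage fcontext when you genuinely want a different persistent label.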