SELinux greatly enhances security by going beyond discretionary access control (DAC) and implementing mandatory access control (MAC). MAC allows additional restrictions on how processes can access objects such as files, ports, and other processes. Normally, the httpd process has access to files under /var/www. However, if that process is compromised, it can be used to access other files on the system. Under MAC, a process is limited to data of certain types.
For example, the “httpd_sys_content_t” type, normally associated with web content, is accessible by the httpd process, provided that the access control list (ACL) under DAC also allows it. Using DAC alone, a seriously misconfigured web server can expose sensitive files such as /etc/passwd, since the default ACL makes it world readable. SELinux prevents such exposures because /etc/passwd is labeled with the type “passwd_file_t”, which is not accessible by the httpd process.
By default, recent versions of Red Hat Enterprise Linux come with SELinux in enforcing mode with the targeted policy. The targeted policy protects typical processes running on the system and allows them to access the files normally associated with them in their default locations. Admins normally run into trouble with SELinux when trying to allow a process to access files in non-default locations. For example, let's say a /web directory is created to host web pages. Even with correct ACLs, the httpd process won't have access to /web because it will be labeled with the type “default_t”, which isn't accessible by httpd. Running a couple of commands fixes this:
# This registers /web to be labeled as “httpd_sys_content_t”
semanage fcontext -a -t httpd_sys_content_t /web
# This immediately applies the label to /web as defined above
restorecon /web
Other directories and files created under /web will also be labeled as “httpd_sys_content_t”, because a new file inherits the label of its parent directory.
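The same two steps wrapped in an idempotent script, added here as an example and not taken from the original post: it checks whether a file-context rule for the path already exists before adding one, relabels, and then verifies the result by parsing the type out of “ls -Zd” output. The script name, the “run” wrapper and the DRY_RUN variable are this example's own conventions, and it assumes a host running the targeted policy with semanage and restorecon installed.

```shell
#!/bin/sh
# label_content_dir.sh (example helper, not from the original post):
# idempotently label a non-default web content directory for httpd.
# Assumes a targeted-policy host with semanage/restorecon installed.
# Usage (as root):  sh label_content_dir.sh /web
# Set DRY_RUN=1 to print the privileged commands instead of running them.

CONTENT_TYPE="${CONTENT_TYPE:-httpd_sys_content_t}"

# Run a command, or just print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Extract the SELinux type from a context string or a whole `ls -Z` line,
# e.g. "drwxr-xr-x. root root system_u:object_r:default_t:s0 /web" -> "default_t".
# The context is the first field with at least three colon-separated parts
# whose third part ends in "_t"; this also copes with MLS ranges like s0-s0:c0.c1023.
context_type() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if (split($i, f, ":") >= 3 && f[3] ~ /_t$/) { print f[3]; exit }
  }'
}

# Current type of a path as reported by ls -Zd.
current_type() { context_type "$(ls -Zd "$1")"; }

# Does a file-context rule for exactly this path spec already exist?
# Reads `semanage fcontext -l` output (first column is the path spec) on stdin.
fcontext_rule_present() {
  awk -v spec="$1" '$1 == spec { found = 1 } END { exit !found }'
}

label_content_dir() {
  dir="$1"
  # Register the directory and everything below it, so that a later
  # recursive restorecon keeps existing children labeled as well.
  spec="$dir(/.*)?"
  if semanage fcontext -l 2>/dev/null | fcontext_rule_present "$spec"; then
    echo "rule for $spec already present"
  else
    run semanage fcontext -a -t "$CONTENT_TYPE" "$spec"
  fi
  run restorecon -Rv "$dir"
  # Verify: the directory itself must now carry the content type.
  actual=$(current_type "$dir")
  if [ "$actual" = "$CONTENT_TYPE" ]; then
    echo "$dir is labeled $actual"
  else
    echo "$dir is labeled $actual, expected $CONTENT_TYPE" >&2
    return 1
  fi
}

# Only act when given an absolute path; sourcing the file just defines the functions.
case "${1:-}" in
  /*) label_content_dir "$1" ;;
esac
```

Note that the script registers the pattern “/web(/.*)?” rather than the bare path used in the commands above. With a rule for /web alone, files created later still inherit the parent's label, but a subsequent “restorecon -R /web” would reset existing children to “default_t” because no rule matches them; the pattern form makes the labeling survive a relabel.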
Although the above example is straightforward, the /home directory poses additional challenges, as the various directories and files nested within it are assigned different types. This is for a good reason: you may want the httpd process to be able to access ~/public_html, while a compromised httpd process is still prevented from accessing the rest of the user's files. Examples of the different file and directory types are shown below:
[root@enterprise web]# ls -Zd /home
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home
[root@enterprise web]# ls -Z /home
drwx--x--x. lim lim unconfined_u:object_r:user_home_dir_t:s0 lim
[root@enterprise ~]# ls -aZ /home/lim
drwx--x--x. lim lim unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
-rw-------. lim lim unconfined_u:object_r:user_home_t:s0 .bash_history
-rw-r--r--. lim lim unconfined_u:object_r:user_home_t:s0 .bash_logout
-rw-r--r--. lim lim unconfined_u:object_r:user_home_t:s0 .bash_profile
-rw-r--r--. lim lim unconfined_u:object_r:user_home_t:s0 .bashrc
drwx------. lim lim unconfined_u:object_r:cache_home_t:s0 .cache
drwxr-xr-x. lim lim unconfined_u:object_r:config_home_t:s0 .config
drwxr-xr-x. lim lim unconfined_u:object_r:user_home_t:s0 Desktop
drwxr-xr-x. lim lim unconfined_u:object_r:user_home_t:s0 Documents
drwxr-xr-x. lim lim unconfined_u:object_r:user_home_t:s0 Downloads
-rw-------. lim lim unconfined_u:object_r:pulseaudio_home_t:s0 .esd_auth
drwx------. lim lim unconfined_u:object_r:gnome_home_t:s0 .gnome2
drwx------. lim lim unconfined_u:object_r:user_home_t:s0 .gnome2_private
-rw-------. lim lim unconfined_u:object_r:iceauth_home_t:s0 .ICEauthority
drwx------. lim lim unconfined_u:object_r:gconf_home_t:s0 .local
drwxr-xr-x. lim lim unconfined_u:object_r:mozilla_home_t:s0 .mozilla
drwxr-xr-x. lim lim unconfined_u:object_r:audio_home_t:s0 Music
drwxr-xr-x. lim lim unconfined_u:object_r:user_home_t:s0 Pictures
drwxr-xr-x. lim lim unconfined_u:object_r:user_home_t:s0 Public
drwxr-xr-x. lim lim unconfined_u:object_r:httpd_user_content_t:s0 public_html
drwx------. lim lim unconfined_u:object_r:ssh_home_t:s0 .ssh
drwxr-xr-x. lim lim unconfined_u:object_r:user_home_t:s0 Templates
drwxr-xr-x. lim lim unconfined_u:object_r:user_home_t:s0 Videos
-rw-------. lim lim unconfined_u:object_r:user_home_t:s0 .viminfo
-rw-------. lim lim unconfined_u:object_r:xauth_home_t:s0 .Xauthority
This poses a major challenge for organizations that use a non-default location for home directories: simply relabeling the root of the alternate home directory tree and relying on inheritance won't work, since the nested directories need different types. There's no need to set SELinux to permissive mode or disable it altogether, as there are simple steps to overcome this.
First, open /etc/selinux/semanage.conf in a text editor and set “usepasswd” to “true”. This allows semanage to scan /etc/passwd (it also works with LDAP) and correctly label home directories in non-default locations instead of /home only. Then run the following commands:
# This makes /home2 equivalent to /home, so paths under /home2 get the same labels as their /home counterparts
semanage fcontext -a -e /home /home2
# This applies the labels under /home2; the -R option makes restorecon recurse through existing subdirectories
restorecon -R /home2
Afterwards, existing and newly created user home directories will be labeled correctly. If you're interested in seeing how semanage labels the contents of home directories, take a look at /etc/selinux/targeted/modules/active/homedir_template.
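The whole procedure for an alternate home root, from the semanage.conf change through the equivalence rule, recursive relabel and a verification pass, as an added example script that is not part of the original post. It edits the “usepasswd” setting in place (keeping a backup copy), only adds the equivalence rule when it is not already registered, and uses “restorecon -nv” as a read-only check that reports any path still carrying the wrong label. The script name, the “run” wrapper and the DRY_RUN and SEMANAGE_CONF variables are this example's own conventions; it assumes a targeted-policy host with semanage and restorecon installed.

```shell
#!/bin/sh
# relabel_alt_home.sh (example helper, not from the original post):
# give an alternate home root such as /home2 the same per-file SELinux
# labels as /home. Assumes a targeted-policy host with semanage/restorecon.
# Usage (as root):  sh relabel_alt_home.sh /home2 [/home]
# Set DRY_RUN=1 to print the privileged commands instead of running them.

SEMANAGE_CONF="${SEMANAGE_CONF:-/etc/selinux/semanage.conf}"

# Run a command, or just print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Ensure "usepasswd=true" is set in the given semanage.conf.
# Replaces an existing uncommented usepasswd line, otherwise appends one.
# Prints "unchanged", "updated" or "appended" so callers can tell what happened.
enable_usepasswd() {
  conf="$1"
  if grep -Eq '^[[:space:]]*usepasswd[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf" 2>/dev/null; then
    echo unchanged
    return 0
  fi
  if grep -Eq '^[[:space:]]*usepasswd[[:space:]]*=' "$conf" 2>/dev/null; then
    cp "$conf" "$conf.bak"                      # keep a copy of the original
    sed 's/^[[:space:]]*usepasswd[[:space:]]*=.*/usepasswd=true/' "$conf" > "$conf.tmp" \
      && cat "$conf.tmp" > "$conf" \
      && rm -f "$conf.tmp"                      # cat keeps the file's mode and owner
    echo updated
  else
    printf 'usepasswd=true\n' >> "$conf"
    echo appended
  fi
}

# Is the equivalence "alt = base" already registered? Reads `semanage fcontext -l`
# output on stdin, where equivalence entries are printed as "/home2 = /home".
equivalence_present() {
  awk -v alt="$1" -v base="$2" \
    '$1 == alt && $2 == "=" && $3 == base { found = 1 } END { exit !found }'
}

relabel_alt_home() {
  alt="$1"; base="${2:-/home}"
  echo "semanage.conf usepasswd: $(enable_usepasswd "$SEMANAGE_CONF")"
  if semanage fcontext -l 2>/dev/null | equivalence_present "$alt" "$base"; then
    echo "$alt is already equivalent to $base"
  else
    run semanage fcontext -a -e "$base" "$alt"
  fi
  run restorecon -R "$alt"
  # Verification: -n changes nothing and -v prints each label it would change,
  # so any output means something under $alt is still mislabeled.
  leftover=$(restorecon -nvR "$alt" 2>/dev/null | wc -l)
  if [ "$leftover" -eq 0 ]; then
    echo "$alt is labeled like $base"
  else
    echo "$leftover paths under $alt would still be relabeled" >&2
    return 1
  fi
}

# Only act when given an absolute path; sourcing the file just defines the functions.
case "${1:-}" in
  /*) relabel_alt_home "$1" "${2:-/home}" ;;
esac
```

Because home directories are labeled per user from the password database, the verification step is worth keeping around: rerunning the script after new accounts are created is harmless, and a non-zero “restorecon -nv” count is the quickest way to spot a home directory that was moved in without being relabeled.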
About the Author
This is a guest post written by Hyung Lim. For any queries, you can contact the author at hyung.lim@gmail.com.