SELinux : Change File Types
2016/03/27
It's possible to modify access control settings by changing a File Type, without changing any boolean value.
The example below is on "targeted" Policy environment.
[1] The settings for default SELinux Contexts are placed under [policy directory]/contexts/files as follows.

[root@dlp ~]# ll /etc/selinux/targeted/contexts/files
total 2104
-rw-r--r--. 1 root root  368879 Mar 28 15:46 file_contexts
-rw-------. 1 root root 1336352 Mar 28 15:46 file_contexts.bin
-rw-r--r--. 1 root root   13169 Mar 28 15:46 file_contexts.homedirs
-rw-------. 1 root root   43960 Mar 28 15:46 file_contexts.homedirs.bin
-rw-r--r--. 1 root root       0 Feb 17 02:24 file_contexts.local
-rw-------. 1 root root      16 Mar 28 15:46 file_contexts.local.bin
-rw-r--r--. 1 root root  365908 Oct 21 11:19 file_contexts.pre
-rw-r--r--. 1 root root       0 Feb 17 02:24 file_contexts.subs
-rw-r--r--. 1 root root     422 Feb 17 02:24 file_contexts.subs_dist
-rw-r--r--. 1 root root     139 Feb 17 02:24 media
[root@dlp ~]# head /etc/selinux/targeted/contexts/files/file_contexts
/.*                     system_u:object_r:default_t:s0
/[^/]+                  --  system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)  --  system_u:object_r:quota_db_t:s0
/nsr(/.*)?              system_u:object_r:var_t:s0
/sys(/.*)?              system_u:object_r:sysfs_t:s0
/xen(/.*)?              system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)?           -l  system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?           -d  system_u:object_r:mnt_t:s0
/bin/.*                 system_u:object_r:bin_t:s0
/dev/.*                 system_u:object_r:device_t:s0
[2] As an example, modify the File Type for the case of running CGI on httpd.
The boolean for using CGI on httpd is set to "on" by default, so with the default SELinux settings CGI scripts can run under the default directory "/var/www/cgi-bin/" configured in httpd.

[root@dlp ~]# semanage boolean -l | grep httpd_enable_cgi
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
[root@dlp ~]# grep "cgi" /etc/selinux/targeted/contexts/files/file_contexts | grep "httpd"
/usr/.*\.cgi                         --  system_u:object_r:httpd_sys_script_exec_t:s0
/opt/.*\.cgi                         --  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/[^/]*/cgi-bin(/.*)?             system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?        system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin(/.*)?                   system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?                   system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?  --  system_u:object_r:httpd_suexec_exec_t:s0
/var/log/cgiwrap\.log.*              --  system_u:object_r:httpd_log_t:s0
# create a test script and access it: the request succeeds
[root@dlp ~]# curl http://localhost/cgi-bin/index.py
CGI Test Page
However, if you'd like to run CGI from another directory, as in the example in [3], access is denied as follows even when the httpd settings are correct.

[root ~]# curl http://localhost/cgi-enabled/index.py
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
.....
.....
# "httpd_sys_content_t" is assigned
[root ~]# ls -Z /var/www/html/cgi-enabled
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.py

In this case, the File Type needs to be changed to one for which SELinux allows CGI execution.
[3] Change the File Type as follows. But be careful: a change made with the chcon command is reverted when the restorecon command is run or when the filesystem is relabeled.

[root@dlp ~]# chcon -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py
[root@dlp ~]# ls -Z /var/www/html/cgi-enabled
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.py
[root@dlp ~]# curl http://localhost/cgi-enabled/index.py
CGI Test Page
# accessed successfully
[4] If you'd like to change the Type permanently, set it as follows.

[root@dlp ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py
[root@dlp ~]# grep "cgi-enabled" /etc/selinux/targeted/contexts/files/file_contexts.local
/var/www/html/cgi-enabled/index.py    system_u:object_r:httpd_sys_script_exec_t:s0
# written as the default Context
[root@dlp ~]# ls -Z /var/www/html/cgi-enabled
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.py
# reset with restorecon
[root@dlp ~]# restorecon /var/www/html/cgi-enabled/index.py
[root@dlp ~]# ls -Z /var/www/html/cgi-enabled
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.py
# restored
[root@dlp ~]# curl http://localhost/cgi-enabled/index.py
CGI Test Page
# accessed
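To show why index.py under cgi-enabled gets httpd_sys_content_t from the policy in [2] and httpd_sys_script_exec_t once the local rule from [4] exists, here is an added Python model of the file_contexts lookup (not code from the original page or from libselinux). It assumes a simplified "last matching spec wins, file_contexts.local appended after file_contexts" rule with the page's --/-d/-l type flags, and its spec list is constructed from the page's entries plus a hypothetical /var/www(/.*)? rule standing in for the distribution's web-content rule.

```python
import re

# Type flag on a spec line -> the kind of inode the spec applies to
# (no flag means any kind), as seen in the page's file_contexts listing.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink"}

def parse_file_contexts(text):
    """Parse 'regex [flag] context' lines into (compiled_regex, kind, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, flag, context = fields
            kind = TYPE_FLAGS[flag]
        else:
            regex, context = fields
            kind = None
        specs.append((re.compile(regex), kind, context))
    return specs

def lookup_context(specs, path, kind="file"):
    """Context of the last spec whose regex fully matches path and whose type
    flag fits the inode kind (a simplification of libselinux's lookup), or None."""
    winner = None
    for regex, spec_kind, context in specs:
        if spec_kind in (None, kind) and regex.fullmatch(path):
            winner = context
    return winner

def effective_specs(system_text, local_text):
    """file_contexts.local entries are appended after the policy's, so they win."""
    return parse_file_contexts(system_text) + parse_file_contexts(local_text)

# Constructed sample in the page's format. The /var/www(/.*)? line is a
# hypothetical stand-in for the distribution rule that labels web content.
FILE_CONTEXTS = """
/.*                                  system_u:object_r:default_t:s0
/var/www(/.*)?                       system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?               system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin(/.*)?               system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?  --  system_u:object_r:httpd_suexec_exec_t:s0
"""
# What step [4]'s semanage fcontext command records in file_contexts.local.
FILE_CONTEXTS_LOCAL = """
/var/www/html/cgi-enabled/index.py   system_u:object_r:httpd_sys_script_exec_t:s0
"""
```

Because the rule in [4] names index.py literally, a second script such as other.py in the same directory still resolves to httpd_sys_content_t in this model; a regex rule like /var/www/html/cgi-enabled(/.*)? would cover the whole directory.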