Linux provides 3 levels regarding filesystem security: standard permissions, ACL and SELinux. SELinux handles not only with files permissions but with applications, resources and network ports as well. SELinux may put a ban on an application access to the spicified system files or may not allowed a user changing file permission. What is, how work and how to troubleshoot SELinux, let’s get to know!
What the power of SELinux consists in ?
As I mentioned in the introduction the power of SElinux consists in, that can assign different access of a single daemon to different parts of the system. The process may have or not have an access to network ports, files, sockets, directories according to the policies. From the security point of view it has a huge meaning, the attacker after succesfull attack will gain only access to the part of the system restricted to single daemon not entire system.
/etc/sysconfig/selinux – SELinux configuration file
There are 3 posibilities regarding action that SELinux may undertake :
enforcing – exacts rules / setenforce 1
permissive – logs violations, but doesn’t stop them / setenforce 0
disabled – turned off
sestauts – the command for checking state of SELinux enable/disable
Enforcing will be used in order to block, permissive in order to check what would happen if we used enforcing mode. By defalult SElinux type is “targeted”. Files, folders, processes and ports are labeled according to the access required to them
Commands that shows labels context:
ls -Z – files and folders
As we see there are a couple of labels attached to the files. I just listed /etc folder. We have not only etc_t labels but bin_t, locale_t as well, “etc_t” means “etc type” and so on. Based on these labels SELinux makes decisions. Contexts are inherited like permissions and ACLs, from folder to included files in its.
We may aslo check labels for processes and sockets
ps -z – processes
netstat -Z – ports
If we want to change the label of the file or folder we do this with command chcon:
chcon -t -R type file/folder (R stands for recursive)
If we want to restore original labels :
restorcon -vR file/folder
I’ve installed httpd daemon (or Apache if you wish) and started its. Let’s go over /var/www folder. As we see html folder is labeled with httpd_sys_content. Inside the folder there is an index.html that has exactly the same type of label. Index.html just inherited rights. Everything is ok
Let’s check what is the label of apache daemon with command “ps -Zaux” . As we see the label of httpd service is httpd_t. Just this. That’s fine, Apache will get an access to the www folder with label httpd_sys_content due to the SELinux rules. So far, so good. If we type localhost in the browser we gonna see index.html content!
Now, let’s make things more complicated. I logged off and logged on as user ‘marcin’. In folder /home/marcin I created index.html file and copy its to the correct folder of Apache /var/www/ namely. I even grant full permissions to everyone to read, write and execute index.html file because originaly this file didn’t have full permissions.
Let’s check if the site will be working out. Unfortunately not!
So we have 777 permissions, we are logged as root and we can’t run a file ?
Let’s check what say SELinux labels.
It has turned out index.html file has SELinux label user_home_t because has been created in home folder of user marcin not in folder /var/www/, if was then would inherit label from www folder httpd_sys_content.
Ok, so let’s try change the label of index.html from user_home_t to httpd_sys_content
Let’s check what we got
And finally, we have to try to open index.html file …. SUCCESS !
In order to show how to troubleshoot SELinux I took the lab back to the place, where I created index.html file as user marcin in /home/marcin folder and copy its to the /var/www/html folder. As you see ls -Z show that index.html has label home_user_t. Now you won’t be able to run index.html in the browser for lack of permissions.
Ok, let’s see how to find out what is wrong, firstly we have to install appropriate
program and restart the auditd service
yum install setroubleshoot-server
service auditd restart
Let’ try to run index.html one more time in the browser (with no luck of course)
From var/log/messages file we will find out everything what we have to know
The interesting for us line is marked on yellow colour, we get to know where is the problem and what we have to do next – we have to run “sealert -l c03093c4-9bef-4be7-a692-2a53d2bea36d” command
So let’s run “sealert -l c03093c4-9bef-4be7-a692-2a53d2bea36d“
So, from above alert we get to know that in order to allow the Apache reading files with label user_content we have to run command:
setsebool -P httpd_read_user_content 1
Let’s run setsebool -P httpd_read_user_content 1 and check what happens with index.html in the browser
SUCCESS! We didn’t change the label to httpd_sys_content and we didn’t grant 777 permissions to index.html file but it works ! What we just did ?
What is SELinux Booleans ?
SELinux Booleans enables us setting up what SELinux does or doesn’t do in given situation. When we’ve run “setsebool -P httpd_read_user_content 1” we didn’t do nothing more than set up permamently that Apache (httpd) is enable reading files with user_content SELinux labels.
getsebool -a shows all possible boolans, good to use grep
As we see httpd_read_user_content is turned off let’s change it
setsebool [-P] booloption on/off – setting up bool and state
/etc/selinux/targeted/active/booleans.local – file contains a list with booleans and settings that we have changed.
Let’s check if our new entry regarding httpd_read_user_content ie being placed
in booleans.local file.
Yes, it is !