Saturday, January 23, 2010

4. SELinux TYPE Context : chcon & restorecon

Changing and restoring the Types:(chcon with Apache public directory)
We will explain the usage of chcon and restorecon with the following example.
Correctly label files under ~/public_html which is served by Apache using the UserDir derivative on a server which runs SELinux in Enforcing mode.

Step 1
Make sure that the apache serves the file under public_html directory of all users.
# vim /etc/httpd/httpd.conf
#(comment the following derivative)
 # UserDir disable
UserDir public_html
# service httpd restart
This will make apache to serve the pages in the directory public_home of all users home directory.

Keep in mind that the SElinux is enabled and running in Permissive mode. Now create directory inside any users home directory
# cd /home/user
# mkdir public_html && cd public_html && echo "testing the Type Enforcement(TE)" > index.html
Now check the label of the newly created directory
# ls -ltdZ public_html
drwxrwxr-x user user user_u:object_r:user_home_t public_html
The labeling is done automatically while creation of the folder with the specific type "user_home_t". But the Apache will not be able to server from this folder because of this type Tuple .

Step 2
First make sure that the DAC level permission is done for apache user to enter the users home directory to get the files inside the public_html folder. Because "SELinux honors the DAC prior to MAC"
# chmod a+x /home/user
# chmod a+x /home/user/public_html
Try accessing the file using the web browser http://localhost/~user.
This will serve the page from the users home directory. If we recall the SELinux has been set as Permissive mode so the page has been served. Refer Logs to find more details about the SElinux policy violations. The Logs will be generated since the SELinux is running at Permissive mode

Step:- 3
Now change the SELInux mode to Enforced
# echo 1 > /selinux/enforce
# setenforce 1
# sestatus
Make sure SELinux is running in the Enforced mode. Try accessing the file using the web browser http://localhost/~user.
This time we will get the 403 "Forbidden" error msg.

Step:- 4
Manipulate the Type Enforcement(TE), this means we have to make sure that the type or the value of the Tuple is changed on the files to be accessed by Apache.
# chcon -R -t httpd_user_content_t public_html/
Recursively change the type (TE) to "httpd_user_content_t". This will make apache to serve the page from the directory public_html. "httpd_user_content_t" is defined in the policy binary and source file.
# ls -ltrZ public_html/
Confirm the change.

Now Try accessing the file using the web browser http://localhost/~user.
This will serve the content.

To change the mode from enforcing to permissive mode
# echo 0 > /selinux/enforce
# setenforce 0

DAC-checks occurs first and if denied obviates need for MAC-checks

Restorecon - allows to restore the context information or the Tuple.
     This will allow to correctly restore the policy-based (/etc/selinux/targeted/policy/policy.xx) security-label context. The type contexts are inherited from the parent folder while running restorecon.
# restorecon -nv public_html
This will show the change that will be applied in the context from the policy to the current context. Usage of "-n" makes "no changes" to the files.
# restorecon -Rv public_html
This will restore the type context recursively under the folder public_html. The SElinux is need not to be enabled to run this utility because, this tool is based on the /etc/selinux/targeted/policy/policy.xx and applies accordingly.

verify the context with the following command.
# ls -ltrZ public_html

"Copying a file will result in inheriting the type context of the targeted folder".
"Moving a file will preserve the SElinux security Tuple/context/label"

1 comment:

tag ur valuable ideas below