SELinux : Change File Types
2016/07/26
It is possible to modify access control settings by changing the File Type of a file, without changing any boolean value.
The example below is for the "targeted" policy environment.
[1] The default SELinux context settings are placed under [policy directory]/contexts/files, as follows.
[root@dlp ~]# ll /etc/selinux/targeted/contexts/files
total 584
-rw-r--r--. 1 root root 291724 Jul 28 11:21 file_contexts
-rw-r--r--. 1 root root   6405 Jul 28 11:21 file_contexts.homedirs
-rw-r--r--. 1 root root 290594 Aug 17  2015 file_contexts.pre
-rw-r--r--. 1 root root    139 May 11 18:45 media
[root@dlp ~]# head /etc/selinux/targeted/contexts/files/file_contexts
/.*     system_u:object_r:default_t:s0
/[^/]+  --      system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)  --      system_u:object_r:quota_db_t:s0
/nsr(/.*)?      system_u:object_r:var_t:s0
/sys(/.*)?      system_u:object_r:sysfs_t:s0
/xen(/.*)?      system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)    -l      system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?   -d      system_u:object_r:mnt_t:s0
/bin/.* system_u:object_r:bin_t:s0
/dev/.* system_u:object_r:device_t:s0
[2] For example, modify the File Type for the case of using CGI on httpd.
The boolean value for using CGI on httpd is set to "on" by default, so with the default SELinux settings it is possible to run CGI under the default directory "/var/www/cgi-bin/" configured in httpd.
[root@dlp ~]# semanage boolean -l | grep httpd_enable_cgi
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
[root@dlp ~]# grep "cgi" /etc/selinux/targeted/contexts/files/file_contexts | grep "httpd"
/usr/lib(64)?/nagios/cgi(/.*)?  system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/dirsrv/cgi-bin(/.*)?      system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0
/usr/lib(64)?/cgi-bin/nagios(/.+)?      system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/nagios/cgi-bin(/.*)?      system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/cgi-bin/netsaint(/.*)?    system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/dirsrv/dsgw-cgi-bin(/.*)? system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)?        --      system_u:object_r:httpd_suexec_exec_t:s0
/var/www/[^/]*/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
/var/cache/cgit(/.*)?   system_u:object_r:httpd_git_rw_content_t:s0
/var/www/dspam/.*\.cgi  --      system_u:object_r:httpd_dspam_script_exec_t:s0
/usr/lib/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
.....
.....
# create a test script and access it; access is OK
[root@dlp ~]# curl http://localhost/cgi-bin/index.cgi
CGI Test Page
However, if you want to use CGI in another directory, access is denied as shown below, even if the httpd settings are correct.
[root ~]# curl http://localhost/cgi-enabled/index.cgi
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
.....
.....
# "httpd_sys_content_t" is assigned
[root ~]# ls -Z /var/www/html/cgi-enabled
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.cgi
In this case, the File Type must be changed to one that SELinux allows to run as CGI.
[3] Change the File Type as follows. Be careful, however: a change made with the chcon command is reverted when the restorecon command is run or the filesystem is relabeled.
[root@dlp ~]# chcon -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.cgi
[root@dlp ~]# ls -Z /var/www/html/cgi-enabled
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.cgi
[root@dlp ~]# curl http://localhost/cgi-enabled/index.cgi
CGI Test Page
# just accessed
[4] To change the Type permanently, set it as follows.
[root@dlp ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.cgi
[root@dlp ~]# grep "cgi-enabled" /etc/selinux/targeted/contexts/files/file_contexts.local
/var/www/html/cgi-enabled/index.cgi    system_u:object_r:httpd_sys_script_exec_t:s0
# written as default Context
[root@dlp ~]# ls -Z /var/www/html/cgi-enabled
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.cgi
# reset with restorecon
[root@dlp ~]# restorecon /var/www/html/cgi-enabled/index.cgi
[root@dlp ~]# ls -Z /var/www/html/cgi-enabled
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.cgi
# restored
[root@dlp ~]# curl http://localhost/cgi-enabled/index.cgi
CGI Test Page
# accessed
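As an added example (not part of the original page), the script below models how steps [1] and [4] fit together: it resolves a path's default context from file_contexts-style entries the way a relabel does, and shows why the entry that semanage fcontext writes to file_contexts.local wins over the policy default. It assumes POSIX sh with grep -E; the entry lists are constructed, abridged samples (the /var/www(/.*)? line is assumed from the targeted policy, the others come from the listings above).

```shell
#!/bin/sh
# Added example, not from the original page: emulate how libselinux picks a
# path's default context from file_contexts-style entries, and why an entry
# that "semanage fcontext" writes to file_contexts.local overrides the policy.
# Assumes POSIX sh and grep -E. Entry lists are constructed, abridged samples.

# Abridged file_contexts (constructed): <regex> [<file type>] <context>
POLICY_FC='
/.* system_u:object_r:default_t:s0
/[^/]+ -- system_u:object_r:etc_runtime_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
'
# What step [4] appends to file_contexts.local.
LOCAL_FC='
/var/www/html/cgi-enabled/index.cgi system_u:object_r:httpd_sys_script_exec_t:s0
'

# match_entries PATH FTYPE ENTRIES...: print the context of every entry whose
# regex matches the whole PATH. An entry with a file-type flag (--, -d, -l, ...)
# applies only to objects of that type; entries without a flag apply to all.
match_entries() {
    path=$1; want=$2; shift 2
    printf '%s\n' "$@" | while read -r regex f2 f3; do
        [ -z "$regex" ] && continue
        if [ -n "$f3" ]; then ftype=$f2; ctx=$f3; else ftype=''; ctx=$f2; fi
        if [ -n "$ftype" ] && [ "$ftype" != "$want" ]; then continue; fi
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then printf '%s\n' "$ctx"; fi
    done
}

# policy_default PATH [FTYPE]: what restorecon/setfiles apply from file_contexts
# alone. The LAST matching entry wins (the policy build sorts the file so that
# more specific entries come later). FTYPE defaults to -- (regular file).
policy_default() { match_entries "$1" "${2:---}" "$POLICY_FC" | tail -n 1; }

# effective_default PATH [FTYPE]: file_contexts.local is searched after
# file_contexts, so the "semanage fcontext" entry takes precedence.
effective_default() { match_entries "$1" "${2:---}" "$POLICY_FC" "$LOCAL_FC" | tail -n 1; }

printf 'policy default : %s\n' "$(policy_default /var/www/html/cgi-enabled/index.cgi)"
printf 'with local rule: %s\n' "$(effective_default /var/www/html/cgi-enabled/index.cgi)"

# On a real SELinux host, a dry run of restorecon lists files whose on-disk
# context differs from the default, i.e. chcon changes a relabel would undo.
if command -v restorecon >/dev/null 2>&1; then
    restorecon -nv /var/www/html 2>/dev/null || true
fi
```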