CentOS 6

SELinux : Change File Types
2016/07/26
 
It's possible to modify access control settings by changing a File Type, without changing a boolean value.
The example below is on "targeted" Policy environment.
[1] The default SELinux Context settings are placed under [policy directory]/contexts/files as follows.
[root@dlp ~]#
ll /etc/selinux/targeted/contexts/files

total 584
-rw-r--r--. 1 root root 291724 Jul 28 11:21 file_contexts
-rw-r--r--. 1 root root   6405 Jul 28 11:21 file_contexts.homedirs
-rw-r--r--. 1 root root 290594 Aug 17  2015 file_contexts.pre
-rw-r--r--. 1 root root    139 May 11 18:45 media

[root@dlp ~]#
head /etc/selinux/targeted/contexts/files/file_contexts

/.*     system_u:object_r:default_t:s0
/[^/]+  --      system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)  --      system_u:object_r:quota_db_t:s0
/nsr(/.*)?      system_u:object_r:var_t:s0
/sys(/.*)?      system_u:object_r:sysfs_t:s0
/xen(/.*)?      system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)    -l      system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?   -d      system_u:object_r:mnt_t:s0
/bin/.* system_u:object_r:bin_t:s0
/dev/.* system_u:object_r:device_t:s0
[2]
For example, change the File Type in order to use CGI on httpd.
The boolean value for using CGI on httpd is set "on" by default so it's possible to run CGI under the default directory "/var/www/cgi-bin/" on httpd settings with default SELinux settings.
[root@dlp ~]#
semanage boolean -l | grep httpd_enable_cgi

httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support

[root@dlp ~]#
grep "cgi" /etc/selinux/targeted/contexts/files/file_contexts | grep "httpd"

/usr/lib(64)?/nagios/cgi(/.*)?  system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/dirsrv/cgi-bin(/.*)?      system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0
/usr/lib(64)?/cgi-bin/nagios(/.+)?      system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/nagios/cgi-bin(/.*)?      system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/cgi-bin/netsaint(/.*)?    system_u:object_r:httpd_nagios_script_exec_t:s0
/usr/lib(64)?/dirsrv/dsgw-cgi-bin(/.*)? system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)?        --      system_u:object_r:httpd_suexec_exec_t:s0
/var/www/[^/]*/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
/var/cache/cgit(/.*)?   system_u:object_r:httpd_git_rw_content_t:s0
/var/www/dspam/.*\.cgi  --      system_u:object_r:httpd_dspam_script_exec_t:s0
/usr/lib/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
.....
.....

# create a test script and access to it, then it's OK to access

[root@dlp ~]#
curl http://localhost/cgi-bin/index.cgi

CGI Test Page
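  However, if you'd like to use CGI in another directory, access is denied as follows even if the httpd settings are correct, because the files there do not have a Type that SELinux allows httpd to run as CGI. The denial is recorded as an AVC message in the audit log (normally /var/log/audit/audit.log when auditd is running), which confirms that SELinux, not the httpd configuration, is the cause.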
[root ~]#
curl http://localhost/cgi-enabled/index.cgi

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
.....
.....

# "httpd_sys_content_t" is assigned

[root ~]#
ls -Z /var/www/html/cgi-enabled

-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.cgi
 
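In this case, the File Type needs to be changed to one for which SELinux allows CGI execution. Assign that Type only to scripts that are meant to be executed, not to content that the web server or other users can write.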
[3] Change File Type like follows.
But be careful: a change made with the chcon command is not permanent; it is reverted when the restorecon command is run or the filesystem is relabeled.
[root@dlp ~]#
chcon -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.cgi

[root@dlp ~]#
ls -Z /var/www/html/cgi-enabled

-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.cgi

[root@dlp ~]#
curl http://localhost/cgi-enabled/index.cgi

CGI Test Page    
# just accessed

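[4] If you'd like to change the Type permanently, add a rule with semanage fcontext as follows. The rule is written to file_contexts.local, and it is applied to the file itself when restorecon is run.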
[root@dlp ~]#
semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.cgi

[root@dlp ~]#
grep "cgi-enabled" /etc/selinux/targeted/contexts/files/file_contexts.local

/var/www/html/cgi-enabled/index.cgi    system_u:object_r:httpd_sys_script_exec_t:s0
# written as default Context

[root@dlp ~]#
ls -Z /var/www/html/cgi-enabled

-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.cgi

# reset with restorecon

[root@dlp ~]#
restorecon /var/www/html/cgi-enabled/index.cgi

[root@dlp ~]#
ls -Z /var/www/html/cgi-enabled

-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.cgi
# restored

[root@dlp ~]#
curl http://localhost/cgi-enabled/index.cgi

CGI Test Page    
# accessed
