CentOS 7
Sponsored Link

SELinux : Change File Types2016/03/27

 
It's possible to modify access control settings to change File Type without changing boolean value.
The example below is on "targeted" Policy environment.
[1] Settings of default SELinux Contexts are placed under the [policy directory]/contexts/files like follows.
[root@dlp ~]#
ll /etc/selinux/targeted/contexts/files

total 2104
-rw-r--r--. 1 root root  368879 Mar 28 15:46 file_contexts
-rw-------. 1 root root 1336352 Mar 28 15:46 file_contexts.bin
-rw-r--r--. 1 root root   13169 Mar 28 15:46 file_contexts.homedirs
-rw-------. 1 root root   43960 Mar 28 15:46 file_contexts.homedirs.bin
-rw-r--r--. 1 root root       0 Feb 17 02:24 file_contexts.local
-rw-------. 1 root root      16 Mar 28 15:46 file_contexts.local.bin
-rw-r--r--. 1 root root  365908 Oct 21 11:19 file_contexts.pre
-rw-r--r--. 1 root root       0 Feb 17 02:24 file_contexts.subs
-rw-r--r--. 1 root root     422 Feb 17 02:24 file_contexts.subs_dist
-rw-r--r--. 1 root root     139 Feb 17 02:24 media

[root@dlp ~]#
head /etc/selinux/targeted/contexts/files/file_contexts

/.*     system_u:object_r:default_t:s0
/[^/]+  --      system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)  --      system_u:object_r:quota_db_t:s0
/nsr(/.*)?      system_u:object_r:var_t:s0
/sys(/.*)?      system_u:object_r:sysfs_t:s0
/xen(/.*)?      system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)?   -l      system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?   -d      system_u:object_r:mnt_t:s0
/bin/.* system_u:object_r:bin_t:s0
/dev/.* system_u:object_r:device_t:s0
[2]
For example, Modify File Type for the case to use CGI on httpd.
The boolean value for using CGI on httpd is set "on" by default so it's possible to run CGI under the default directory "/var/www/cgi-bin/" on httpd settings with default SELinux settings.
[root@dlp ~]#
semanage boolean -l | grep httpd_enable_cgi

httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi

[root@dlp ~]#
grep "cgi" /etc/selinux/targeted/contexts/files/file_contexts | grep "httpd"

/usr/.*\.cgi    --      system_u:object_r:httpd_sys_script_exec_t:s0
/opt/.*\.cgi    --      system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/[^/]*/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?     --      system_u:object_r:httpd_suexec_exec_t:s0
/var/log/cgiwrap\.log.* --      system_u:object_r:httpd_log_t:s0

# create a test script and access to it, then it's OK to access

[root@dlp ~]#
curl http://localhost/cgi-bin/index.py

CGI Test Page
  However, if you'd like to use CGI on another directory like this example in [3], accesses are denied like follows even if httpd settings are correct.
[root ~]#
curl http://localhost/cgi-enabled/index.py

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
.....
.....

# "httpd_sys_content_t" is assinged

[root ~]#
ls -Z /var/www/html/cgi-enabled

-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.py
 
On this case, it needs to change File Type to the one which SELinux allows CGI.
[3] Change File Type like follows.
But be careful, this changing with the chcon command will be back when using restorecon command or re-label to filesystem.
[root@dlp ~]#
chcon -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py

[root@dlp ~]#
ls -Z /var/www/html/cgi-enabled

-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.py

[root@dlp ~]#
curl http://localhost/cgi-enabled/index.py

CGI Test Page    
# just accessed

[4] If you'd like to change Types permanently, set like follows.
[root@dlp ~]#
semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py

[root@dlp ~]#
grep "cgi-enabled" /etc/selinux/targeted/contexts/files/file_contexts.local

/var/www/html/cgi-enabled/index.py    system_u:object_r:httpd_sys_script_exec_t:s0
# written as default Context

[root@dlp ~]#
ls -Z /var/www/html/cgi-enabled

-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.py

# reset with restotecon

[root@dlp ~]#
restorecon /var/www/html/cgi-enabled/index.py

[root@dlp ~]#
ls -Z /var/www/html/cgi-enabled

-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.py
# restored

[root@dlp ~]#
curl http://localhost/cgi-enabled/index.py

CGI Test Page    
# accessed

Matched Content