Rocky_Linux_8

SELinux : Change File Types
2021/07/22
 
It's possible to modify access control settings by changing the File Type, without changing a boolean value.
This example is based on a [targeted] Policy environment.
[1] The default SELinux context settings are placed under [(policy directory)/contexts/files], as follows.
[root@dlp ~]#
ll /etc/selinux/targeted/contexts/files

total 1000
-rw-r--r--. 1 root root 404663 Jul 16 09:11 file_contexts
-rw-r--r--. 1 root root 570305 Jul 16 09:11 file_contexts.bin
-rw-r--r--. 1 root root  13770 Jul 16 09:11 file_contexts.homedirs
-rw-r--r--. 1 root root  18938 Jul 16 09:11 file_contexts.homedirs.bin
-rw-r--r--. 1 root root      0 May 19 12:00 file_contexts.local
-rw-r--r--. 1 root root      0 May 19 12:00 file_contexts.subs
-rw-r--r--. 1 root root    565 May 19 12:00 file_contexts.subs_dist
-rw-r--r--. 1 root root    139 May 19 11:59 media

[root@dlp ~]#
head /etc/selinux/targeted/contexts/files/file_contexts

/.*     system_u:object_r:default_t:s0
/[^/]+  --      system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)  --      system_u:object_r:quota_db_t:s0
/nsr(/.*)?      system_u:object_r:var_t:s0
/sys(/.*)?      system_u:object_r:sysfs_t:s0
/xen(/.*)?      system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)?   -d      system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?   -l      system_u:object_r:mnt_t:s0
/bin/.* system_u:object_r:bin_t:s0
/dev/.* system_u:object_r:device_t:s0
[2]
For example, modify the File Type in order to use CGI on httpd.
The boolean value for using CGI on httpd is set to [on] by default, so it's possible to run CGI under the default directory [/var/www/cgi-bin/] with the default httpd and SELinux settings.
[root@dlp ~]#
semanage boolean -l | grep httpd_enable_cgi

httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi

[root@dlp ~]#
grep "cgi" /etc/selinux/targeted/contexts/files/file_contexts | grep "httpd"

/opt/.*\.cgi    --      system_u:object_r:httpd_sys_script_exec_t:s0
/usr/.*\.cgi    --      system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/[^/]*/cgi-bin(/.*)?    system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?       system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/var/run/fcgiwrap(/.*)? system_u:object_r:httpd_var_run_t:s0
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?     --      system_u:object_r:httpd_suexec_exec_t:s0
/var/log/cgiwrap\.log.* --      system_u:object_r:httpd_log_t:s0

# create a test script and access it; the access succeeds

[root@dlp ~]#
echo '#!/usr/libexec/platform-python' > /var/www/cgi-bin/index.py

[root@dlp ~]#
echo 'print("Content-type: text/html\n")' >> /var/www/cgi-bin/index.py

[root@dlp ~]#
echo 'print("CGI Script Test Page")' >> /var/www/cgi-bin/index.py

[root@dlp ~]#
chmod 755 /var/www/cgi-bin/index.py

[root@dlp ~]#
curl localhost/cgi-bin/index.py

CGI Script Test Page
However, if you'd like to use CGI in another directory, access is denied as follows, even if the httpd settings are correct.
[root@dlp ~]#
mkdir /var/www/html/cgi-enabled

[root@dlp ~]#
cp -p /var/www/cgi-bin/index.py /var/www/html/cgi-enabled/

[root@dlp ~]#
curl localhost/cgi-enabled/index.py

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
.....
.....

# [httpd_sys_content_t] is assigned

[root@dlp ~]#
ls -lZ /var/www/html/cgi-enabled

total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 96 Jul 22 11:10 index.py
 
In that case, you need to change the File Type to one for which SELinux allows CGI.
[3] Change the File Type as follows.
But be careful: a change made with the [chcon] command is reverted when the [restorecon] command is run or the filesystem is relabeled.
[root@dlp ~]#
chcon -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py

[root@dlp ~]#
ls -lZ /var/www/html/cgi-enabled

total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 96 Jul 22 11:10 index.py

[root@dlp ~]#
curl localhost/cgi-enabled/index.py

CGI Script Test Page
# accessed

[4] If you'd like to change the Type permanently, set it as follows.
[root@dlp ~]#
semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py

[root@dlp ~]#
grep "cgi-enabled" /etc/selinux/targeted/contexts/files/file_contexts.local

/var/www/html/cgi-enabled/index.py    system_u:object_r:httpd_sys_script_exec_t:s0
# written as the default context

[root@dlp ~]#
ls -lZ /var/www/html/cgi-enabled

total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 96 Jul 22 11:10 index.py

# reset with [restorecon]

[root@dlp ~]#
restorecon /var/www/html/cgi-enabled/index.py

[root@dlp ~]#
ls -lZ /var/www/html/cgi-enabled

total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 96 Jul 22 11:10 index.py
# restored

[root@dlp ~]#
curl localhost/cgi-enabled/index.py

CGI Script Test Page
# accessed
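
Added example, not part of the original page: the [chcon] caveat in [3] and the [semanage] then [restorecon] sequence in [4] both come down to whether a file's on-disk Type matches the policy default, and this script checks that. The function names and the sample lines are constructed for illustration, and the default context assumed for the file before [semanage] is the [httpd_sys_content_t] seen in the page's ls -lZ output.

```shell
#!/bin/sh
# Added example (not from the original page): flag files whose on-disk SELinux
# type differs from the policy default (the chcon-only state the page warns about).

# The type is the third colon-separated field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_label PATH ONDISK_CTX DEFAULT_CTX -> 0 if types agree, 1 on drift.
# Only types are compared: restorecon without -F leaves the user field alone,
# so unconfined_u vs system_u (as in the ls -lZ output above) is not drift.
check_label() {
    t_disk=$(ctx_type "$2")
    t_policy=$(ctx_type "$3")
    if [ "$t_disk" = "$t_policy" ]; then
        echo "OK    $1 type=$t_disk"
        return 0
    fi
    echo "DRIFT $1 on-disk=$t_disk policy-default=$t_policy"
    return 1
}

# Reads "PATH ONDISK_CTX DEFAULT_CTX" lines on stdin, prints a verdict per
# line plus a final "drift=N" summary; returns non-zero if any path drifts.
audit_labels() {
    drift=0
    while read -r p c_disk c_policy; do
        [ -n "$p" ] || continue
        check_label "$p" "$c_disk" "$c_policy" || drift=$((drift + 1))
    done
    echo "drift=$drift"
    [ "$drift" -eq 0 ]
}

# On a live SELinux host, take both contexts from stat(1) and matchpathcon(8).
audit_path() {
    check_label "$1" "$(stat -c %C "$1")" "$(matchpathcon -n "$1")"
}

# Constructed sample for the page's file: after chcon only (step [3]), after
# semanage but before restorecon (step [4]), and after restorecon.
# Assumption: the default before semanage is httpd_sys_content_t.
F=/var/www/html/cgi-enabled/index.py
SAMPLE="$F unconfined_u:object_r:httpd_sys_script_exec_t:s0 system_u:object_r:httpd_sys_content_t:s0
$F unconfined_u:object_r:httpd_sys_content_t:s0 system_u:object_r:httpd_sys_script_exec_t:s0
$F unconfined_u:object_r:httpd_sys_script_exec_t:s0 system_u:object_r:httpd_sys_script_exec_t:s0"

printf '%s\n' "$SAMPLE" | audit_labels || true
```

The first two sample lines report DRIFT and only the last reports OK, which is the state a label must reach to survive a relabel.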
