SELinux : Change File Types2021/07/22 |
It's possbile to modify access control settings to change File Type without changing boolean value.
This example is based on [targeted] Policy environment.
|
|
[1] | Settings of default SELinux Contexts are placed under the [(policy directory)/contexts/files] like follows. |
[root@dlp ~]# ll /etc/selinux/targeted/contexts/files total 1000 -rw-r--r--. 1 root root 404663 Jul 16 09:11 file_contexts -rw-r--r--. 1 root root 570305 Jul 16 09:11 file_contexts.bin -rw-r--r--. 1 root root 13770 Jul 16 09:11 file_contexts.homedirs -rw-r--r--. 1 root root 18938 Jul 16 09:11 file_contexts.homedirs.bin -rw-r--r--. 1 root root 0 May 19 12:00 file_contexts.local -rw-r--r--. 1 root root 0 May 19 12:00 file_contexts.subs -rw-r--r--. 1 root root 565 May 19 12:00 file_contexts.subs_dist -rw-r--r--. 1 root root 139 May 19 11:59 media[root@dlp ~]# head /etc/selinux/targeted/contexts/files/file_contexts /.* system_u:object_r:default_t:s0 /[^/]+ -- system_u:object_r:etc_runtime_t:s0 /a?quota\.(user|group) -- system_u:object_r:quota_db_t:s0 /nsr(/.*)? system_u:object_r:var_t:s0 /sys(/.*)? system_u:object_r:sysfs_t:s0 /xen(/.*)? system_u:object_r:xen_image_t:s0 /mnt(/[^/]*)? -d system_u:object_r:mnt_t:s0 /mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0 /bin/.* system_u:object_r:bin_t:s0 /dev/.* system_u:object_r:device_t:s0 |
[2] |
For example, Modify File Type for the case to use CGI on httpd.
The boolean value for using CGI on httpd is set [on] by default,
so it's possible to run CGI under the default directory [/var/www/cgi-bin/] on httpd settings with default SELinux settings.
|
[root@dlp ~]# semanage boolean -l | grep httpd_enable_cgi httpd_enable_cgi (on , on) Allow httpd to enable cgi[root@dlp ~]# grep "cgi" /etc/selinux/targeted/contexts/files/file_contexts | grep "httpd" /opt/.*\.cgi -- system_u:object_r:httpd_sys_script_exec_t:s0 /usr/.*\.cgi -- system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/html/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 /usr/lib/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0 /var/run/fcgiwrap(/.*)? system_u:object_r:httpd_var_run_t:s0 /usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t:s0 /var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t:s0 # create a test script and access to it, then it's OK to access [root@dlp ~]# echo '#!/usr/libexec/platform-python' > /var/www/cgi-bin/index.py [root@dlp ~]# echo 'print("Content-type: text/html\n")' >> /var/www/cgi-bin/index.py [root@dlp ~]# echo 'print("CGI Script Test Page")' >> /var/www/cgi-bin/index.py [root@dlp ~]# chmod 755 /var/www/cgi-bin/index.py [root@dlp ~]# curl localhost/cgi-bin/index.py CGI Test Page |
However, if you'd like to use CGI on another directory, accesses are denied like follows even if httpd settings are correct. |
[root@dlp ~]# mkdir /var/www/html/cgi-enabled [root@dlp ~]# cp -p /var/www/cgi-bin/index.py /var/www/html/cgi-enabled/ [root@dlp ~]# curl localhost/cgi-enabled/index.py <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> <h1>Internal Server Error</h1> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p> ..... ..... # [httpd_sys_content_t] is assinged [root@dlp ~]# ls -lZ /var/www/html/cgi-enabled total 4 -rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 96 Jul 22 11:10 index.py |
On that case, it needs to change File Type to the one which SELinux allows CGI.
|
[3] | Change File Type like follows. But be careful, this change with [chcon] command will be back when using [restorecon] command or re-label to filesystem. |
[root@dlp ~]# chcon -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py [root@dlp ~]# ls -lZ /var/www/html/cgi-enabled total 4 -rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 96 Jul 22 11:10 index.py[root@dlp ~]# curl localhost/cgi-enabled/index.py CGI Test Page # accessed |
[4] | If you'd like to change Types permanently, set like follows. |
[root@dlp ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py [root@dlp ~]# grep "cgi-enabled" /etc/selinux/targeted/contexts/files/file_contexts.local
/var/www/html/cgi-enabled/index.py system_u:object_r:httpd_sys_script_exec_t:s0
# written as default Context
[root@dlp ~]# ls -lZ /var/www/html/cgi-enabled total 4 -rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 96 Jul 22 11:10 index.py # reset with [restotecon] [root@dlp ~]# restorecon /var/www/html/cgi-enabled/index.py [root@dlp ~]# ls -lZ /var/www/html/cgi-enabled
total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 96 Jul 22 11:10 index.py
# restored
[root@dlp ~]# curl localhost/cgi-enabled/index.py CGI Test Page # accessed |
Sponsored Link |
|