2.2. Types
The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following example creates a new file in the /var/www/html/ directory, and shows the file inheriting the httpd_sys_content_t type from its parent directory (/var/www/html/):
- Run the ls -dZ /var/www/html command to view the SELinux context of /var/www/html/:
  ~]$ ls -dZ /var/www/html
  drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
  This shows /var/www/html/ is labeled with the httpd_sys_content_t type.
- Run the touch /var/www/html/file1 command as the root user to create a new file.
- Run the ls -Z /var/www/html/file1 command to view the SELinux context:
  ~]$ ls -Z /var/www/html/file1
  -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
The ls -Z command shows file1 labeled with the httpd_sys_content_t type. SELinux allows httpd to read files labeled with this type, but not write to them, even if Linux permissions allow write access. SELinux policy defines what types a process running in the httpd_t domain (where httpd runs) can read and write to. This helps prevent processes from accessing files intended for use by another process.
For example, httpd can access files labeled with the httpd_sys_content_t type (intended for the Apache HTTP Server), but by default, cannot access files labeled with the samba_share_t type (intended for Samba). Also, files in user home directories are labeled with the user_home_t type: by default, this prevents httpd from reading or writing to files in user home directories.
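The check below is an added example, not part of the original guide: it reads ls -Z lines in the layout shown above and reports every entry whose type is not the expected one. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files whose SELinux type differs from the expected one.
# Input format (RHEL 6 `ls -Z` layout, as in the listings above):
#   perms user group user:role:type:level path

# Print the type of a context. The type is the third colon-separated field;
# the level that follows may itself contain colons (e.g. s0:c0.c1023).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` lines on stdin and print "type path" for every entry
# whose type is not $1.
mislabeled() {
    expected=$1
    while read -r _perms _user _group ctx path; do
        [ -n "$path" ] || continue          # skip blank or short lines
        t=$(ctx_type "$ctx")
        [ "$t" = "$expected" ] || printf '%s %s\n' "$t" "$path"
    done
}

# Constructed sample listing: the last two entries carry types that,
# per the text above, httpd cannot access by default.
sample_listing() {
    cat <<'EOF'
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/moved.html
-rw-r--r-- root root system_u:object_r:samba_share_t:s0 /var/www/html/share.html
EOF
}

sample_listing | mislabeled httpd_sys_content_t
```

On a live system, feed it real output instead, for example: ls -Z /var/www/html | mislabeled httpd_sys_content_t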
The following lists some of the types used with httpd. Different types allow you to configure flexible access:
httpd_sys_content_t
- Use this type for static web content, such as .html files used by a static website. Files labeled with this type are accessible (read only) to httpd and scripts executed by httpd. By default, files and directories labeled with this type cannot be written to or modified by httpd or other processes. Note that by default, files created in or copied into /var/www/html/ are labeled with the httpd_sys_content_t type.

httpd_sys_script_exec_t
- Use this type for scripts you want httpd to execute. This type is commonly used for Common Gateway Interface (CGI) scripts in /var/www/cgi-bin/. By default, SELinux policy prevents httpd from executing CGI scripts. To allow this, label the scripts with the httpd_sys_script_exec_t type and enable the httpd_enable_cgi Boolean. Scripts labeled with httpd_sys_script_exec_t run in the httpd_sys_script_t domain when executed by httpd. The httpd_sys_script_t domain has access to other system domains, such as postgresql_t and mysqld_t.

httpd_sys_rw_content_t
- Files labeled with this type can be written to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_rw_content_t type to label files that will be read from and written to by scripts labeled with the httpd_sys_script_exec_t type.

httpd_sys_ra_content_t
- Files labeled with this type can be appended to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_ra_content_t type to label files that will be read from and appended to by scripts labeled with the httpd_sys_script_exec_t type.

httpd_unconfined_script_exec_t
- Scripts labeled with this type run without SELinux protection. Only use this type for complex scripts, after exhausting all other options. It is better to use this type instead of disabling SELinux protection for httpd, or for the entire system.
Note
To see more of the available types for httpd, run the following command:
~]$ grep httpd /etc/selinux/targeted/contexts/files/file_contexts
Procedure 2.1. Changing the SELinux Context
The type for files and directories can be changed with the chcon command. Changes made with chcon do not survive a file system relabel or the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. The following example demonstrates creating a new directory and an index.html file for use by httpd, and labeling that file and directory to allow httpd access to them:
- Run the mkdir -p /my/website command as the root user to create a top-level directory structure to store files to be used by httpd.
- Files and directories that do not match a pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services:
  ~]$ ls -dZ /my
  drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /my
- Run the chcon -R -t httpd_sys_content_t /my/ command as the root user to change the type of the /my/ directory and subdirectories, to a type accessible to httpd. Now, files created under /my/website/ inherit the httpd_sys_content_t type, rather than the default_t type, and are therefore accessible to httpd:
  ~]# chcon -R -t httpd_sys_content_t /my/
  ~]# touch /my/website/index.html
  ~]# ls -Z /my/website/index.html
  -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /my/website/index.html
Refer to the Temporary Changes: chcon section of the Red Hat Enterprise Linux 6 SELinux User Guide for further information about chcon.
Use the semanage fcontext command (semanage is provided by the policycoreutils-python package) to make label changes that survive a relabel and the restorecon command. This command adds changes to file-context configuration. Then, run restorecon, which reads file-context configuration, to apply the label change. The following example demonstrates creating a new directory and an index.html file for use by httpd, and persistently changing the label of that directory and file to allow httpd access to them:
- Run the mkdir -p /my/website command as the root user to create a top-level directory structure to store files to be used by httpd.
- Run the following command as the root user to add the label change to file-context configuration:
  ~]# semanage fcontext -a -t httpd_sys_content_t "/my(/.*)?"
  The "/my(/.*)?" expression means the label change applies to the /my/ directory and all files and directories under it.
- Run the touch /my/website/index.html command as the root user to create a new file.
- Run the restorecon -R -v /my/ command as the root user to apply the label changes (restorecon reads file-context configuration, which was modified by the semanage command in step 2):
  ~]# restorecon -R -v /my/
  restorecon reset /my context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
  restorecon reset /my/website context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
  restorecon reset /my/website/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
Refer to the Persistent Changes: semanage fcontext section of the Red Hat Enterprise Linux SELinux User Guide for further information on semanage.
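The script below is an added example, not part of the original guide: it shows which paths the "/my(/.*)?" expression from step 2 covers, next to two similar patterns that label too much or too little. It assumes grep -E behaves like the SELinux regex engine for patterns this simple; the function names and test paths are constructed.

```shell
#!/bin/sh
# Added example: which paths does a file-context pattern cover?
# Assumption: grep -E stands in for the regex engine SELinux uses; the two
# agree for simple patterns like these. A file-context pattern has to match
# the whole path, which grep -x reproduces.

# Succeeds if file-context pattern $1 matches the whole of path $2.
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Print one "match" / "no-match" line per path for pattern $1.
coverage() {
    pattern=$1; shift
    for p in "$@"; do
        if fcontext_matches "$pattern" "$p"; then
            printf 'match     %s\n' "$p"
        else
            printf 'no-match  %s\n' "$p"
        fi
    done
}

# Constructed paths: the tree from the procedure plus two sibling trees
# that should keep their own labels.
set -- /my /my/website /my/website/index.html /myapp /mydata/index.html

echo 'pattern: /my(/.*)?   (the one used in step 2)'
coverage '/my(/.*)?' "$@"
echo 'pattern: /my.*       (too broad: also covers /myapp and /mydata)'
coverage '/my.*' "$@"
echo 'pattern: /my/.*      (too narrow: misses /my itself)'
coverage '/my/.*' "$@"
```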