Chapter 4. Targeted Policy
Targeted policy is the default SELinux policy used in Red Hat Enterprise Linux. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged-in users run in the
unconfined_t domain, and system processes started by init run in the initrc_t domain; both of these domains are unconfined.
Executable and writable memory checks may apply to both confined and unconfined domains. However, by default, subjects running in an unconfined domain cannot allocate writable memory and execute it. This reduces vulnerability to buffer overflow attacks. These memory checks are disabled by setting Booleans, which allow the SELinux policy to be modified at runtime. Boolean configuration is discussed later.
4.1. Confined Processes
Almost every service that listens on a network, such as
sshd or httpd, is confined in Red Hat Enterprise Linux. Also, most processes that run as the Linux root user and perform tasks for users, such as the passwd application, are confined. When a process is confined, it runs in its own domain, such as the httpd process running in the httpd_t domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited.
Complete this procedure to ensure that SELinux is enabled and the system is prepared to perform the following example:
Procedure 4.1. How to Verify SELinux Status
- Run the
sestatuscommand to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used. The correct output should look similar to the output bellow.~]$
sestatusSELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targetedRefer to the section Section 5.4, “Permanent Changes in SELinux States and Modes” for detailed information about enabling and disabling SELinux. - As the Linux root user, run the
touch /var/www/html/testfilecommand to create a file. - Run the
ls -Z /var/www/html/testfilecommand to view the SELinux context:-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
By default, Linux users run unconfined in Red Hat Enterprise Linux, which is why thetestfilefile is labeled with the SELinuxunconfined_uuser. RBAC is used for processes, not files. Roles do not have a meaning for files; theobject_rrole is a generic role used for files (on persistent storage and network file systems). Under the/proc/directory, files related to processes may use thesystem_rrole. Thehttpd_sys_content_ttype allows thehttpdprocess to access this file.
The following example demonstrates how SELinux prevents the Apache HTTP Server (
httpd) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example, and should not be used in production. It assumes that the httpd and wget packages are installed, the SELinux targeted policy is used, and that SELinux is running in enforcing mode.
Procedure 4.2. An Example of Confined Process
- As the Linux root user, run the
service httpd startcommand to start thehttpdprocess. The output is as follows ifhttpdstarts successfully:~]#
service httpd startStarting httpd: [ OK ] - Change into a directory where your Linux user has write access to, and run the
wget http://localhost/testfilecommand. Unless there are changes to the default configuration, this command succeeds:~]$
wget http://localhost/testfile--2009-11-06 17:43:01-- http://localhost/testfile Resolving localhost... 127.0.0.1 Connecting to localhost|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 0 [text/plain] Saving to: `testfile' [ <=> ] 0 --.-K/s in 0s 2009-11-06 17:43:01 (0.00 B/s) - `testfile' saved [0/0] - The
chconcommand relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use thesemanagecommand, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba:~]#
chcon -t samba_share_t /var/www/html/testfileRun thels -Z /var/www/html/testfilecommand to view the changes:-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
- Note: the current DAC permissions allow the
httpdprocess access totestfile. Change into a directory where your Linux user has write access to, and run thewget http://localhost/testfilecommand. Unless there are changes to the default configuration, this command fails:~]$
wget http://localhost/testfile--2009-11-06 14:11:23-- http://localhost/testfile Resolving localhost... 127.0.0.1 Connecting to localhost|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 403 Forbidden 2009-11-06 14:11:23 ERROR 403: Forbidden. - As the Linux root user, run the
rm -i /var/www/html/testfilecommand to removetestfile. - If you do not require
httpdto be running, as the Linux root user, run theservice httpd stopcommand to stophttpd:~]#
service httpd stopStopping httpd: [ OK ]
This example demonstrates the additional security added by SELinux. Although DAC rules allowed the
httpd process access to testfile in step 2, because the file was labeled with a type that the httpd process does not have access to, SELinux denied access.
If the
auditd daemon is running, an error similar to the following is logged to /var/log/audit/audit.log:
type=AVC msg=audit(1220706212.937:70): avc: denied { getattr } for pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Also, an error similar to the following is logged to
/var/log/httpd/error_log:
[Wed May 06 23:00:54 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied
