4.2. Unconfined Processes
Unconfined processes run in unconfined domains: for example, init programs run in the unconfined initrc_t domain, unconfined kernel processes run in the kernel_t domain, and unconfined Linux users run in the unconfined_t domain. SELinux policy rules are still applied to unconfined processes, but the policy contains rules that grant processes in unconfined domains almost all access, so in practice those processes fall back to DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent the attacker from gaining access to system resources and data; only the DAC rules still apply. SELinux is a security enhancement on top of DAC rules, not a replacement for them.
To ensure that SELinux is enabled and the system is prepared to perform the following example, complete the Procedure 4.1, “How to Verify SELinux Status” described in Section 4.1, “Confined Processes”.
The following example demonstrates how the Apache HTTP Server (httpd) can access data intended for use by Samba when it runs unconfined. Note that in Red Hat Enterprise Linux, the httpd process runs in the confined httpd_t domain by default. This is an example only and should not be used in production. It assumes that the httpd, wget, dbus and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.
Procedure 4.3. An Example of Unconfined Process

1. The chcon command relabels files; however, such label changes do not survive a file system relabel. For permanent changes that survive a relabel, use the semanage command, which is discussed later. As the Linux root user, run the following command to change the type of /var/www/html/testfile to a type used by Samba:

       ~]# chcon -t samba_share_t /var/www/html/testfile

   Run the ls -Z /var/www/html/testfile command to view the change:

       ~]$ ls -Z /var/www/html/testfile
       -rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile

2. Run the service httpd status command to confirm that the httpd process is not running:

       ~]$ service httpd status
       httpd is stopped

   If the output differs, run the service httpd stop command as the Linux root user to stop the httpd process:

       ~]# service httpd stop
       Stopping httpd:                                            [  OK  ]

3. To make the httpd process run unconfined, run the following command as the Linux root user to change the type of /usr/sbin/httpd to a type that does not transition to a confined domain:

       ~]# chcon -t unconfined_exec_t /usr/sbin/httpd

4. Run the ls -Z /usr/sbin/httpd command to confirm that /usr/sbin/httpd is labeled with the unconfined_exec_t type:

       ~]$ ls -Z /usr/sbin/httpd
       -rwxr-xr-x  root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd

5. As the Linux root user, run the service httpd start command to start the httpd process. The output is as follows if httpd starts successfully:

       ~]# service httpd start
       Starting httpd:                                            [  OK  ]

6. Run the ps -eZ | grep httpd command to view httpd running in the unconfined_t domain:

       ~]$ ps -eZ | grep httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7721 ?        00:00:00 httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7723 ?        00:00:00 httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7724 ?        00:00:00 httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7725 ?        00:00:00 httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7726 ?        00:00:00 httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7727 ?        00:00:00 httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7728 ?        00:00:00 httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7729 ?        00:00:00 httpd
       unconfined_u:unconfined_r:unconfined_t:s0 7730 ?        00:00:00 httpd

7. Change into a directory where your Linux user has write access, and run the wget http://localhost/testfile command. Unless the default configuration has been changed, this command succeeds:

       ~]$ wget http://localhost/testfile
       --2009-05-07 01:41:10--  http://localhost/testfile
       Resolving localhost... 127.0.0.1
       Connecting to localhost|127.0.0.1|:80... connected.
       HTTP request sent, awaiting response... 200 OK
       Length: 0 [text/plain]
       Saving to: `testfile.1'

       [ <=>                                                  ]           --.-K/s   in 0s

       2009-05-07 01:41:10 (0.00 B/s) - `testfile.1' saved [0/0]

   Although SELinux policy does not allow the httpd_t domain access to files labeled with the samba_share_t type, httpd is running in the unconfined unconfined_t domain and falls back to DAC rules, so the wget command succeeds. Had httpd been running in the confined httpd_t domain, the wget command would have failed.

8. The restorecon command restores the default SELinux context for files. As the Linux root user, run the restorecon -v /usr/sbin/httpd command to restore the default SELinux context for /usr/sbin/httpd:

       ~]# restorecon -v /usr/sbin/httpd
       restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_exec_t:s0->system_u:object_r:httpd_exec_t:s0

   Run the ls -Z /usr/sbin/httpd command to confirm that /usr/sbin/httpd is labeled with the httpd_exec_t type:

       ~]$ ls -Z /usr/sbin/httpd
       -rwxr-xr-x  root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd

9. As the Linux root user, run the service httpd restart command to restart httpd. After restarting, run the ps -eZ | grep httpd command to confirm that httpd is running in the confined httpd_t domain:

       ~]# service httpd restart
       Stopping httpd:                                            [  OK  ]
       Starting httpd:                                            [  OK  ]
       ~]# ps -eZ | grep httpd
       unconfined_u:system_r:httpd_t:s0 8883 ?        00:00:00 httpd
       unconfined_u:system_r:httpd_t:s0 8884 ?        00:00:00 httpd
       unconfined_u:system_r:httpd_t:s0 8885 ?        00:00:00 httpd
       unconfined_u:system_r:httpd_t:s0 8886 ?        00:00:00 httpd
       unconfined_u:system_r:httpd_t:s0 8887 ?        00:00:00 httpd
       unconfined_u:system_r:httpd_t:s0 8888 ?        00:00:00 httpd
       unconfined_u:system_r:httpd_t:s0 8889 ?        00:00:00 httpd

10. As the Linux root user, run the rm -i /var/www/html/testfile command to remove testfile:

       ~]# rm -i /var/www/html/testfile
       rm: remove regular empty file `/var/www/html/testfile'? y

11. If you do not require httpd to be running, as the Linux root user, run the service httpd stop command to stop httpd:

       ~]# service httpd stop
       Stopping httpd:                                            [  OK  ]
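The check a practitioner would want after an exercise like this one is a quick way to confirm that no daemon is still running in unconfined_t and that no daemon binary is still labeled unconfined_exec_t (step 3 is easy to forget to undo). The script below is an added example, not part of the Red Hat guide: it parses the ps -eZ and ls -Z line layouts shown in the steps above (the five-column ls -Z layout of the guide's release) and runs against constructed sample lines embedded in the script, so it works offline without SELinux. On a real system, feed it "$(ps -eZ)" and "$(ls -Z /usr/sbin/httpd)" instead.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): verify that httpd runs in its
# confined domain and that its binary carries the expected executable type.
# The samples below are constructed from the output shown in Procedure 4.3;
# replace them with "$(ps -eZ)" and "$(ls -Z /usr/sbin/httpd)" on a live host.

# Type field of an SELinux context (user:role:type:level) -> type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_domain PS_OUTPUT COMMAND DOMAIN
# Exit 0 if every COMMAND process in PS_OUTPUT runs in DOMAIN, 1 if any runs
# elsewhere (e.g. unconfined_t after the chcon in step 3), 2 if none is found.
check_domain() {
    ps_out=$1 name=$2 want=$3
    found=0 bad=0
    while read -r ctx pid tty cputime cmd; do
        [ "$cmd" = "$name" ] || continue      # also skips the LABEL/PID header
        found=1
        t=$(ctx_type "$ctx")
        if [ "$t" != "$want" ]; then
            echo "pid $pid ($cmd) runs in $t, expected $want" >&2
            bad=1
        fi
    done <<EOF
$ps_out
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# files_with_type LS_OUTPUT TYPE
# Print paths from ls -Z output (perms user group context path) whose type is
# TYPE; use it to spot binaries left labeled unconfined_exec_t before restorecon.
files_with_type() {
    ls_out=$1 want=$2
    while read -r perms user group ctx path; do
        if [ "$(ctx_type "$ctx")" = "$want" ]; then
            printf '%s\n' "$path"
        fi
    done <<EOF
$ls_out
EOF
}

# Constructed samples: the state after step 6, after step 9, and after step 4.
PS_UNCONFINED='LABEL PID TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0 7721 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7723 ? 00:00:00 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1200 ? 00:00:00 sshd'

PS_CONFINED='LABEL PID TTY TIME CMD
unconfined_u:system_r:httpd_t:s0 8883 ? 00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 8884 ? 00:00:00 httpd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1200 ? 00:00:00 sshd'

LS_SBIN='-rwxr-xr-x root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd'

main() {
    if check_domain "$PS_UNCONFINED" httpd httpd_t; then
        echo "after step 6: httpd confined"
    else
        echo "after step 6: httpd NOT confined (expected during the exercise)"
    fi
    check_domain "$PS_CONFINED" httpd httpd_t && echo "after step 9: httpd confined"
    echo "binaries still labeled unconfined_exec_t:"
    files_with_type "$LS_SBIN" unconfined_exec_t
}

main
```

The type is the third colon-separated field of a context, so the check works unchanged for MLS contexts such as s0-s0:c0.c1023, whose level contains further colons. A non-zero exit from check_domain is the signal to look for a mislabeled executable (files_with_type) and run restorecon on it, as step 8 does.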
The examples in these sections demonstrate how data can be protected from a compromised confined process (protected by SELinux), and how data is more accessible to an attacker from a compromised unconfined process (not protected by SELinux).