Chapter 4. Configuring SELinux for applications and services with non-standard configurations


When SELinux is in enforcing mode, the default policy is the targeted policy. The following sections provide information about setting up and configuring the SELinux policy for various services after you change configuration defaults, such as ports, database locations, or file-system permissions for processes.

You learn to change SELinux types for non-standard ports, to identify and fix incorrect labels for changes of default directories, and to adjust the policy using SELinux booleans.

4.1. Customizing the SELinux policy for the Apache HTTP server in a non-standard configuration

You can configure the Apache HTTP server to listen on a different port and to provide content in a non-default directory. To prevent consequent SELinux denials, follow the steps in this procedure to adjust your system’s SELinux policy.

Prerequisites

  • The httpd package is installed and the Apache HTTP server is configured to listen on TCP port 3131 and to use the /var/test_www/ directory instead of the default /var/www/ directory.
  • The policycoreutils-python-utils and setroubleshoot-server packages are installed on your system.

Procedure

  1. Start the httpd service and check the status:

    # systemctl start httpd
    # systemctl status httpd
    ...
    httpd[14523]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:3131
    ...
    systemd[1]: Failed to start The Apache HTTP Server.
    ...
  2. The SELinux policy assumes that httpd runs on port 80:

    # semanage port -l | grep http
    http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
    http_cache_port_t              udp      3130
    http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
    pegasus_http_port_t            tcp      5988
    pegasus_https_port_t           tcp      5989
  3. Change the SELinux type of port 3131 to match port 80:

    # semanage port -a -t http_port_t -p tcp 3131
  4. Start httpd again:

    # systemctl start httpd
  5. However, the content remains inaccessible:

    # wget localhost:3131/index.html
    ...
    HTTP request sent, awaiting response... 403 Forbidden
    ...

    Find the reason with the sealert tool:

    # sealert -l "*"
    ...
    SELinux is preventing httpd from getattr access on the file /var/test_www/html/index.html.
    ...
  6. Compare SELinux types for the standard and the new path using the matchpathcon tool:

    # matchpathcon /var/www/html /var/test_www/html
    /var/www/html       system_u:object_r:httpd_sys_content_t:s0
    /var/test_www/html  system_u:object_r:var_t:s0
  7. Change the SELinux type of the new /var/test_www/html/ content directory to the type of the default /var/www/html directory:

    # semanage fcontext -a -e /var/www /var/test_www
  8. Relabel the /var directory recursively:

    # restorecon -Rv /var/
    ...
    Relabeled /var/test_www/html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
    Relabeled /var/test_www/html/index.html from unconfined_u:object_r:var_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0

Verification

  1. Check that the httpd service is running:

    # systemctl status httpd
    ...
    Active: active (running)
    ...
    systemd[1]: Started The Apache HTTP Server.
    httpd[14888]: Server configured, listening on: port 3131
    ...
  2. Verify that the content provided by the Apache HTTP server is accessible:

    # wget localhost:3131/index.html
    ...
    HTTP request sent, awaiting response... 200 OK
    Length: 0 [text/html]
    Saving to: ‘index.html’
    ...

Additional resources

  • semanage(8), matchpathcon(8), and sealert(8) man pages.

4.2. Adjusting the policy for sharing NFS and CIFS volumes by using SELinux booleans

You can change parts of SELinux policy at runtime using booleans, even without any knowledge of SELinux policy writing. This enables changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. The following procedure demonstrates listing SELinux booleans and configuring them to achieve the required changes in the policy.

NFS mounts on the client side are labeled with a default context defined by a policy for NFS volumes. In RHEL, this default context uses the nfs_t type. Also, Samba shares mounted on the client side are labeled with a default context defined by the policy. This default context uses the cifs_t type. You can enable or disable booleans to control which services are allowed to access the nfs_t and cifs_t types.

To allow the Apache HTTP server service (httpd) to access and share NFS and CIFS volumes, perform the following steps:

Prerequisites

  • Optionally, install the selinux-policy-devel package to obtain clearer and more detailed descriptions of SELinux booleans in the output of the semanage boolean -l command.

Procedure

  1. Identify SELinux booleans relevant for NFS, CIFS, and Apache:

    # semanage boolean -l | grep 'nfs\|cifs' | grep httpd
    httpd_use_cifs                 (off  ,  off)  Allow httpd to access cifs file systems
    httpd_use_nfs                  (off  ,  off)  Allow httpd to access nfs file systems
  2. List the current state of the booleans:

    $ getsebool -a | grep 'nfs\|cifs' | grep httpd
    httpd_use_cifs --> off
    httpd_use_nfs --> off
  3. Enable the identified booleans:

    # setsebool httpd_use_nfs on
    # setsebool httpd_use_cifs on
    Note

    Use setsebool with the -P option to make the changes persistent across restarts. A setsebool -P command requires a rebuild of the entire policy, and it might take some time depending on your configuration.

Verification

  1. Check that the booleans are on:

    $ getsebool -a | grep 'nfs\|cifs' | grep httpd
    httpd_use_cifs --> on
    httpd_use_nfs --> on

Additional resources

  • semanage-boolean(8), sepolicy-booleans(8), getsebool(8), setsebool(8), booleans(5), and booleans(8) man pages on your system

4.3. Finding the correct SELinux type for managing access to non-standard directories

If you need to set access-control rules that the default SELinux policy does not cover, start by searching for a boolean that matches your use case. If you cannot find a suitable boolean, you can use a matching SELinux type or even create a local policy module.

Prerequisites

  • The selinux-policy-doc and setools-console packages are installed on your system.

Procedure

  1. List all SELinux-related topics and limit the results to a component you want to configure. For example:

    # man -k selinux | grep samba
    samba_net_selinux (8) - Security Enhanced Linux Policy for the samba_net processes
    samba_selinux (8)    - Security Enhanced Linux Policy for the smbd processes
    …

    In the man page that corresponds to your scenario, find the related SELinux booleans, port types, and file types.

    Note that the man -k selinux or apropos selinux commands are available only after you install the selinux-policy-doc package.

  2. Optional: You can display the default mapping of processes on default locations by using the semanage fcontext -l command, for example:

    # semanage fcontext -l | grep samba
    …
    /var/cache/samba(/.*)?                             all files          system_u:object_r:samba_var_t:s0
    …
    /var/spool/samba(/.*)?                             all files          system_u:object_r:samba_spool_t:s0
    …
  3. Use the sesearch command to display rules in the default SELinux policy. You can find the type and boolean to use by listing the corresponding rule, for example:

    $ sesearch -A | grep samba | grep httpd
    …
    allow httpd_t cifs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True
    …
  4. An SELinux boolean might be the most straightforward solution for your configuration problem. You can display all available booleans and their values by using the getsebool -a command, for example:

    $ getsebool -a | grep homedirs
    git_cgi_enable_homedirs --> off
    git_system_enable_homedirs --> off
    httpd_enable_homedirs --> off
    mock_enable_homedirs --> off
    mpd_enable_homedirs --> off
    openvpn_enable_homedirs --> on
    ssh_chroot_rw_homedirs --> off
  5. You can verify that the selected boolean does exactly what you want by using the sesearch command, for example:

    $ sesearch -A | grep httpd_enable_homedirs
    …
    allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_nfs_home_dirs && httpd_enable_homedirs ]:True
    allow httpd_suexec_t autofs_t:dir { getattr open search }; [ use_samba_home_dirs && httpd_enable_homedirs ]:True
    …
  6. If no boolean matches your scenario, find an SELinux type that suits your case. You can find a type for your files by querying a corresponding rule from the default policy by using sesearch, for example:

    $ sesearch -A -s httpd_t -c file -p read
    …
    allow httpd_t httpd_t:file { append getattr ioctl lock open read write };
    allow httpd_t httpd_tmp_t:file { append create getattr ioctl link lock map open read rename setattr unlink write };
    …
  7. If none of the previous solutions cover your scenario, you can add a custom rule to the SELinux policy. See the Creating a local SELinux policy module section for more information.

Additional resources

  • SELinux-related man pages provided by the man -k selinux command
  • sesearch(1), semanage-fcontext(8), semanage-boolean(8), and getsebool(8) man pages on your system

4.4. Managing access to non-standard shared directories for unprivileged SELinux users

You can configure access to a non-standard shared directory for the generic unprivileged SELinux user user_u by finding and mapping the corresponding SELinux file type. The user_u user has the default role user_r and the default domain user_t.

Prerequisites

  • The selinux-policy-doc and setools-console packages are installed on your system.

Procedure

  1. Open the user_selinux(8) man page in your terminal:

    $ man user_selinux

    In the MANAGED FILES section, find an attribute or a type that corresponds with your scenario. For example, the user_home_type attribute.

  2. Optional: To list all types assigned to an attribute, use the seinfo command with the -x and -a options, for example:

    $ seinfo -x -a user_home_type
    
    Type Attributes: 1
       attribute user_home_type;
    …
    	chrome_sandbox_home_t
    	config_home_t
    	cvs_home_t
    	data_home_t
    	dbus_home_t
    	fetchmail_home_t
    	gconf_home_t
    	git_user_content_t
    …
  3. After you identify a candidate for the corresponding type, the data_home_t type in this example, check its SELinux mapping:

    $ semanage fcontext -l | grep data_home_t
    …
    /root/\.local/share(/.*)?                          all files          system_u:object_r:data_home_t:s0
    …
  4. Map the corresponding type to a directory that you want to make accessible for user_u, for example, /shared-data:

    $ semanage fcontext -a -t data_home_t '/shared-data(/.*)?'

Verification

  1. Check the mapping of the directory you configured:

    # semanage fcontext -l | grep "shared-data"
    /shared-data(/.*)?                             	all files      	system_u:object_r:data_home_t:s0
  2. Log in as a Linux user mapped to the user_u SELinux user, and verify you can access the directory.

Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.