2.2. Types
The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following example creates a new file in the /var/www/html/ directory, and shows the file inheriting the httpd_sys_content_t type from its parent directory (/var/www/html/):

1. Run the ls -dZ /var/www/html command to view the SELinux context of /var/www/html/:

   ~]$ ls -dZ /var/www/html
   drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

   This shows /var/www/html/ is labeled with the httpd_sys_content_t type.

2. Run the touch /var/www/html/file1 command as the root user to create a new file.

3. Run the ls -Z /var/www/html/file1 command to view the SELinux context:

   ~]$ ls -Z /var/www/html/file1
   -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
The ls -Z command shows file1 labeled with the httpd_sys_content_t type. SELinux allows httpd to read files labeled with this type, but not write to them, even if Linux permissions allow write access. SELinux policy defines what types a process running in the httpd_t domain (where httpd runs) can read and write to. This helps prevent processes from accessing files intended for use by another process.
For example, httpd can access files labeled with the httpd_sys_content_t type (intended for the Apache HTTP Server), but by default, cannot access files labeled with the samba_share_t type (intended for Samba). Also, files in user home directories are labeled with the user_home_t type: by default, this prevents httpd from reading or writing to files in user home directories.
The following lists some of the types used with httpd. Different types allow you to configure flexible access:

- httpd_sys_content_t: Use this type for static web content, such as .html files used by a static website. Files labeled with this type are accessible (read only) to httpd and scripts executed by httpd. By default, files and directories labeled with this type cannot be written to or modified by httpd or other processes. Note that by default, files created in or copied into /var/www/html/ are labeled with the httpd_sys_content_t type.

- httpd_sys_script_exec_t: Use this type for scripts you want httpd to execute. This type is commonly used for Common Gateway Interface (CGI) scripts in /var/www/cgi-bin/. By default, SELinux policy prevents httpd from executing CGI scripts. To allow this, label the scripts with the httpd_sys_script_exec_t type and enable the httpd_enable_cgi Boolean. Scripts labeled with httpd_sys_script_exec_t run in the httpd_sys_script_t domain when executed by httpd. The httpd_sys_script_t domain has access to other system domains, such as postgresql_t and mysqld_t.

- httpd_sys_rw_content_t: Files labeled with this type can be written to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_rw_content_t type to label files that will be read from and written to by scripts labeled with the httpd_sys_script_exec_t type.

- httpd_sys_ra_content_t: Files labeled with this type can be appended to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_ra_content_t type to label files that will be read from and appended to by scripts labeled with the httpd_sys_script_exec_t type.

- httpd_unconfined_script_exec_t: Scripts labeled with this type run without SELinux protection. Only use this type for complex scripts, after exhausting all other options. It is better to use this type instead of disabling SELinux protection for httpd, or for the entire system.
Note

To see more of the available types for httpd, run the following command:

   ~]$ grep httpd /etc/selinux/targeted/contexts/files/file_contexts
Procedure 2.1. Changing the SELinux Context
The type for files and directories can be changed with the chcon command. Changes made with chcon do not survive a file system relabel or the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. The following example demonstrates creating a new directory and an index.html file for use by httpd, and labeling that file and directory to allow httpd access to them:

1. Run the mkdir -p /my/website command as the root user to create a top-level directory structure to store files to be used by httpd.

2. Files and directories that do not match a pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services:

   ~]$ ls -dZ /my
   drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /my

3. Run the chcon -R -t httpd_sys_content_t /my/ command as the root user to change the type of the /my/ directory and subdirectories to a type accessible to httpd. Now, files created under /my/website/ inherit the httpd_sys_content_t type, rather than the default_t type, and are therefore accessible to httpd:

   ~]# chcon -R -t httpd_sys_content_t /my/
   ~]# touch /my/website/index.html
   ~]# ls -Z /my/website/index.html
   -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /my/website/index.html

Refer to the Temporary Changes: chcon section of the Red Hat Enterprise Linux 6 SELinux User Guide for further information about chcon.
Use the semanage fcontext command (semanage is provided by the policycoreutils-python package) to make label changes that survive a relabel and the restorecon command. This command adds changes to file-context configuration. Then, run restorecon, which reads file-context configuration, to apply the label change. The following example demonstrates creating a new directory and an index.html file for use by httpd, and persistently changing the label of that directory and file to allow httpd access to them:

1. Run the mkdir -p /my/website command as the root user to create a top-level directory structure to store files to be used by httpd.

2. Run the following command as the root user to add the label change to file-context configuration:

   ~]# semanage fcontext -a -t httpd_sys_content_t "/my(/.*)?"

   The "/my(/.*)?" expression means the label change applies to the /my/ directory and all files and directories under it.

3. Run the touch /my/website/index.html command as the root user to create a new file.

4. Run the restorecon -R -v /my/ command as the root user to apply the label changes (restorecon reads file-context configuration, which was modified by the semanage command in step 2):

   ~]# restorecon -R -v /my/
   restorecon reset /my context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
   restorecon reset /my/website context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
   restorecon reset /my/website/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
Refer to the Persistent Changes: semanage fcontext section of the Red Hat Enterprise Linux SELinux User Guide for further information on semanage.
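After either labeling procedure (chcon, or semanage fcontext followed by restorecon), a quick way to confirm that everything under the new directory carries a type httpd can reach is to classify ls -Z output against the httpd types listed above. The following shell script is an added example and not part of this guide: it runs on a constructed ls -Z sample so it works offline, and the verdict strings are a summary of the type descriptions above, not output of any SELinux tool.

```shell
#!/bin/bash
# Added example: audit the labels of a web document root against the httpd
# types described above. SAMPLE_LS_Z is constructed input in the format ls -Z
# prints on RHEL 6, so the script runs offline; on a live host, use:
#   ls -Z /my/website | audit_labels

SAMPLE_LS_Z='-rw-r--r-- root  root  unconfined_u:object_r:httpd_sys_content_t:s0 /my/website/index.html
-rw-r--r-- root  root  unconfined_u:object_r:default_t:s0 /my/website/upload.php
-rwxr-xr-x root  root  unconfined_u:object_r:httpd_sys_script_exec_t:s0 /my/website/cgi-bin/hello.cgi
-rw-rw-r-- alice alice unconfined_u:object_r:user_home_t:s0 /my/website/notes.txt'

# Extract the type from a context string such as
# unconfined_u:object_r:httpd_sys_content_t:s0. The type is always the third
# field, even when the MLS field contains its own colons (s0-s0:c0.c1023).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Map a file type to what httpd (the httpd_t domain) may do with it, following
# the type descriptions above. The httpd_unconfined_* case must precede httpd_*.
httpd_access() {
    case "$1" in
        httpd_sys_content_t)            echo "read-only for httpd and its scripts" ;;
        httpd_sys_script_exec_t)        echo "CGI script (needs httpd_enable_cgi Boolean)" ;;
        httpd_sys_rw_content_t)         echo "read/write by httpd_sys_script_t scripts" ;;
        httpd_sys_ra_content_t)         echo "read/append by httpd_sys_script_t scripts" ;;
        httpd_unconfined_script_exec_t) echo "runs unconfined: review before use" ;;
        httpd_*)                        echo "other httpd type" ;;
        *)                              echo "NOT accessible to httpd" ;;
    esac
}

# Read ls -Z lines on stdin, print "path type verdict" for each, and return
# the number of files whose type httpd cannot reach (0 means all good).
# A path containing spaces stays intact because read assigns the remainder
# of the line to the last variable.
audit_labels() {
    bad=0
    while read -r perms owner group ctx path; do
        case "$ctx" in *:*:*) ;; *) continue ;; esac   # skip non-context lines
        ftype=$(selinux_type "$ctx")
        verdict=$(httpd_access "$ftype")
        printf '%-30s %-28s %s\n' "$path" "$ftype" "$verdict"
        case "$verdict" in NOT*) bad=$((bad + 1)) ;; esac
    done
    return "$bad"
}

printf '%s\n' "$SAMPLE_LS_Z" | audit_labels || echo "$? file(s) need relabeling"
```

In the sample, upload.php (default_t) and notes.txt (user_home_t) are the two files a restorecon -R -v /my/ or chcon -R -t httpd_sys_content_t /my/ would need to fix before httpd can serve them.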