Este conteúdo não está disponível no idioma selecionado.

4.2. Unconfined Processes

Unconfined processes run in unconfined domains, for example, init programs run in the unconfined initrc_t domain, unconfined kernel processes run in the kernel_t domain, and unconfined Linux users run in the unconfined_t domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules – it does not replace them.

To ensure that SELinux is enabled and the system is prepared to perform the following example, complete the Procedure 4.1, “How to Verify SELinux Status” described in Section 4.1, “Confined Processes”.

The following example demonstrates how the Apache HTTP Server (httpd) can access data intended for use by Samba, when running unconfined. Note that in Red Hat Enterprise Linux, the httpd process runs in the confined httpd_t domain by default. This is an example, and should not be used in production. It assumes that the httpd, wget, dbus and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.

Procedure 4.3. An Example of Unconfined Process

The chcon command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the semanage command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba:
```
chcon -t samba_share_t /var/www/html/testfile
```
```
~]# chcon -t samba_share_t /var/www/html/testfile
```
Copy to Clipboard Toggle word wrap
Run the ls -Z /var/www/html/testfile command to view the changes:
```
ls -Z /var/www/html/testfile
```
```
~]$ ls -Z /var/www/html/testfile
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
```
Copy to Clipboard Toggle word wrap
Run the service httpd status command to confirm that the httpd process is not running:
```
service httpd status
```
```
~]$ service httpd status
httpd is stopped
```
Copy to Clipboard Toggle word wrap
If the output differs, run the service httpd stop command as the Linux root user to stop the httpd process:
```
service httpd stop
```
```
~]# service httpd stop
Stopping httpd:                                            [  OK  ]
```
Copy to Clipboard Toggle word wrap
To make the httpd process run unconfined, run the following command as the Linux root user to change the type of /usr/sbin/httpd, to a type that does not transition to a confined domain:
```
chcon -t unconfined_exec_t /usr/sbin/httpd
```
```
~]# chcon -t unconfined_exec_t /usr/sbin/httpd
```
Copy to Clipboard Toggle word wrap
Run the ls -Z /usr/sbin/httpd command to confirm that /usr/sbin/httpd is labeled with the unconfined_exec_t type:
```
ls -Z /usr/sbin/httpd
```
```
~]$ ls -Z /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd
```
Copy to Clipboard Toggle word wrap
As the Linux root user, run the service httpd start command to start the httpd process. The output is as follows if httpd starts successfully:
```
service httpd start
```
```
~]# service httpd start
Starting httpd:                                            [  OK  ]
```
Copy to Clipboard Toggle word wrap

Run the ps -eZ | grep httpd command to view the httpd running in the unconfined_t domain:

ps -eZ | grep httpd

~]$ ps -eZ | grep httpd
unconfined_u:unconfined_r:unconfined_t:s0 7721 ?      00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7723 ?      00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7724 ?      00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7725 ?      00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7726 ?      00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7727 ?      00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7728 ?      00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7729 ?      00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0 7730 ?      00:00:00 httpd

Copy to Clipboard

Toggle word wrap

Change into a directory where your Linux user has write access to, and run the wget http://localhost/testfile command. Unless there are changes to the default configuration, this command succeeds:
```
wget http://localhost/testfile
```
```
~]$ wget http://localhost/testfile
--2009-05-07 01:41:10--  http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile.1'

[ <=>                            ]--.-K/s   in 0s      
	
2009-05-07 01:41:10 (0.00 B/s) - `testfile.1' saved [0/0]
```
Copy to Clipboard Toggle word wrap
Although the httpd process does not have access to files labeled with the samba_share_t type, httpd is running in the unconfined unconfined_t domain, and falls back to using DAC rules, and as such, the wget command succeeds. Had httpd been running in the confined httpd_t domain, the wget command would have failed.
The restorecon command restores the default SELinux context for files. As the Linux root user, run the restorecon -v /usr/sbin/httpd command to restore the default SELinux context for /usr/sbin/httpd:
```
restorecon -v /usr/sbin/httpd
```
```
~]# restorecon -v /usr/sbin/httpd
restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_exec_t:s0->system_u:object_r:httpd_exec_t:s0
```
Copy to Clipboard Toggle word wrap
Run the ls -Z /usr/sbin/httpd command to confirm that /usr/sbin/httpd is labeled with the httpd_exec_t type:
```
ls -Z /usr/sbin/httpd
```
```
~]$ ls -Z /usr/sbin/httpd
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
```
Copy to Clipboard Toggle word wrap

As the Linux root user, run the service httpd restart command to restart httpd. After restarting, run the ps -eZ | grep httpd command to confirm that httpd is running in the confined httpd_t domain:

service httpd restart
ps -eZ | grep httpd

~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
~]# ps -eZ | grep httpd
unconfined_u:system_r:httpd_t:s0    8883 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0    8884 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0    8885 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0    8886 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0    8887 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0    8888 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0    8889 ?        00:00:00 httpd

Copy to Clipboard

Toggle word wrap

As the Linux root user, run the rm -i /var/www/html/testfile command to remove testfile:
```
rm -i /var/www/html/testfile
```
```
~]# rm -i /var/www/html/testfile
rm: remove regular empty file `/var/www/html/testfile'? y
```
Copy to Clipboard Toggle word wrap
If you do not require httpd to be running, as the Linux root user, run the service httpd stop command to stop httpd:
```
service httpd stop
```
```
~]# service httpd stop
Stopping httpd:                                            [  OK  ]
```
Copy to Clipboard Toggle word wrap

The examples in these sections demonstrate how data can be protected from a compromised confined-process (protected by SELinux), as well as how data is more accessible to an attacker from a compromised unconfined-process (not protected by SELinux).

Este conteúdo não está disponível no idioma selecionado.

4.2. Unconfined Processes

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Tornando o open source mais inclusivo

Sobre a Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links