SELinux with ApacheSecurity with Apache is an important topic, of which SELinux is a part. However, the frustration that results in trying to manage SELinux and how it relates to an Apache Web Server is huge. Most of the time, administrators bail and shut down SELinux because they do not have the time to correctly configure the system. SELinux can be a key to good security for the Apache daemon. This tutorial with help you develop several skills that will provide some level of SELinux management for the Apache Web Server.
View Processes protected by SELinuxYou may view processes which are restricted by SELinux with ps. While your Apache Web Server is running you can view the processes under management. Remember that by default Apache will start 8 web servers when it is initialized so that is why you see this number of processes running. The ps command had to be completely rewritten to provide these SELinux attributes.
# ps -ZC httpd LABEL PID TTY TIME CMD root:system_r:httpd_t 11759 ? 00:00:00 httpd root:system_r:httpd_t 15899 ? 00:00:00 httpd root:system_r:httpd_t 15900 ? 00:00:00 httpd root:system_r:httpd_t 15901 ? 00:00:00 httpd root:system_r:httpd_t 15902 ? 00:00:00 httpd root:system_r:httpd_t 15903 ? 00:00:00 httpd root:system_r:httpd_t 15918 ? 00:00:00 httpd root:system_r:httpd_t 15919 ? 00:00:00 httpd root:system_r:httpd_t 15920 ? 00:00:00 httpd If you wanted to view the entire list of processes currently protected with SELinux you would use this command:
# ps -eZ LABEL PID TTY TIME CMD system_u:system_r:init_t 1 ? 00:00:00 init system_u:system_r:kernel_t 2 ? 00:00:00 migration/0 system_u:system_r:kernel_t 3 ? 00:00:00 ksoftirqd/0 system_u:system_r:kernel_t 4 ? 00:00:00 watchdog/0 system_u:system_r:kernel_t 5 ? 00:00:00 events/0 system_u:system_r:kernel_t 6 ? 00:00:00 khelper system_u:system_r:kernel_t 7 ? 00:00:00 kthread system_u:system_r:kernel_t 10 ? 00:00:00 kblockd/0 system_u:system_r:kernel_t 11 ? 00:00:00 kacpid ---cut---
SELinux sees everything as an object. Access to objects are controlled by security elements stored in the inode, which now has extended fields. The security elements combined create a security context which consists of five elements.
user
The role is used to indicate the user of the context. If a user logs in as root they will have a user value of root. If they log in as a regular user, like tom, they will have the value of user_u. Users who su to root will continue to have the value of user_u. Processes also have a value, system_u.
role
This is used to define the role of the user. Files have a role of object_r and processes have a role of system_r. Users, like processes have the role of system_r.
type
Types are used to create a type enforcement which determines which process types can have access to which file types.
sensitivity
This is a security feature used by government agencies.
category
This provides a way to block access to categories of people including root.
user: role: type: sensitivity: category If you view the settings for the index.html file in /var/www/html you will see these attributes listed. # ls -Z -rw-r--r-- root root root:object_r:httpd_sys_content_t index.html user: root: role: object_r: type: httpd_sys_content_t sensitivity: category It is important to note that the type: httpd_sys_content_t is required in order to view a SELinux object such as index.html. This type serves up content whereas if you wanted to use a cgi program or any other active page you will need a different type. Listed below are various types and also how to manage those types so they work. If you are going to use the apache web server you will need to know how to adjust the SELinux for that daemon. The first step in this process is to evaluate the booleans that are set for httpd in SELinux. Here is a list of the types that are available for the Apache Web Server.
# getsebool -a | grep httpd allow_httpd_anon_write --> off allow_httpd_mod_auth_pam --> off allow_httpd_sys_script_anon_write --> off httpd_builtin_scripting --> on httpd_can_network_connect --> off httpd_can_network_connect_db --> off httpd_can_network_relay --> off httpd_disable_trans --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> on httpd_rotatelogs_disable_trans --> off httpd_ssi_exec --> off httpd_suexec_disable_trans --> off httpd_tty_comm --> off httpd_unified --> on
Here is a brief description of several major types. httpd_sys_content_t Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon. httpd_sys_script_exec_t Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. httpd_sys_script_ro_t Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access. httpd_sys_script_rw_t Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. httpd_sys_script_ra_t Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. httpd_unconfined_script_exec_t
Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux pro- tection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
SELinux policy is customizable based on least access required. So by default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. Here is the process for changed the status of these booleans for the Apache Web Server.
Enable cgi If you wanted to enable the server to run cgi scripts you will need to change the boolean to allow this type. And...this is important...you will need to alter your cgi scripts so that their type is this type for cgi. # setsebool -P httpd_enable_cgi 1 Now that you have enabled cgi you will need to change the type for your cgi applications. Type Enforcement is the primary method of security for the targeted policy. The Type can be changed using the chcon command. However, the chcon command can only change to a Type that is defined by the policy.
# ls -Z -rw-r--r-- root root root:object_r:httpd_sys_content_t myprogram.cgi
In this example the cgi program will not be able to execute as it is a content type not the cgi type.
# chcon -t httpd_sys_script_exec_t myprogram.cgi
# ls -Z -rw-r--r-- root root root:object_r:httpd_sys_script_exec_t myprogram.cgi Now the cgi should be able to execute.
Enable User home Directories and Change Context You may want to allow users to show web pages from their home directory. # setsebool -P httpd_enable_homedirs 1 # chcon -R -t httpd_sys_content_t ~user/public_html
Enable Access to Terminal
httpd may need to prompt for a password on a certificate file # setsebool -P httpd_tty_comm 1
Disable File Control Contexts # setsebool -P httpd_unified 0
Disable PHP You will need to manage the PHP settings for SELinux in order to run PHP. # setsebool -P httpd_builtin_scripting 0
Enable Network Connections from httpd
Disabled to prevent hackers from attacking other machines from httpd. # setsebool -P httpd_can_network_connect 1
Disable suexec Transition # setsebool -P httpd_suexec_disable_trans 1
Disable Protection for httpd Daemon
# setsebool -P httpd_disable_trans 1 # service httpd restart
Changing a http Port You may want to change a port number for http. You cannot do this without editing the configuration for SELinux.
# semanage port -l | grep http http_cache_port_t tcp 3128, 8080, 8118 http_cache_port_t udp 3130 http_port_t tcp 80, 443, 488, 8008, 8009, 8443 pegasus_http_port_t tcp 5988 pegasus_https_port_t tcp 5989
Change httpd to port 81 in the httpd.conf file.
Listen 81
Now restart, and you will see that it will fail to restart. Check /var/log/messages for output.
Dec 10 08:03:46 cent2 setroubleshoot: SELinux is preventing the /usr/sbin/httpd (httpd_t) from binding to port 81. For complete SELinux messages. run sealert -l 9d1872a0-da1f-48b3-b7bc-4ed7094387e5
In order to fix this you will need to use the semanage command to add port 81 to the ports allowed by SELinux. # semanage port -a -t http_port_t -p tcp 81
Restart httpd and you will find that it works. Now verify that port 81 was added to the default allowed ports.
# semanage port -l | grep http http_cache_port_t tcp 3128, 8080, 8118 http_cache_port_t udp 3130 http_port_t tcp 81, 80, 443, 488, 8008, 8009, 8443 pegasus_http_port_t tcp 5988 pegasus_https_port_t tcp 5989
Managing Context Problems
A common problem is when you create HTML pages in a user directory with the context of the user and then copy them to the http directories to be used as web pages. Here is an example. Mike build an index.html page to be moved into the root directory for httpd. The file is created in the user's home directory and as you can see it will have this context:
# ls -Z index.html -rw-rw-r-- mike mike root:object_r:user_home_t index.html That file is copied into /var/www/html as the main index page but still has the same context, at least in some scenarios if the user has rights in the directory.
# ls -Z /var/www/html -rw-r--r-- root root root:object_r:httpd_sys_content_t index.html
Changing the Type Type Enforcement is the primary method of security for the targeted policy. The Type can be changed using the chcon command. However, the chcon command can only change to a Type that is defined by the policy.
# ls -Z -rw-r--r-- root root root:object_r:httpd_sys_content_t index.html
# chcon -t tmp_t index.html
# ls -Z -rw-r--r-- root root root:object_r:tmp_t index.html
You may also want to use a reference file to change the Type using the chcon command. The idea is to locate a file with the correct settings and then use it as a reference to correct another file. The example shows that the index.html file is incorrect but that the test.htm file can be used as a reference to fix the index.html file. # ls -Z -rw-r--r-- root root root:object_r:tmp_t index.html -rw-r--r-- root root root:object_r:httpd_sys_content_t test.htm
# chcon --reference test.htm index.html
# ls -Z -rw-r--r-- root root root:object_r:httpd_sys_content_t index.html -rw-r--r-- root root root:object_r:httpd_sys_content_t test.htm Another way to correct the problem is to use restorecon. This command can be used to bring all files in a directory back to the required Type. In this example restorecon repairs the index.html file that would not work correctly. Be sure to put a “/*” at the end of the directory you want to fix.
# ls -Z -rw-r--r-- root root root:object_r:tmp_t index.html -rw-r--r-- root root root:object_r:httpd_sys_content_t test.htm
# restorecon /var/www/html/*
# ls -Z -rw-r--r-- root root system_u:object_r:httpd_sys_content_t index.html -rw-r--r-- root root root:object_r:httpd_sys_content_t test.htm
REFERENCES |