Almost every service that listens on a network is confined in Red Hat Enterprise Linux. Also, most processes that run as the root user and perform tasks for users, such as the passwd application, are confined. When a process is confined, it runs in its own domain, such as the httpd process running in the httpd_t domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited.
The following example demonstrates how SELinux prevents the Apache HTTP Server (httpd) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example, and should not be used in production. It assumes that the httpd, wget, setroubleshoot-server and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
Run the sestatus command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
$ /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
SELinux status: enabled is returned when SELinux is enabled. Current mode: enforcing is returned when SELinux is running in enforcing mode. Policy from config file: targeted is returned when the SELinux targeted policy is used.
As the root user, run the touch /var/www/html/testfile command to create a file.
Run the ls -Z /var/www/html/testfile command to view the SELinux context:
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
The testfile file is labeled with the SELinux unconfined_u user because a Linux user that is mapped to the unconfined_u SELinux user created the file. Role-Based Access Control (RBAC) is used for processes, not files. Roles do not have a meaning for files - the object_r role is a generic role used for files (on persistent storage and network file systems). Under the /proc/ directory, files related to processes may use the system_r role.[] The httpd_sys_content_t type allows the httpd process to access this file.
As the root user, run the service httpd start command to start the httpd process. The output is as follows if httpd starts successfully:
# /sbin/service httpd start
Starting httpd: [ OK ]
Change into a directory where your Linux user has write access to, and run the wget http://localhost/testfile command. Unless there are changes to the default configuration, this command succeeds:
--2009-12-01 11:40:28-- http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]
Saving to: `testfile'
[ <=> ] 0 --.-K/s in 0s
2009-12-01 11:40:28 (0.00 B/s) - `testfile' saved [0/0]
The chcon command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the semanage command, which is discussed later. As the root user, run the following command to change the type to a type used by Samba:
chcon -t samba_share_t /var/www/html/testfile
Run the ls -Z /var/www/html/testfile command to view the changes:
-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
Note: the current DAC permissions allow the httpd process access to testfile. Change into a directory where your Linux user has write access to, and run the wget http://localhost/testfile command. Unless there are changes to the default configuration, this command fails:
--2009-12-01 11:43:18-- http://localhost/testfile
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2009-12-01 11:43:18 ERROR 403: Forbidden.
As the root user, run the rm /var/www/html/testfile command to remove testfile.
If you do not require httpd to be running, as the root user, run the service httpd stop command to stop httpd:
# /sbin/service httpd stop
Stopping httpd: [ OK ]
This example demonstrated the additional security added by SELinux. DAC rules allowed the httpd process access to testfile in step 5, but because the file was then labeled with a type that the httpd process does not have access to, SELinux denied access. After step 7, if the setroubleshoot-server package is installed, an error similar to the following is logged to /var/log/messages:
setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/testfile (samba_share_t). For complete SELinux messages run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
Also, an error similar to the following is logged to /var/log/httpd/error_log:
[Tue Dec 01 11:43:18 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied
