iptables and more on Linux » security

SELinux tools

admin — Fri, 08 Jan 2010 18:34:05 +0000

As SELinux is a bit of complicated compared to the tools that we use currently, I have thought it is good to have some tips here.

1) seinfo: This is the selinux query tool to see statistics about your policy.

[root@rh54-3 ~]# seinfo

Statistics for policy file: /etc/selinux/targeted/policy/policy.21
Policy Version & Type: v.21 (binary, MLS)

Classes:            61    Permissions:       220
Types:            1710    Attributes:        161
Users:               3    Roles:               6
Booleans:          242    Cond. Expr.:       222
Sensitivities:       1    Categories:       1024
Allow:          116810    Neverallow:          0
Auditallow:         41    Dontaudit:        6778
Role allow:          5    Role trans:          0
Type_trans:       1886    Type_change:         0
Type_member:         0    Range_trans:       317
Constraints:        47    Validatetrans:       0
Fs_use:             18    Genfscon:           74
Portcon:           323    Netifcon:

2) sesearch: This is a very handy tool. When I started using SELinux, I was thinking that processes with a specific type are only allowed to make operations of the same type:) how stupid I am. Then I have seen by experience that policy can defines it and to see what a source can do, we can use sesearch. For example to search for httpd_t type source in order to see in which types it is associated with issue the following;

[root@rh54-3 ~]# sesearch -s httpd_t -c file –allow
Found 103 av rules:
allow httpd_t etc_runtime_t : file { ioctl read getattr lock };
allow httpd_t httpd_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t httpd_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
allow httpd_t public_content_rw_t : file { ioctl read getattr lock };
allow httpd_t httpd_bugzilla_htaccess_t : file { ioctl read getattr lock };
allow httpd_t mailman_data_t : file { ioctl read getattr lock };
allow httpd_t httpd_cvs_htaccess_t : file { ioctl read getattr lock };
allow httpd_t httpd_sys_htaccess_t : file { ioctl read getattr lock };
allow httpd_t squirrelmail_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t httpd_prewikka_htaccess_t : file { ioctl read getattr lock };
allow httpd_t locale_t : file { ioctl read getattr lock };
allow httpd_t var_auth_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t etc_t : file { ioctl read getattr lock };
allow httpd_t fonts_t : file { ioctl read getattr lock };
allow httpd_t ld_so_t : file { ioctl read getattr lock execute };
allow httpd_t proc_t : file { ioctl read getattr lock };
allow httpd_t sysfs_t : file { ioctl read getattr lock };
allow httpd_t krb5_keytab_t : file { ioctl read getattr lock };
allow httpd_t httpd_config_t : file { ioctl read getattr lock };
allow httpd_t udev_tbl_t : file { ioctl read getattr lock };
allow httpd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t shell_exec_t : file { ioctl read getattr lock execute execute_no_trans };
allow httpd_t cvs_data_t : file { ioctl read getattr lock };
allow httpd_t httpd_helper_exec_t : file { read getattr execute };
allow httpd_t ld_so_cache_t : file { ioctl read getattr lock };
allow httpd_t httpd_squirrelmail_t : file { ioctl read write create getattr setattr lock append unlink link rename };
allow httpd_t httpd_php_exec_t : file { read getattr execute };
allow httpd_t httpd_nagios_htaccess_t : file { ioctl read getattr lock };
allow httpd_t net_conf_t : file { ioctl read getattr lock };
…

…

3) Restorecon

This is a very useful utility that allows you to restore types configured statically in the system. The only thing you should do is

#restorecon -R -v /data

However if your type is in /etc/selinux/targeted/contexts/customizable_types file then you have to add “-F” flag into the command, if you don’t nothing happens:) As I have quoted text from Dan Walsh’s blog (RH engineer) , restorecon ignores these types and -F must be added.

customizable_types
- These are a list of file types that restorecon will ignore. So if you want to relabel your entire system using restorecon, and a file is labeled with a context in this file, the context will not be changed. This can be overridden with the -F flag. This allows you to specify special directories on your system as being readable by apache. So if you chcon -R -t httpd_sys_content_t /var/myhtml, a relabel will not change this directory tree back to var_t.

Selinux User Guide: http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/index.html

Disabling local access for normal users

admin — Fri, 08 Jan 2010 13:40:07 +0000

If you want to disable only local login for normal users you can use the file /etc/security/access.conf for this purpose however it doesn’t work by default even if you configure this file properly. For example, if you want to allow root logins locally but not any other user, edit access.conf file such that;

-:ALL EXCEPT root:ALL

Literally the above line means ” Disable (-) all users’ (ALL) login access except (EXCEPT) root user (root) and allow root user to login via all terminals.

We haven’t finished yet as we must introduce this file into pam configuration. The necessary pam module is “pam_access” my new /etc/pam.d/login file is as follows:

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    required     pam_access.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke

By the default, the red line isn’t in this file. Once you add it, you will see that access restrictions are applied.

Disabling su for normal users

admin — Fri, 08 Jan 2010 13:10:23 +0000

When I install Gentoo, as far as I remember, by default normal users aren’t allowed to use “su” . If you want to let any user to use “su” then you have to add them into the “wheel” user group. In redhat, you can uncomment one line, and it works like a charm.

Edit the file /etc/pam.d/su :

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the “wheel” group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the “wheel” group.
#auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

If you uncomment the red line;

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the “wheel” group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the “wheel” group.
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

Then users have to be in wheel group in order to gain access to root privileges. Once you add your normal user into wheel user e.g

usermod -G wheel testuser

this test users can switch into root user.

Displaying certificates with openssl

admin — Fri, 08 Jan 2010 12:14:26 +0000

Sometimes you need to view certificates with a simple utility rather then using a browser or MUA. Here is how you can do it with openssl. For instance you would like to display the certificate of https://192.168.200.1 , lets do it;

DISPLAYING A REMOTE CERTIFICATE

# openssl s_client -connect 192.168.200.1:443
CONNECTED(00000003)
depth=0 /C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=9:certificate is not yet valid
notBefore=Dec 8 18:44:11 2009 GMT
verify return:1
depth=0 /C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
notBefore=Dec 8 18:44:11 2009 GMT
verify return:1
—
Certificate chain
0 s:/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
i:/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
—
Server certificate
—–BEGIN CERTIFICATE—–
MIIEDjCCA3egAwIBAgICRrUwDQYJKoZIhvcNAQEFBQAwgbsxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIEwlTb21lU3RhdGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQK
ExBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxV
bml0MR4wHAYDVQQDExVsb2NhbGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0B
CQEWGnJvb3RAbG9jYWxob3N0LmxvY2FsZG9tYWluMB4XDTA5MTIwODE4NDQxMVoX
DTEwMTIwODE4NDQxMVowgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIEwlTb21lU3Rh
dGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQKExBTb21lT3JnYW5pemF0aW9u
MR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDExVsb2Nh
bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqP30TzVK+
kO/V8g7PLP4gDDBAJAoQheb/I8Fg4pMiWUKnBE1hqftCOWcd1KTyNWgXPNB+xspE
5G+3Lk5enccuzr/r0YrjJHWYNzKge4tau1sLSqpBWlFGyQmBlP1JBG2vBQMy9nu6
t/RtJMii6yDm9H6xj10h98wXut8D6mOyQwIDAQABo4IBHTCCARkwHQYDVR0OBBYE
FPbm+ZFfjHJF3HtyQDzO31YbNVaNMIHpBgNVHSMEgeEwgd6AFPbm+ZFfjHJF3Hty
QDzO31YbNVaNoYHBpIG+MIG7MQswCQYDVQQGEwItLTESMBAGA1UECBMJU29tZVN0
YXRlMREwDwYDVQQHEwhTb21lQ2l0eTEZMBcGA1UEChMQU29tZU9yZ2FuaXphdGlv
bjEfMB0GA1UECxMWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEeMBwGA1UEAxMVbG9j
YWxob3N0LmxvY2FsZG9tYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9z
dC5sb2NhbGRvbWFpboICRrUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOB
gQBNUijzKybFB2a/vDpetJ9AEyyLFwlqnF2QIY577pYo6WBR/w6XsEo7oN2PHRKB
z77OfW9Wt15tTMqm3gZMHVY7wmnWA0uVbnbnAL90Ht6pdRvqYy7CyejaKJQKPBhI
ZjGKWJlPzgf5gro4nSPwoG+qFnmJYotoFfGP9+5gF1HEmA==
—–END CERTIFICATE—–
subject=/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
—
No client certificate CA names sent
—
SSL handshake has read 1606 bytes and written 316 bytes
—
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher    : DHE-RSA-AES256-SHA
Session-ID: 1B7226891FBA809022C13F2ECC68E602895ADBA11F8FCB93630BA7DC643B1781
Session-ID-ctx:
Master-Key: 46F7E40AE4688DFBDCDBAE5B261078323A227C21988F78B568A8F15C660CD2C9C4A8FF517B71A460B1C2CFF8F51FAF7F
Key-Arg   : None
Krb5 Principal: None
Start Time: 1136128014
Timeout   : 300 (sec)
Verify return code: 9 (certificate is not yet valid)
—

DISPLAYING A LOCAL CERTIFICATE (FILE)

If you issue the following command for the certificate file (server.crt) locally saved, you will see the certificate details

#openssl x509 -in server.crt -text

SELinux and SAMBA

admin — Thu, 07 Jan 2010 17:18:41 +0000

In this article we will configure samba based on a case in which SELinux is enabled again . The case is:

“Setup samba in such a way that only users mert and yigit will be able to access the folder /samba_share in the server”

1) First create the folder and set the permissions for these users and adjust selinux settings.

[root@rh54-2 /]# mkdir /samba_share
[root@rh54-2 /]# setfacl -m u:mert:rwx /samba_share/
[root@rh54-2 /]# setfacl -m u:yigit:rwx /samba_share/
[root@rh54-2 /]# getfacl /samba_share/
getfacl: Removing leading ‘/’ from absolute path names
# file: samba_share
# owner: root
# group: root
user::rwx
user:yigit:rwx
user:mert:rwx
group::r-x
mask::rwx
other::r-x

From the getfacl output we can see that root,mert and yigit users have full access on this folder.

Now put this new share under the security context type of samba which is : samba_share_t

[root@rh54-2 ~]# chcon -R -t samba_share_t /samba_share/
[root@rh54-2 ~]# semanage fcontext -a -t samba_share_t “/samba_share(/.*)?”

As it can be seen we have also added the folder into the policy so that if relabeling is performed, this folder won’t be affected.

2) Setup SAMBA config to allow access for these users

[sambatest]
comment = share for mert and yigit
path = /samba_share
writable = yes
valid users = yigit mert

and reload samba

[root@rh54-2 ~]# /etc/init.d/smb reload
Reloading smb.conf file: [ OK ]

Note: As we have used “valid users” option for users, no other users are allowed even to display/login into this share. If we had written
“writable = no” and “write list = yigit mert” , then other users would have also gained access into this share.

3) Add these users into samba user list

[root@rh54-2 ~]# smbpasswd -a yigit
New SMB password:
Retype new SMB password:
Added user yigit.
[root@rh54-2 ~]# smbpasswd -a mert
New SMB password:
Retype new SMB password:
Added user mert.

4) Connect to samba server and send a test file followed by a deletion

[root@rh54-2 ~]# touch testfile
[root@rh54-2 ~]# smbclient //192.168.200.81/sambatest -U yigit
Password:
Domain=[RH54-2] OS=[Unix] Server=[Samba 3.0.33-3.14.el5]
smb: \> put testfile
putting file testfile as \testfile (0.0 kb/s) (average 0.0 kb/s)
smb: \> rm testfile
smb: \>

As you can see sending and removing a file works for the user yigit, lets try for mert.

[root@rh54-2 ~]# smbclient //192.168.200.81/sambatest -U mert
Password:
Domain=[RH54-2] OS=[Unix] Server=[Samba 3.0.33-3.14.el5]
smb: \> put testfilemert
putting file testfilemert as \testfilemert (0.0 kb/s) (average 0.0 kb/s)
smb: \> rm testfilemert
smb: \>

Great!! it has worked as well. POSIX access list is a great way when you have run out of tools in permission managament. It is by no means that involving SELinux also complicates things a bit. Fortunately there isn’t many booleans for SAMBA.

Please let me know if you have any questions in configuration or anything to add.

SELinux and BIND

admin — Tue, 05 Jan 2010 22:38:55 +0000

When SELinux and BIND are together, there is not much to say as there are only two booleans that you can toggle as you can see below;

[root@rh54-2 named]# getsebool -a | grep named
named_disable_trans –> off
named_write_master_zones –> off

When your booelans is like above and you want to use your BIND as a slave server, you will get a SELinux blocking similar to below.

[root@rh54-2 named]# sealert -l d157199a-1b33-41a6-bf77-3811bb492b84

Summary:

SELinux is preventing the named daemon from writing to the zone directory

Detailed Description:

SELinux has denied the named daemon from writing zone files. Ordinarily, named
is not required to write to these files. Only secondary servers should be
required to write to these directories. If this machine is not a secondary
server, this could signal a intrusion attempt.

Allowing Access:

If you want named to run as a secondary server and accept zone transfers you
need to turn on the named_write_master_zones boolean: “setsebool -P
named_write_master_zones=1″

The following command will allow this access:

setsebool -P named_write_master_zones=1

Additional Information:

Source Context                root:system_r:named_t
Target Context                system_u:object_r:named_zone_t
Target Objects                ./named [ dir ]
Source                        named
Source Path                   /usr/sbin/named
Port
Host                          rh54-2.iptables.gen.tr
Source RPM Packages           bind-9.3.6-4.P1.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   named_write_master_zones
Host Name                     rh54-2.iptables.gen.tr
Platform                      Linux rh54-2.iptables.gen.tr 2.6.18-164.el5 #1 SMP Tue
Aug 18 15:51:54 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Tue Jan 5 06:08:58 2010
Last Seen                     Tue Jan 5 06:08:59 2010
Local ID                      d157199a-1b33-41a6-bf77-3811bb492b84
Line Numbers

Raw Audit Messages

host=rh54-2.iptables.gen.tr type=AVC msg=audit(1262668139.6:51): avc: denied { write } for pid=4299 comm=”named” name=”named” dev=dm-0 ino=195429 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir

host=rh54-2.iptables.gen.tr type=SYSCALL msg=audit(1262668139.6:51): arch=40000003 syscall=5 success=no exit=-13 a0=9448670 a1=c2 a2=1b6 a3=9448674 items=0 ppid=1 pid=4299 auid=0 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=6 comm=”named” exe=”/usr/sbin/named” subj=root:system_r:named_t:s0 key=(null)

To get named update the zone files you have to toggle the boolean as below;

setsebool -P named_write_master_zones=1

Then your zone files will be written properly.

SELinux and Apache

admin — Tue, 05 Jan 2010 19:54:05 +0000

SELinux (Security Enhanced Linux) is something that some of us may be afraid of because once it is enabled network services start to behave abnormally. However once it is configured properly you can restrict processes and enforce their access to files and directories as you wish. In this article we will speak briefly about integration of SELinux with Apache.

SELinux modes

There three modes of SELinux

Enforcing : You can restrict processes in this mode
Permissive : You can see what might happen in the logs if the mode was Enforcing instead of Permissive.
Disabled : Inactive state

You can query the runtime mode with “getenforce”:

[root@rh54-3 ~]# getenforce
Enforcing

or you can set the SELinux mode with “setenforce”:

[root@rh54-3 ~]# setenforce 0
[root@rh54-3 ~]# getenforce
Permissive

Note: If you want to set the selinux mode to enforcing, you must reboot the server to relabel the filesystem. To have your changes to be persistent between reboots, set the SELinux mode in /etc/sysconfig/selinux file.

Redhat uses targeted policy by default which isn’t very strict and mainly service focused.

Security Context

When you label the file system some extra attributes are involved for each file, lets see them;

[root@rh54-3 ~]# ls -Z
-rw——- root root system_u:object_r:user_home_t    anaconda-ks.cfg
drwxr-xr-x root root root:object_r:user_home_t Desktop
-rw-r–r– root root root:object_r:user_home_t        install.log
-rw-r–r– root root root:object_r:user_home_t        install.log.syslog

“ls -Z” shows us the security context “root:object_r:user_home_t” of our files. As you can see security context has three elements which are user,role and type in which we will be dealing with the type part mainly.

In targeted mode SELinux systems, not all services are SELinux protected. If you want to see whether a service is protected or not you can issue;

[root@rh54-3 ~]# ps -efZ |grep httpd
system_u:system_r:httpd_t       root      3102     1 0 11:19 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t apache    3127 3102 0 11:19 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    3128 3102 0 11:19 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    3129 3102 0 11:19 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    3130 3102 0 11:19 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    3131 3102 0 11:19 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    3132 3102 0 11:19 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    3133 3102 0 11:19 ?        00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t       apache    3134 3102 0 11:19 ?        00:00:00 /usr/sbin/httpd

You can see that httpd has a context and type is httpd_t.

Apache and SELinux

We will go by an example. SELinux mode is enforcing and we want to provide virtualhost services. Lets do it;

We have the following VirtualHost configuration in apache

NameVirtualHost 192.168.200.79:80
#

DocumentRoot /var/www/html
ServerName rh54-3.iptables.gen.tr

Lets look at the security context of DocumentRoot

[root@rh54-3 html]# ls -Z /var/www/
drwxr-xr-x root      root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root      root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root      root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root      root system_u:object_r:httpd_sys_content_t icons
drwxr-xr-x root      root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x webalizer root system_u:object_r:httpd_sys_content_t usage

As you can see our type for this directory is httpd_sys_content_t. When you point your browser to http://rh54-3.iptables.gen.tr address you will see what is in that directory (e.g index.html)

What if we want to serve virtualhost in a different directory. What will happen?

NameVirtualHost 192.168.200.79:80
#

DocumentRoot /web/docs
ServerName dummy-host.example.com

Once you reload the configuration, you will notice that you can’t display the content of this new directory i.e /web/docs but why?

Lets look at the security context

root@rh54-3 www]# ls -Z /web
drwxr-xr-x root root root:object_r:default_t docs

From the security context, we see that the type for this “docs” folder is default_t and the SELinux policy currently active in the system doesn’t allow to access httpd process with httpd_t type into “/web/docs” folder. Ok ok, what this means or how we can see that SELinux is preventing access. If your setroubleshoot service is running on the system, you will see SELinux messages in your logs. For example when I try to access this new virtualhost, I have got the following message in my log;

Jan 5 15:02:18 rh54-3 setroubleshoot: SELinux is preventing access to files with the default label, default_t. For complete SELinux messages. run sealert -l 188d441e-0307-495b-a6cc-b7915fa408e3

If you run the command log entry suggests, you will have the following output.

[root@rh54-3 www]# sealert -l 188d441e-0307-495b-a6cc-b7915fa408e3

Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, …, should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.
So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: “touch /.autorelabel; reboot”

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:object_r:default_t
Target Objects                ./web [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port
Host                          rh54-3.iptables.gen.tr
Source RPM Packages           httpd-2.2.3-31.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   default
Host Name                     rh54-3.iptables.gen.tr
Platform                      Linux rh54-3.iptables.gen.tr 2.6.18-164.el5 #1 SMP Tue
Aug 18 15:51:54 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Tue Jan 5 15:02:17 2010
Last Seen                     Tue Jan 5 15:02:17 2010
Local ID                      188d441e-0307-495b-a6cc-b7915fa408e3
Line Numbers

Raw Audit Messages

host=rh54-3.iptables.gen.tr type=AVC msg=audit(1262700137.792:35): avc: denied { search } for pid=3508 comm=”httpd” name=”web” dev=dm-0 ino=65568 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir

host=rh54-3.iptables.gen.tr type=AVC msg=audit(1262700137.792:35): avc: denied { getattr } for pid=3508 comm=”httpd” path=”/web/docs” dev=dm-0 ino=65569 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir

host=rh54-3.iptables.gen.tr type=SYSCALL msg=audit(1262700137.792:35): arch=40000003 syscall=195 success=yes exit=0 a0=917c4b0 a1=bfbb510c a2=631ff4 a3=8000 items=0 ppid=3507 pid=3508 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm=”httpd” exe=”/usr/sbin/httpd” subj=root:system_r:httpd_t:s0 key=(null)

It tells us that something is wrong:) as we are trying to access directory that we aren’t allowed to. To solve this issue, we can change the context of the destination directory.

chcon -R -t httpd_sys_content_t /web/

or you could have just copied the type from a known object into this one with;

chcon -R –reference /var/www/html/ /web/

Once you issue this command, all directories under this directory will be within httpd_sys_content_t which will allow httpd process to access because policy says so:)

However, if the filesystem is relabeled somehow, you will lose this labeling. If you want your change to survive during relabeling of the filesystems, then add this into the policy as follows;

semanage fcontext -a -t httpd_sys_content_t “/web(/.*)?”

However in the end, you didn’t like SELinux at all but you only want to disable SELinux for httpd. With the following command you can do this;

setsebool -P httpd_disable_trans 1

I have tried to talk about SELinux briefly. Main focus was apache but I will try to involve ftp,samba and NFS soon.

Please drop your comments if you have anything to add or any correction.