Open Source

Practical SELinux for the beginner: Contexts and labels

Vincent Danen gets into some of the basics of working with SELinux. Learn how to work with contexts, which include ports, processes, files, and directories, and labels.

Last time, I introduced you to SELinux: what it is, what it can do, and really why you need it (or a system like it). It is especially important with reported (and fixed) security vulnerabilities on the rise, and each year brings more reports, and more updates for end-users to install. This data tells us that we are in greater need of proactive security measures now than we ever were before. And this is where software like SELinux fits in.

There is a lot to SELinux, and we're only going to touch on SELinux contexts and labels. Suffice it to say, SELinux policies contain various rules that allow interaction between different contexts. Contexts are ports, processes, files, directories, and so on. Instead of getting overwhelmed with the technical concepts of SELinux, we'll instead look at the practical side of using SELinux so that it doesn't seem quite as daunting.

The first thing to do is determine what mode SELinux is running in:

$ getenforce
Enforcing

The getenforce command tells us what mode SELinux is in. The possible modes are Enforcing, Permissive, or Disabled. Enforcing means that SELinux will report access violations and deny the attempt, Permissive tells SELinux to report the violation but allow it, and Disabled completely turns SELinux off.

Ideally, if you are unprepared to run SELinux in Enforcing mode, it should be in Permissive mode.

This can be set at boot by editing (on Red Hat Enterprise Linux and Fedora) the /etc/sysconfig/selinux file and setting the SELINUX option:

SELINUX=enforcing

This will ensure it persists across reboot. SELinux can transition from Enforcing to Permissive easily using the setenforce command. Providing setenforce with a "0" argument will put the system in Permissive mode, a "1" will set it to Enforcing. To transition to or from Disabled mode, you need to reboot after making the appropriate changes to the sysconfig file. Using setenforce can be a great way of troubleshooting problems; if the problem goes away after setting the system to Permissive mode then you know it is SELinux.

If not, then it is something else.

# setenforce 0
# getenforce
Permissive

To view the contexts that a process is running with, add the Z option to ps:

# ps auxZ | grep httpd
system_u:system_r:httpd_t:s0    apache   30544  0.0  0.0 305612  6688 ?        S    Mar30   0:00 /usr/sbin/httpd

This tells us that the httpd process is using the httpd_t type, the system_r role, and the system_u user. More often than not, it is the httpd_t type you would be interested in.

The Z option is also used with other commands, such as ls, cp, id, and others. For instance, to view your security context:

# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Or to view the security context associated with a file:

# ls -lZ /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

Again, probably the most useful bit of information here is the type, in this case it is httpd_sys_content_t.

As an example of how to quickly change the policy, assume that you do not put your websites in /var/www/, but rather use /srv/www/foo.com/html/ for your site's document root. You can configure Apache to use these directories as the DocumentRoot for various websites, but if you were to visit them, Apache would return an error because SELinux would disallow access. SELinux knows nothing about allowing Apache to these directories as of yet.

To determine what type a file needs to have in order for Apache to access it, the above ls command tells us that the type we want is probably httpd_sys_content_t; after all, Apache by default serves files from /var/www/html/. Another, probably better, way is to use the semanage tool.

This tool is used to show, and change, defined SELinux policy. We could also do:

# semanage fcontext -l | grep '/var/www'
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0

This command tells semanage to list all fcontext entries (file contexts), and we hand that output to grep to search for and display '/var/www'. For brevity, the whole output is not shown, but the above confirms that /var/www/* has the httpd_sys_content_t type. So what we need to do is tell SELinux to give this same type to /srv/www/foo.com/html/*, so that Apache can serve up those files.

This can be done by using semanage to add a new context:

# semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'
# semanage fcontext -l | grep '/srv/www'
/srv/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
# restorecon -Rv /srv/www

The SELinux policies here use regular expressions, so the above tells semanage to add (-a) a new fcontext with the type (-t) httpd_sys_content_t, and targets /srv/www itself and any sub-directories and files. We use semanage to list the fcontexts and search for any '/srv/www' entries, to verify it is in place, and then use restorecon to re-label and set the appropriate security context on the /srv/www directory and any sub-directories and files.

At this point, Apache will serve content from that directory if configured to do so, because Apache has the right to read httpd_sys_content_t files and /srv/www/ will now be labeled correctly.

The restorecon tool is used to set default contexts on files and directories, according to policy. You will become very familiar with this tool because it is used very often. For instance, if you move a file from a home directory to this web root, it will not immediately gain the appropriate security context because the mv command retains the existing context (cp will make a new context because it is making a new file). For instance:

% echo "my file" >file.html
% ls -Z file.html
-rw-rw-r--. vdanen vdanen unconfined_u:object_r:user_home_t:s0 file.html
% mv file.html /srv/www/foo.com/html/
% ls -Z /srv/www/foo.com/html/
-rw-rw-r--. vdanen vdanen unconfined_u:object_r:user_home_t:s0 file.html

Apache is not, by default, allowed to serve up user_home_t files, so any attempt to display this file via Apache will fail with denied access. restorecon is required to re-label the file so Apache can access it:

# restorecon -v /srv/www/foo.com/html/file.html
restorecon reset /srv/www/foo.com/html/file.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0

Now the security context of the file is correct.

Similarly, when going from Disabled mode to Permissive or Enforcing mode, SELinux will have to re-label the entire filesystem (effectively running "estorecon /) because contexts are not set at all when SELinux is disabled.

Once you wrap your head around these basics of SELinux, all of a sudden it is no more difficult to use than manipulating iptables firewall rules. Just as you would adjust your firewall to allow access to a new service, you adjust SELinux file contexts to allow applications and services to access them. Yes, it does require a little more work to set up, initially, but the security benefits are really quite useful, especially considering that the bulk of this kind of manipulation will only happen when initially setting up a system or adding new services. And getting into the habit of running restorecon on new files and directories as they are created isn't any more difficult than using ls on them to double-check their permissions.

The next and final tip on SELinux will introduce us to SELinux logging, to detect access violations, and to some other basic SELinux commands.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

13 comments
skhalid555
skhalid555

Hello,

Many thanks for excellent article

we have apache running with "Include /opt/file.conf"

when we are restarting apache with selinux enforcingĀ 

Apache failed to start

I checked /opt/file.conf file permission and selinux label with matchpathcon and its show verified

If i set selinux to permissive mode , i am able to start apache.

Anybody encountered similar issue.

Thanks

Mohammed Khalid


lojabrazil
lojabrazil

Excellent article. Thanks. Comprar Loja

jaycutler
jaycutler

Very dashing and attractive woody vases. Creativity is clearly showing. Nice work. Essay Help Dissertation Help

instalacao
instalacao

Thanks for jobs ! ... post that revealed answers for questions I have been posing to myself for ages. This site has been such a great help to me. Ar Condicionado Massagista Acompanhantes

marshalreon
marshalreon

I have been depressed and low in energy due to some personal problem, but after reading your article today, I suddenly felt a boost within me and guess what there was a sudden change in my behavior, that???s because your article gave me the best solution for solving the problems in my life. Essay Help |Cheap Custom Essays|Write My Essay

jack6666
jack6666

... post that revealed answers for questions I have been posing to myself for ages. This site has been such a great help to me. Landscape Lighting|Outdoor Security Lighting

Weazley
Weazley

We get this thing proper and this is what we understand. Buy Essay - Thesis Writing - Dissertation Writing - Course Work - Assignment writing

isakson
isakson

This is a better description than I got from Red Hat training. Kudos to the author!

jack6666
jack6666

... that went into this post, I dare say the value has to be something in the range of a thousand fold. I really like this blog. Driveway Lights

jamesaustinwarn
jamesaustinwarn

After read blog topic's related post now I feel my research is almost completed. happy to see that.Thanks to share this brilliant matter. buy essay online