Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Red Hat Enterprise Linux 9 Essentials Book now available.

Purchase a copy of Red Hat Enterprise Linux 9 (RHEL 9) Essentials

Red Hat Enterprise Linux 9 Essentials Print and eBook (PDF) editions contain 34 chapters and 298 pages

Preview Book

Chapter 4. Targeted Policy

Targeted policy is the default SELinux policy used in Red Hat Enterprise Linux. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged in users run in the unconfined_t domain, and system processes started by init run in the initrc_t domain - both of these domains are unconfined.
Unconfined domains (as well as confined domains) are subject to executable and writeable memory checks. By default, subjects running in an unconfined domain can not allocate writeable memory and execute it. This reduces vulnerability to buffer overflow attacks. These memory checks are disabled by setting Booleans, which allow the SELinux policy to be modified at runtime. Boolean configuration is discussed later.

4.1. Confined Processes

Almost every service that listens on a network, such as sshd or httpd, is confined in Red Hat Enterprise Linux. Also, most processes that run as the Linux root user and perform tasks for users, such as the passwd application, are confined. When a process is confined, it runs in its own domain, such as the httpd process running in the httpd_t domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited.
The following example demonstrates how SELinux prevents the Apache HTTP Server (httpd) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example, and should not be used in production. It assumes that the httpd and wget packages are installed, the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
  1. Run the sestatus command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
    $ /usr/sbin/sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted
    
    SELinux status: enabled is returned when SELinux is enabled. Current mode: enforcing is returned when SELinux is running in enforcing mode. Policy from config file: targeted is returned when the SELinux targeted policy is used.
  2. As the Linux root user, run the touch /var/www/html/testfile command to create a file.
  3. Run the ls -Z /var/www/html/testfile command to view the SELinux context:
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
    
    By default, Linux users run unconfined in Red Hat Enterprise Linux, which is why the testfile file is labeled with the SELinux unconfined_u user. RBAC is used for processes, not files. Roles do not have a meaning for files - the object_r role is a generic role used for files (on persistent storage and network file systems). Under the /proc/ directory, files related to processes may use the system_r role.[6] The httpd_sys_content_t type allows the httpd process to access this file.
  4. As the Linux root user, run the service httpd start command to start the httpd process. The output is as follows if httpd starts successfully:
    # /sbin/service httpd start
    Starting httpd:                                            [  OK  ]
    
  5. Change into a directory where your Linux user has write access to, and run the wget https://localhost/testfile command. Unless there are changes to the default configuration, this command succeeds:
    --2009-11-06 17:43:01--  https://localhost/testfile
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 0 [text/plain]
    Saving to: `testfile'
    
    [ <=>                              ] 0     --.-K/s   in 0s
                    
    2009-11-06 17:43:01 (0.00 B/s) - `testfile' saved [0/0]
    
  6. The chcon command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the semanage command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba:
    chcon -t samba_share_t /var/www/html/testfile
    Run the ls -Z /var/www/html/testfile command to view the changes:
    -rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
    
  7. Note: the current DAC permissions allow the httpd process access to testfile. Change into a directory where your Linux user has write access to, and run the wget https://localhost/testfile command. Unless there are changes to the default configuration, this command fails:
    --2009-11-06 14:11:23--  https://localhost/testfile
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    2009-11-06 14:11:23 ERROR 403: Forbidden.
    
  8. As the Linux root user, run the rm -i /var/www/html/testfile command to remove testfile.
  9. If you do not require httpd to be running, as the Linux root user, run the service httpd stop command to stop httpd:
    # /sbin/service httpd stop
    Stopping httpd:                                            [  OK  ]
    
This example demonstrates the additional security added by SELinux. Although DAC rules allowed the httpd process access to testfile in step 7, because the file was labeled with a type that the httpd process does not have access to, SELinux denied access.
An error similar to the following is logged to /var/log/audit/audit.log:
type=AVC msg=audit(1220706212.937:70): avc:  denied  { getattr } for  pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0  tclass=file

type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Also, an error similar to the following is logged to /var/log/httpd/error_log:
[Wed May 06 23:00:54 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /testfile denied


[6] When using other policies, such as MLS, other roles may be used, for example, secadm_r.


 
 
  Published under the terms of the Creative Commons License Design by Interspire