Targeted policy is the default SELinux policy used in Fedora 10. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged in users run in the unconfined_t
domain, and system processes started by init run in the initrc_t
domain - both of these domains are unconfined.
Unconfined domains (as well as confined domains) are subject to executable and writeable memory checks. By default, subjects running in an unconfined domain can not allocate writeable memory and execute it. This reduces vulnerability to buffer overflow attacks. These memory checks are disable by setting Booleans, which allow the SELinux policy to be modified at runtime. Boolean configuration is discussed later.
Almost every process that has network access is confined in Fedora 10. Most processes that run as the Linux root user and perform tasks for users, such as the passwd application, are confined. When a process is confined, it runs in its own domain, such as the httpd
process running in the httpd_t
domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited.
The following example demonstrates how SELinux prevents the Apache HTTP Server (httpd
) from reading files that are not correctly labeled, such as files intended for use by Samba. This is an example, and should not be used in production. It assumes that the httpd, wget, setroubleshoot-server, and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
Run the /usr/sbin/sestatus
command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 23 Policy from config file: targeted
SELinux status: enabled
is returned when SELinux is enabled. Current mode: enforcing
is returned when SELinux is running in enforcing mode. Policy from config file: targeted
is returned when the SELinux targeted policy is used.
As the Linux root user, run the touch /var/www/html/testfile
command to create a file.
Run the ls -Z /var/www/html/testfile
command to view the SELinux context:
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/testfile
By default, Linux users run unconfined in Fedora 10, which is why the testfile
file is labeled with the SELinux unconfined_u
user. RBAC is used for processes, not files. Roles do not have a meaning for files - the object_r
role is a generic role used for files (on persistent storage and network file systems). Under the /proc/
directory, files related to processes may use the system_r
role.[6] The httpd_sys_content_t
type allows the httpd
process to access this file.
As the Linux root user, run the /sbin/service httpd start
command to start the httpd
process. The output is as follows if httpd
starts successfully:
# /sbin/service httpd start Starting httpd: [ OK ]
Change into a directory where your Linux user has write access to, and run the wget http://localhost/testfile
command. Unless there are any changes to the default configuration, this command succeeds:
--2008-09-06 23:00:01-- http://localhost/testfile Resolving localhost... 127.0.0.1 Connecting to localhost|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 0 [text/plain] Saving to: `testfile' [ <=> ] 0 --.-K/s in 0s 2008-09-06 23:00:01 (0.00 B/s) - `testfile' saved [0/0]
The /usr/bin/chcon
command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the semanage
command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba:
/usr/bin/chcon -t samba_share_t /var/www/html/testfile
Run the ls -Z /var/www/html/testfile
command to view the changes:
-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile
Note: the current DAC permissions allow the httpd
process access to testfile
. Change into a directory where your Linux user has write access to, and run the wget http://localhost/testfile
command. Unless there are any changes to the default configuration, this command fails:
--2008-09-06 23:00:54-- http://localhost/testfile Resolving localhost... 127.0.0.1 Connecting to localhost|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 403 Forbidden 2008-09-06 23:00:54 ERROR 403: Forbidden.
As the Linux root user, run the rm -i /var/www/html/testfile
command to remove testfile
.
If you do not require httpd
to be running, as the Linux root user, run the /sbin/service httpd stop
command to stop httpd
:
# /sbin/service httpd stop Stopping httpd: [ OK ]
This example demonstrates the additional security added by SELinux. Although DAC rules allowed the httpd
process access to testfile
in step 7, because the file was labeled with a type that the httpd
process does not have access to, SELinux denied access. After step 7, an error similar to the following is logged to /var/log/messages
:
Sep 6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /var/www/html/testfile (samba_share_t). For complete SELinux messages. run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
Previous log files may use a /var/log/messages.
format. When running syslog-ng, previous log files may use a YYYYMMDD
/var/log/messages.
format. If the X
setroubleshootd
and auditd
processes are running, errors similar to the following are logged to /var/log/audit/audit.log
:
type=AVC msg=audit(1220706212.937:70): avc: denied { getattr } for pid=1904 comm="httpd" path="/var/www/html/testfile" dev=sda5 ino=247576 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no exit=-13 a0=b9e21da0 a1=bf9581dc a2=555ff4 a3=2008171 items=0 ppid=1902 pid=1904 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Also, an error similar to the following is logged to /etc/httpd/logs/error_log
:
[Sat Sep 06 23:00:54 2008] [error] [client 127.0.0.1
] (13)Permission denied: access to /testfile denied
In Fedora 10, the setroubleshoot-server and audit packages are installed by default. These packages include the setroubleshootd
and auditd
daemons respectively. These daemons run by default. Stopping either of these daemons changes where SELinux denials are written to. Refer to Section 5.2, “Which Log File is Used” for further information.