Unconfined processes run in unconfined domains, for example, init programs run in the unconfined initrc_t
domain, unconfined kernel processes run in the kernel_t
domain, and unconfined Linux users run in the unconfined_t
domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them.
The following example demonstrates how the Apache HTTP Server (httpd
) can access data intended for use by Samba, when running unconfined. Note: in Fedora 10, the httpd
process runs in the confined httpd_t
domain by default. This is an example, and should not be used in production. It assumes that the httpd, wget, setroubleshoot-server, and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode:
Run the /usr/sbin/sestatus
command to confirm that SELinux is enabled, is running in enforcing mode, and that targeted policy is being used:
SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 23 Policy from config file: targeted
SELinux status: enabled
is returned when SELinux is enabled. Current mode: enforcing
is returned when SELinux is running in enforcing mode. Policy from config file: targeted
is returned when the SELinux targeted policy is used.
As the Linux root user, run the touch /var/www/html/test2file
command to create a file.
Run the ls -Z /var/www/html/test2file
command to view the SELinux context:
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/test2file
By default, Linux users run unconfined in Fedora 10, which is why the test2file
file is labeled with the SELinux unconfined_u
user. RBAC is used for processes, not files. Roles do not have a meaning for files - the object_r
role is a generic role used for files (on persistent storage and network file systems). Under the /proc/
directory, files related to processes may use the system_r
role.[7] The httpd_sys_content_t
type allows the httpd
process to access this file.
The /usr/bin/chcon
command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the /usr/sbin/semanage
command, which is discussed later. As the Linux root user, run the /usr/bin/chcon -t samba_share_t /var/www/html/test2file
command to change the type, to a type used by Samba. Run the ls -Z /var/www/html/test2file
command to view the changes:
-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test2file
Run the /sbin/service httpd status
command to confirm that the httpd
process is not running:
$ /sbin/service httpd status httpd is stopped
If the output differs, run the /sbin/service httpd stop
command as the Linux root user to stop the httpd
process:
# /sbin/service httpd stop Stopping httpd: [ OK ]
To make the httpd
process run unconfined, run the following command as the Linux root user to change the type of /usr/sbin/httpd
, to a type that does not transition to a confined domain:
/usr/bin/chcon -t unconfined_exec_t /usr/sbin/httpd
Run the ls -Z /usr/sbin/httpd
command to confirm that /usr/sbin/httpd
is labeled with the unconfined_exec_t
type:
-rwxr-xr-x root root system_u:object_r:unconfined_exec_t /usr/sbin/httpd
As the Linux root user, run the /sbin/service httpd start
command to start the httpd
process. The output is as follows if httpd
starts successfully:
# /sbin/service httpd start Starting httpd: [ OK ]
Run the ps -eZ | grep httpd
command to view the httpd
running in the unconfined_t
domain:
$ ps -eZ | grep httpd unconfined_u:system_r:unconfined_t7721
? 00:00:00 httpd unconfined_u:system_r:unconfined_t7723
? 00:00:00 httpd unconfined_u:system_r:unconfined_t7724
? 00:00:00 httpd unconfined_u:system_r:unconfined_t7725
? 00:00:00 httpd unconfined_u:system_r:unconfined_t7726
? 00:00:00 httpd unconfined_u:system_r:unconfined_t7727
? 00:00:00 httpd unconfined_u:system_r:unconfined_t7728
? 00:00:00 httpd unconfined_u:system_r:unconfined_t7729
? 00:00:00 httpd unconfined_u:system_r:unconfined_t7730
? 00:00:00 httpd
Change into a directory where your Linux user has write access to, and run the wget http://localhost/test2file
command. Unless there are any changes to the default configuration, this command succeeds:
--2008-09-07 01:41:10-- http://localhost/test2file Resolving localhost... 127.0.0.1 Connecting to localhost|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 0 [text/plain] Saving to: `test2file.1' [ <=> ]--.-K/s in 0s 2008-09-07 01:41:10 (0.00 B/s) - `test2file.1' saved [0/0]
Although the httpd
process does not have access to files labeled with the samba_share_t
type, httpd
is running in the unconfined unconfined_t
domain, and falls back to using DAC rules, and as such, the wget
command succeeds. Had httpd
been running in the confined httpd_t
domain, the wget
command would have failed.
The /sbin/restorecon
command restores the default SELinux context for files. As the Linux root user, run the restorecon -v /usr/sbin/httpd
command to restore the default SELinux context for /usr/sbin/httpd
:
# restorecon -v /usr/sbin/httpd restorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_notrans_exec_t:s0->system_u:object_r:httpd_exec_t:s0
Run the ls -Z /usr/sbin/httpd
command to confirm that /usr/sbin/httpd
is labeled with the httpd_exec_t
type:
$ ls -Z /usr/sbin/httpd -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
As the Linux root user, run the /sbin/service httpd restart
command t restart httpd
. After restarting, run the ps -eZ | grep httpd
to confirm that httpd
is running in the confined httpd_t
domain:
# /sbin/service httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ] # ps -eZ | grep httpd unconfined_u:system_r:httpd_t 8880 ? 00:00:00 httpd unconfined_u:system_r:httpd_t 8882 ? 00:00:00 httpd unconfined_u:system_r:httpd_t 8883 ? 00:00:00 httpd unconfined_u:system_r:httpd_t 8884 ? 00:00:00 httpd unconfined_u:system_r:httpd_t 8885 ? 00:00:00 httpd unconfined_u:system_r:httpd_t 8886 ? 00:00:00 httpd unconfined_u:system_r:httpd_t 8887 ? 00:00:00 httpd unconfined_u:system_r:httpd_t 8888 ? 00:00:00 httpd unconfined_u:system_r:httpd_t 8889 ? 00:00:00 httpd
As the Linux root user, run the rm -i /var/www/html/test2file
command to remove test2file
.
If you do not require httpd
to be running, as the Linux root user, run the /sbin/service httpd stop
command to stop httpd
:
# /sbin/service httpd stop Stopping httpd: [ OK ]
The examples in these sections demonstrate how data can be protected from a compromised confined-process (protected by SELinux), as well as how data is more accessible to an attacker from a compromised unconfined-process (not protected by SELinux).