Red hat linux types

11.2. Types

The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.

This is a generic type used for the location of files (and the actual files) to be shared via rsync . If a special directory is created to house files to be shared with rsync , the directory and its contents need to have this label applied to them.

This type is used for the rsync log file, located at /var/log/rsync.log by default. To change the location of the file rsync logs to, use the —log-file=FILE option to the rsync command at run-time.

This type is used for the rsyncd lock file, located at /var/run/rsyncd.lock . This lock file is used by the rsync server to manage connection limits.

This type is used for files and directories which you want to use as rsync domains and isolate them from the access scope of other services. Also, the public_content_t is a general SELinux context type, which can be used when a file or a directory interacts with multiple services (for example, FTP and NFS directory as an rsync domain).

Источник

2.2. Types

The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.

Читайте также:  All about linux administration

The following example creates a new file in the /var/www/html/ directory, and shows the file inheriting the httpd_sys_content_t type from its parent directory ( /var/www/html/ ):

~]$ ls -dZ /var/www/html drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
~]$ ls -Z /var/www/html/file1 -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1

The ls -Z command shows file1 labeled with the httpd_sys_content_t type. SELinux allows httpd to read files labeled with this type, but not write to them, even if Linux permissions allow write access. SELinux policy defines what types a process running in the httpd_t domain (where httpd runs) can read and write to. This helps prevent processes from accessing files intended for use by another process.

For example, httpd can access files labeled with the httpd_sys_content_t type (intended for the Apache HTTP Server), but by default, cannot access files labeled with the samba_share_t type (intended for Samba). Also, files in user home directories are labeled with the user_home_t type: by default, this prevents httpd from reading or writing to files in user home directories.

The following lists some of the types used with httpd . Different types allow you to configure flexible access:

Use this type for static web content, such as .html files used by a static website. Files labeled with this type are accessible (read only) to httpd and scripts executed by httpd . By default, files and directories labeled with this type cannot be written to or modified by httpd or other processes. Note that by default, files created in or copied into /var/www/html/ are labeled with the httpd_sys_content_t type.

Use this type for scripts you want httpd to execute. This type is commonly used for Common Gateway Interface (CGI) scripts in /var/www/cgi-bin/ . By default, SELinux policy prevents httpd from executing CGI scripts. To allow this, label the scripts with the httpd_sys_script_exec_t type and enable the httpd_enable_cgi Boolean. Scripts labeled with httpd_sys_script_exec_t run in the httpd_sys_script_t domain when executed by httpd . The httpd_sys_script_t domain has access to other system domains, such as postgresql_t and mysqld_t .

Читайте также:  Linux web host server

Files labeled with this type can be written to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_rw_content_t type to label files that will be read from and written to by scripts labeled with the httpd_sys_script_exec_t type.

Files labeled with this type can be appended to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_ra_content_t type to label files that will be read from and appended to by scripts labeled with the httpd_sys_script_exec_t type.

Scripts labeled with this type run without SELinux protection. Only use this type for complex scripts, after exhausting all other options. It is better to use this type instead of disabling SELinux protection for httpd , or for the entire system.

~]$ grep httpd /etc/selinux/targeted/contexts/files/file_contexts

Procedure 2.1. Changing the SELinux Context

The type for files and directories can be changed with the chcon command. Changes made with chcon do not survive a file system relabel or the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. The following example demonstrates creating a new directory and an index.html file for use by httpd , and labeling that file and directory to allow httpd access to them:

Run the mkdir -p /my/website command as the root user to create a top-level directory structure to store files to be used by httpd .

Files and directories that do not match a pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services:

~]$ ls -dZ /my drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /my

Run the chcon -R -t httpd_sys_content_t /my/ command as the root user to change the type of the /my/ directory and subdirectories, to a type accessible to httpd . Now, files created under /my/website/ inherit the httpd_sys_content_t type, rather than the default_t type, and are therefore accessible to httpd:

~]# chcon -R -t httpd_sys_content_t /my/ ~]# touch /my/website/index.html ~]# ls -Z /my/website/index.html -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /my/website/index.html

Refer to the Temporary Changes: chcon section of the Red Hat Enterprise Linux 6 SELinux User Guide for further information about chcon .

Читайте также:  How to rename files in linux terminal

Use the semanage fcontext command ( semanage is provided by the policycoreutils-python package) to make label changes that survive a relabel and the restorecon command. This command adds changes to file-context configuration. Then, run restorecon , which reads file-context configuration, to apply the label change. The following example demonstrates creating a new directory and an index.html file for use by httpd , and persistently changing the label of that directory and file to allow httpd access to them:

Run the mkdir -p /my/website command as the root user to create a top-level directory structure to store files to be used by httpd .

~]# semanage fcontext -a -t httpd_sys_content_t "/my(/.*)?"

The «/my(/.*)?» expression means the label change applies to the /my/ directory and all files and directories under it.

Run the restorecon -R -v /my/ command as the root user to apply the label changes ( restorecon reads file-context configuration, which was modified by the semanage command in step 2):

~]# restorecon -R -v /my/ restorecon reset /my context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0 restorecon reset /my/website context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0 restorecon reset /my/website/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0

Refer to the Persistent Changes: semanage fcontext section of the Red Hat Enterprise Linux SELinux User Guide for further information on semanage.

Источник

Оцените статью
Adblock
detector