Difference between revisions of "SELinux Notes"

From Simson Garfinkel
Revision as of 20:09, 19 March 2019

SELinux is enabled by default on CentOS 7 and on RHEL. It's a good thing to enable for internet-facing servers. It makes it far, far more complex to run a web server.


References:


Problem: Apache can't access the files

   sudo /sbin/restorecon -R /var/www             # relabel the web root according to the loaded policy
   setsebool -P httpd_read_user_content 1        # persistently (-P) allow httpd to read user content

Running a web server:

If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security

  1. Use ls -lZ /var/www/html/xxx to check the security context
  2. You can give the web server read/write access to the files with:
   chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx


CGI scripts under SELinux

To execute a CGI script under SELinux, the script must be in the httpd_sys_rw_content_t security context. There are two ways to set the security context:

  1. The context can be set manually on a per-file basis with the _chcon_ command
  2. The context can be derived from an SELinux policy. Policies provide regular expressions that match filenames and automatically assign contexts.

The Red Hat SELinux installation appears to install rules for the cgi-bin directory, but it does not allow you to use the .cgi extension.

You can see the SELinux policies that might apply to cgi-bin with:

   $ semanage fcontext --list | grep cgi-bin

You can explicitly set the SELinux context of a script in the cgi-bin directory with:

   $ chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/script.cgi

You can take it away with:

   $ chcon -t unlabeled_t /var/www/cgi-bin/script.cgi

Check the file's SELinux attributes with `ls -laZ`:

   $ ls -laZ /var/www/cgi-bin/script.cgi

It looks like we can add a policy with the semanage command. I tried this to make everything in the bin directory under /var/www/html executable:

   $ semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/bin(/.*)?"
   $ restorecon -R -v /var/www/html/bin
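To check the result of the labeling steps above without reading each `ls -laZ` line by hand, here is an added example (not part of the original notes) that audits a CGI directory listing for files missing httpd_sys_script_exec_t, the type the chcon command above assigns, and prints the corresponding chcon fix. It assumes the CentOS 7 / RHEL 7 `ls -lZ` column layout; the listing embedded in it is constructed sample data.

```shell
#!/bin/sh
# Audit the SELinux type on files in a CGI directory from 'ls -laZ' output and
# flag any script that does not carry httpd_sys_script_exec_t.
# Assumed column layout (CentOS 7 / RHEL 7 coreutils):
#   perms links owner group user:role:type:level size month day time name
# SAMPLE_LISTING below is constructed sample data, not real 'ls' output.

CGI_EXEC_TYPE="httpd_sys_script_exec_t"

# selinux_type CONTEXT -> prints the type, i.e. the third colon-separated field.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled_cgi: reads 'ls -laZ' lines on stdin and prints one line per regular
# file whose type is not $CGI_EXEC_TYPE, with the chcon command that fixes it.
# The "total N" line and directory entries (., ..) are skipped.
mislabeled_cgi() {
    while read -r perms _links _owner _group ctx _size _mon _day _time name; do
        [ -n "$name" ] || continue             # "total N" has no name field
        case "$perms" in d*) continue ;; esac  # directories are not scripts
        t=$(selinux_type "$ctx")
        if [ "$t" != "$CGI_EXEC_TYPE" ]; then
            printf '%s: %s (fix: chcon -t %s %s)\n' "$name" "$t" "$CGI_EXEC_TYPE" "$name"
        fi
    done
}

# count_mislabeled LISTING -> number of flagged files in the listing string.
count_mislabeled() {
    printf '%s\n' "$1" | mislabeled_cgi | wc -l | tr -d ' '
}

SAMPLE_LISTING='total 12
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_script_exec_t:s0 4096 Mar 19 20:09 .
drwxr-xr-x. 4 root root system_u:object_r:httpd_sys_content_t:s0 4096 Mar 19 20:00 ..
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 210 Mar 19 20:05 ok.cgi
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 180 Mar 19 20:06 copied.cgi
-rwxr-xr-x. 1 root root unconfined_u:object_r:unlabeled_t:s0 95 Mar 19 20:07 reset.cgi'

# Stand-alone run: report the two mislabeled scripts in the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | mislabeled_cgi
```

On a real host, feed it `ls -laZ /var/www/cgi-bin | mislabeled_cgi` instead of the sample; after fixing labels with chcon or restorecon, re-run it until nothing is reported.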



References:

  • https://serverfault.com/questions/691501/apache-permission-denied-exec-of-var-www-html-cgi-test-first-pl-failed

Disabling SELinux

  • edit /etc/selinux/config and change SELINUX from 'enforcing' to 'permissive'