SELinux : Change File Types
2021/03/02
It's possible to modify access control settings by changing the File Type of a file, without changing any boolean value.
This example is based on the [targeted] policy environment.
[1] Default SELinux contexts are defined under [(policy directory)/contexts/files], as follows.
[root@dlp ~]# ll /etc/selinux/targeted/contexts/files
total 1004
-rw-r--r--. 1 root root 405989 Feb 25 13:10 file_contexts
-rw-r--r--. 1 root root 572087 Feb 25 13:10 file_contexts.bin
-rw-r--r--. 1 root root 13770 Feb 25 13:10 file_contexts.homedirs
-rw-r--r--. 1 root root 18938 Feb 25 13:10 file_contexts.homedirs.bin
-rw-r--r--. 1 root root 0 Feb 19 20:04 file_contexts.local
-rw-r--r--. 1 root root 0 Feb 19 20:04 file_contexts.subs
-rw-r--r--. 1 root root 565 Feb 19 20:04 file_contexts.subs_dist
-rw-r--r--. 1 root root 139 Feb 19 20:04 media
[root@dlp ~]# head /etc/selinux/targeted/contexts/files/file_contexts
/.*  system_u:object_r:default_t:s0
/[^/]+  --  system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)  --  system_u:object_r:quota_db_t:s0
/nsr(/.*)?  system_u:object_r:var_t:s0
/sys(/.*)?  system_u:object_r:sysfs_t:s0
/xen(/.*)?  system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)?  -d  system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?  -l  system_u:object_r:mnt_t:s0
/bin/.*  system_u:object_r:bin_t:s0
/dev/.*  system_u:object_r:device_t:s0
[2] For example, change the File Type in order to use CGI on httpd.
The boolean for using CGI on httpd is set [on] by default,
so with the default SELinux settings it is already possible to run CGI scripts under the default directory [/var/www/cgi-bin/] once httpd is configured for it.
[root@dlp ~]# semanage boolean -l | grep httpd_enable_cgi
httpd_enable_cgi (on , on) Allow httpd to enable cgi
[root@dlp ~]# grep "cgi" /etc/selinux/targeted/contexts/files/file_contexts | grep "httpd"
/opt/.*\.cgi  --  system_u:object_r:httpd_sys_script_exec_t:s0
/usr/.*\.cgi  --  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/[^/]*/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?  --  system_u:object_r:httpd_suexec_exec_t:s0
/var/log/cgiwrap\.log.*  --  system_u:object_r:httpd_log_t:s0
# create a test script and access it; the request succeeds
[root@dlp ~]# curl localhost/cgi-bin/index.py
CGI Test Page
However, if you'd like to use CGI in another directory, access is denied as follows even when the httpd settings are correct.
[root@dlp ~]# curl localhost/cgi-enabled/index.py
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
.....
.....
# [httpd_sys_content_t] is assigned
[root@dlp ~]# ls -lZ /var/www/html/cgi-enabled
total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 246 Feb 25 13:28 index.py
In that case, the File Type must be changed to one that SELinux allows to run as CGI.
[3] Change the File Type as follows. Be careful, however: a change made with the [chcon] command is reverted when [restorecon] is run or the filesystem is relabeled.
[root@dlp ~]# chcon -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py
[root@dlp ~]# ls -lZ /var/www/html/cgi-enabled
total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 246 Feb 25 13:28 index.py
[root@dlp ~]# curl localhost/cgi-enabled/index.py
CGI Test Page
# accessed
[4] To change the Type permanently, set it as follows.
[root@dlp ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/cgi-enabled/index.py
[root@dlp ~]# grep "cgi-enabled" /etc/selinux/targeted/contexts/files/file_contexts.local
/var/www/html/cgi-enabled/index.py    system_u:object_r:httpd_sys_script_exec_t:s0
# written to file_contexts.local as the default context; the file's own label is unchanged until restorecon is run
[root@dlp ~]# ls -lZ /var/www/html/cgi-enabled
total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 246 Feb 25 13:28 index.py
# apply the new default with [restorecon]
[root@dlp ~]# restorecon /var/www/html/cgi-enabled/index.py
[root@dlp ~]# ls -lZ /var/www/html/cgi-enabled
total 4
-rwxr-xr-x. 1 root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 246 Feb 25 13:28 index.py
# restored
[root@dlp ~]# curl localhost/cgi-enabled/index.py
CGI Test Page
# accessed
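As an added illustration that is not part of the original page, the following shell script models how a path is matched against file_contexts rules (regex, optional kind qualifier, context) and reports a file whose current label differs from its default, which is the drift that [chcon] creates and [restorecon] undoes. It uses a constructed subset of the rules shown above plus the file_contexts.local rule from step [4], and assumes the last matching rule wins, so the appended local rule overrides the generic /var/www rule.

```shell
#!/bin/sh
# Constructed subset of the targeted policy's file_contexts (not the real file),
# with the file_contexts.local rule from step [4] appended last.
# Fields: regex, optional kind qualifier (-- file, -d dir, -l symlink), context.
# Assumption of this model: the last matching rule wins, so the appended
# local rule overrides the generic /var/www rule for index.py.
SPECS='/.* system_u:object_r:default_t:s0
/usr/.* system_u:object_r:usr_t:s0
/usr/.*\.cgi -- system_u:object_r:httpd_sys_script_exec_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/cgi-enabled/index.py system_u:object_r:httpd_sys_script_exec_t:s0'

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    t=${1#*:}; t=${t#*:}; printf '%s\n' "${t%%:*}"
}

# expected_type PATH KIND -> type the rules assign to PATH; KIND is f, d or l
expected_type() {
    path=$1 kind=$2
    printf '%s\n' "$SPECS" | {
        found=
        while read -r re a b; do
            if [ -n "$b" ]; then qual=$a; ctx=$b; else qual=; ctx=$a; fi
            case "$qual" in
                --) [ "$kind" = f ] || continue ;;
                -d) [ "$kind" = d ] || continue ;;
                -l) [ "$kind" = l ] || continue ;;
            esac
            # rule regexes are anchored to the whole path, as in file_contexts
            printf '%s\n' "$path" | grep -Eq -e "^${re}\$" && found=$(ctx_type "$ctx")
        done
        printf '%s\n' "$found"
    }
}

# check_drift PATH KIND CURRENT_CONTEXT -> "ok" (status 0) or a drift report
# (status 1), i.e. what restorecon -n -v would report for that one path.
check_drift() {
    want=$(expected_type "$1" "$2"); have=$(ctx_type "$3")
    if [ "$want" = "$have" ]; then printf 'ok\n'; return 0; fi
    printf 'drift: %s is %s, expected %s\n' "$1" "$have" "$want"; return 1
}

# Constructed label, as ls -lZ showed it before restorecon in step [4]
check_drift /var/www/html/cgi-enabled/index.py f \
    unconfined_u:object_r:httpd_sys_content_t:s0 || true
```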