LinuxQuestions.org
Old 12-21-2016, 01:01 PM   #1
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Unable to set SELinux context in CentOS7


Code:
[user1@server1 ~]$ ls -Zd mydir
drwxrwxr-x. user1 user1 unconfined_u:object_r:httpd_sys_script_exec_t:s0 mydir
[user1@server1 ~]$ ls -Zl mydir
total 0
-rw-rw-r--. 1 unconfined_u:object_r:httpd_sys_script_exec_t:s0 user1 user1 0 Dec 21 11:40 file1
[user1@server1 ~]$ ls -Zd /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
[user1@server1 ~]$ ls -Zl /var/www/
total 0
drwxr-xr-x. 2 system_u:object_r:httpd_sys_script_exec_t:s0 root root  6 Nov 14 11:05 cgi-bin
drwxr-xr-x. 2 system_u:object_r:httpd_sys_content_t:s0 root root 23 Nov 14 11:05 html
Now I change the SELinux security context for mydir and its files:

Code:
[user1@server1 ~]$ sudo semanage fcontext -a -t httpd_sys_content_t "mydir(/.*)?"
[sudo] password for user1: 
[user1@server1 ~]$ sudo restorecon -R -v mydir

#But it did not change at all!  WHY?
[user1@server1 ~]$ ls -Zd mydir
drwxrwxr-x. user1 user1 unconfined_u:object_r:httpd_sys_script_exec_t:s0 mydir
[user1@server1 ~]$ ls -Zl mydir
total 0
-rw-rw-r--. 1 unconfined_u:object_r:httpd_sys_script_exec_t:s0 user1 user1 0 Dec 21 11:40 file1
What did I miss?
Thank you.
 
Old 12-21-2016, 02:58 PM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Where is "mydir"?

If it is in a user's home directory then you need to use the booleans to enable access.

Note: (this seems to be in error on Fedora) Normally you would use httpd_enable_homedirs to enable access to home directories, then the user can set httpd_user_content_t on the public directory, and httpd_user_script_t on a directory for cgi.

The CGI really ought to be in the httpd cgi-bin directory after a security validation study as it can grant a remote shell access to the apache account - which in turn gives access to other user data.

Last edited by jpollard; 12-21-2016 at 03:01 PM.
 
Old 12-21-2016, 03:11 PM   #3
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Quote:
Originally Posted by jpollard View Post
Where is "mydir"?

If it is in a user's home directory then you need to use the booleans to enable access.

Note: (this seems to be in error on Fedora) Normally you would use httpd_enable_homedirs to enable access to home directories, then the user can set httpd_user_content_t on the public directory, and httpd_user_script_t on a directory for cgi.

The CGI really ought to be in the httpd cgi-bin directory after a security validation study as it can grant a remote shell access to the apache account - which in turn gives access to other user data.

I am not setting anything specific for http server.
You are suggesting various types of SELinux security contexts to use.

I am just testing if I can set context type for any directory or file.
But I cannot do that with sudo. Why?
 
Old 12-21-2016, 03:22 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Quote:
Originally Posted by fanoflq View Post
I am not setting anything specific for http server.
You are suggesting various types of SELinux security contexts to use.

I am just testing if I can set context type for any directory or file.
But I cannot do that with sudo. Why?
It all depends on WHERE things are defined to be allowed.

User directories are for users, not httpd_sys_content_t (which is read only) content. A "restorecon" will restore them to the defined proper label. httpd_user_content_t is allowed, and the USER is permitted to set it.
 
Old 12-21-2016, 03:32 PM   #5
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,716

Type script_exec_t won't be affected by restorecon because it is what SELinux calls a "customizable type," one that is frequently used on files that can be located in arbitrary places in the filesystem. The file /etc/selinux/targeted/contexts/customizable_types lists those types. You can use chcon to set the type to something else, but neither restorecon nor a complete system relabel operation will change it.

[EDIT] There is a "-F" option for restorecon that will force even customizable types to be reset.

Last edited by rknichols; 12-21-2016 at 03:37 PM. Reason: Add mention of "-F" option
 
Old 12-21-2016, 03:41 PM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Quote:
Originally Posted by rknichols View Post
Type script_exec_t won't be affected by restorecon because it is what SELinux calls a "customizable type," one that is frequently used on files that can be located in arbitrary places in the filesystem. The file /etc/selinux/targeted/contexts/customizable_types lists those types. You can use chcon to set the type to something else, but neither restorecon nor a complete system relabel operation will change it.
I think that depends on the model...

What I see is "httpd_user_script_exec_t" is allowed in home directories (well, /home/public_html/cgi-bin/....) and won't be altered.

The list I find is:
httpd_user_content_t
httpd_user_script_exec_t
httpd_user_htaccess_t
httpd_user_ra_content_t

But this is on Fedora24 which I believe was used on CentOS7.

It would be best to look in /etc/selinux/targeted/contexts/file_contexts and file_contexts.homedirs to verify what is allowed.

Last edited by jpollard; 12-21-2016 at 03:43 PM.
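Posts #5 and #6 both say the deciding question is whether the file's current type appears in the policy's customizable_types list, and that the list differs between policy versions. The helper below is an added example, not code from the thread: it reads the list from a file instead of hard-coding it, extracts the type from an "ls -Zd" line like the poster's, and prints which restorecon invocation will actually relabel the path. The sample list is constructed from the types named in the thread; on a real system point it at /etc/selinux/targeted/contexts/customizable_types.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a plain "restorecon"
# will reset a file's SELinux type, or whether the type is "customizable"
# and needs "restorecon -F". Uses constructed data so it runs without SELinux.

# Constructed stand-in for /etc/selinux/targeted/contexts/customizable_types
# (one type per line). Mixes the types named in posts #5 and #6; the real
# file on your system is authoritative.
CUSTOMIZABLE_FILE="${TMPDIR:-/tmp}/customizable_types.sample.$$"
cat >"$CUSTOMIZABLE_FILE" <<'EOF'
httpd_sys_script_exec_t
httpd_user_content_t
httpd_user_script_exec_t
httpd_user_htaccess_t
httpd_user_ra_content_t
EOF

# Third colon-separated field of a context is the type:
# "unconfined_u:object_r:httpd_sys_script_exec_t:s0" -> httpd_sys_script_exec_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull the context field out of one "ls -Zd" line such as
# "drwxrwxr-x. user1 user1 unconfined_u:object_r:httpd_sys_script_exec_t:s0 mydir"
ls_z_context() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { print $i; exit } }'
}

# Exit status 0 if the type is listed as customizable, i.e. plain restorecon
# (and a full relabel) will leave it alone.
is_customizable() {
    grep -qx -- "$1" "$2"
}

# $1: an "ls -Zd" line, $2: the path. Prints the restorecon command that
# will actually change the label, adding -F only when it is required.
relabel_advice() {
    _ctx=$(ls_z_context "$1")
    _type=$(context_type "$_ctx")
    if is_customizable "$_type" "$CUSTOMIZABLE_FILE"; then
        printf 'restorecon -R -F -v %s\n' "$2"
    else
        printf 'restorecon -R -v %s\n' "$2"
    fi
}
```

Independently of the customizable-type question, the pattern given to semanage fcontext is matched against the absolute path, so a relative pattern such as "mydir(/.*)?" never matches /home/user1/mydir; use the full path.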
 
All times are GMT -5. The time now is 06:15 PM.