mention SELinux
Since SELinux is now active (and enforced), we should mention it here. A good place might be in the article for the web document root or maybe a standalone article?
Some things I think we should mention are:
Basics
Files not only are subject to the traditional discretionary access controls (DAC) — aka file system permissions (ugo/rwxst) — but with SELinux also to mandatory access control (MAC).
This means that besides drwxr-xr-x. there is also a label; you can notice this by the . suffix. You can view the label for a file with ls -Z or stat (for example):
$ ls ~
drwxr-xr-x. janto janto unconfined_u:object_r:home_bin_t:s0 bin
drwxr-xr-x. janto janto unconfined_u:object_r:user_home_t:s0 etc
lrwxrwxrwx. root root unconfined_u:object_r:user_home_t:s0 html -> /var/www/virtual/janto/html
drwxr-xr-x. janto janto unconfined_u:object_r:user_home_t:s0 logs
drwx------. janto janto unconfined_u:object_r:mail_home_rw_t:s0 Maildir
drwxr-xr-x. janto janto unconfined_u:object_r:user_tmp_t:s0 tmp
drwxr-xr-x. janto janto unconfined_u:object_r:user_home_t:s0 users
BTW: the -Z switch works with a lot of commands (e.g. id -Z, mv -Z, ps -Z).
The Label
The label is the representation of a context and everything in the SELinux world has one; it decides what can be done by, with and to it.
The label has 4 fields, divided by : (the last field can have colons in it, but still, only 4 fields). These are user, role, type and sensitivity. Right now we only care about the type.
So the unconfined_u:object_r:user_home_t:s0 from above has a type of user_home_t.
Files and Labels
Files you create — in your home — generally have the user_home_t label (because they inherit the label from their parent folder). The same goes for downloaded or checked-out files, etc.
$ touch ~/test
$ ls -Z ~/test
-rw-rw-r--. janto janto unconfined_u:object_r:user_home_t:s0 /home/janto/test
$ wget -O ~/index.html google.de
$ ls -Z ~/index.html
-rw-rw-r--. janto janto unconfined_u:object_r:user_home_t:s0 /home/janto/index.html
Notice ~/bin changes the type to home_bin_t:
$ touch ~/bin/cmd.py
$ ls -Z ~/bin/cmd.py
-rw-rw-r--. janto janto unconfined_u:object_r:home_bin_t:s0 /home/janto/bin/cmd.py
Gotchas
If you create a new file, it immediately inherits the context of its parent. This works for cp too, because it creates new files. But not for mv, since the existing context is carried along with the file.
$ cp ~/test ~/html/
$ ls -Z ~/html/
-rw-rw-r--. janto janto unconfined_u:object_r:httpd_sys_content_t:s0 test
But:
$ mv ~/index.html ~/html/
$ ls -Z ~/html/
-rw-rw-r--. janto janto unconfined_u:object_r:user_home_t:s0 index.html
-rw-rw-r--. janto janto unconfined_u:object_r:httpd_sys_content_t:s0 test
An easy way to cope with this is to make it a habit to restore the parent to its default with restorecon:
$ restorecon -Rv ~/html
restorecon reset /var/www/virtual/janto/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
$ ls -Z ~/html
-rw-rw-r--. janto janto unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-rw-r--. janto janto unconfined_u:object_r:httpd_sys_content_t:s0 test
NOTICE: This is important, since Apache will throw a 403 if the content in ~/html is not labeled with httpd_sys_content_t (or similar, see below for more).
Changing Labels
To set a file's context, you can use the chcon command:
$ chcon -t httpd_sys_content_rw_t ~/web-data
This change will survive a reboot. However, this does not update the SELinux user space definition list. So after a restorecon the directory will be reset to the original context.
Conclusion
Well, this is just the basics and the whole semanage thing is probably not needed for users. Instead, we should mention man httpd_selinux — make sure this works on our hosts https://git.uberspace.is/uberspace/uberspace7/issues/611 — and some necessary types for daily operation like:
- httpd_sys_content_t: read-only directories and files
- httpd_sys_content_ra_t: append only
- httpd_sys_content_rw_t: readable and writable directories and files
- httpd_sys_script_exec_t: executable scripts
- httpd_log_t: logs
- httpd_cache_t: mod_cache
FWIW I just opened a (small) PR explaining the permission "pitfall" for web server content, since I was confused by this: #180
@The-Compiler, your PR reads "For the webserver user to be able to access the files, they need to have a SELinux role of httpd_sys_rw_content_t."
Wouldn't httpd_sys_content_t be a better value to put as default in the docs, i.e. allow read-only access from DocumentRoot only by default?!
@Sgt-Nukem that's in fact what the documented restorecon -R command does when you execute it: it sets httpd_sys_content_t according to the SELinux policy:
[root@stardust ~]# semanage fcontext --list |grep /var/www
/var/www(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
I updated the text to match reality in a15e8cfaf921b14fa5d83861c866d1153e182670.
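The mv gotcha from the opening post and the fcontext rule quoted just above can be checked offline: the following added example (not part of this issue or of the uberspace manual) parses ls -Z lines and semanage fcontext --list lines, splits each context into its four fields (the sensitivity field may contain further colons), and reports files whose type differs from what the policy rule would assign, which is exactly what restorecon would reset. The sample lines are constructed from the thread, the cgi-bin rule is a placeholder, and "last matching rule wins" is an assumed simplification of the real lookup.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `ls -Z` output, mirroring the state in
# the issue after `mv ~/index.html ~/html/` but before restorecon ran.
LS_Z_OUTPUT = """\
-rw-rw-r--. janto janto unconfined_u:object_r:user_home_t:s0 /var/www/virtual/janto/html/index.html
-rw-rw-r--. janto janto unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/virtual/janto/html/test
"""

# Constructed sample in the shape of `semanage fcontext --list`; the /var/www
# rule is the one quoted in the thread, the cgi-bin rule is only a placeholder.
FCONTEXT_LIST = """\
SELinux fcontext                 type       Context
/var/www(/.*)?                   all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/[^/]*/cgi-bin(/.*)?     all files  system_u:object_r:httpd_sys_script_exec_t:s0
"""

def split_label(label: str) -> Tuple[str, str, str, str]:
    """user:role:type:sensitivity; only the first three colons separate fields,
    the sensitivity may itself contain colons (e.g. s0-s0:c0.c1023)."""
    user, role, stype, sens = label.split(":", 3)
    return user, role, stype, sens

def parse_ls_z(text: str) -> Dict[str, str]:
    """Map each path in `ls -Z` output (mode user group context name) to its type."""
    types = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 5:
            types[parts[4]] = split_label(parts[3])[2]
    return types

def parse_fcontext(text: str) -> List[Tuple[str, str]]:
    """Return (regex, type) pairs; first token is the regex, last is the context."""
    rules = []
    for parts in (line.split() for line in text.splitlines()[1:]):  # skip header
        if len(parts) >= 3:
            rules.append((parts[0], split_label(parts[-1])[2]))
    return rules

def expected_type(path: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    """Assumption: among matching rules the last one wins, as in file_contexts."""
    winner = None
    for pattern, stype in rules:
        if re.fullmatch(pattern, path):
            winner = stype
    return winner

def find_mislabeled(ls_text: str, fcontext_text: str) -> List[Tuple[str, str, str]]:
    """(path, actual type, policy type) for every file restorecon would relabel."""
    rules = parse_fcontext(fcontext_text)
    found = []
    for path, actual in parse_ls_z(ls_text).items():
        want = expected_type(path, rules)
        if want is not None and want != actual:
            found.append((path, actual, want))
    return found

if __name__ == "__main__":
    for path, actual, want in find_mislabeled(LS_Z_OUTPUT, FCONTEXT_LIST):
        print(f"{path}: {actual} differs from policy {want}; restorecon would reset it")
```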
Whoops, sorry and thanks!