SELinux advanced: targeted policy management, unconfined processes and users (1)

Source: Internet
Author: User

1. Manage Unconfined Processes

Unconfined processes run in unconfined domains. For example, the init process runs in the unconfined initrc_t domain, the unconfined kernel process runs in the kernel_t domain, and unconfined users run in the unconfined_t domain. SELinux policy rules still apply to unconfined processes, but the rules that allow a process to run in an unconfined domain allow almost every access. Therefore, if an unconfined process is taken over by an attacker, SELinux cannot stop that attacker from reaching system resources and data. DAC rules still apply, of course, because SELinux adds a layer of enforcement on top of Linux DAC rather than replacing it.

The following example shows how the httpd process of the Apache HTTP Server can be made to run without any restriction and access data that should only be reachable by the Samba server. Note that in Fedora 10, httpd processes are confined to the httpd_t domain by default. The example assumes that httpd, wget (a multi-threaded download tool similar to Flashget on Windows), setroubleshoot-server, audit and other packages are installed on the system, and that SELinux is running in enforcing mode.

1) Run the sestatus command to confirm that SELinux is enabled and running in enforcing mode. The output should match Figure 1:

Figure 1 Run the sestatus command to check whether SELinux is running

2) As root, create a new test file, testfile2, under the httpd document root:

  # touch /var/www/html/testfile2

3) Run ls -Z to view the SELinux context of the newly created file, as shown in Figure 2:

Figure 2 Use ls -Z to view the SELinux context of the newly created file

The output shows that Linux users run in the unconfined domain by default, so the SELinux user of testfile2 is unconfined_u. RBAC applies to processes rather than files; since a role has no special meaning for a file, the generic object_r role is assigned. The httpd_sys_content_t type is what allows the httpd process to access the file.

4) Use the chcon command to change the file context temporarily; the change is lost once the system is restarted. To change the context permanently, use the semanage command. Run the following command to change the file type to one that the Samba server is allowed to access:

  # chcon -t samba_share_t /var/www/html/testfile2

Then run ls -Z to view the result:

  # ls -Z /var/www/html/testfile2
  -rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile2

5) Stop the httpd service before changing it from confined to unconfined:

  # /sbin/service httpd stop

6) As root, run the following command to relabel the httpd executable so that the process runs unconfined instead of confined:

  # chcon -t unconfined_exec_t /usr/sbin/httpd

Then run ls -Z on the executable to confirm that the change took effect:

  # ls -Z /usr/sbin/httpd
  -rwxr-xr-x  root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd

7) For the new label to take effect at runtime, restart the httpd service, as shown in Figure 6-22:

8) Run ps -eZ | grep httpd to check whether the httpd process now runs in an unconfined domain, as shown in Figure 3:

Figure 3 Start the httpd process and view its domain
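The two labels the walkthrough produces (samba_share_t under the web root and unconfined_exec_t on the httpd binary, with httpd then running as unconfined_t) are exactly what an administrator would want to detect on a server. The script below is an added example, not code from the article: its helpers parse `ls -Z` and `ps -eZ` output from stdin, so they run offline on the constructed sample output embedded here and can be fed real command output with the assumed `--live` flag.

```shell
#!/bin/sh
# Added audit helpers (not from the original article). They parse `ls -Z` and
# `ps -eZ` output read from stdin, so they can be exercised offline on the
# constructed samples below and pointed at real command output on a live host.

# Print "<path> <type>" for every `ls -Z` line whose SELinux type is in the
# space-separated list given as $1 (e.g. "unconfined_exec_t samba_share_t").
# The context field is found by its user:role:type shape, so both the old long
# `ls -Z` layout shown in the article and the short modern layout parse.
flag_file_types() {
    awk -v risky="$1" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        {
            ctx = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:[^:]+:[^:]+/) { ctx = $i; break }
            split(ctx, f, ":")
            if (f[3] in bad) print $NF, f[3]
        }'
}

# Print "<pid> <cmd>" for every `ps -eZ` line whose domain is unconfined_t: a
# service such as httpd listed here is the state the article reaches in step 8.
flag_unconfined_procs() {
    awk '$1 ~ /^[^:]+:[^:]+:unconfined_t(:|$)/ { print $2, $NF }'
}

# Constructed sample output (not captured from a real host), laid out like the
# article's screenshots: testfile2 relabelled samba_share_t, the httpd binary
# relabelled unconfined_exec_t, and one httpd process already running unconfined.
SAMPLE_LS='-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--  root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile2
-rwxr-xr-x  root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd'
SAMPLE_PS='LABEL                                  PID TTY      TIME CMD
system_u:system_r:kernel_t:s0            2 ?    00:00:00 kthreadd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2301 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0          2302 ?    00:00:00 httpd'

# Run the same checks against the live system (needs the SELinux userland).
audit_live() {
    sestatus | grep -E '^(SELinux status|Current mode)'
    ls -Z /usr/sbin/httpd /var/www/html/* 2>/dev/null | flag_file_types "unconfined_exec_t samba_share_t"
    ps -eZ | flag_unconfined_procs
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    printf '%s\n' "$SAMPLE_LS" | flag_file_types "unconfined_exec_t samba_share_t"
    printf '%s\n' "$SAMPLE_PS" | flag_unconfined_procs
fi
```

Without `--live` the script reports the two relabelled files and the unconfined httpd process from the sample data; on a real host, any `unconfined_exec_t` service binary or `unconfined_t` daemon it prints is a candidate for `restorecon` and a policy review.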

