Network service settings in SELinux: Apache, Samba, and NFS

SELinux's security protection measures are mainly focused on access control of various network services. For services such as Apache, Samba, NFS, vsftp, MySQL, and Bind dns, SELinux only opens up the most basic operation requirements. As for connecting to external networks, running scripts, accessing user directories, and sharing files, a certain SELinux policy must be adjusted to give full play to the role of the network server and achieve a direct balance between security and performance.

Apache configuration in SELinux Environment

File Type of Apache SELinux

When SELinux is enabled, Apache HTTP Server httpd runs in the restricted httpd_t domain by default and is separated from other restricted network services. Even if a network service is damaged by an attacker, the attacker's resources and possible damages are limited. The following example demonstrates the httpd process under SELinux.

$ ps -eZ | grep httpd unconfined_u:system_r:httpd_t:s0 2850 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2852 ? 00:00:00 httpd ……

The httpd process related to SELinux context is system_u: system_r: httpd_t: s0. All httpd processes run in the httpd_t domain. The file type must be set correctly for httpd Access. For example, httpd can read files whose types are httpd_sys_content_t but cannot be written or modified. In addition, httpd cannot access the Samba access control files of the samba_cmd_t type file) or access the files marked as user_home_t in the user's home directory, it mainly prevents httpd from reading and writing files in the user's home directory and inheriting their access permissions. The file type that httpd can read and write is httpd_sys_content_rw_t. The default file root type of Apache is httpd_sys_content_t. Unless you set httpd, you can only access httpd_sys_content_t files and subdirectories in the/var/www/html/directory. In addition, SELinux defines some file types for httpd:

• Httpd_sys_content_t is mainly used to provide files for static content services, such as files used by HTML static websites. This type of Tag file can access read-only) httpd and execute script httpd. By default, this type of file and directory mark cannot be written or modified by httpd or other processes. Note: by default, the created file or the/var/www/html/httpd_sys_content_t type of the copied tag.
• Httpd_sys_script_exec_t is mainly used to set cgi scripts in the/var/www/cgi-bin/directory. By default, The SELinux policy prevents httpd from executing CGI scripts.
• Httpd_sys_content_rw_t use the type label of httpd_sys_content_rw_t to read and write the script to mark the type of the file httpd_sys_script_exec_t.
• Httpd_sys_content_ra_t use the type tag of httpd_sys_content_ra_t to read and attach the script file httpd_sys_script_exec_t.

To modify SELinux type attributes of files and directories, run the following commands: chcon, semanage fcontext, and restorecon. Note: Use the chcon command to re-Identify the file type. However, this identifier is not permanently modified. Once the system is restarted, it will be changed back. To change the file type permanently, use the semanage command. The three commands chcon, semanage fcontext, and restorecon are the focus of this article. The following describes how to use them:

1) chcon command

Purpose: The chcon command is used to modify the security context of the SELinux file.

Usage: chcon [Option] CONTEXT File

Main options:

-R: recursively changes the context of files and directories.

-- Reference: copy the security context from the source file to the target file

-H, -- no-dereference: affects the target link.

-V, -- verbose: outputs diagnostics for each check file.

-U, -- user = USER: Set to the security context of the target user.

-R, -- role = ROLE: Set the role of the target security field.

-T, -- type = TYPE: security context type set in the target.

-L, -- range = RANGE: set role ROLE in the target security context to the target security field.

-F: displays a small number of error messages.

2) restorecon command

Purpose: restore the security context of a SELinux file.

Usage: restorecon [-iFnrRv] [-e excludedir] [-o filename] [-f filename | pathname...]

Main options:

-I: Ignore nonexistent files.

-F: The infilename file infilename records the file to be processed.

-E: directory exclusion directory.

-R-r: recursive processing Directory.

-N: does not change the file tag.

-O outfilename: saves the file list to outfilename. If the file is incorrect.

-V: displays the process on the screen.

-F: forcibly restores the file security context.

Note: The restorecon command is similar to the chcon command, but it sets the security context of objects related to files based on the default file context file of the current policy. Therefore, the user does not specify a security context. On the contrary, restorecon uses entries in the file context file to match the file name and then applies the specific security context. In some cases, it restores the correct security context.

3) semanage fcontext command

Role: Manage File security context

Usage:

Semanage fcontext [-S store]-{a | d | m | l | n | D} [-frst] file_spec
Semanage fcontext [-S store]-{a | d | m | l | n | D}-e replacement target

Main options:

-A: add

-D: Delete

-M: Modify

-L: List

-N: The description header is not printed.

-D: delete all

-F: File

-S: User

-T: Type

R: Role

Boolean variable of Apache SELinux

For network services, SElinux only opens the minimum operating requirements. To make full use of the functions of the Apache server, a Boolean value must be enabled to allow some behaviors, including allowing access to the httpd script network, allow httpd to access NFS and CIFS file systems, and execute Common Gateway Interface CGI) scripts. You can use the getsebool command to query the current Boolean variable. Then you can use the following setsebool command to open the Boolean variable:

#setsebool – P httpd_enable_cgi on

The following are commonly used Boolean variables:

• When allow_httpd_anon_write is disabled, this Boolean variable allows httpd to only read and access the public_content_rw_t file. Enable this Boolean variable to write allowed httpd to the file tag and a public file directory package contains a public file transfer service, such as public_content_rw_t type.
• Allow_httpd_mod_auth_pam enables this Boolean variable to allow the mod_auth_pam module to access httpd.
• Allow_httpd_sys_script_anon_write this Boolean variable defines whether the HTTP script allows write access to the file marked in a public File Transfer Service public_content_rw_t type.
• Httpd_builtin_scripting: the Boolean variable defines the access to httpd scripts. When this Boolean variable is enabled, PHP content is often required.
• When httpd_can_network_connect is disabled, this Boolean variable prevents HTTP scripts and modules that initiate connection from the network or remote port. Open this Boolean variable to allow such access.
• When httpd_can_network_connect_db is disabled, this Boolean variable prevents the initiation of an HTTP script and module connected to the database server. Open this Boolean variable to allow such access.
• Httpd_can_network_relay open this when the httpd of the Boolean variable is using a forward or reverse proxy.
• When httpd_can_sendmail is disabled, this Boolean variable prevents the HTTP module from sending emails. This prevents httpd found in the spam Attack Vulnerability. Open this Boolean variable to allow the HTTP module to send emails.
• When httpd_dbus_avahi is disabled, this Boolean variable rejects avahi access from the service through the httpd of the D-BUS. Open this Boolean variable to allow such access.
• When httpd_enable_cgi is disabled, this Boolean variable prevents httpd from executing CGI scripts. Open this Boolean variable to let httpd execute the CGI script.
• Httpd_enable_ftp_server opening this Boolean variable will allow httpd to act as the FTP port and behavior of the FTP server.
• When httpd_enable_homedirs is disabled, this Boolean variable blocks access to the httpd in the user's home directory. Open this Boolean variable to allow httpd to access the user's home directory.
• When httpd_execmem is enabled, this Boolean variable allows the memory address required by the httpd execution program. We recommend that you do not enable this Boolean variable for security reasons because it reduces buffer overflow, but protection for certain modules and applications such as Java and Mono applications requires this privilege.
• The Boolean variable httpd_ssi_exec defines whether the elements in the webpage containing SSI on the server can be executed.
• The httpd_tty_comm Boolean variable defines whether the httpd is a control terminal that is allowed to access. This type of access is usually not required. However, if an SSL Certificate file is configured, a password prompt is displayed and processed for terminal access.
• Httpd_use_cifs open this Boolean variable to allow httpd to access the files marked on the CIFS file system, such as the file system mounted through Samba, cifs_t type.
• Httpd_use_nfs open this Boolean variable to allow httpd to access the nfs_t type of the marked file on the NFS file system. For example, the file system is mounted through NFS.

Several configuration instances:

1) run a static web Page

Run the following command: mkdir/mywebsite to create a folder as the document root directory of the Apache server. Run the following command to view the file attributes:

# ls -dZ /mywebsite drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /mywebsite

According to SELinux policy rules and inheritance principles, the/mywebsite directory and the files in it will have the default_t type, including the files or subdirectories created in the future will also inherit and own this type, in this way, restricted httpd processes cannot be accessed. You can use the chcon and restorecon commands to modify the file type attributes of/mywebsite, so that the created files and copied files have the same httpd_sys_content_t type, in this way, restricted httpd processes can be accessed.

# chcon -R -t httpd_sys_content_t /mywebsite # touch /mywebsite/index.html # ls -Z /mywebsite /website/index.html -rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /mywebsite /index.html

Modify the/etc/httpd/conf/httpd. conf file:

#DocumentRoot "/var/www/html" DocumentRoot "/mywebsite"

Restart the Apache server.

If you want to thoroughly modify the file type attribute of/mywebsite to make the setting valid after restart, you can use the semanage fcontext and restorecon commands

# semanage fcontext -a -t httpd_sys_content_t "/mywebsite(/.*)?" # restorecon -R -v /mywebsite

2) share NFS and CIFS file systems

By default, the policy for mounting the NFS file system to the client's NFS defines a default context tag. The default context uses the nfs_t type. By default, the Samba shared client is installed with a policy to define a default context tag. The default context uses the cifs_t type. According to SELinux policy configuration, the Apache service may not be able to read the nfs_t or cifs_t type. You can enable or disable a Boolean value to control which service is allowed to access the nfs_t and cifs_t types.

For example, after using the setsebool command to open the httpd_use_nfs Boolean variable, httpd can access nfs shared resources of the nfs-t type:

# setsebool -P httpd_use_nfs on

For example, after you use the setsebool command to open the httpd_use_cifs Boolean variable, httpd can access cifs_t-type cifs shared resources:

# setsebool -P httpd_use_cifs on

3) change the port number

According to the policy configuration, the Service may only be allowed to run on a specific port number. Try to change the port on which the service runs. If the policy is not changed, the Service may fail to be started. First, check whether SELinux allows HTTP to listen on the TCP port. Run the following command:

# Semanage port-l | grep-w http_port_t

Http_port_t tcp 80,443,488,800 8, 8009,844 3

By default, SELinux allows HTTP to listen on TCP ports 80,443,488,800, 8443, or. Suppose you want to change port 80 to 12345. The following describes how to modify the port number:

Modify the configuration file/etc/httpd/conf/httpd. conf

# Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses (0.0.0.0) #Listen 12.34.56.78:80 Listen 10.0.0.1:12345

Use the command to modify:

# semanage port -a -t http_port_t -p tcp 12345

Then confirm:

# semanage port -l | grep -w http_port_t http_port_t tcp 12345, 80, 443, 488, 8008, 8009, 8443

Samba configuration in SELinux Environment

File Type of Samba SELinux

In The SELinux environment, the smbd and nmbd daemon of the Samba server run in the restricted smbd_t domain. And is isolated from other restricted network services. The following example demonstrates the smb process under SELinux.

$ ps -eZ | grep smb unconfined_u:system_r:smbd_t:s0 16420 ? 00:00:00 smbd unconfined_u:system_r:smbd_t:s0 16422 ? 00:00:00 smbd

By default, smbd can only read and write files of the samba_assist_t type, and cannot read and write files of the httpd_sys_content_t type. If you want smbd to read and write files of the httpd_sys_content_t type, you can remark the file type. You can also modify the Boolean value, for example, to allow Samba to provide shared resources such as NFS file systems. To modify SELinux type attributes of files and directories, run the following commands: chcon, semanage fcontext, and restorecon.

Boolean variable of SELinux of Samba

SELinux also provides some Boolean variables for Samba to adjust the SELinux policy. If you want the Samba server to share the NFS file system, run the following command:

# Setsebool-P samba_assist_nfs on

The following are commonly used Boolean variables;

• Allow_smbd_anon_write enables this Boolean variable to allow smbd to retain a common file in a region.
• Samba_create_home_dirs enable this Boolean variable to allow Samab to create a new home directory independently. This is usually used for the PAM mechanism.
• Samba_domain_controller allows Samba as the domain controller when this Boolean variable is enabled, as well as the permissions granted to it to execute related commands, such as using useradd, groupadd, and passwd.
• Samba_enable_home_dirs enables this Boolean variable to allow Samba to share the user's home directory.
• Samba_export_all_rw enables this Boolean variable to allow publishing of any files or directories and read and write permissions.
• Samba_run_unconfined enables this Boolean variable to allow Samba to run scripts in the/var/lib/samba/scripts directory.
• If this Boolean variable is enabled for samba_cmd_nfs, Samba is allowed to share the NFS file system.
• Use_samba_home_dirs enables this Boolean variable to use the main directory of the Remote Server Samba.
• Virt_use_samba allows virtual machines to access CIFS files.

Configure an instance

1) share a new directory

Create a directory as the shared resource of Samba, and create a file under the directory to check whether the sharing is successful.

#mkdir /myshare #touch /myshare/file1

Set the file types in the Created directory and Directory

#semanage fcontext -a -t samba_share_t "/myshare(/.*)?" # restorecon -R -v /myshare

Modify the Samba configuration file/etc/samba/smb. conf and add the following shared resource definitions ::

[Myshare] comment = My share path =/myshare public = yes writeable = yes create a samba user # smbpasswd-a testuser New SMB password: Enter a password Retype new SMB password: enter the same password again Added user testuser.

Start the Samba Service

service smb start

Query available shared resources:

$ smbclient -U testuser -L localhost

Use the mount command to mount shared resources and check files:

#mount //localhost/myshare /test/ -o user= testuser # ls /test/

2) share a webpage

If you want to share a webpage file directory such as/var/www/html on the Apache server, you cannot use the file type. In this case, you can use two Boolean variables samba_export_all_ro and samba_export_all_rw to share directories and files. The procedure is as follows:

Modify the samba configuration file and add the following lines:

[website] comment = Sharing a website path = /var/www/html/ public = yes writeable = yes

Enable the samba_export_all_ro Boolean variable

#setsebool -P samba_export_all_ro on

Set permissions:

#chmod 777 /var/www/html/

Shared directory:

#mount //localhost/myshare /test/ -o user= testuser # ls /test/

 

Back to Top

NFS configuration in SELinux Environment

File Type of NFS SELinux

In The SELinux environment, the nfs server daemon runs in the restricted nfs_t domain. And is isolated from other restricted network services. The SELinux policy does not allow NFS to share remote files. To share remote files, you can use Boolean variables such as nfs_export_all_ro and nfs_export_all_rw to adjust SELinux policies. According to SELinux's policy, the default file system used by the client to install the NFS file system is nfs_t. In addition, SELinux also defines some file types for nfsd:

• Var_lib_nfs_t is used to copy existing and new files or in the created/var/lib/nfs directory. This type does not need to be changed during normal operation. To restore to the default settings, run the command restorecon-R-v/var/lib/nfs with the superuser permission.
• Nfsd_exec_t/usr/sbin/rpc. nfsd program files and other NFS executable files and libraries are of this type. Other files do not use any files of this type.

Boolean variable of NFS SELinux

SELinux provides several Boolean variables to adjust NFS. You can strike a balance between system security and NFS functions. For example:

Set NFS sharing on the local machine to readable and writable. The related Boolean variables must be enabled:

#setsebool -P nfs_export_all_rw on

If you want to share the remote NFS home directory to the local machine, you need to open the relevant Boolean variable:

#setsebool -P use_nfs_home_dirs on

The following are commonly used Boolean variables;

• When allow_ftpd_use_nfs is enabled, this Boolean variable allows ftpd to access NFS mounting.
• Allow_nfsd_anon_write When enabled, this Boolean variable can be written to an anonymous nfsd public directory.
• Httpd_use_nfs When enabled, this Boolean variable allows httpd to access files stored on an NFS file system.
• When nfs_export_all_ro is enabled, this Boolean variable allows any file or directory to be exported through NFS and read-only permission.
• When nfs_export_all_rw is enabled, this Boolean variable allows read and write permissions to any files or directories exported through NFS.
• When qemu_use_nfs is enabled, this Boolean variable allows QEMU to use the NFS file system.
• If this Boolean variable is enabled for samba_cmd_nfs, Samba is allowed to share the NFS file system.
• When use_nfs_home_dirs is enabled, this Boolean variable supports the NFS main directory.
• When _ use_nfs is enabled, this Boolean variable allows virtual machines to access NFS files.
• This Boolean variable allows Xen to use NFS files when xen_use_nfs is enabled.

Example

In this example, the IP address of the NFS server is 192.168.1.1, the IP address of the NFS client is 192.168.1.10, and the two hosts are on the same subnet 192.168.1.0/24 ).

First, run the setsebool command on the NFS server to ensure that the nfs_export_all_rw Boolean variable is enabled, so that the NFS client can install the NFS file system in read-only mode. Create a top-level directory as a shared resource, and create a file in the directory to provide access to the client. The command is as follows:

#setsebool -P nfs_export_all_rw on #mkdir – p /share/nfs #cp /etc/profile /share/nfs/test ＃ chmod - R 777 /share/nfs

Edit the/etc/exports file below to add the shared resources.

/share/nfs 192.168.1.10(rw)

Make sure that the firewall settings are correct. Then start the nfs service

# service nfs start Starting NFS services: [ OK ] Starting NFS quotas: [ OK ] Starting NFS daemon: [ OK ] Starting NFS mountd: [ OK ]

Run the exports command to make sure that shared resources are published. Run the showmount command to query shared resources.

#exportfs -rv exporting 192.168.1.10:/share/nfs # showmount -e Export list for nfs-srv: /share/nfs 192.168.1.10

The NFS client can mount the shared resources of the NFS server by running the following command:

# mount.nfs 192.168.1.1:/share/nfs /mnt # ls /mnt total 0 -rwxrwxrwx. 1 root root 0 2012-01-16 12:07 test

Http://www.ibm.com/developerworks/cn/linux/l-cn-selinux-services1/index.html? Ca = drs-