Reproduced: Provisioning network services in an SELinux environment: configuring Apache, Samba and NFS

Source: Internet
Author: User
Tags: ssl certificate nfsd

Original Address: http://www.ibm.com/developerworks/cn/linux/l-cn-selinux-services1/index.html?ca=drs-introduction

SELinux's security measures are largely concerned with access control for network services. For services such as Apache, Samba, NFS, vsftpd, MySQL and BIND DNS, the default policy permits only the operations each service needs in order to run. Anything beyond that, such as connecting to other hosts, running scripts, accessing user home directories or sharing file systems, requires an adjustment of the SELinux policy. The aim is to let the server do its full job while keeping security and functionality in balance.

Configuring Apache in an SELinux environment

SELinux file types for Apache

When SELinux is enabled, the Apache HTTP server (httpd) runs in the confined httpd_t domain by default, isolated from the other confined network services. Even if a network service is compromised, the resources available to the attacker, and the damage that can be done, are limited to what the domain allows. The following example shows the httpd processes under SELinux:

$ ps -eZ | grep httpd
unconfined_u:system_r:httpd_t:s0 2850 ?        00:00:00 httpd
unconfined_u:system_r:httpd_t:s0 2852 ?        00:00:00 httpd
...

The SELinux context of the httpd processes is system_u:system_r:httpd_t:s0 when httpd is started by init (the example above was started from an unconfined user's shell, hence unconfined_u). The process runs in the httpd_t domain, so the files it serves must carry a type that the domain is allowed to access. For example, httpd can read files of type httpd_sys_content_t but cannot write or modify them. It cannot access files of type samba_share_t (files meant for Samba), and it cannot access user home directories labeled user_home_t; this prevents httpd from reading or writing users' files and inheriting their access rights. The type that httpd can both read and write is httpd_sys_content_rw_t (spelled httpd_sys_rw_content_t in current policy, where the old name is kept as an alias). The default document root type is httpd_sys_content_t, so unless configured otherwise httpd can only access files and subdirectories of that type under /var/www/html/. SELinux also defines the following file types for httpd:

    • httpd_sys_content_t: used for files that provide static content, such as the HTML files of a static web site. Files of this type can be read by httpd and by the scripts httpd executes, but by default cannot be written or modified by httpd. Files created in or copied into /var/www/html/ receive this type by default.
    • httpd_sys_script_exec_t: used for CGI scripts, by default those in /var/www/cgi-bin/. Whether httpd may actually execute CGI scripts is controlled by the httpd_enable_cgi Boolean described below.
    • httpd_sys_content_rw_t: files of this type can be read and written by scripts labeled httpd_sys_script_exec_t.
    • httpd_sys_content_ra_t: files of this type can be read and appended to, but not otherwise modified, by scripts labeled httpd_sys_script_exec_t.

To change the SELinux type of files and directories, three commands are used: chcon, semanage fcontext and restorecon. chcon relabels a file directly, but the change is not recorded in the policy: the next time the file is relabeled, whether by restorecon or by a full file system relabel at boot, the label reverts to what the policy specifies. For a permanent change, record the new type with semanage fcontext and then apply it with restorecon. These three commands are the focus of this article; their usage follows.

(1) chcon command

Role: change the SELinux security context of files (the user, role, type and range parts of the label)

Usage:

chcon [options] CONTEXT file...
chcon [options] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] file...
chcon [options] --reference=RFILE file...

Main options:

-R, --recursive: change the context of files and directories recursively.

--reference=RFILE: copy the security context of RFILE to the target files.

-h, --no-dereference: affect symbolic links themselves instead of the files they refer to.

-v, --verbose: output a diagnostic for every file processed.

-u, --user=USER: set the user part of the target's security context.

-r, --role=ROLE: set the role part of the target's security context.

-t, --type=TYPE: set the type part of the target's security context.

-l, --range=RANGE: set the MLS/MCS range part of the target's security context.

-f, --silent, --quiet: suppress most error messages.

Options are case-sensitive: -R recurses, -r sets the role. In practice -t is the option used almost every time, since the type is what the policy's access rules are written against.

(2) restorecon command

Role: restore the default SELinux security context of files, that is, the context the current policy specifies for their path

Usage: restorecon [-iFnrRv] [-e excludedir] [-o filename] [-f filename | pathname ...]

Main options:

-i: ignore files that do not exist.

-f infilename: read the list of files to process from infilename.

-e directory: exclude a directory.

-r, -R: process directories recursively.

-n: do not change any file labels (a dry run; combine with -v to see what would change).

-o outfilename: save the list of files whose context is incorrect to outfilename.

-v: show each change as it is made.

-F: force a full reset of the security context. By default restorecon resets only the type; with -F it also resets the user, role and range.

restorecon is similar to chcon, but instead of taking a context from the user it looks the path up in the file context database of the currently loaded policy (the entries shipped with the policy plus those added with semanage fcontext) and applies the context of the matching entry. It is therefore the tool for restoring correct contexts after files have been created, copied or moved with the wrong label.

(3) semanage fcontext command

Role: manage the file context entries of the policy, the mapping from path patterns to default security contexts that restorecon consults

Usage:

semanage fcontext [-S store] -{a|d|m|l|n|D} [-frst] file_spec
semanage fcontext [-S store] -{a|d|m|l|n|D} -e replacement target

Main options:

-a, --add: add a record

-d, --delete: delete a record

-m, --modify: modify a record

-l, --list: list records

-n, --noheading: do not print the heading when listing

-D, --deleteall: delete all locally added records

-f, --ftype: file type the entry applies to (regular file, directory, symbolic link, ...)

-s, --seuser: SELinux user of the context

-t, --type: SELinux type of the context

-r, --range: MLS/MCS range of the context

-e, --equal: give the target path the same labeling as the replacement path

file_spec is a regular expression matched against the full path, which is why a whole directory tree is written as "/path(/.*)?". An entry added with semanage fcontext -a is stored in the policy but is not applied to existing files until restorecon is run on them.

SELinux Booleans for Apache

For network services SELinux allows only the minimum needed to run, so to use the full functionality of the Apache server you must also enable the Booleans that permit particular behaviour: letting HTTP scripts open network connections, letting httpd access NFS and CIFS file systems, letting httpd run Common Gateway Interface (CGI) scripts, and so on. Query the current values with getsebool (getsebool -a lists all of them) and change them with setsebool. The -P option writes the change into the policy so that it persists across reboots; without it the Boolean reverts at the next boot:

# setsebool -P httpd_enable_cgi on

The following Booleans are commonly used:

  • allow_httpd_anon_write: when disabled, httpd has only read access to files of type public_content_rw_t. Enable it to allow httpd to write to files of that type, the type used for directories shared by public file transfer services.
  • allow_httpd_mod_auth_pam: enable to allow httpd to authenticate users through the mod_auth_pam module.
  • allow_httpd_sys_script_anon_write: whether HTTP scripts may write to files of type public_content_rw_t (public file transfer areas).
  • httpd_builtin_scripting: controls httpd's built-in scripting modules; usually required for PHP content served through mod_php.
  • httpd_can_network_connect: when disabled, prevents HTTP scripts and modules from initiating connections to network or remote ports. Enable it to allow such connections.
  • httpd_can_network_connect_db: when disabled, prevents HTTP scripts and modules from connecting to database servers. Enable it to allow such connections; it is narrower than httpd_can_network_connect and should be preferred when a database is all that is needed.
  • httpd_can_network_relay: enable when httpd is used as a forward or reverse proxy.
  • httpd_can_sendmail: when disabled, prevents HTTP modules from sending mail, which keeps a compromised httpd from being used as a spam relay. Enable it to allow HTTP modules to send mail.
  • httpd_dbus_avahi: when disabled, denies httpd access to the Avahi service over D-Bus. Enable it to allow this access.
  • httpd_enable_cgi: when disabled, prevents httpd from executing CGI scripts. Enable it to let httpd execute CGI scripts.
  • httpd_enable_ftp_server: enable to allow httpd to listen on the FTP port and behave as an FTP server.
  • httpd_enable_homedirs: when disabled, prevents httpd from accessing user home directories. Enable it to allow this access.
  • httpd_execmem: when enabled, allows httpd to execute memory that it can also write to. Not recommended from a security standpoint, because it weakens the protection against buffer overflow exploits, but some modules and applications (for example Java and Mono) require it.
  • httpd_ssi_exec: whether server-side include (SSI) elements in web pages may be executed.
  • httpd_tty_comm: whether httpd may access a controlling terminal. This is normally not needed; the usual exception is a passphrase-protected SSL certificate key, where the terminal is used to display and answer the password prompt.
  • httpd_use_cifs: enable to allow httpd to access files on CIFS file systems (type cifs_t), such as shares mounted from Samba.
  • httpd_use_nfs: enable to allow httpd to access files on NFS file systems (type nfs_t).
Configuration examples:

(1) Running a static web site

Suppose you create a new directory with mkdir /mywebsite to serve as the document root of the Apache server. Its security context can be viewed with:

# ls -dZ /mywebsite
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /mywebsite

According to the policy's file context rules and type inheritance, /mywebsite has the default_t type, and files or subdirectories created in it later inherit that type, so the confined httpd process cannot access any of it. Change the type of /mywebsite to httpd_sys_content_t with chcon; files created in it afterwards then inherit the new type and httpd can read them:

# chcon -R -t httpd_sys_content_t /mywebsite
# touch /mywebsite/index.html
# ls -Z /mywebsite/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /mywebsite/index.html

Then change the DocumentRoot directive in /etc/httpd/conf/httpd.conf:

#DocumentRoot "/var/www/html"
DocumentRoot "/mywebsite"

Then restart the Apache server.

If the label should survive a relabel, record it with semanage fcontext and apply it with restorecon instead of relying on chcon. Note also that files moved into the directory with mv keep their original label, whereas files created there or copied in with cp receive the directory's label, so a restorecon after moving content is usually needed:

# semanage fcontext -a -t httpd_sys_content_t "/mywebsite(/.*)?"
# restorecon -R -v /mywebsite

(2) Serving files from NFS and CIFS file systems

By default, file systems mounted over NFS on a client are labeled with the nfs_t type, and file systems mounted from Samba (CIFS) with the cifs_t type; the policy assigns these types at mount time. Whether httpd may read nfs_t or cifs_t files depends on the policy and is controlled by the Booleans below. (An alternative that avoids the Boolean is to mount the share with a context= option, which gives the whole mount a type httpd can already read, for example context="system_u:object_r:httpd_sys_content_t:s0".)

For example, after enabling the httpd_use_nfs Boolean with setsebool, httpd can access NFS shares of type nfs_t:

# setsebool -P httpd_use_nfs on

Likewise, after enabling the httpd_use_cifs Boolean, httpd can access CIFS shares of type cifs_t:

# setsebool -P httpd_use_cifs on

(3) Changing the port number

Depending on the policy, a service may only be allowed to listen on specific ports. Changing the port in the service's configuration without changing the policy makes the service fail to start: the bind is denied and an AVC denial is recorded in the audit log. First look at which TCP ports SELinux allows httpd to listen on:

# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443

By default SELinux allows httpd to listen on TCP ports 80, 443, 488, 8008, 8009 and 8443. Suppose you want to move httpd from port 80 to 12345. Proceed as follows.

Change the Listen directive in /etc/httpd/conf/httpd.conf:

# Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#Listen 12.34.56.78:80
Listen 10.0.0.1:12345

Then add the port to http_port_t. If the port is already assigned to another type, semanage reports that it is already defined; in that case use -m instead of -a, bearing in mind that this takes the port away from the other type:

# semanage port -a -t http_port_t -p tcp 12345

Then confirm:

# semanage port -l | grep -w http_port_t
http_port_t                    tcp      12345, 80, 443, 488, 8008, 8009, 8443
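An added example, not code from the original article, for the port change just described: a POSIX shell script that reads the output of semanage port -l and works out whether the port is unassigned, already http_port_t, or owned by another type, and prints the matching semanage command (-a for a free port, -m to move a port that another type owns). The listing embedded in the script is a constructed, abridged sample used when semanage is not installed; its type names follow the targeted policy, and the ports listed under http_cache_port_t are there to exercise the "already defined" case, not as a statement of any particular release's defaults.

```shell
#!/bin/sh
# Added example (not from the original article): decide how to make a TCP
# port valid for httpd. Reads "semanage port -l" output, falling back to the
# constructed sample below when semanage is not installed.

# Constructed, abridged "semanage port -l" listing (targeted policy style).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pop_port_t                     tcp      106, 109, 110, 995
ssh_port_t                     tcp      22'

# Print the policy type that owns PROTO PORT, reading the listing on stdin.
# Empty output means the port is unassigned. Ranges such as 10001-10010
# are handled, and the header line is skipped.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) { split(p, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
                else         { lo = p + 0; hi = lo }
                if (port >= lo && port <= hi) { print $1; exit }
            }
        }'
}

# Print the semanage command that makes tcp/PORT an http_port_t port, or a
# note that nothing is needed. "-a" only works for an unassigned port; a
# port already owned by another type must be moved with "-m", after which
# the other service can no longer bind it.
http_port_command() {
    owner=$(port_owner tcp "$1")
    case $owner in
        http_port_t) echo "# tcp/$1 is already http_port_t; nothing to do" ;;
        '')          echo "semanage port -a -t http_port_t -p tcp $1" ;;
        *)           echo "semanage port -m -t http_port_t -p tcp $1   # currently $owner" ;;
    esac
}

# Live policy when available, otherwise the constructed sample.
port_listing() {
    if command -v semanage >/dev/null 2>&1; then semanage port -l
    else printf '%s\n' "$SAMPLE_PORTS"; fi
}

# Ports to check: the script's arguments, or three illustrative cases.
for p in ${1:-80 8080 12345}; do
    port_listing | http_port_command "$p"
done
```

The same check is worth running before `semanage port -m`: the script's "currently" note names the type that loses the port, which is the service that will start failing next.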


Configuring Samba in an SELinux environment

SELinux file types for Samba

In an SELinux environment the smbd and nmbd daemons of the Samba server run in the confined smbd_t and nmbd_t domains respectively, isolated from the other confined network services. The following example shows the smbd processes under SELinux:

$ ps -eZ | grep smb
unconfined_u:system_r:smbd_t:s0 16420 ?        00:00:00 smbd
unconfined_u:system_r:smbd_t:s0 16422 ?        00:00:00 smbd

By default smbd can read and write only files of type samba_share_t; it cannot read or write files of type httpd_sys_content_t. To let smbd serve files of another type, either relabel them, or, for cases such as exporting NFS mounts or the web root, enable the corresponding Boolean. The same three commands, chcon, semanage fcontext and restorecon, are used to change file types.

SELinux Booleans for Samba

SELinux also provides Booleans for Samba to adjust the policy. For example, to let the Samba server share an NFS-mounted file system:

# setsebool -P samba_share_nfs on

The following Booleans are commonly used:

    • allow_smbd_anon_write: enable to allow smbd to write to public file transfer areas, that is, files of type public_content_rw_t.
    • samba_create_home_dirs: enable to allow Samba to create new home directories on its own, typically through the PAM mechanism.
    • samba_domain_controller: enable to allow Samba to act as a domain controller, including running useradd, groupadd and passwd.
    • samba_enable_home_dirs: enable to allow Samba to share users' home directories.
    • samba_export_all_rw: enable to allow Samba to export any file or directory read-write, regardless of its type.
    • samba_run_unconfined: enable to allow Samba to run the scripts in /var/lib/samba/scripts unconfined.
    • samba_share_nfs: enable to allow Samba to share NFS-mounted file systems.
    • use_samba_home_dirs: enable to use home directories that live on a remote Samba server.
    • virt_use_samba: allows virtual machines to access CIFS files.
Configuration examples

(1) Sharing a new directory

Create a directory to share through Samba, and a file inside it so that the share can be verified afterwards:

# mkdir /myshare
# touch /myshare/file1

Set the type of the directory and of the files that will be created in it:

# semanage fcontext -a -t samba_share_t "/myshare(/.*)?"
# restorecon -R -v /myshare

Add a share definition to the Samba configuration file /etc/samba/smb.conf:

[myshare]
comment = My share
path = /myshare
public = yes
writeable = yes

Create a Samba user:

# smbpasswd -a testuser
New SMB password: (enter a password)
Retype new SMB password: (enter the same password again)
Added user testuser.

Start the Samba service:

# service smb start

List the shares available to that user:

$ smbclient -U testuser -L localhost

Mount the share and verify that the file is visible:

# mount //localhost/myshare /test/ -o user=testuser
# ls /test/

(2) Sharing a web site directory

To share the Apache document root, /var/www/html, through Samba you cannot simply relabel it samba_share_t, because httpd would then lose access to it. Instead, use the samba_export_all_ro and samba_export_all_rw Booleans, which allow Samba to export any file or directory read-only or read-write regardless of its type. The steps are as follows.

Add a share definition to the Samba configuration file:

[website]
comment = sharing a website
path = /var/www/html
public = yes
writeable = yes

Enable the samba_export_all_ro Boolean for read-only access (with writeable = yes as above, writes will still be denied until samba_export_all_rw is enabled as well):

# setsebool -P samba_export_all_ro on

Set permissions (this is what the original procedure does; a world-writable document root is wider than necessary, and giving the directory a group that the Samba users belong to with mode 775 achieves the same for them):

# chmod 777 /var/www/html/

Mount the share:

# mount //localhost/website /test/ -o user=testuser
# ls /test/
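An added example (not code from the original article) covering both Samba procedures above: a POSIX shell script that reads smb.conf share definitions and prints, for each share, what SELinux needs before smbd may serve it, applying the rules stated on this page: a new directory gets samba_share_t through semanage fcontext and restorecon, the web root is exported through samba_export_all_ro or samba_export_all_rw depending on whether the share is writeable, and the [homes] share needs samba_enable_home_dirs. It parses only `path =` and `writeable =` (Samba's other spellings, writable and read only, are not handled), and the smb.conf fragment embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): map each smb.conf share to
# the SELinux change it needs, following the rules given on this page.
# Only "path =" and "writeable =" are parsed (not "writable"/"read only").

# Constructed smb.conf fragment covering the three cases discussed above.
SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP

[myshare]
   comment = My share
   path = /myshare
   public = yes
   writeable = yes

[website]
   comment = sharing a website
   path = /var/www/html
   public = yes
   writeable = no

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes'

# Read smb.conf on stdin; print "share<TAB>path<TAB>rw|ro<TAB>requirement"
# for every share except [global].
smb_share_requirements() {
    awk '
        function flush() {
            if (name == "" || name == "global") return
            rw = (writeable ~ /^(yes|true|1)$/) ? "rw" : "ro"
            if (name == "homes")
                req = "setsebool -P samba_enable_home_dirs on"
            else if (path ~ /^\/var\/www(\/|$)/)
                req = "setsebool -P samba_export_all_" rw " on"
            else
                req = "semanage fcontext -a -t samba_share_t \"" path "(/.*)?\"; restorecon -R -v " path
            printf "%s\t%s\t%s\t%s\n", name, path, rw, req
        }
        /^[ \t]*\[/ {                      # new section: report the previous one
            flush()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/].*$/, "", name)
            path = ""; writeable = "no"
            next
        }
        /^[ \t]*path[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); path = $0 }
        /^[ \t]*writeable[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); writeable = tolower($0) }
        END { flush() }'
}

if [ -r "${1:-/nonexistent}" ]; then
    smb_share_requirements < "$1"          # e.g. ./smb-selinux.sh /etc/samba/smb.conf
else
    printf '%s\n' "$SAMPLE_SMB_CONF" | smb_share_requirements
fi
```

The output is meant to be read before touching the policy: a share under /var/www that is writeable turns into samba_export_all_rw, which lets Samba write anywhere on the system, so that line is the one to question rather than apply blindly.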


Configuring NFS in an SELinux environment

SELinux file types for NFS

In an SELinux environment the NFS server daemon (rpc.nfsd) runs in the confined nfsd_t domain, isolated from the other confined network services. (nfs_t, by contrast, is the type given to NFS file systems mounted on a client.) Whether nfsd may export files that do not carry an NFS-specific type is controlled by the nfs_export_all_ro and nfs_export_all_rw Booleans; check their current state with getsebool before assuming an export will work. SELinux also defines the following file types for nfsd:

    • var_lib_nfs_t: the type of existing files in /var/lib/nfs and of files created there or copied into it. In normal operation it should not need to be changed. To restore the default labels, run as root: restorecon -R -v /var/lib/nfs.
    • nfsd_exec_t: the type of /usr/sbin/rpc.nfsd and of the other NFS executables and libraries. No other files should need this type.
SELinux Booleans for NFS

SELinux provides several Booleans for NFS that let you balance system security against NFS functionality. For example:

To make a local NFS export writable, enable the related Boolean:

# setsebool -P nfs_export_all_rw on

To use home directories served from a remote NFS server on the local host, enable:

# setsebool -P use_nfs_home_dirs on

The following Booleans are commonly used:

    • allow_ftpd_use_nfs: when enabled, allows ftpd to access NFS mounts.
    • allow_nfsd_anon_write: when enabled, allows nfsd to write to public file transfer areas (files of type public_content_rw_t).
    • httpd_use_nfs: when enabled, allows httpd to access files stored on NFS file systems.
    • nfs_export_all_ro: when enabled, allows any file or directory to be exported read-only through NFS.
    • nfs_export_all_rw: when enabled, allows any file or directory to be exported read-write through NFS.
    • qemu_use_nfs: when enabled, allows QEMU to use NFS file systems.
    • samba_share_nfs: when enabled, allows Samba to share NFS file systems.
    • use_nfs_home_dirs: when enabled, allows home directories to be served from NFS.
    • virt_use_nfs: when enabled, allows virtual machines to access NFS files.
    • xen_use_nfs: when enabled, allows Xen to use NFS files.
Example

In this example the NFS server has IP address 192.168.1.1 and the NFS client 192.168.1.10; both hosts are on the same subnet (192.168.1.0/24).

First, on the NFS server, use setsebool to make sure the nfs_export_all_rw Boolean is on, so that NFS clients can mount the export read-write. Then create a top-level directory to export, and a file inside it for the client to access:

# setsebool -P nfs_export_all_rw on
# mkdir -p /share/nfs
# cp /etc/profile /share/nfs/test
# chmod -R 777 /share/nfs

Add the export to /etc/exports. There must be no space between the client and its options: "192.168.1.10 (rw)" would export the directory to 192.168.1.10 with the default options and, separately, to every host read-write, which is the classic exports mistake.

/share/nfs 192.168.1.10(rw)

Make sure the firewall allows NFS traffic, then start the NFS service:

# service nfs start
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]

Run exportfs to make sure the export is published, and showmount to query it:

# exportfs -rv
exporting 192.168.1.10:/share/nfs
# showmount -e
Export list for nfs-srv:
/share/nfs 192.168.1.10

On the NFS client, mount the export and check the file:

# mount.nfs 192.168.1.1:/share/nfs /mnt
# ls -l /mnt
total 0
-rwxrwxrwx. 1 root root 0 2012-01-16 12:07 test
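An added example that is not part of the original article, for the export step above: a POSIX shell script that lints /etc/exports for the mistakes that quietly widen an export (options separated from their host by a space, wildcard hosts, no_root_squash, no explicit ro/rw) and, when given a real file that passes, re-exports and shows what the server advertises. The exports file embedded in it is constructed for the demonstration; the paths /share/nfs2 and /share/nfs3 are invented.

```shell
#!/bin/sh
# Added example (not from the original article): lint /etc/exports for the
# mistakes that silently widen an export, then re-export and verify. Only
# the lint function runs in the offline demonstration at the bottom.

# Constructed /etc/exports. Line 1 is the intended export. Line 2 has a
# space before the options, so exportfs reads it as two entries:
# 192.168.1.10 with default options, and "*" (every host) with rw.
# Line 3 hands remote root the local root identity on a wildcard export.
SAMPLE_EXPORTS='/share/nfs  192.168.1.10(rw)
/share/nfs2 192.168.1.10 (rw)
/share/nfs3 *(rw,no_root_squash)
# comment line'

# Read exports on stdin; print "LINE<TAB>problem" per finding; return 1 if any.
lint_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                        # comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                f = $i
                if (f ~ /^\(/) {                       # "(rw)" detached from its host
                    print NR "\t" path ": options " f " are separated from " $(i-1) " by a space, so they apply to every host"
                    found = 1; continue
                }
                host = f; sub(/\(.*$/, "", host)
                opts = ""
                if (f ~ /\(/) { opts = f; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts) }
                if (host == "*" || host == "") {
                    print NR "\t" path ": exported to every host"; found = 1
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print NR "\t" path ": no_root_squash lets root on " host " act as local root"; found = 1
                }
                if (opts !~ /(^|,)(rw|ro)(,|$)/) {
                    print NR "\t" path ": no explicit ro/rw for " host " (exportfs defaults to ro)"; found = 1
                }
            }
        }
        END { exit found ? 1 : 0 }'
}

# After fixing the file: re-export and show what the server now advertises.
reexport_and_show() {
    exportfs -rv && showmount -e localhost
}

if [ -r "${1:-/nonexistent}" ]; then
    lint_exports < "$1" && reexport_and_show   # e.g. ./exports-lint.sh /etc/exports
else
    printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports || echo "fix the lines above before running exportfs -r"
fi
```

The "no explicit ro/rw" finding is deliberately noisy: an entry that relies on the default is usually a sign that its options ended up on the wrong side of a space, as on line 2 of the sample.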
Summary

Part 2 of this article discusses the configuration of the vsftpd, MySQL and BIND DNS services.
