Organizational Research By

Surprising Reserch Topic

Question:SELinux security contexts


 

SELinux security contexts:

Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels.
To view the security context labels applied to your web page files use the command: ls -Z

The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):

SELINUX=disabled
or using the command setenforce 0 to temporarily disable SELinux until the next reboot.

When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not recieve the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).

Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:

  • -R: Recursive. Files and directories in current directory and all subdirectories.
  • -h: Affect symbolic links.
  • -t: Specify type of security context.

Use the following security contexts:

Context Type Description
httpd_sys_content_t Used for static web content. i.e. HTML web pages.
httpd_sys_script_exec_t Use for executable CGI scripts or binary executables.
httpd_sys_script_rw_t CGI is allowed to alter/delete files of this context.
httpd_sys_script_ra_t CGI is allowed to read or append files of this context.
httpd_sys_script_ro_t CGI is allowed to read files and directories of this context.

Set the following options: setsebool httpd-option true
(or set to false)

Policy Description
httpd_enable_cgi Allow httpd cgi support.
httpd_enable_homedirs Allow httpd to read home directories.
httpd_ssi_exec Allow httpd to run SSI executables in the same domain as system CGI scripts.
Then restart Apache:
  • Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
  • Red Hat/Fedora: service httpd restart

The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans

asked Sep 13, 2013 in LINUX by anonymous
edited Sep 12, 2013
0 votes
19 views



Related Hot Questions



Government Jobs Opening


...