Hi,
Some time ago I wrote an introductory article about SELinux on my blog. I'm currently updating it for my new blog, and I found a curious change in SELinux policy. Here goes.
For demonstration purposes, I'm using some static webpages, more exactly the default pages found in /usr/share/httpd/noindex, which I simply copied over to /var/www/html.
As a first practical example, I'm copying this stuff over to /tmp/backup and then move it back again. A vaguely similar example has been given by Thomas Cameron in his presentation "SELinux for mere mortals", and I'm reproducing it here with some minor modifications.
$ cd /var/www/html/ $ mkdir /tmp/backup $ cp -R * /tmp/backup/ $ rm -rf * $ mv /tmp/backup/* . $ find . -type d -exec chmod 0755 {} ; $ find . -type f -exec chmod 0644 {} ;
When I wrote the article back in november 2017, this resulted in a classic "Forbidden" error, since the SELinux context of these files is not httpd_sys_content_t as it should be, but user_tmp_t.
But when I try to repeat the experiment now, Apache shows no error. Which seems strange.
Any idea what's going on ?
Niki
Le 30/01/2019 à 16:22, Nicolas Kovacs a écrit :
Some time ago I wrote an introductory article about SELinux on my blog. I'm currently updating it for my new blog, and I found a curious change in SELinux policy. Here goes.
For demonstration purposes, I'm using some static webpages, more exactly the default pages found in /usr/share/httpd/noindex, which I simply copied over to /var/www/html.
As a first practical example, I'm copying this stuff over to /tmp/backup and then move it back again. A vaguely similar example has been given by Thomas Cameron in his presentation "SELinux for mere mortals", and I'm reproducing it here with some minor modifications.
$ cd /var/www/html/ $ mkdir /tmp/backup $ cp -R * /tmp/backup/ $ rm -rf * $ mv /tmp/backup/* . $ find . -type d -exec chmod 0755 {} ; $ find . -type f -exec chmod 0644 {} ;
When I wrote the article back in november 2017, this resulted in a classic "Forbidden" error, since the SELinux context of these files is not httpd_sys_content_t as it should be, but user_tmp_t.
But when I try to repeat the experiment now, Apache shows no error. Which seems strange.
Any idea what's going on ?
The tl;dr version of my last post is : Apache is not supposed to show static web pages with a user_tmp_t SELinux context. So why does it show them anyway ?
Cheers,
Niki
On 1/30/19 7:57 AM, Nicolas Kovacs wrote:
The tl;dr version of my last post is : Apache is not supposed to show static web pages with a user_tmp_t SELinux context. So why does it show them anyway ?
Policy allows that, currently:
# sesearch -A -s httpd_t -t user_tmp_t Found 15 semantic av rules: allow daemon user_tmp_t : file { getattr append } ; allow httpd_t user_tmp_t : file { ioctl read write getattr lock append map } ; allow domain tmpfile : file { ioctl read getattr lock append open } ; allow httpd_t file_type : dir { getattr search open } ; allow httpd_t user_tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ; allow httpd_t file_type : filesystem getattr ; allow httpd_t user_home_type : file { ioctl read getattr lock open } ; allow httpd_t user_home_type : dir { getattr search open } ; allow httpd_t user_home_type : dir { ioctl read getattr lock search open } ; allow httpd_t user_home_type : dir { getattr search open } ; allow httpd_t user_home_type : dir { getattr search open } ; allow domain file_type : file map ; allow domain file_type : chr_file map ; allow domain file_type : blk_file map ; allow httpd_t user_home_type : lnk_file { read getattr } ;
-
Gordon Messmer -
Nicolas Kovacs