wiki:ContentSpecification
Last modified on 03/12/09 04:40:03

This page is a draft and may contain errors. Procedures and examples have not been tested - run at own risk

Trademark Information

Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.

Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

UNIX is a registered trademark of The Open Group.

Type Enforcement is a trademark of Secure Computing, LLC, a wholly owned subsidiary of McAfee, Inc., registered in the U.S. and in other countries. Neither McAfee nor Secure Computing, LLC, has consented to the use or reference to this trademark by the author outside of this guide.

Apache is a trademark of The Apache Software Foundation.

This plan, as well as content for the completed guide, will include material drawn from the Fedora 10 Security-Enhanced Linux User Guide. That guide was written by Murray McAllister and Daniel Walsh; its technical editors include Dominick Grift, Eric Paris, and James Morris. Any edits or changes in this plan or the completed guide were made by Murray McAllister. Refer to the original document for details and for the text as it was first released.

Introduction

Brief Introduction to SELinux

Copy bits from "Chapter 2. Introduction" of the Fedora 10 Security-Enhanced Linux User Guide. <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/>.

Brief Introduction to Confined and Unconfined Services

Copy first/second paragraphs from the "Chapter 4. Targeted Policy", "4.1. Confined Processes", and "4.2. Unconfined Processes" sections of the Fedora 10 Security-Enhanced Linux User Guide. <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/>.

Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.

The Apache HTTP Server

From the Apache HTTP Server Project page <http://httpd.apache.org/>:

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards [1].

In Fedora, the httpd package provides the Apache HTTP Server. If you want to use the Apache HTTP Server, and the httpd package is not installed, run the following command as the Linux root user to install it:

yum install httpd

[1] From the "The Number One HTTP Server On The Internet" section of the Apache HTTP Server Project page: <http://httpd.apache.org/>. Copyright © 2009 The Apache Software Foundation. Accessed 19 January 2009.

The Apache HTTP Server and SELinux

When SELinux is enabled, the Apache HTTP Server (httpd) runs confined by default. Confined services run in their own domains, and are separated from other confined services. To view the httpd process running in its own domain:

  1. Run the getenforce command to confirm SELinux is running in enforcing mode:
    $ getenforce
    Enforcing
    

The getenforce command returns Enforcing when SELinux is running in enforcing mode.

  2. As the Linux root user, run the "service httpd start" command to start the service.
  3. Run the "ps -eZ | grep httpd" command to view the httpd processes:
    $ ps -eZ | grep httpd
    unconfined_u:system_r:httpd_t:s0 2491 ?        00:00:00 httpd
    unconfined_u:system_r:httpd_t:s0 2493 ?        00:00:00 httpd
    unconfined_u:system_r:httpd_t:s0 2494 ?        00:00:00 httpd
    unconfined_u:system_r:httpd_t:s0 2495 ?        00:00:00 httpd
    unconfined_u:system_r:httpd_t:s0 2496 ?        00:00:00 httpd
    unconfined_u:system_r:httpd_t:s0 2497 ?        00:00:00 httpd
    unconfined_u:system_r:httpd_t:s0 2498 ?        00:00:00 httpd
    unconfined_u:system_r:httpd_t:s0 2499 ?        00:00:00 httpd
    unconfined_u:system_r:httpd_t:s0 2500 ?        00:00:00 httpd
    

This output shows that "unconfined_u:system_r:httpd_t:s0" is the SELinux context associated with the httpd process. The second-to-last part, "httpd_t", is the type. A type defines a domain for processes and a type for files. In this case, the httpd process is running in the "httpd_t" domain.

SELinux policy defines how processes running in confined domains, for example, httpd_t, interact with files, other processes, and the system in general. Files must be labeled correctly to allow httpd access to them. For example, httpd can read files labeled with the httpd_sys_content_t type, but can not write to them, even if Linux permissions allow write access. Booleans must be turned on to allow certain behavior, such as allowing scripts network access, httpd accessing NFS and CIFS file systems, and httpd being allowed to execute Common Gateway Interface (CGI) scripts.

If httpd.conf is configured to make httpd listen on a port other than TCP ports 80, 443, 488, 8008, 8009, and 8443, the "semanage port" command must be used to add the new port number to SELinux policy configuration. If the new port number is not added to policy, httpd fails to start.

Types

Type Enforcement is the main permission control used in SELinux targeted policy. The following example creates a new file in the /var/www/html/ directory, and shows that the file inherited the httpd_sys_content_t type from its parent directory (/var/www/html/):

  1. Run the "ls -dZ /var/www/html" command to view the SELinux context of the /var/www/html/ directory:
    $ ls -dZ /var/www/html/
    drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
    
  2. As the Linux root user, run the "touch /var/www/html/file1" command to create a new file.
  3. Run the "ls -Z /var/www/html/file1" command to view the SELinux context:
    $ ls -Z /var/www/html/file1
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
    

The "ls -Z" command shows that file1 is labeled with the httpd_sys_content_t type. SELinux allows httpd to read files labeled with this type, but not write to them, even if Linux permissions allow write access. SELinux policy defines what types a process running in the httpd_t domain (the domain httpd runs in) can read and write to. This helps prevent processes from accessing files intended for use by another process. For example, httpd can access files labeled with the httpd_sys_content_t type (intended for the Apache HTTP Server), but by default, can not access files labeled with the samba_share_t type (intended for Samba). Also, files in user home directories are labeled with the user_home_t type: this prevents httpd from being used to read files in user home directories.

Common types available for use with httpd:

  • httpd_sys_content_t: files and directories labeled with this type are accessible to httpd, as well as scripts executed by httpd. By default, files created in or copied into the /var/www/html/ directory are labeled with the httpd_sys_content_t type. By default, files and directories labeled with this type can not be written to or modified by httpd, or other processes.
  • httpd_sys_script_exec_t: files labeled with this type are executable by httpd. This type is commonly used for Common Gateway Interface (CGI) scripts in the /var/www/cgi-bin/ directory. The httpd_enable_cgi Boolean must be turned on to allow httpd to execute scripts.
    • do httpd_sys_script_exec_t labeled files transition to httpd_sys_script_t domain when executed?
    • what are sys types, "access to all sys types"?
  • httpd_sys_content_rw_t: files labeled with this type can be written to by scripts labeled with the httpd_sys_script_exec_t type. Label files with the httpd_sys_content_rw_t type if you want scripts, labeled with the httpd_sys_script_exec_t type, to write data to them. The httpd_sys_content_rw_t type only allows files to be written to by scripts labeled with the httpd_sys_script_exec_t type.
    • does this overwrite the contents of the file if it exists?
  • httpd_sys_content_ra_t: files labeled with this type can be appended to by scripts labeled with the httpd_sys_script_exec_t type. Label files with the httpd_sys_content_ra_t type if you want scripts, labeled with the httpd_sys_script_exec_t type, to append data to them. The httpd_sys_content_ra_t type only allows files to be appended to by scripts labeled with the httpd_sys_script_exec_t type.
  • httpd_unconfined_script_exec_t: scripts labeled with this type run without SELinux protection. Only use this type for complex scripts, after exhausting all other options. It is better to use this type instead of turning SELinux protection off for httpd, or for the entire system.
  • allow httpd to write image files (directory labeled with the httpd_tmp_t type?).
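An added check, not part of this draft or the Fedora guide: the script below parses "ls -Z" output for a document root and flags every file whose type is not one of the httpd types listed above, so a mislabeled file (default_t, user_home_t, samba_share_t) is found before httpd is denied access. The listing is a constructed sample, and the allowed-type list is my reading of this section.

```shell
#!/bin/sh
# Constructed sample of "ls -Z" output for a document root (not captured from a
# real system); same column layout as the listings on this page.
SAMPLE_LS_Z='-rw-r--r--  root root system_u:object_r:httpd_sys_content_t:s0 /my/website/index.html
-rw-r--r--  root root unconfined_u:object_r:default_t:s0 /my/website/about.html
-rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t:s0 /my/website/cgi-bin/form.cgi
-rw-rw-r--  apache apache system_u:object_r:httpd_sys_content_rw_t:s0 /my/website/data/counter.txt
-rw-r--r--  root root system_u:object_r:samba_share_t:s0 /my/website/shared.txt
-rw-r--r--  user1 user1 unconfined_u:object_r:user_home_t:s0 /my/website/notes.txt'

# Types the Types section above lists as usable by httpd (read, write, append,
# or execute); anything else under the document root is flagged.
HTTPD_TYPES='httpd_sys_content_t httpd_sys_content_rw_t httpd_sys_content_ra_t httpd_sys_script_exec_t'

# selinux_type CONTEXT -> the type field of a user:role:type:level context
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_httpd_type TYPE -> exit 0 when TYPE is in HTTPD_TYPES
is_httpd_type() {
    for t in $HTTPD_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# audit_labels reads "ls -Z" lines on stdin and prints "PATH TYPE" for each
# file whose type httpd_t cannot access, whatever the Linux permissions say.
audit_labels() {
    while read -r mode owner group ctx path; do
        [ -z "$path" ] && continue
        ftype=$(selinux_type "$ctx")
        is_httpd_type "$ftype" || printf '%s %s\n' "$path" "$ftype"
    done
}

# count_mislabeled -> number of flagged entries in the constructed sample
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LS_Z" | audit_labels | wc -l | tr -d ' '
}

# For every flagged path, the persistent fix from this page is:
#   semanage fcontext -a -t httpd_sys_content_t "PATH"; restorecon -v "PATH"
printf '%s\n' "$SAMPLE_LS_Z" | audit_labels
```

On a real host, replace the sample with "ls -RZ /var/www/html | audit_labels" and review each flagged path before relabeling it, since some (such as user_home_t) may be files that should never be served.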

The type for files and directories can be changed with the chcon command. Changes made with chcon do not survive a file system relabel or the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. The following example demonstrates creating a new directory and an index.html file for use by httpd, and labeling that file and directory to allow httpd access to them:

  1. Create a new top-level directory structure to store files to be used by httpd:
    # mkdir -p /my/website/
    
  2. Files and directories that do not match any other pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services:
    $ ls -dZ /my/
    drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /my/
    
  3. As the Linux root user, run the chcon -R -t httpd_sys_content_t /my/ command to change the type of the /my/ directory and subdirectories, to a type accessible to httpd. Now, files created under /my/website/ inherit the httpd_sys_content_t type, rather than the default_t type, and are therefore accessible to httpd:
    # chcon -R -t httpd_sys_content_t /my/
    # touch /my/website/index.html
    $ ls -Z /my/website/index.html 
    -rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /my/website/index.html
    

Refer to the Temporary Changes: chcon section of the Fedora 10 SELinux User Guide for further information on chcon.

Use the semanage fcontext command to make label changes that survive a relabel and the restorecon command. This command adds changes to file-context configuration. To make the label change, run the restorecon command, which reads file-context configuration. The following example demonstrates creating a new directory and an index.html file for use by httpd, and persistently changing the label of that directory and file to allow httpd access to them:

  1. Create a new top-level directory structure to store files to be used by httpd:
    # mkdir -p /my/website/
    
  2. As the Linux root user, run the following command to add the label change to file-context configuration:
    # semanage fcontext -a -t httpd_sys_content_t "/my/website(/.*)?"
    

The "/my/website(/.*)?" expression means that the label change applies to the /my/website/ directory, as well as all files and directories under it.

  3. As the Linux root user, run the touch /my/website/index.html command to create a new file.
  4. As the Linux root user, run the restorecon -R -v /my/website/ command to make the label changes (restorecon reads file-context configuration, which was modified by the semanage command in step 2):
    # restorecon -R -v /my/website/
    restorecon reset /my/website context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /my/website/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    

Refer to the Persistent Changes: semanage fcontext section of the Fedora 10 SELinux User Guide for further information on semanage.

Booleans

Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.

Common Booleans available to cater for the way httpd is running:

  • httpd_enable_cgi: by default, SELinux prevents httpd from executing CGI scripts. To allow httpd to execute CGI scripts:
    • label the desired scripts with the httpd_sys_script_exec_t type (or, if all other options are exhausted, httpd_unconfined_script_exec_t).
    • turn the httpd_enable_cgi Boolean on (setsebool -P httpd_enable_cgi on). Do not use the -P option if you do not want changes to persist across reboots.
  • httpd_enable_homedirs: by default, SELinux prevents httpd from accessing user home directories. To allow access to user home directories, for example, /home/*/public_html/ directories:
    • turn the httpd_enable_homedirs Boolean on.
    • configure /etc/httpd/conf/httpd.conf as desired.
    • create the desired /home/username/public_html/ directory, and set appropriate permissions (link to a document on this).
    • file context configuration defines that directories named www, web, public_html, and public_git under /home/*/, are to be labeled with the httpd_sys_content_t type:
      $ grep public_html /etc/selinux/targeted/contexts/files/*
      /etc/selinux/targeted/contexts/files/file_contexts.homedirs:/home/[^/]*/((www)|(web)|(public_html)|(public_git))(/.+)?  system_u:object_r:httpd_user_content_t:s0
      
    • since a context is already defined, run either the "restorecon -R -v /home/username/public_html/" or the "chcon -R -t httpd_sys_content_t /home/username/public_html/" command to change the type to one accessible to httpd.
  • httpd_tty_comm: required for SSL.
  • httpd_unified: what is "httpd context"? All httpd_*?
  • httpd_can_sendmail: off by default, which prevents HTTP modules from sending mail; this can prevent spam attacks should a vulnerability be found in httpd.
  • httpd_builtin_scripting: what is built in scripting?
  • httpd_can_network_connect: allow HTTP scripts and modules to connect to the network. Off by default. What is the difference between this and httpd_can_network_connect_db?
  • httpd_can_network_relay: allow httpd to act as a relay. This must be turned on when httpd is being used as a forward or reverse proxy? <http://httpd.apache.org/docs/2.0/mod/mod_proxy.html>
  • httpd_use_cifs: access content on CIFS file systems that are labeled with the cifs_t type, such as file systems mounted via Samba.
  • httpd_use_nfs: access content on NFS file systems that are labeled with the nfs_t type, such as file systems mounted via NFS.
  • httpd_enable_ftp_server: what labeling does this require?
  • allow_httpd_anon_write: allow httpd to write to files labeled with the public_content_rw_t type.
  • allow_httpd_sys_script_anon_write: allow scripts (CGI?) to write to files labeled with the public_content_rw_t type.

Configuration Examples

  • share files between Apache HTTP Server, FTP, and Samba:
    • label files with the public_content_t type to allow Apache HTTP Server, FTP, and Samba to access them.
    • label files with the public_content_rw_t type to allow Apache HTTP Server, FTP, and Samba write access to them.
    • Booleans must be set for each domain to allow write access to files labeled with the public_content_rw_t type. These Booleans use the allow_domain_anon_write naming convention, for example, allow_httpd_anon_write for the Apache HTTP Server, and allow_smbd_anon_write for Samba. These Booleans are off by default.
  • serve mounted ISOs via httpd (mount /dev/cd-rom-device /mount/point -o context="system_u:object_r:httpd_sys_content_t:s0").
  • make only httpd run permissive (add: "semanage permissive -a httpd_t". remove: "semanage permissive -d httpd_t").
    • explain files are created with the correct context when using permissive domains (unlike disable trans Booleans).
    • benefits: do not have to run the whole system in permissive mode to troubleshoot issues. Refer to the Permissive Domains section of the Fedora 10 SELinux User Guide for possible text to use...
  • change the port httpd listens on:
    • configure /etc/httpd/conf/httpd.conf
    • list ports: semanage port -l | grep http_port_t
    • add port to policy configuration: semanage port -a -t http_port_t -p tcp 7777
    • remove added port from policy configuration: semanage port -d -t http_port_t -p tcp 7777
    • if port is changed in httpd.conf and that port does not exist in policy configuration for http_port_t, httpd fails to start.
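As an added check (not from this draft or the Fedora guide), the script below compares the Listen ports in httpd.conf with the ports policy assigns to http_port_t and prints the "semanage port -a" command from this section for each port that is missing. Both inputs are constructed samples; the port list is the one given on this page, with 7777 deliberately left out.

```shell
#!/bin/sh
# Constructed sample of /etc/httpd/conf/httpd.conf (not a real configuration):
# httpd is set to listen on 80, 7777 and 443; the 8080 line is commented out.
SAMPLE_HTTPD_CONF='ServerRoot "/etc/httpd"
Listen 80
Listen 127.0.0.1:7777
#Listen 8080
Listen 443 https'

# Constructed sample of "semanage port -l | grep http" output, using the port
# list given on this page; 7777 has not been added to http_port_t.
SAMPLE_SEMANAGE_PORTS='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 8118, 10001-10010'

# listen_ports reads httpd.conf text on stdin and prints one port per Listen
# directive ("Listen 80", "Listen 1.2.3.4:80", "Listen [::1]:80 https");
# commented-out lines are skipped.
listen_ports() {
    awk '$1 == "Listen" { p = $2; sub(/^.*:/, "", p); print p }'
}

# http_port_t_ports reads semanage output on stdin and prints each tcp port or
# lo-hi range assigned to http_port_t, one per line.
http_port_t_ports() {
    awk '$1 == "http_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); print p }
    }'
}

# port_in_list PORT FILE -> exit 0 if PORT equals a port or falls in a range in FILE
port_in_list() {
    awk -v port="$1" '
        index($0, "-") { split($0, r, "-"); if (port+0 >= r[1]+0 && port+0 <= r[2]+0) found = 1 }
        !index($0, "-") && $0+0 == port+0 { found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# missing_ports prints every Listen port that policy does not label http_port_t;
# httpd fails to start in enforcing mode while any of these remain.
missing_ports() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SEMANAGE_PORTS" | http_port_t_ports > "$tmp"
    printf '%s\n' "$SAMPLE_HTTPD_CONF" | listen_ports | while read -r port; do
        port_in_list "$port" "$tmp" || printf '%s\n' "$port"
    done
    rm -f "$tmp"
}

# suggested_fixes prints the command from this page that adds each missing port
suggested_fixes() {
    missing_ports | while read -r port; do
        printf 'semanage port -a -t http_port_t -p tcp %s\n' "$port"
    done
}

suggested_fixes
```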

Samba

From the Samba website <http://us1.samba.org/samba/>:

Samba is an Open Source/Free Software suite that has, since 1992, provided file and print services to all manner of SMB/CIFS clients, including the numerous versions of Microsoft Windows operating systems. Samba is freely available under the GNU General Public License[1].

In Fedora 11, the samba package provides the Samba server. If you want to use the Samba server, and the samba package is not installed, run the following command as the Linux root user to install it:

yum install samba

[1] The Samba website: <http://us1.samba.org/samba/>. Accessed 20 January 2009.

Samba and SELinux

When running SELinux, Samba runs confined by default. SELinux policy defines how the Samba server, smbd, interacts with files, processes, and with the system in general. Files and directories must be labeled correctly so they can be exported through Samba. Booleans must be set to allow home directories and NFS file systems to be exported through Samba, as well as to allow Samba to act as a domain controller. The "semanage port" command is required to allow smbd to listen on ports other than TCP ports 137, 138, 139, and 445.

Types

  • samba_share_t: use this type on files and directories that you want to share through Samba. Read and write permissions are controlled in /etc/samba/smb.conf and by standard Linux permissions.
  • samba_etc_t: used on certain files under /etc/samba/, such as smb.conf. Do not manually label files with the samba_etc_t type. If files under /etc/samba/ are not labeled correctly, run the restorecon -R -v /etc/samba/ command as the Linux root user to restore such files to their default contexts. If /etc/samba/smb.conf is not labeled with the samba_etc_t type, the service smb start command may fail and an SELinux denial may be logged. The following is an example denial logged to /var/log/messages, when /etc/samba/smb.conf was labeled with the httpd_sys_content_t type:
    setroubleshoot: SELinux is preventing smbd (smbd_t) "read" to ./smb.conf (httpd_sys_content_t). For complete SELinux messages. run sealert -l deb33473-1069-482b-bb50-e4cd05ab18af
    
  • samba_log_t: this type is used on log files in the /var/log/samba/ directory, and should not have to be changed manually. If files in the /var/log/samba/ directory are labeled with the wrong type, run the restorecon -R -v /var/log/samba/ command as the Linux root user to restore such files to their default contexts.

Booleans

Note: SELinux denials are not logged if Linux permissions deny access first.

  • use "semanage boolean -l | grep smb" and "semanage boolean -l | grep samba" as a base. man samba_selinux.
  • samba_export_all_ro: export any file or directory, allowing read-only permissions. This allows files and directories that are not labeled with the samba_share_t type to be shared through Samba. Permissions in /etc/samba/smb.conf and Linux permissions must be set accordingly.
  • samba_export_all_rw: export any file or directory, allowing read and write permissions. This allows files and directories that are not labeled with the samba_share_t type to be exported through Samba. Permissions in /etc/samba/smb.conf and Linux permissions must be set accordingly.
  • samba_domain_controller: turn this Boolean on if you want to use Samba as a domain controller. (Look into functions, such as password changes, that would fail if this Boolean is turned off).
  • differences between use_samba_home_dirs, samba_create_home_dirs, and samba_enable_home_dirs. When to use use_samba_home_dirs, samba_create_home_dirs, and samba_enable_home_dirs.

Configuration Examples

Check Samba tutorials (sharing printers, home directories, and so on), and make sure SELinux does not cause problems. Document workarounds/labeling/Booleans if problems arise.

Only set the samba_share_t type on files and directories that you have created, such as /mysambashare.

Share files and directories that you have created:

  • mkdir /mysambashare
  • semanage fcontext -a -t samba_share_t "/mysambashare(/.*)?"
  • restorecon -R -v /mysambashare/

Do not label system files and directories with the samba_share_t type. Doing so may cause SELinux to deny legitimate access or, potentially, allow Samba more access than required or desired. To share system files and directories read only:

  • temporary: setsebool samba_export_all_ro on
  • persistent: setsebool -P samba_export_all_ro on

To share system files and directories, allowing read and write permissions:

  • temporary: setsebool samba_export_all_rw on
  • persistent: setsebool -P samba_export_all_rw on

Domain controller (authenticating users, sharing printers and files?).

File Transfer Protocol (FTP) Server

From the Red Hat Enterprise Linux Deployment Guide[1]:

File Transfer Protocol (FTP) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands[2].

The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. Its ability to handle large numbers of connections efficiently and securely is why vsftpd is the only stand-alone FTP distributed with Red Hat Enterprise Linux[3].

In Fedora, the vsftpd package provides the Very Secure FTP daemon. If you want an FTP server, and the vsftpd package is not installed, run the following command as the Linux root user to install it:

yum install vsftpd

[1] <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/index.html>

[2] The first paragraph of "Chapter 23. FTP" of the Red Hat Enterprise Linux 5 Deployment Guide: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-ftp.html. Copyright © 2007 Red Hat, Inc.

[3] The first paragraph of the "23.2.1. vsftpd" section of the Red Hat Enterprise Linux 5 Deployment Guide: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-ftp-servers.html#s2-ftp-servers-vsftpd. Copyright © 2007 Red Hat, Inc.

FTP and SELinux

When running SELinux, the FTP server, vsftpd, runs confined by default. SELinux policy defines how vsftpd interacts with files, processes, and with the system in general. For example, when an authenticated user logs in via FTP, they can not read from or write to files in their home directories: SELinux prevents vsftpd from accessing user home directories by default. Also, by default, vsftpd does not have access to NFS or CIFS file systems, and anonymous users do not have write access, even if such write access is configured in "/etc/vsftpd/vsftpd.conf". Booleans can be turned on to allow the previously mentioned access. Also, the "semanage port" command is required to allow vsftpd to use a different data port, other than TCP port 20.

Types

By default, anonymous users have access to the /var/ftp/ directory when they log in via FTP. This directory is labeled with the public_content_t type, allowing only read access, even if write access is configured in "/etc/vsftpd/vsftpd.conf". Note: the public_content_t type is accessible to other services, such as Apache HTTP Server, Samba, and NFS. The following types are used for sharing files through FTP:

  • public_content_t: label files and directories you have created with the public_content_t type to share them read-only through vsftpd. Other services, such as Apache HTTP Server, Samba, and NFS, also have access to files labeled with this type. Files labeled with the public_content_t type can not be written to, even if Linux permissions allow write access. If you require write access, use the public_content_rw_t type.
  • public_content_rw_t: label files and directories you have created with the public_content_rw_t type to share them with read and write permissions through vsftpd. Other services, such as Apache HTTP Server, Samba, and NFS, also have access to files labeled with this type; however, Booleans for each service must be turned on before such services can write to files labeled with this type.

Booleans

  • ftp_home_dir: when an authenticated user logs in via FTP, they can not read from or write to files in their home directories: SELinux prevents vsftpd from accessing user home directories by default. Turn this Boolean on to allow authenticated users to read and write to files in their home directories. [ Give an example of the error when running "ls" and the ftp_home_dir Boolean is off. ]
  • allow_ftpd_full_access: allows authenticated users (logged in via FTP) to potentially read and write to all files on a system, even if those files are not labeled with the public_content_t or public_content_rw_t types. When the allow_ftpd_full_access Boolean is turned on, only Linux permissions are used to control access. Use this Boolean with caution.
  • allow_ftpd_use_cifs: by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the cifs_t type. Turning this Boolean on allows vsftpd to access files and directories labeled with the cifs_t type; therefore, turning this Boolean on allows you to share file systems mounted via Samba through vsftpd.
  • allow_ftpd_use_nfs: by default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the nfs_t type. Turning this Boolean on allows vsftpd to access files and directories labeled with the nfs_t type; therefore, turning this Boolean on allows you to share file systems mounted via NFS through vsftpd.

Configuration Examples

Create an FTP site to allow a dedicated user to upload files. This FTP site is then shared via the Apache HTTP Server. This example creates a new top-level directory to store files for the FTP site and a website:

  1. Create a new top-level directory structure:
    # mkdir -p /myftp/pub
    
  2. Set Linux permissions on the /myftp/pub/ directory to allow a Linux user write access. This example changes the owner and group from "root" to owner "user1" and group "root". The "user1" user is the Linux user you want to give write access to:
    # chown user1:root /myftp/pub
    # chmod 775 /myftp/pub
    

The chown command changes the owner and group. The chmod command changes the mode, giving the Linux user1 user read, write, and execute permissions, and members of the root group read, write, and execute permissions. Everyone else has read and execute permissions - this is required to allow the Apache HTTP Server to read files from this directory.

  3. When running SELinux, files and directories must be labeled correctly to allow access. Setting Linux permissions is not enough. Files labeled with the public_content_t type can be read by FTP, Apache HTTP Server, Samba, and so on. Files labeled with the public_content_rw_t type can be written to by FTP. Other services, such as Samba, require Booleans to be set before they can write to files labeled with the public_content_rw_t type.

     Label the top-level directory (/myftp/) with the public_content_t type, to prevent newly-created files under /myftp/ or copied files from being written to or modified by services:
    # semanage fcontext -a -t public_content_t /myftp
    # restorecon -R -v /myftp/
    restorecon reset /myftp context system_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
    
  4. Confirm /myftp/ is labeled with the public_content_t type, and /myftp/pub is labeled with the default_t type:
    $ ls -dZ /myftp
    drwxr-xr-x  root root system_u:object_r:public_content_t:s0 /myftp
    $ ls -dZ /myftp/pub
    drwxrwxr-x  user1 root system_u:object_r:default_t:s0   /myftp/pub
    
  5. Label the /myftp/pub/ directory with the public_content_rw_t type, to allow files to be uploaded via FTP:
    # semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"
    # restorecon -R -v /myftp/
    restorecon reset /myftp/pub context system_u:object_r:default_t:s0->system_u:object_r:public_content_rw_t:s0
    
  6. Confirm /myftp/ is labeled with the public_content_t type, and /myftp/pub/ is labeled with the public_content_rw_t type:
    $ ls -dZ /myftp
    drwxr-xr-x  root root system_u:object_r:public_content_t:s0 /myftp
    $ ls -dZ /myftp/pub
    drwxrwxr-x  user1 root system_u:object_r:public_content_rw_t:s0 /myftp/pub
    
  7. Run the "echo "Hello" >> /myftp/pub/file1" command to create a new text file.
  8. Change into the /var/www/html/ directory. As the Linux root user, run the "ln -s /myftp/pub/file1 file1" command to create a symbolic link to /myftp/pub/file1.
  9. Using a web browser, navigate to http://localhost/file1. Since /myftp/pub/file1 is labeled with the public_content_rw_t type, the Apache HTTP Server can read this file.

Reminders:

  • the ftp_home_dir Boolean must be turned on if you are uploading files from a home directory.
  • turn the allow_httpd_anon_write Boolean on to allow httpd to write to files labeled with the public_content_rw_t type.
  • turn the allow_httpd_sys_script_anon_write Boolean on to allow CGI scripts to write to files labeled with the public_content_rw_t type.

Network File System (NFS)

From the Red Hat Enterprise Linux Deployment Guide[1]:

A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network[2].

In Fedora, the nfs-utils package provides the NFS server. If you want an NFS server, and the nfs-utils package is not installed, run the following command as the Linux root user to install it:

yum install nfs-utils

[1] <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/index.html>

[2] <http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-nfs.html> accessed 27 January 2009.

NFS and SELinux

When using SELinux targeted policy, NFS can share file systems with read and write permissions by default. When running the MLS policy, SELinux prevents NFS from sharing files and directories. Booleans can be turned on to allow files and directories to be mounted read-only and read-write, or turned off to prevent NFS from sharing files or directories.

Types

  • by default, NFS mounts on the client side are labeled with a default context defined by policy for NFS file systems. In common policies, this default context uses the nfs_t type. [1]

[1] <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html>

Booleans

  • use "semanage boolean -l | grep nfs" as a base; see man nfs_selinux.
  • use_nfs_home_dirs to use an NFS-mounted home directory.
  • nfs_export_all_ro to allow files and directories to be exported read-only.
  • nfs_export_all_rw to allow files and directories to be exported read-write.

Configuration Examples

DNS: Berkeley Internet Name Domain (BIND)

From the Internet Systems Consortium, Inc. (ISC)[1] website:

BIND is open-source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications[2].

In Fedora, the bind package provides a DNS server. If you want a DNS server, and the bind package is not installed, run the following command as the Linux root user to install it:

yum install bind

[1] <https://www.isc.org/>

[2] <https://www.isc.org/software/bind> accessed 27 January 2009.

BIND and SELinux

The default permissions on the "/var/named/slaves/", "/var/named/dynamic/", and "/var/named/data/" directories allow zone files to be updated via zone transfers and dynamic DNS updates. Files in "/var/named/" are labeled with the named_zone_t type. By default, SELinux policy does not allow the BIND daemon (named) to write to files labeled with the named_zone_t type, which is used for master zone files.

For a slave server, configure /etc/named.conf to place slave zone files in "/var/named/slaves". The following is an example of a domain entry in /etc/named.conf for a slave DNS server that stores the zone file for "testdomain.com" in "/var/named/slaves/":

zone "testdomain.com" {
    type slave;
    masters { IP-address; };
    file "/var/named/slaves/db.testdomain.com";
};

Notes:

  • if a zone file is labeled named_zone_t, the named_write_master_zones Boolean must be on to allow zone transfers and dynamic DNS to update that file. Also, the mode of the parent directory has to be changed to allow the named user or group read, write, and execute access.
  • if zone files in /var/named/ are labeled with the named_cache_t type, a file system relabel or running "restorecon -R /var/" will change their type to named_zone_t.

Types

  • named_zone_t: master zone files. Other services cannot modify these; named can only modify them if the named_write_master_zones Boolean is turned on (off by default).
  • named_cache_t: by default, named can write to files labeled with this type, without additional Booleans being set. Files copied or created in the "/var/named/slaves/", "/var/named/dynamic/", and "/var/named/data/" directories are automatically labeled with the named_cache_t type.

Booleans

  • named_write_master_zones: allow named to write to zone files labeled with the named_zone_t type.

Configuration Examples

Dynamic DNS Updates

Use the "/var/named/dynamic/" directory for zone files you want updated via dynamic DNS, for example, using nsupdate to update zone files. Files created in or copied into "/var/named/dynamic/" inherit Linux permissions that allow named to write to them. Also, such files are labeled with the named_cache_t type: SELinux allows named to write to files labeled with the named_cache_t type.

If a zone file in "/var/named/dynamic/" is labeled with the named_zone_t type, dynamic DNS updates may appear to succeed for a certain period of time, as the update is written to a journal file first and then merged. If the zone file is still labeled with the named_zone_t type when the journal is merged, an error such as the following is logged to "/var/log/messages":

named[PID]: dumping master file: rename: /var/named/dynamic/zone-name: permission denied

As well, the following SELinux denial is logged to "/var/log/messages":

setroubleshoot: SELinux is preventing named (named_t) "unlink" to zone-name (named_zone_t). For complete SELinux messages.

To resolve this labeling issue, run the restorecon -R -v /var/named/dynamic command as the Linux root user.
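As an added example (not part of the original page), the following POSIX shell check detects the labeling problem described above before it breaks an update: it reads "context path" lines such as those printed by "stat -c '%C %n'" and flags every file under the three writable BIND directories whose type is not named_cache_t. The file names in the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. check_named_labels reads
# "context path" lines on stdin (one per file, as printed by
# stat -c '%C %n') and reports every file under /var/named/slaves,
# /var/named/dynamic or /var/named/data whose SELinux type is not
# named_cache_t. Those are the files that make dynamic DNS updates
# and zone transfers fail with the "permission denied" errors above.
# Returns 0 when all files are labeled as expected, 1 otherwise.
check_named_labels() {
    status=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        # the type is the third colon-separated field of a context,
        # e.g. system_u:object_r:named_cache_t:s0 -> named_cache_t
        setype=$(printf '%s' "$ctx" | cut -d: -f3)
        case "$path" in
            /var/named/slaves/*|/var/named/dynamic/*|/var/named/data/*)
                if [ "$setype" != "named_cache_t" ]; then
                    printf 'MISLABELED %s (%s, expected named_cache_t)\n' \
                        "$path" "$setype"
                    status=1
                fi
                ;;
        esac
    done
    return "$status"
}

# Constructed sample listing standing in for the real directories; on a
# BIND host you would instead feed the function with:
#   find /var/named/slaves /var/named/dynamic /var/named/data -type f \
#       -exec stat -c '%C %n' {} + | check_named_labels
sample_listing() {
    printf '%s\n' \
        'system_u:object_r:named_cache_t:s0 /var/named/dynamic/db.testdomain.com' \
        'unconfined_u:object_r:named_zone_t:s0 /var/named/dynamic/db.example.net' \
        'system_u:object_r:named_cache_t:s0 /var/named/slaves/db.testdomain.com'
}

# Report mislabeled files and point at the fix the page gives.
sample_listing | check_named_labels || \
    echo 'fix with: restorecon -R -v /var/named/dynamic'
```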