Dan Walsh's Blog

Got SELinux?


Security Vs Usability
danwalsh
One of the interesting things about working in the security field is walking the line between security and usability.

On one of the many mailing lists I read, an admin was complaining about his Apache server being hacked.  Some application had been exploited in a way that got apache to write a file into a particular directory and then execute the code it had written.

I decided to look at how SELinux policy controls httpd_t.  I wanted to know which file types httpd_t is allowed to both write and execute.

In Fedora 19, I executed the following command.

> sesearch -A -C -s httpd_t -p execute -c file | grep write
DT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]


This indicates that the apache daemon (httpd_t) is allowed to write and execute files whose label carries the httpdcontent attribute, but only if the httpd_enable_cgi, httpd_unified, and httpd_builtin_scripting booleans are all turned on.

# semanage boolean -l | grep httpd_enable_cgi
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
# semanage boolean -l | grep httpd_unified
httpd_unified                  (off  ,  off)  Unify HTTPD handling of all content files.
# semanage boolean -l | grep httpd_builtin_scripting
httpd_builtin_scripting        (on   ,   on)  Allow httpd to use built in scripting (usually php)


Out of the box we enable httpd_enable_cgi, so cgi scripts will run with your apache server.  We also enable httpd_builtin_scripting, which allows you to run php scripts within the same processes as apache; this also enables other built-in scripting tools like mod_python and mod_perl.

We disable httpd_unified, which, when turned on, gives httpd_t full access to all httpdcontent files.

# seinfo -ahttpdcontent -x
   httpdcontent
      httpd_sys_content_t
      httpd_user_ra_content_t
      httpd_user_rw_content_t
      httpd_sys_ra_content_t
      httpd_sys_rw_content_t
      httpd_user_content_t


So rather than treating each type differently, httpd_unified combines all access.  We used to turn this on by default to help people who did not understand SELinux; it probably still is on in RHEL5 and maybe RHEL6.  But in the latest Fedora and in RHEL7 it is off by default.

If you are running a web site that does not do any scripting, it would probably be advisable to turn off the other two booleans as well.
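As an added example (not part of the original post), here is a POSIX shell script that reads the state of the three booleans from `semanage boolean -l` output, decides whether the conditional write+execute rule on httpdcontent is currently live, and prints the `setsebool -P` commands that turn off the scripting booleans for a site that does no scripting. The function names and the embedded sample listing are constructed; the sample copies the shape of the Fedora 19 session above so the script also runs on a host that has no SELinux tools installed.

```sh
#!/bin/sh
# Added example: evaluate the conditional rule
#   allow httpd_t httpdcontent:file { ... write ... execute ... }
# from the state of the booleans it depends on, and suggest hardening.

# Constructed sample of `semanage boolean -l` output, in the shape of the
# Fedora 19 session in the post (current value, then default, in parentheses).
SAMPLE_BOOLEANS='httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
httpd_unified                  (off  ,  off)  Unify HTTPD handling of all content files.
httpd_builtin_scripting        (on   ,   on)  Allow httpd to use built in scripting (usually php)'

# boolean_state NAME LISTING -> prints the current value ("on"/"off") of NAME,
# taken from the first field inside the parentheses, or "unknown" if absent.
boolean_state() {
    name=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v n="$name" '
        $1 == n {
            sub(/^\(/, "", $2)   # "(on" -> "on"
            print $2; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# write_exec_rule_active LISTING -> returns 0 when the rule is enabled.
# sesearch prints the condition in postfix form,
#   [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
# which is (httpd_enable_cgi && httpd_unified) && httpd_builtin_scripting,
# so the rule is live only when all three booleans are on.
write_exec_rule_active() {
    listing=$1
    for b in httpd_enable_cgi httpd_unified httpd_builtin_scripting; do
        [ "$(boolean_state "$b" "$listing")" = on ] || return 1
    done
    return 0
}

# static_site_hardening LISTING -> prints one `setsebool -P NAME off` line for
# each scripting boolean that is still on; no output means nothing to change.
static_site_hardening() {
    listing=$1
    for b in httpd_enable_cgi httpd_builtin_scripting httpd_unified; do
        if [ "$(boolean_state "$b" "$listing")" = on ]; then
            printf 'setsebool -P %s off\n' "$b"
        fi
    done
}

# current_listing -> live output of `semanage boolean -l` when the tool is
# present (and readable by this user), otherwise the constructed sample.
current_listing() {
    if command -v semanage >/dev/null 2>&1; then
        semanage boolean -l 2>/dev/null || true
    else
        printf '%s\n' "$SAMPLE_BOOLEANS"
    fi
}

main() {
    listing=$(current_listing)
    if write_exec_rule_active "$listing"; then
        echo "WARNING: httpd_t may both write and execute httpdcontent files"
    else
        echo "OK: write+execute on httpdcontent is disabled by boolean state"
    fi
    echo "Suggested for a site with no CGI/PHP:"
    static_site_hardening "$listing"
}

main
```

With the sample listing from the post, httpd_unified is off, so the script reports the rule as disabled and suggests turning off httpd_enable_cgi and httpd_builtin_scripting; run it as root on a real host to see the live values instead.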
