Selinux allowing write to httpd_sys_content_t in enforcing mode

jeremyardley
Posts: 14
Joined: 2011/09/19 03:30:11

Selinux allowing write to httpd_sys_content_t in enforcing mode

Postby jeremyardley » 2017/07/16 23:57:47

My problem is that an e-commerce site I'm setting up allows the administrator to edit some configuration files through the web interface.

These files are labeled with the read-only label httpd_sys_content_t. It should not be possible for files of that label type to be modified by the web server (nginx / php-fpm).

See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Types.html

I have other files that have been blocked and I've had to make special rules - e.g. the latest release of targeted policy prevents nginx writing to the php-fpm socket.

My system details

Code:

sestatus

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

semanage boolean -l | grep http

httpd_can_network_relay        (off  ,  off)  Allow httpd to act as a relay
httpd_can_network_connect_db   (off  ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_use_gpg                  (off  ,  off)  Allow httpd to run gpg in gpg-web domain
httpd_dbus_sssd                (off  ,  off)  Allow Apache to communicate with sssd service via dbus
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
httpd_verify_dns               (off  ,  off)  Allow Apache to query NS records
httpd_use_cifs                 (off  ,  off)  Allow httpd to access cifs file systems
allow_httpd_mod_auth_pam       (off  ,  off)  Allow Apache to use mod_auth_pam
httpd_run_stickshift           (off  ,  off)  Allow Apache to run in stickshift mode, not transition to passenger
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories
allow_httpd_sys_script_anon_write (off  ,  off)  Allow apache scripts to write to public content.  Directories/Files must be labeled public_rw_content_t.
httpd_dbus_avahi               (on   ,   on)  Allow Apache to communicate with avahi service via dbus
httpd_unified                  (on   ,   on)  Unify HTTPD handling of all content files.
httpd_builtin_scripting        (on   ,   on)  Allow httpd to use built in scripting (usually php)
httpd_use_fusefs               (off  ,  off)  Allow httpd to access FUSE file systems
httpd_can_network_connect      (on   ,   on)  Allow HTTPD scripts and modules to connect to the network using TCP.
httpd_tty_comm                 (on   ,   on)  Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.
allow_httpd_anon_write         (on   ,   on)  Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_rw_content_t.
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
httpd_use_nfs                  (off  ,  off)  Allow httpd to access nfs file systems
httpd_tmp_exec                 (off  ,  off)  Allow Apache to execute tmp content.
httpd_run_preupgrade           (off  ,  off)  Allow Apache to run preupgrade
httpd_manage_ipa               (off  ,  off)  Allow httpd processes to manage IPA content
httpd_can_sendmail             (on   ,   on)  Allow http daemon to send mail
httpd_can_check_spam           (off  ,  off)  Allow http daemon to check spam
named_bind_http_port           (off  ,  off)  Allow BIND to bind apache port.
httpd_can_network_memcache     (off  ,  off)  Allow httpd to connect to memcache server
httpd_can_network_connect_cobbler (off  ,  off)  Allow HTTPD scripts and modules to connect to cobbler over the network.
httpd_serve_cobbler_files      (off  ,  off)  Allow HTTPD scripts and modules to server cobbler files.
awstats_purge_apache_log_files (off  ,  off)  Determine whether awstats can purge httpd log files.
httpd_execmem                  (off  ,  off)  Allow httpd scripts and modules execmem/execstack
httpd_ssi_exec                 (off  ,  off)  Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
httpd_use_openstack            (off  ,  off)  Allow httpd to access openstack ports
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to act as a FTP server by listening on the ftp port.
allow_httpd_mod_auth_ntlm_winbind (off  ,  off)  Allow Apache to use mod_auth_ntlm_winbind
httpd_setrlimit                (off  ,  off)  Allow httpd daemon to change system limits


# Alterable files :-
ls -lZ
-rw-r--r--. nginx nginx system_u:object_r:httpd_sys_content_t:s0 define_checkout_success.php
-rw-r--r--. nginx nginx system_u:object_r:httpd_sys_content_t:s0 define_conditions.php


jeremyardley
Posts: 14
Joined: 2011/09/19 03:30:11

Re: Selinux allowing write to httpd_sys_content_t in enforcing mode

Postby jeremyardley » 2017/07/18 14:18:03

I've found the explanation.

The SE Boolean httpd_unified allows the httpd process to write to web content even when the content is labelled with the read-only httpd_sys_content_t label.

This boolean is turned off by default in RHEL 7 but is on by default in RHEL 6 (my problem system).

Further information from Dan Walsh:

http://danwalsh.livejournal.com/56760.html
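As an added example (not part of the thread or of any SELinux tool), a small POSIX shell audit that parses the `semanage boolean -l` listing format shown above, reports which write-widening httpd booleans are currently on, and prints the remediation: turn httpd_unified off persistently and label only the files the application genuinely must edit as httpd_sys_rw_content_t. The SAMPLE lines are excerpted from the listing in the first post; the config directory path is a placeholder to be replaced with the real document root.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit the httpd SELinux booleans
# that let the confined web server write to content, and print the commands
# that keep httpd_sys_content_t read-only.
# SAMPLE is excerpted from the thread's own `semanage boolean -l | grep http`
# output; on a real host use:  LISTING=$(semanage boolean -l | grep http)
SAMPLE='httpd_unified                  (on   ,   on)  Unify HTTPD handling of all content files.
allow_httpd_anon_write         (on   ,   on)  Allow Apache to modify public files used for public file transfer services.
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
allow_httpd_sys_script_anon_write (off  ,  off)  Allow apache scripts to write to public content.'

# Booleans (as named in the thread's listing) that widen what httpd may write.
WRITE_BOOLS='httpd_unified allow_httpd_anon_write allow_httpd_sys_script_anon_write'

# bool_state NAME LISTING -> prints the current state (on/off) of NAME.
# Field 2 of a listing line looks like "(on" or "(off"; strip the "(".
bool_state() {
  printf '%s\n' "$2" | awk -v n="$1" '$1 == n { gsub(/[(,]/, "", $2); print $2; exit }'
}

# risky_write_bools LISTING -> space-separated names of the write-widening
# booleans that are currently "on" (empty string if none).
risky_write_bools() {
  out=""
  for b in $WRITE_BOOLS; do
    if [ "$(bool_state "$b" "$1")" = "on" ]; then
      out="$out $b"
    fi
  done
  printf '%s' "${out# }"
}

# remediation LISTING -> commands that persistently turn each risky boolean
# off, then relabel only the app's editable config directory as
# httpd_sys_rw_content_t (placeholder path) and apply the labels on disk.
remediation() {
  for b in $(risky_write_bools "$1"); do
    echo "setsebool -P $b off"
  done
  echo "semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/app/config(/.*)?'"
  echo "restorecon -Rv /var/www/html/app/config"
}

echo "write-widening booleans on: $(risky_write_bools "$SAMPLE")"
remediation "$SAMPLE"
```

After applying the printed commands, `ls -lZ` on the config directory should show httpd_sys_rw_content_t on the editable files and httpd_sys_content_t everywhere else, and `getsebool httpd_unified` should report off.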

