Working with policies

At the core of every SELinux system are the policies. These are the exact rules that define the access rights and relationships between all our objects. As we have learned earlier, all our system's objects have labels, and one of them is a type identifier that can then be used to enforce rules laid down by policies. In every SELinux-enabled system, by default, all access to any object is prohibited unless a policy rule explicitly permits it. Here, in this process, we will show you how we can query and customize SELinux policies. As you may notice, some of the commands have already been applied in other processes, such as for the httpd or ftpd daemons. Here, you will find out how policies work.

To Start With: What Do You Need?

To complete this process, you will require a working installation of the CentOS 7 operating system with root privileges. It is assumed that you are working through this segment process by process, so by now you should have installed the SELinux tools from the previous process and generated all SELinux man pages for the policies. For our tests here, we will use the Apache web server, so please make sure it is installed and running on your system (refer to the process Installing Apache and serving web pages in Providing Web Services).

The Process

  1. To begin, log in as root and type the following command to show all SELinux Boolean policy settings, filtered by the httpd daemon only:
    semanage boolean -l | grep httpd
  2. To get more information about a specific policy and its contained Booleans, read the corresponding man page; for example, for httpd type the following:
    man httpd_selinux
  3. Here, within the manual pages for the httpd policy, we will, among other things, find detailed information about every httpd policy Boolean available. For example, there is a section about httpd_use_nfs. To toggle single policy features, use the setsebool command together with the policy Boolean name and the on or off parameter, as shown here:
    setsebool httpd_use_nfs on
    setsebool httpd_use_nfs off

How Does It Work?

Here in this process, we have shown you how to work with SELinux Booleans. Remember that SELinux follows the model of least privilege, which means that SELinux policies enable only the minimum set of features an object, such as a system service, needs to perform its task and nothing more. These features of a policy can be controlled (activated or deactivated) using the corresponding SELinux Booleans at runtime, without the need to understand the inner workings of policy writing. It is a concept that makes policies customizable and extremely flexible. In other processes, we have already worked with enabling SELinux Booleans to add special policy features, such as enabling Apache or FTP home directories, which are all disabled by default.

What did we learn from this experience?

SELinux Booleans are like switches to enable or disable certain functionalities in your SELinux policy. We started this process using the semanage command to show all Booleans available on the system, and we filtered by httpd to get only those related to this service. As you can see, there are a huge number of Booleans available in your system, and most of them are disabled or off (the model of least privilege); to get more information about a specific policy and its Boolean values, use the SELinux man pages that we installed in a previous process. Sometimes, it can be difficult to find a specific man page of interest. Use the following command to search for the man page names that are available: man -k _selinux | grep http. In our example, httpd_selinux is the correct man page to get detailed information about the httpd policy. Finally, if we decide to switch a specific SELinux Boolean feature, we will use the setsebool command. You should remember that setting Booleans in this way only works until reboot. To make those settings permanent, use the -P flag, for example, setsebool -P httpd_use_nfs on.
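The -P caveat above is easy to forget. The following script is added here as an example and is not part of the original text or of the SELinux tools themselves: it parses the listing format of semanage boolean -l (the Boolean name, then its current and persistent state in parentheses) and reports every Boolean whose runtime state differs from the stored default, that is, changes made with setsebool but without -P that will silently revert at the next reboot. The sample listing is constructed; on a live CentOS 7 host, pipe the real command into find_unpersisted_booleans instead.

```shell
#!/bin/sh
# Added example: audit "semanage boolean -l" output for SELinux Booleans
# whose runtime state differs from their persistent (default) state.
# The sample below is constructed to mirror the CentOS 7 listing format:
#   name   (current , persistent)  description

SAMPLE_BOOLEANS='SELinux boolean                State  Default Description
httpd_enable_homedirs          (on   ,  off)  Allow httpd to read home directories
httpd_use_nfs                  (off  ,  off)  Allow httpd to access nfs file systems
httpd_can_network_connect      (on   ,   on)  Allow httpd to connect to the network
ftpd_full_access               (off  ,   on)  Allow ftp to full access'

# Print "name current persistent" for each Boolean whose runtime value
# differs from the value in the policy store (it will be lost at reboot).
# Usage on a real host: semanage boolean -l | find_unpersisted_booleans
find_unpersisted_booleans() {
    # Only data lines have a "(on" or "(off" second column; strip the
    # parentheses and compare the current value with the persistent one.
    awk '$2 ~ /^\(/ {
        name = $1
        cur = $2; sub(/^\(/, "", cur)
        def = $4; sub(/\)$/, "", def)
        if (cur != def) print name, cur, def
    }'
}

# Count the Booleans of one service (name prefix, e.g. httpd) that are
# currently switched on, whatever their persistent state.
# Usage on a real host: semanage boolean -l | count_enabled_for httpd
count_enabled_for() {
    awk -v pfx="$1" 'index($1, pfx) == 1 && $2 == "(on" { n++ } END { print n + 0 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_BOOLEANS" | find_unpersisted_booleans
printf 'httpd Booleans currently on: %s\n' \
    "$(printf '%s\n' "$SAMPLE_BOOLEANS" | count_enabled_for httpd)"
```

Every Boolean the first function reports was toggled at runtime only; re-running the same setsebool command with -P (as in the example above) writes the value to the policy store so that the runtime and persistent columns agree again.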

There's more…

With all our knowledge from the previous processes so far, we are now able to show an example where we put everything together. Here, we will see SELinux security contexts and policies in action for the httpd service. If the Apache web server is running, we can get the SELinux domain name of the httpd process using the following line:
ps auxZ | grep httpd

This will show us that the httpd domain (type) is called httpd_t. To get the SELinux label of our web root directory, type in the following command:
ls -alZ /var/www/html

This will tell us that the security context type of our Apache web server’s web root directory is called httpd_sys_content_t. Now, with this information, we can get the exact rules for the Apache domain from our policy:
sesearch --allow | grep httpd_t

This will print out every httpd policy rule available. If we filter the output for the httpd_sys_content_t context type, the following line comes up for files again:
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open }

This shows us which source context (the domain) is allowed to access which target context, and with which access rights. In our example for the Apache web server, this specifies that the httpd process running in the httpd_t domain can open and read (ioctl, read, getattr, lock, open) all the files on the filesystem that carry the httpd_sys_content_t context type (all files in the /var/www/html directory match this criterion). Now, to validate this rule, create a temporary file and move it to the Apache web root directory:
echo "CentOS7 Cookbook" > /tmp/test.txt; mv /tmp/test.txt /var/www/html

Any file inherits the security context of the directory in which it is created. If we had created the file directly in the web root directory, or had copied the file instead of moving it (copying means creating a new file), it would automatically be in the correct httpd_sys_content_t context and fully accessible by Apache. But, as we moved the file from the /tmp directory, it keeps its user_tmp_t type in the web root directory. If you now try to fetch the URL, for example with curl http://localhost/test.txt, you should get a 403 Forbidden message. This is because the user_tmp_t type is not covered by any httpd_t policy rule for file objects and, as said before, everything that is not permitted by a policy rule is blocked by default. To make the file accessible, we will now change its security context label to the correct type:
semanage fcontext -a -t httpd_sys_content_t /var/www/html/test.txt
restorecon -v /var/www/html/test.txt

The semanage fcontext command records the new labelling rule in the policy store, and restorecon applies it to the file on disk. Now fetch curl http://localhost/test.txt again; the file should be accessible and print out the correct text: CentOS7 Cookbook.

Remember that, if you copy a file, the security context type is inherited from the target parent directory. If you want to preserve the original context when copying, use cp --preserve=context instead.
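The 403 above is the policy check made concrete. The following script is added here as an example and is not part of the original text or of the SELinux toolset: it takes rule lines in the format printed by sesearch --allow and file contexts in the format printed by ls -Z, and decides whether the httpd_t domain may open and read a given file. The rule list and the directory listing are constructed samples (the index.html and test.txt entries are assumed, with test.txt carrying the user_tmp_t type it keeps after the mv above); on a real host, substitute the actual command outputs.

```shell
#!/bin/sh
# Added example: evaluate "allow <domain> <type> : <class> { perms }" rules
# against file labels, reproducing the decision SELinux makes when Apache
# tries to serve a file from /var/www/html.

# Constructed sample of "sesearch --allow" output (the first rule is the
# one shown above; the others are assumed for illustration).
SAMPLE_RULES='allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock open }
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search open }
allow httpd_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open }
allow httpd_t httpd_log_t : file { ioctl create getattr setattr lock append open }'

# Constructed sample of "ls -Z /var/www/html": the context column is
# user:role:type:level and the file name is the last field.
SAMPLE_LS='-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test.txt'

# Extract the SELinux type of one file from an ls -Z listing.
# Usage: file_type "<listing>" <filename>
file_type() {
    printf '%s\n' "$1" | awk -v f="$2" '$NF == f { split($4, c, ":"); print c[3] }'
}

# Return 0 if some rule allows <domain> the permission <perm> on
# object class <class> for target <type>, 1 otherwise.
# Usage: is_allowed "<rules>" <domain> <type> <class> <perm>
is_allowed() {
    printf '%s\n' "$1" | awk -v d="$2" -v t="$3" -v cls="$4" -v p="$5" '
        $1 == "allow" && $2 == d && $3 == t && $5 == cls {
            # fields 7..NF hold the permission words between "{" and "}"
            for (i = 7; i <= NF; i++) if ($i == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Would the httpd_t domain be able to open and read the named file?
# Prints "allowed" or "denied (type <type>)" and returns 0 or 1 accordingly.
check_httpd_read() {
    t=$(file_type "$SAMPLE_LS" "$1")
    if is_allowed "$SAMPLE_RULES" httpd_t "$t" file open &&
       is_allowed "$SAMPLE_RULES" httpd_t "$t" file read; then
        echo "allowed"
        return 0
    fi
    echo "denied (type $t)"
    return 1
}

# Stand-alone demonstration on the constructed sample.
for f in index.html test.txt; do
    printf '%s: ' "$f"
    check_httpd_read "$f" || true
done
```

Running it shows index.html as allowed and test.txt as denied because of its user_tmp_t type, which is exactly what relabelling with semanage fcontext and restorecon fixes; the same functions also show that the rule for httpd_sys_content_t grants no write permission, so even a correctly labelled file in the web root is read-only for Apache.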
