Red Hat Type Enforcement CHCON

Posted under » Linux » Apache » LAMP Security on 27 Dec 2019

The main permission control method used in Redhat SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled. Access is only allowed if a specific SELinux policy rule exists that allows it.

Run the ls -dZ /var/www/html command to view the SELinux context of /var/www/html/:

$ ls -dZ /var/www/html
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

Normally, when you create a file (file.txt) there with touch, this is the default label you see with ls -Z:

$ ls -Z /var/www/html/file.txt
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file.txt

The ls -Z command shows file.txt labeled with the httpd_sys_content_t type. SELinux allows httpd to read files labeled with this type, but not write to them, even if Linux permissions allow write access. SELinux policy defines what types a process running in the httpd_t domain (where httpd runs) can read and write to. This helps prevent processes from accessing files intended for use by another process.

The following lists some of the types used with httpd. Different types allow you to configure flexible access:

httpd_sys_content_t
Use this type for static web content, such as .html files used by a static website. Files labeled with this type are accessible (read only) to httpd and scripts executed by httpd. By default, files and directories labeled with this type cannot be written to or modified by httpd or other processes. Note that by default, files created in or copied into /var/www/html/ are labeled with the httpd_sys_content_t type.

httpd_sys_script_exec_t
Use this type for scripts you want httpd to execute. This type is commonly used for Common Gateway Interface (CGI) scripts in /var/www/cgi-bin/. By default, SELinux policy prevents httpd from executing CGI scripts. To allow this, label the scripts with the httpd_sys_script_exec_t type and enable the httpd_enable_cgi Boolean. Scripts labeled with httpd_sys_script_exec_t run in the httpd_sys_script_t domain when executed by httpd. The httpd_sys_script_t domain has access to other system domains, such as postgresql_t and mysqld_t.

httpd_sys_rw_content_t
Files labeled with this type can be written to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_rw_content_t type to label files that will be read from and written to by scripts labeled with the httpd_sys_script_exec_t type.

httpd_sys_ra_content_t
Files labeled with this type can be appended to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_ra_content_t type to label files that will be read from and appended to by scripts labeled with the httpd_sys_script_exec_t type.

httpd_unconfined_script_exec_t
Scripts labeled with this type run without SELinux protection. Only use this type for complex scripts, after exhausting all other options. It is better to use this type instead of disabling SELinux protection for httpd, or for the entire system.

Changing the SELinux Context CHCON

Run the chcon -R -t httpd_sys_content_t /my/ command as the root user to change the type of the /my/ directory and its subdirectories to a type accessible to httpd:

chcon -R -t httpd_sys_content_t /my/

If you just want to make file.txt readable and writable by httpd scripts, set its type to httpd_sys_rw_content_t:

chcon unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/file.txt
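Before running chcon across a web root, it helps to audit what httpd can actually do with each file. The script below is an added example, not part of the original post: it parses ls -Z output (the constructed SAMPLE embeds the two listings above plus two extra lines), maps each file's type to the httpd access described in the type list, and suggests the post's chcon command for files whose type httpd cannot use. The helper names (HTTPD_ACCESS, parse_ls_z, audit) are this example's own.

```python
# What the httpd_t domain may do with each file type, per the targeted-policy
# types described above; any other type under the web root is opaque to httpd.
HTTPD_ACCESS = {
    "httpd_sys_content_t": "read-only static content",
    "httpd_sys_script_exec_t": "CGI, runs as httpd_sys_script_t (needs httpd_enable_cgi)",
    "httpd_sys_rw_content_t": "read/write, only by httpd_sys_script_t scripts",
    "httpd_sys_ra_content_t": "read/append, only by httpd_sys_script_t scripts",
    "httpd_unconfined_script_exec_t": "UNCONFINED: runs without SELinux protection",
}

def parse_ls_z(line):
    """Split one 'ls -Z' line into its context fields and path.
    Handles the 'mode owner group context path' layout shown above and the
    newer 'context path' layout: the context is the token with >= 3 colons."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.count(":") >= 3 and i + 1 < len(tokens):
            seuser, role, setype, level = tok.split(":", 3)  # MLS level may hold ':'
            return {"seuser": seuser, "role": role, "type": setype,
                    "level": level, "path": " ".join(tokens[i + 1:])}
    return None  # header, 'total' line, blank, or no context column

def audit(ls_z_output):
    """Return (path, type, verdict) per file; non-httpd types get a suggested
    chcon. chcon does not survive a relabel: make it permanent with
    semanage fcontext + restorecon."""
    report = []
    for line in ls_z_output.splitlines():
        f = parse_ls_z(line)
        if f is None:
            continue
        verdict = HTTPD_ACCESS.get(f["type"])
        if verdict is None:
            verdict = ("not an httpd content type (denied by default); "
                       f"suggested: chcon -t httpd_sys_content_t {f['path']}")
        report.append((f["path"], f["type"], verdict))
    return report

# Constructed sample: the two listings from the post, a file mv'd in from a home
# directory (mv keeps its user_home_t label), and an unconfined CGI script.
SAMPLE = """\
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
-rw-r--r--  root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file.txt
-rw-rw-r--  alice alice unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php
-rwxr-xr-x  root root system_u:object_r:httpd_unconfined_script_exec_t:s0 /var/www/cgi-bin/legacy.cgi
"""

if __name__ == "__main__":
    for path, setype, verdict in audit(SAMPLE):
        print(f"{path:32} {setype:32} {verdict}")
```

Feed it real output with `ls -lZR /var/www | python3 audit.py`-style piping by replacing SAMPLE with sys.stdin.read(); the unconfined verdict is the one worth reviewing first.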
