Wednesday, July 17, 2019
Selinux
First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server

Before using this information and the product it supports, read the information in "Notices" at the end of this paper.

First Edition (August 2009)
© Copyright IBM Corporation 2009. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents
- Introduction
- First steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
  - Scope, requirements, and support
  - Security-Enhanced Linux overview
  - Access control: MAC and DAC
  - SELinux basics
  - SELinux and Apache
  - Installing and running HTTPD
  - HTTPD and context types
  - HTTPD and SELinux Booleans
  - Configuring HTTPD security using SELinux
  - Securing Apache (static content only)
  - Hardening CGI scripts with SELinux
- Appendix. Related information and downloads
- Notices
- Trademarks

Introduction

This paper provides a brief introduction to basic Security-Enhanced Linux (SELinux) commands and concepts, including Boolean variables. In addition, the paper shows you how to increase the security of the Apache Web server with SELinux by using these concepts.
Key tools and technologies discussed in this demonstration include Security-Enhanced Linux (SELinux), mandatory access control (MAC), getenforce, sestatus, getsebool, and setsebool.

Intended audience
This blueprint is intended for Linux system or network administrators who need to learn more about securing their systems with SELinux. You should be familiar with installing and configuring Linux distributions, networks, and the Apache Web server.

Scope and purpose
This paper provides a basic overview of SELinux, SELinux Boolean variables, and hardening Apache on Red Hat Enterprise Linux (RHEL) 5.3. For more information about configuring RHEL 5.3, see the documentation supplied with your installation media or the distribution Web site. For more information about SELinux, see "Related information and downloads".

Software requirements
This blueprint is written and tested using Red Hat Enterprise Linux (RHEL) 5.3.

Hardware requirements
The information contained in this blueprint is tested on different models of IBM System x and System p hardware. For a list of hardware supported by RHEL 5.3, see the documentation supplied with your Linux distribution.

Author names
Robert Sisk

Other contributors
Monza Lui, Kersten Richter, Robb Romans

IBM Services
Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system. Community innovation integrates leading-edge technologies and best practices into Linux. IBM is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community.
IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs. For more information about IBM and Linux, go to ibm.com/linux (https://www.ibm.com/linux).

IBM Support
Questions and comments regarding this documentation can be posted on the developerWorks Security Blueprint Community Forum: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1271. The IBM developerWorks discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and programming techniques with other developerWorks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerWorks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered.

Typographic conventions
The following typographic conventions are used in this Blueprint:
- Bold: identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects.
- Italics: identifies parameters whose actual names or values are to be supplied by the user.
- Monospace: identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type.

Related reference: Scope, requirements, and support. This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.
First steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server

Scope, requirements, and support
This blueprint applies to System x running Linux and PowerLinux. Systems to which this information applies: System x running Linux and PowerLinux.

Security-Enhanced Linux overview
Security-Enhanced Linux (SELinux) is a component of the Linux operating system developed primarily by the United States National Security Agency. SELinux provides a method for creation and enforcement of mandatory access control (MAC) policies. These policies confine users and processes to the minimal amount of privilege required to perform assigned tasks. For more information about the history of SELinux, see http://en.wikipedia.org/wiki/Selinux.

Since its release to the open source community in December 2000, the SELinux project has gained improvements such as predefined Boolean variables that make it easier to use. This paper helps you understand how to use these variables to configure SELinux policies on your system and to secure the Apache httpd daemon.

Access control: MAC and DAC
Access control is important to computer system security. To compromise a system, attackers need to gain any possible level of access and then try to escalate that level until they are able to obtain restricted data or make unapproved system modifications. Because each user has some level of system access, every user account on your system increases the potential for abuse.
System security has historically relied on trusting users not to abuse their access, but this trust has proven to be problematic. Today, server consolidation leads to more users per system. Outsourcing of systems management gives legitimate access, often at the system administrator level, to unknown users. Because server consolidation and outsourcing can be financially advantageous, what can you do to prevent abuse on Linux systems? To begin to answer that question, let's take a look at discretionary access control (DAC) and mandatory access control (MAC) and their differences.

Discretionary access control (DAC), commonly known as file permissions, is the predominant access control mechanism in traditional UNIX and Linux systems. You may recognize the drwxr-xr-x or the ugo abbreviations for owner, group, and other permissions seen in a directory listing. In DAC, generally the resource owner (a user) controls who has access to a resource. For convenience, some users commonly set dangerous DAC file permissions that allow every user on the system to read, write, and execute many files that they own. In addition, a process started by a user runs with that user's full privileges: it can modify or delete any file to which the user has access, whether or not the program needs that access to do its job. A process that elevates its privileges high enough could therefore modify or delete system files. These are some of the disadvantages of DAC.

In contrast to DAC, mandatory access control (MAC) regulates user and process access to resources based upon an organizational (higher-level) security policy. This policy is a collection of rules that specify what types of access are allowed on a system. System policy is related to MAC in the same way that firewall rules are related to firewalls: the administrator sets it centrally, and individual users and programs cannot loosen it for themselves.
SELinux is a Linux kernel implementation of a flexible MAC mechanism called type enforcement. In type enforcement, a type identifier is assigned to every subject and every object. A subject is a process; an object can be a file, a directory, a socket, a port, or another process. To access an object, a subject must be authorized for that object's type. These authorizations are defined in the SELinux policy. Let's work through some examples and you will develop a better understanding of MAC and how it relates to SELinux.

SELinux basics
It is a good practice not to use the root user unless necessary. However, for demonstrating how to use SELinux, the root user is used in the examples in this blueprint. Some of the commands shown require root privileges to run; for example, running setenforce and editing the /etc/selinux/config file. (Read-only commands such as getenforce and sestatus can be run by any user.)

Run modes
You can enable or disable SELinux policy enforcement on a Red Hat Enterprise Linux system during or after operating system installation. When disabled, SELinux has no effect on the system. When enabled, SELinux runs in one of two modes:
- Enforcing: SELinux is enabled and SELinux policy is enforced.
- Permissive: SELinux is enabled but it only logs warnings instead of enforcing the policy.

When prompted during operating system installation, if you choose to enable SELinux, it is installed with a default security policy and set to run in enforcing mode. Confirm the status of SELinux on your system.
Like in many UNIX or Linux operating systems, there is more than one way to perform a task. To check the current mode, run one of the following commands: getenforce, sestatus, or cat /etc/selinux/config.

- The getenforce command returns the current SELinux run mode, or Disabled if SELinux is not enabled. In the following example, getenforce shows that SELinux is enabled and enforcing the current SELinux policy:

    [root@localhost ~]$ getenforce
    Enforcing

  If your system displays Permissive or Disabled and you want to follow along with the instructions, change the /etc/selinux/config file to run in Enforcing mode before continuing with the demonstration. Remember that if you are in Disabled mode, you should change first to Permissive and then to Enforcing.

- The sestatus command returns the current run mode, along with information about the SELinux policy if SELinux is enabled. In the following example, sestatus shows that SELinux is enabled and enforcing the current SELinux policy:

    [root@localhost ~]$ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted

- The /etc/selinux/config file configures SELinux and controls the mode as well as the active policy. Changes to the /etc/selinux/config file become effective only after you reboot the system. In the following example, the file shows that the mode is set to enforcing and the current policy type is targeted:

    [root@localhost ~]$ cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

To enable SELinux, set the value of the SELINUX parameter in the /etc/selinux/config file to either enforcing or permissive. If you enable SELinux in the config file, you must reboot your system to start SELinux.

We recommend that you set SELINUX=permissive if the file system has never been labeled, has not been labeled recently, or you are not sure when it was last labeled. File system labeling is the process of assigning a label containing security-relevant information to each file. In SELinux a file label is composed of the user, role, and type, such as system_u:object_r:httpd_sys_content_t. Files created while SELinux was disabled carry no label at all, so when you re-enable SELinux after a period in disabled mode, create the file /.autorelabel (touch /.autorelabel) before rebooting to force a full relabel on the next boot. Permissive mode ensures that SELinux does not interfere with the boot sequence if a command in the sequence runs before the file system relabel is completed. Once the system is up and running, you can change the SELinux mode to enforcing.

If you want to change the mode of SELinux on a running system, use the setenforce command. Entering setenforce enforcing changes the mode to enforcing and setenforce permissive changes the mode to permissive. To disable SELinux, edit the /etc/selinux/config file as described previously and reboot. You cannot disable or enable SELinux on a running system from the command line; you can only switch between enforcing and permissive when SELinux is enabled.

Change the mode of SELinux to permissive by entering the following command:

    [root@localhost ~]$ setenforce permissive

Recheck the output from getenforce, sestatus, and cat /etc/selinux/config.
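The recheck described here can be scripted, which is useful on a fleet where someone may have run setenforce and forgotten that it does not persist. The shell functions below are an added example, not part of the IBM blueprint: they read the SELINUX= value from a config file whose path you pass in (so they can be tested against a copy on any host) and compare it with the running mode, warning when a setenforce change will not survive a reboot. The function names, the verdict words (match, drift, disabled-on-boot, unknown) and the optional second argument that replaces getenforce are my own conventions.

```shell
#!/bin/sh
# Added example (not from the IBM blueprint): detect drift between the running
# SELinux mode and the mode /etc/selinux/config will apply at the next boot.
# Assumption: the config file path is passed in, so the checks can be run
# against a copy on any host; the running mode comes from getenforce when
# available, otherwise from the caller.

# Print the value of KEY (SELINUX or SELINUXTYPE) from a config file,
# skipping comment lines. Prints nothing if the key is absent.
selinux_config_value() {
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*$key=[[:space:]]*\([a-z]*\).*/\1/p" "$file" | tail -n 1
}

# Compare a running mode (as printed by getenforce) with a config file.
# Prints one of: match, drift, disabled-on-boot, unknown
mode_relation() {
    running=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_config_value "$2" SELINUX)
    case "$configured" in
        enforcing|permissive|disabled) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$running" = "$configured" ]; then
        echo match
    elif [ "$configured" = disabled ]; then
        echo disabled-on-boot
    else
        echo drift
    fi
}

# Human-readable report. Arguments: config file (default /etc/selinux/config)
# and, optionally, the running mode to use instead of calling getenforce.
report_mode() {
    cfg=${1:-/etc/selinux/config}
    if [ -n "$2" ]; then
        running=$2
    elif command -v getenforce >/dev/null 2>&1; then
        running=$(getenforce)
    else
        echo "getenforce not available and no running mode given" >&2
        return 1
    fi
    configured=$(selinux_config_value "$cfg" SELINUX)
    case "$(mode_relation "$running" "$cfg")" in
        match)
            echo "ok: running $running, $cfg also says $configured" ;;
        drift)
            echo "warning: running $running but $cfg says $configured;" \
                 "setenforce is not persistent, a reboot reverts to $configured" ;;
        disabled-on-boot)
            echo "warning: SELinux is $running now but $cfg says disabled;" \
                 "files written after the reboot will be unlabeled, touch /.autorelabel before re-enabling" ;;
        *)
            echo "error: no valid SELINUX= line in $cfg" ;;
    esac
}

# Run with a config path (and optionally a mode) to print a report;
# run with no arguments it only defines the functions.
[ $# -eq 0 ] || report_mode "$@"
```

Run it as `sh selinux-mode-check.sh /etc/selinux/config` on the host, or pass a second argument such as `Permissive` to evaluate a config file copied from another machine without calling getenforce.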
- The getenforce command returns Permissive, confirming the mode change:

    [root@localhost ~]$ getenforce
    Permissive

- The sestatus command also returns a Permissive mode value:

    [root@localhost ~]$ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted

- After changing the mode to permissive, both the getenforce and sestatus commands return the current permissive mode. However, look carefully at the "Mode from config file" line of the sestatus output and compare it with the config file:

    [root@localhost ~]$ cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted
    [root@localhost ~]$

  The "Mode from config file" parameter is still enforcing. This is consistent with the cat /etc/selinux/config output because the config file was not changed. It means that changes made by the setenforce command do not carry over to the next boot: if you reboot, SELinux returns to the state configured in /etc/selinux/config, that is, enforcing mode.

Change the running mode back to enforcing by entering the following command:

    [root@localhost ~]$ setenforce enforcing

The following output confirms the mode change:

    [root@localhost ~]$ getenforce
    Enforcing

Security contexts
The concept of type enforcement and the SELinux type identifier were discussed in the Overview.
Let's explore these concepts in more detail. The SELinux implementation of MAC employs a type enforcement mechanism that requires every subject and object to be assigned a type identifier. The terms subject and object come from the Bell-La Padula multilevel security model (see http://en.wikipedia.org/wiki/Bell-La_Padula_model for more information). Think of the subject as a process acting for a user, and the object as a file, a directory, a socket, or another process. Typically, a subject accesses an object; for example, a user's editor modifies a file. When SELinux runs in enforcing mode, a subject cannot access an object unless the type identifier assigned to the subject is authorized for that kind of access to the object's type. The default is to deny all access not specifically allowed. Authorization is determined by rules defined in the SELinux policy. An example of a rule granting access may be as simple as:

    allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };

In this rule, the subject http daemon, assigned the type identifier httpd_t, is given the permissions ioctl, read, getattr, and lock for any file object assigned the type identifier httpd_sys_content_t. In simple terms, the http daemon is allowed to read a file that is assigned the type identifier httpd_sys_content_t. Note that write is not in this rule's permission set; rules like this are what limit what a compromised daemon can do with the files it can reach. This is a basic example of an allow rule. There are many types of allow rules and some are very complex. There are also many type identifiers for use with subjects and objects. For more information about rule definitions, see SELinux by Example in the "Related information and downloads" section.

SELinux adds type enforcement to standard Linux distributions. To access an object, a subject must pass both the standard file permission check (DAC) and the SELinux check (MAC). DAC is evaluated first and SELinux is consulted only if DAC allows the access, so a denial in either one is a denial. An SELinux security context contains three parts: the user, the role, and the type identifier.
Running the ls command with the -Z switch displays the typical file information as well as the security context for each item in the directory. In the following example, the security context for the index.html file is composed of user_u as the user, object_r as the role, and httpd_sys_content_t as the type identifier:

    [root@localhost html]$ ls -Z index.html
    -rw-r--r--  web_admin web_admin user_u:object_r:httpd_sys_content_t index.html

SELinux and Apache

Installing and running HTTPD
Now that you have a general understanding of the SELinux security context, you can secure an Apache Web server using SELinux. To follow along, you must have Apache installed on your system. You can install Apache on Red Hat Enterprise Linux by entering the following command:

    [root@localhost html]$ yum install httpd

Next, start the Apache http daemon by entering service httpd start, as follows:

    [root@localhost html]$ service httpd start
    Starting httpd:                                            [  OK  ]

HTTPD and context types
Red Hat Enterprise Linux 5.3, at the time of this writing, uses selinux-policy-2.4.6-203.el5. This policy defines the security context type for the http daemon process as httpd_t.
With SELinux enabled, entering /bin/ps axZ | grep httpd produces the following output:

    [root@localhost html]$ ps axZ | grep http
    root:system_r:httpd_t            2555 ?        Ss     0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2593 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2594 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2595 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2596 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2597 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2598 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2599 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2600 ?        S      0:00 /usr/sbin/httpd

The -Z option to ps shows the security context for the httpd processes as root:system_r:httpd_t, confirming that httpd is running in the httpd_t domain. If a process shows a different type here, the daemon is not confined by the httpd policy, and the file types and Booleans discussed below do not govern it.

The selinux-policy-2.4.6-203.el5 package also defines several file security context types to be used with the http daemon. For a listing, see the man page for httpd_selinux. The httpd_sys_content_t context type is used for files and subdirectories containing content to be accessible by the http daemon and all httpd scripts. Entering ls -Z displays the security context for items in the default http directory (/var/www/), as follows:

    [root@localhost ~]$ ls -Z /var/www/ | grep html
    drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t html

The /var/www/html directory is the default location for all Web server content (defined by the DocumentRoot "/var/www/html" setting in the /etc/httpd/conf/httpd.conf configuration file). This directory is assigned the type httpd_sys_content_t as part of its security context, which allows the http daemon to read its contents.
A new file or subdirectory inherits the security context type of the directory in which it is created (unless the policy defines a specific type transition); therefore a file created in the html subdirectory gets the httpd_sys_content_t type. In the following example, the root user creates the index.html file in the /root directory. The file inherits the root:object_r:user_home_t context, which is the expected security context for /root in RHEL 5.3:

    [root@localhost ~]$ touch /root/index.html
    [root@localhost ~]$ ls -Z /root/index.html
    -rw-r--r--  root root root:object_r:user_home_t        /root/index.html

If the root user copies the newly created index.html file to the /var/www/html/ directory, the file inherits the security context type (httpd_sys_content_t) of the html subdirectory because a new file is created there:

    [root@localhost ~]$ cp /root/index.html /var/www/html
    [root@localhost ~]$ ls -Z /var/www/html/index.html
    -rw-r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/index.html

If you move the index.html file instead of copying it, a new file is not created in the html subdirectory; mv preserves the file's existing label, so index.html keeps the user_home_t type:

    [root@localhost ~]$ mv -f /root/index.html /var/www/html
    [root@localhost ~]$ ls -Z /var/www/html/index.html
    -rw-r--r--  root root user_u:object_r:user_home_t      /var/www/html/index.html

When a Web browser or a download agent like wget makes a request to the http daemon for the moved index.html file, with user_home_t context, the request is denied because SELinux is running in enforcing mode:

    [root@localhost ~]# wget localhost/index.html
    --21:10:00--  http://localhost/index.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    21:10:00 ERROR 403: Forbidden.

SELinux generates error messages in both /var/log/messages and /var/log/httpd/error_log. The following message in /var/log/httpd/error_log is not very helpful, because it tells you only that access is being denied:

    [Wed May 20 12:47:57 2009] [error] [client 172.16.1.100] (13)Permission denied: access to /index.html denied

The following message in /var/log/messages is more helpful, because it tells you why SELinux is preventing access to the /var/www/html/index.html file: a potentially mislabeled file. Furthermore, it provides a command that you can use to produce a detailed summary of the issue:

    May 20 12:22:48 localhost setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a

Entering sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a as suggested in the previous message returns the following detailed report:

    [root@localhost ~]$ sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a
    Summary:
    SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html).

    Detailed Description:
    SELinux has denied httpd access to potentially mislabeled file(s) (/var/www/html/index.html). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

    Allowing Access:
    If you want httpd to access this files, you need to relabel them using restorecon -v /var/www/html/index.html. You might want to relabel the entire directory using restorecon -R -v /var/www/html.
    Additional Information:
    Source Context                root:system_r:httpd_t
    Target Context                root:object_r:user_home_t
    Target Objects                /var/www/html/index.html [ file ]
    Source                        httpd
    Source Path                   /usr/sbin/httpd
    Port
    Host                          localhost.localdomain
    Source RPM Packages           httpd-2.2.3-22.el5
    Target RPM Packages
    Policy RPM                    selinux-policy-2.4.6-203.el5
    Selinux Enabled               True
    Policy Type                   targeted
    MLS Enabled                   True
    Enforcing Mode                Enforcing
    Plugin Name                   home_tmp_bad_labels
    Host Name                     localhost.localdomain
    Platform                      Linux localhost.localdomain 2.6.18-128.1.10.el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
    Alert Count                   24
    First Seen                    Fri May 15 13:36:32 2009
    Last Seen                     Wed May 20 12:47:56 2009
    Local ID                      9e568d42-4b20-471c-9214-b98020c4d97a
    Line Numbers

    Raw Audit Messages
    host=localhost.localdomain type=AVC msg=audit(1242838076.937:1141): avc: denied { getattr } for pid=3197 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3827354 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
    host=localhost.localdomain type=SYSCALL msg=audit(1242838076.937:1141): arch=40000003 syscall=196 success=no exit=-13 a0=8eaa788 a1=bfc8d49c a2=419ff4 a3=2008171 items=0 ppid=3273 pid=3197 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

Although called a summary, this output is a very detailed report that provides the necessary commands to resolve the issue. The raw AVC record is the part worth learning to read: scontext is the subject (type httpd_t), tcontext is the object (type user_home_t), tclass is the object class (file), and the braces hold the denied permission (getattr), exactly the access that the allow rule shown under "Security contexts" grants for httpd_sys_content_t but that no rule grants for user_home_t. As shown below, entering /sbin/restorecon -v /var/www/html/index.html as suggested not only resolves the problem, but also prints how the security context of the /var/www/html/index.html file was changed:

    [root@localhost ~]$ restorecon -v /var/www/html/index.html
    /sbin/restorecon reset /var/www/html/index.html context root:object_r:user_home_t:s0->root:object_r:httpd_sys_content_t:s0

The restorecon -v command changed the security context of /var/www/html/index.html from root:object_r:user_home_t to root:object_r:httpd_sys_content_t, the default label for that path in the policy's file context database. restorecon only resets a file to that default; to assign some other type you would use chcon (temporary) or semanage fcontext (persistent). With a root:object_r:httpd_sys_content_t security context, the http daemon can now access /var/www/html/index.html. Use a Web browser or wget to make another request to the httpd daemon for the index.html file with the restored security context. This time, the request is permitted:

    [root@localhost ~]# wget localhost/index.html
    --21:09:21--  http://localhost/index.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 0 [text/html]
    Saving to: `index.html'

    [ <=> ]  0  --.-K/s  in 0s

    21:09:21 (0.00 B/s) - `index.html' saved [0/0]

HTTPD and SELinux Booleans
SELinux has a set of built-in switches named Booleans (conditional policies) that you can use to turn specific SELinux features on or off. Entering the getsebool -a | grep http command lists the 23 Booleans related to the http daemon, which are a subset of the 234 Booleans currently defined in the selinux-policy-2.4.6-203.el5 policy. These 23 Booleans allow you to customize SELinux policy for the http daemon at runtime without modifying, compiling, or loading a new policy. You can customize the level of http security by setting the relevant Boolean values or toggling between on and off.
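Before turning to Booleans, one more word on the denial just walked through: reading a raw AVC record by hand is fine once, but on a busy server you want the same triage automated. The shell functions below are an added example, not code from the blueprint or from setroubleshoot. They pull scontext, tcontext, tclass, path and the denied permission out of an audit record and decide whether the fix is a relabel (restorecon, as above) or a real policy question (a Boolean or a policy change). The verdict names (relabel:<path>, policy, not-httpd) are my own convention, and the sample records in the test are constructed; the first mirrors the record on this page.

```shell
#!/bin/sh
# Added example (not from the IBM blueprint or setroubleshoot): triage a raw
# AVC record such as the one printed under "Raw Audit Messages" above.
# Assumptions: one record per line; verdict names (relabel:<path>, policy,
# not-httpd) are my own convention.

# Print the value of KEY from an audit record; values may be double-quoted.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' |
        sed 's/[[:space:]]*$//'
}

# The third colon-separated component of a context is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a denial from httpd's point of view:
#   relabel:<path>  a file-like object whose type is not an httpd_* type,
#                   the mv-instead-of-cp mistake shown above
#   policy          the object is already httpd-labelled, or is not a file,
#                   so a Boolean or a policy change is needed
#   not-httpd       the source domain is not httpd_t
triage_avc() {
    rec=$1
    src=$(ctx_type "$(avc_field "$rec" scontext)")
    tgt=$(ctx_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    path=$(avc_field "$rec" path)
    if [ "$src" != httpd_t ]; then
        echo not-httpd
        return 0
    fi
    case "$cls" in
        file|dir|lnk_file)
            case "$tgt" in
                httpd_*) echo policy ;;
                *) echo "relabel:${path:-unknown}" ;;
            esac ;;
        *) echo policy ;;
    esac
}

# Map a verdict to the next command to run.
triage_hint() {
    case "$1" in
        relabel:*) echo "restorecon -v '${1#relabel:}'" ;;
        policy)    echo "getsebool -a | grep http   # look for a Boolean that covers this access" ;;
        *)         echo "not an Apache denial" ;;
    esac
}

# Read audit lines on stdin (for example: ausearch -m avc -c httpd | triage)
# and print one verdict and hint per AVC record; other record types are skipped.
triage() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:"*"denied"*)
                v=$(triage_avc "$line")
                echo "$v  =>  $(triage_hint "$v")" ;;
        esac
    done
}
```

The relabel/policy split matters because restorecon is only the right answer when the object's current type is wrong; if httpd is denied access to something already labelled httpd_*, or to a port or socket, relabelling changes nothing and the denial points at a Boolean (or, failing that, a local policy module).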
    [root@localhost ~]$ getsebool -a | grep http
    allow_httpd_anon_write --> off
    allow_httpd_bugzilla_script_anon_write --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_nagios_script_anon_write --> off
    allow_httpd_prewikka_script_anon_write --> off
    allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> on
    httpd_disable_trans --> off
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> on
    httpd_rotatelogs_disable_trans --> off
    httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
    httpd_tty_comm --> on
    httpd_unified --> on
    httpd_use_cifs --> off
    httpd_use_nfs --> off

SELinux provides three command-line tools for working with Booleans: getsebool, setsebool, and togglesebool. The getsebool -a command returns the current state of all the SELinux Booleans defined by the policy. You can also use the command without the -a option to return settings for one or more specific Booleans entered on the command line, as follows:

    [root@localhost ~]$ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on

Use setsebool to set the current state of one or more Booleans by specifying the Boolean and its value. Acceptable values to enable a Boolean are 1, true, and on. Acceptable values to disable a Boolean are 0, false, and off. See the following cases for examples. You can use the -P option with the setsebool command to write the specified changes to the SELinux policy store as well. Those changes are persistent across reboots; changes made without -P remain in effect only until you change them again or the system is rebooted. Note that the three *_disable_trans Booleans in the list (httpd_disable_trans, httpd_rotatelogs_disable_trans, httpd_suexec_disable_trans) work in the opposite direction from the others: turning one on removes the domain transition for that program, leaving it unconfined. They should stay off on a hardened server.
Use setsebool to change the status of the httpd_enable_cgi Boolean to off:

$ setsebool httpd_enable_cgi 0

Confirm the status change of the httpd_enable_cgi Boolean:

$ getsebool httpd_enable_cgi
httpd_enable_cgi --> off

The togglesebool tool flips the current value of one or more Booleans. This tool does not have an option that writes the changes to the policy file. Changes remain in effect until changed or the system is rebooted. Use the togglesebool tool to switch the status of the httpd_enable_cgi Boolean, as follows:

$ togglesebool httpd_enable_cgi
httpd_enable_cgi: active

Confirm the status change of the httpd_enable_cgi Boolean:

$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on

Configuring HTTPD security using SELinux

Securing Apache (static content only)

The default Red Hat Enterprise Linux 5.3 installation with SELinux running in enforcing mode provides a basic level of Web server security. You can increase that security level with a little effort. Because security is related to the function of the system, let's start with a Web server that only serves static content from the /var/www/html directory.

1. Ensure that SELinux is enabled and running in enforcing mode:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

2. Confirm that httpd is running as type httpd_t:

$ /bin/ps axZ | grep http
root:system_r:httpd_t    2555 ?        Ss     0:00 httpd
root:system_r:httpd_t    2593 ?        S      0:00 httpd
root:system_r:httpd_t    2594 ?        S      0:00 httpd
root:system_r:httpd_t    2595 ?        S      0:00 httpd
root:system_r:httpd_t    2596 ?        S      0:00 httpd
root:system_r:httpd_t    2597 ?        S      0:00 httpd
root:system_r:httpd_t    2598 ?        S      0:00 httpd
root:system_r:httpd_t    2599 ?        S      0:00 httpd
root:system_r:httpd_t    2600 ?        S      0:00 httpd

3. Confirm that the /var/www/html directory is assigned the httpd_sys_content_t context type:

$ ls -Z /var/www/
drwxr-xr-x  root      root root:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x  root      root root:object_r:httpd_sys_content_t error
drwxr-xr-x  root      root root:object_r:httpd_sys_content_t html
drwxr-xr-x  root      root root:object_r:httpd_sys_content_t icons
drwxr-xr-x  root      root root:object_r:httpd_sys_content_t manual
drwxr-xr-x  webalizer root root:object_r:httpd_sys_content_t usage

4. Confirm that the content to be served is assigned the httpd_sys_content_t context type. For example:

$ ls -Z /var/www/html/index.html
-rw-r--r--  root root root:object_r:httpd_sys_content_t /var/www/html/index.html

Use a Web browser or wget to make a request to the httpd daemon for the index.html file, and you should see that permission is granted.

To increase the level of protection provided by SELinux, disable any httpd-related features that you do not want by turning off their corresponding Boolean. By default, the following six Booleans are set to on. If you do not need these features, turn them off by setting their Boolean variables to off.

$ getsebool -a | grep http | grep -w on
httpd_builtin_scripting --> on
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_tty_comm --> on
httpd_unified --> on

httpd_can_sendmail
If the Web server does not use Sendmail, turn this Boolean to off.
This action prevents unauthorized users from sending e-mail spam from this system.

httpd_enable_homedirs
When this Boolean is set to on, it allows httpd to read content from subdirectories located under user home directories. If the Web server is not configured to serve content from user home directories, set this Boolean to off.

httpd_tty_comm
By default, httpd is allowed to access the controlling terminal. This is necessary in certain situations where httpd must prompt the user for a password. If the Web server does not require this feature, set the Boolean to off.

httpd_unified
This Boolean affects the transition of the http daemon to security domains defined in SELinux policy. Enabling this Boolean creates a single security domain for all http-labeled content. For more information, see SELinux by Example, listed in the Related information and downloads section on page 15.

httpd_enable_cgi
If your content does not use the Common Gateway Interface (CGI) protocol, set this Boolean to off. If you are unsure about using CGI in the Web server, try setting it to off and examine the log entries in the /var/log/messages file. The following example shows an error message from /var/log/messages resulting from SELinux blocking httpd execution of a CGI script:

May 28 15:48:37 localhost setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l 0fdf4649-60df-47b5-bfd5-a72772207adc

Entering sealert -l 0fdf4649-60df-47b5-bfd5-a72772207adc produces the following output:

Summary:
SELinux is preventing the http daemon from executing cgi scripts.

Detailed Description:
SELinux has denied the http daemon from executing a cgi script. httpd can be setup in a locked down mode where cgi scripts are not allowed to be executed.
If the httpd server has been setup to not execute cgi scripts, this could signal a intrusion attempt.

Allowing Access:
If you want httpd to be able to run cgi scripts, you need to turn on the httpd_enable_cgi Boolean: setsebool -P httpd_enable_cgi=1

The following command will allow this access:
setsebool -P httpd_enable_cgi=1

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:object_r:httpd_sys_script_exec_t
Target Objects                /var/www/cgi-bin [ dir ]
Source                        httpd
Source Path                   httpd
Port
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.3-22.el5
Target RPM Packages           httpd-2.2.3-22.el5
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_enable_cgi
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-128.1.10.el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Thu May 28 15:48:36 2009
Last Seen                     Thu May 28 15:48:36 2009
Local ID                      0fdf4649-60df-47b5-bfd5-a72772207adc
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1243540116.963:248): avc: denied { getattr } for pid=2595 comm="httpd" path="/var/www/cgi-bin" dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1243540116.963:248): arch=40000003 syscall=196 success=no exit=-13 a0=8bd0a88 a1=bfc790bc a2=4d0ff4 a3=2008171 items=0 ppid=2555 pid=2595 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="httpd" subj=root:system_r:httpd_t:s0 key=(null)

At the end of the previous output, listed under the Raw Audit Messages, are these lines:

scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir

This output shows you that httpd attempted to access a subdirectory with the httpd_sys_script_exec_t context type. This type is the context type of /var/www/cgi-bin, the directory where httpd looks for CGI scripts. The httpd daemon, with a httpd_t context type, was unable to access this subdirectory because the httpd_enable_cgi variable is set to off. With this configuration, SELinux does not allow a user or process of type httpd_t to access a directory, file, or process of type httpd_sys_script_exec_t. Therefore, the http daemon was denied access to the CGI script located in /var/www/cgi-bin. If you find similar messages in your log file, set the httpd_enable_cgi Boolean to on.

httpd_builtin_scripting
If you did not configure Apache to load scripting modules by changing the /etc/httpd/conf/httpd.conf configuration file, set this Boolean to off. If you are unsure, turn httpd_builtin_scripting to off and check the /var/log/messages file for any httpd-related SELinux warnings. See the description of httpd_enable_cgi for an example. PHP and other scripting modules run with the same level of access as the http daemon. Therefore, turning httpd_builtin_scripting to off reduces the amount of access available if the Web server is compromised.

To turn off all six of these Booleans and write the values to the policy file by using the setsebool -P command, follow these steps:
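The analysis of the raw AVC record above comes down to reading four fields: the type in scontext, the type in tcontext, tclass, and the denied permission. The script below is an added example (not part of the IBM blueprint) that extracts those fields from a record and maps the type pair to the remedy the blueprint gives: httpd_t against httpd_sys_script_exec_t points at the httpd_enable_cgi Boolean, httpd_t against user_home_t points at relabelling with restorecon, as in the index.html case earlier. The function names and the hint table are this example's own assumptions, limited to the two cases the blueprint covers; the sample record is the blueprint's record with its punctuation restored.

```shell
# Added example: not part of the IBM blueprint. Decodes a raw AVC denial record
# of the kind shown in the sealert output into the four fields that decide the
# verdict (source type, target type, object class, permission) and maps the type
# pair to the fix the blueprint describes. The hint table is an assumption that
# covers only the two cases in the blueprint, not a general rule for any policy.

# avc_field RECORD KEY: print the value of KEY=value in an AVC record.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# selinux_type CONTEXT: the type component of user:role:type[:level].
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# decode_avc RECORD: print "stype ttype tclass perm" on one line.
decode_avc() {
    # The permission sits between the braces after "denied".
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
    stype=$(selinux_type "$(avc_field "$1" scontext)")
    ttype=$(selinux_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$stype" "$ttype" "$(avc_field "$1" tclass)" "$perm"
}

# fix_hint STYPE TTYPE: the blueprint's remedy for this type pair (assumed table).
fix_hint() {
    case "$1:$2" in
        httpd_t:httpd_sys_script_exec_t)
            echo "CGI blocked by policy: setsebool -P httpd_enable_cgi=1 if CGI is wanted, otherwise investigate" ;;
        httpd_t:user_home_t)
            echo "content carries a home-directory label: restorecon -v the file under /var/www" ;;
        *)
            echo "no Boolean hint for $1 -> $2; check the label with ls -Z" ;;
    esac
}

# triage RECORD: decoded fields on the first line, the hint on the second.
triage() {
    fields=$(decode_avc "$1")
    set -- $fields          # positional parameters are local to the function
    printf '%s\n%s\n' "$fields" "$(fix_hint "$1" "$2")"
}

# Constructed sample: the blueprint's record with its punctuation restored.
SAMPLE_AVC='type=AVC msg=audit(1243540116.963:248): avc: denied { getattr } for pid=2595 comm="httpd" path="/var/www/cgi-bin" dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir'

triage "$SAMPLE_AVC"
```

On a live host the same functions can be fed from the audit log, for example grep avc /var/log/audit/audit.log piped through a while read loop calling triage; the default branch of fix_hint keeps the script from guessing at pairs the blueprint does not discuss.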
1. Enter the setsebool -P command:

$ setsebool -P httpd_can_sendmail=0 httpd_enable_homedirs=0 httpd_tty_comm=0 httpd_unified=0 httpd_enable_cgi=0 httpd_builtin_scripting=0

2. Check all the Boolean settings related to httpd by entering getsebool -a | grep httpd. The following output shows that all Booleans are set to off, including the six previously described variables, which default to on.

$ getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_disable_trans --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_nfs --> off

3. Use a Web browser or wget to make another request to the httpd daemon for the index.html file, and you should succeed.

Rebooting your machine does not change this configuration. This completes the necessary basic SELinux settings for running a Web server with static content. Next, look at hardening scripts accessed by the http daemon.

Hardening CGI scripts with SELinux

In the previous section, you used SELinux Booleans to disable scripting because the Web server used only static content. Beginning with that configuration, you can enable CGI scripting and use SELinux to secure the scripts.

1. Confirm that your Web server is configured as described in the section Securing Apache (static content only) on page 9.

2. Red Hat Enterprise Linux provides a CGI script that you can use for testing. You can find the script at /usr/lib/perl5/5.8.8/CGI/eg/tryit.cgi. Copy this script to the /var/www/cgi-bin/ directory, as follows:

$ cp /usr/lib/perl5/5.8.8/CGI/eg/tryit.cgi /var/www/cgi-bin/

3. Make sure that the first line of the tryit.cgi script contains the correct path to the perl binary. From the which perl output shown below, the path should be changed to #!/usr/bin/perl.

$ which perl
/usr/bin/perl
$ head -1 /var/www/cgi-bin/tryit.cgi
#!/usr/local/bin/perl

4. Confirm that /var/www/cgi-bin is assigned the httpd_sys_script_exec_t context type, as follows:

$ ls -Z /var/www/ | grep cgi-bin
drwxr-xr-x  root root root:object_r:httpd_sys_script_exec_t cgi-bin

5. Allow and confirm read and execute permission for the tryit.cgi script to all users:

$ chmod 555 /var/www/cgi-bin/tryit.cgi
$ ls -Z
-r-xr-xr-x  root root root:object_r:httpd_sys_script_exec_t tryit.cgi

6. Confirm that /var/www/cgi-bin/tryit.cgi is assigned the httpd_sys_script_exec_t context type:

$ ls -Z /var/www/cgi-bin/tryit.cgi
-r-xr-xr-x  root root root:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/tryit.cgi

7. Enable CGI scripting in SELinux and confirm that it is enabled:

$ setsebool httpd_enable_cgi=1
$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on

8. Open a Web browser and type the Web server address into the location bar. Include /cgi-bin/tryit.cgi in the URL. For example, type http://192.168.1.100/cgi-bin/tryit.cgi. The tryit.cgi script should return output similar to Figure 1.

[Figure 1. A Simple Example]

9. Provide test answers to the form fields and click Submit Query. The tryit.cgi script should return output similar to Figure 2.

[Figure 2. A Simple Example with results]

Appendix. Related information and downloads

Related information

- Wikipedia: Security-Enhanced Linux, http://en.wikipedia.org/wiki/Selinux
- Bell-La Padula model, http://en.wikipedia.org/wiki/Bell-La_Padula_model
- NSA Security-Enhanced Linux, http://www.nsa.gov/research/selinux/index.shtml
- Managing Red Hat Enterprise Linux 5 presentation, http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
- developerWorks Security Blueprint Community Forum, http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1271
- Red Hat Enterprise Linux 4: Red Hat SELinux Guide, http://www.linuxtopia.org/online_books/redhat_selinux_guide/rhlcommon-section-0055.html
- F. Mayer, K. MacMillan, D. Caplan, SELinux By Example: Using Security Enhanced Linux, Prentice Hall, 2007

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Dept. LRAS/Bldg. 903
11501 Burnet Road
Austin, TX 78758-3400
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® and ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.html

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Java and all Java-based trademarks and logos are registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Printed in USA