SELinux And Non-Default Home Directory Locations

SELinux greatly enhances security by going beyond discretionary access control (DAC) and implementing mandatory access control (MAC). MAC allows implementation of additional restrictions on how processes can access objects, such as files, ports, and other processes. Normally, httpd process has access to files under /var/www. However, if that process is compromised, it can be used to access other files on the system. Under MAC, processes are limited to certain types of data.

For example, “httpd_sys_content_t” type normally associated with web content is accessible by the httpd process, provided that access control list (ALC) under DAC allows this. Using DAC alone, a seriously misconfigured web server can expose sensitive files, such as /etc/passwd, as default ACL allows it to be world readable. SELinux prevents such exposers as /etc/passwd is labeled as type “passwd_file_t”, which is not accessible by the httpd process.

By default, recent versions of Red Hat Enterprise Linux come with SELinux in enforcing mode with the targeted policy. Targeted policy protects typical processes running on the system and allows them to access files normally associated with them in their default locations. Admins normally run into trouble with SELinux when trying to allow process access files innon-default locations. For example, let say /web directory is created to host web pages. Even with correct ACL, httpd process won’t have access to /web because it’ll be labeled as type “default_t”, which isn’t accessible by httpd. Running a couple of commands will fix this:

#This changes /web to labeled as “httpd_sys_content_t”

semanage fcontext -a -t httpd_sys_content_t /web

#This immediately updates the label of /web as defined above

restorecon /web

Other directories and files created under /web will also be labeled as “httpd_sys_content_t” due to the inheritance.

Although above example is straight forward, /home directory imposes additional challenges as various directories and files nested within it are assigned as different types. This is for a good reason as you may want httpd process to be able to access ~/public_html, but it prevents compromised httpd process from accessing rest of the user’s files.  Examples of different file and directory types are shown below:

[root@enterprise web]# ls -Zd /home
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home
[root@enterprise web]# ls -Z /home
drwx--x--x. lim lim unconfined_u:object_r:user_home_dir_t:s0 lim
[root@enterprise ~]# ls -aZ /home/lim
drwx--x--x. lim  lim  unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
-rw-------. lim  lim  unconfined_u:object_r:user_home_t:s0 .bash_history
-rw-r--r--. lim  lim  unconfined_u:object_r:user_home_t:s0 .bash_logout
-rw-r--r--. lim  lim  unconfined_u:object_r:user_home_t:s0 .bash_profile
-rw-r--r--. lim  lim  unconfined_u:object_r:user_home_t:s0 .bashrc
drwx------. lim  lim  unconfined_u:object_r:cache_home_t:s0 .cache
drwxr-xr-x. lim  lim  unconfined_u:object_r:config_home_t:s0 .config
drwxr-xr-x. lim  lim  unconfined_u:object_r:user_home_t:s0 Desktop
drwxr-xr-x. lim  lim  unconfined_u:object_r:user_home_t:s0 Documents
drwxr-xr-x. lim  lim  unconfined_u:object_r:user_home_t:s0 Downloads
-rw-------. lim  lim  unconfined_u:object_r:pulseaudio_home_t:s0 .esd_auth
drwx------. lim  lim  unconfined_u:object_r:gnome_home_t:s0 .gnome2
drwx------. lim  lim  unconfined_u:object_r:user_home_t:s0 .gnome2_private
-rw-------. lim  lim  unconfined_u:object_r:iceauth_home_t:s0 .ICEauthority
drwx------. lim  lim  unconfined_u:object_r:gconf_home_t:s0 .local
drwxr-xr-x. lim  lim  unconfined_u:object_r:mozilla_home_t:s0 .mozilla
drwxr-xr-x. lim  lim  unconfined_u:object_r:audio_home_t:s0 Music
drwxr-xr-x. lim  lim  unconfined_u:object_r:user_home_t:s0 Pictures
drwxr-xr-x. lim  lim  unconfined_u:object_r:user_home_t:s0 Public
drwxr-xr-x. lim  lim  unconfined_u:object_r:httpd_user_content_t:s0 public_html
drwx------. lim  lim  unconfined_u:object_r:ssh_home_t:s0 .ssh
drwxr-xr-x. lim  lim  unconfined_u:object_r:user_home_t:s0 Templates
drwxr-xr-x. lim  lim  unconfined_u:object_r:user_home_t:s0 Videos
-rw-------. lim  lim  unconfined_u:object_r:user_home_t:s0 .viminfo
-rw-------. lim  lim  unconfined_u:object_r:xauth_home_t:s0 .Xauthority

This poses a major challenge for organizations that use non-default location for home directories as simple relabeling of the root directory of alternate home directories and relying on inheritance won’t work. There’s no need to set SELinux to permissive mode or disabling it altogether as there are simple steps to overcome this.

First, open /etc/selinux/semanage.conf with a text editor and set “usepasswd” to “true”.  This will allow semanage to scan /etc/passwd (also works with LDAP) correctly label home directories in non-default locations instead of /home only.  Then run the following commands:

#This sets /home2’s labels to be same as /home

semanage fcontext -a -e /home /home2

#This updates the labels of /home2, with the –R option doing it recursively for existing subdirectories.

restorecon –R /home2

Afterwards, existing and newly created user home directories will be labeled correctly.  If you’re interested in seeing how semanage correctly labels contents of home directories, check out /etc/selinux/targeted/modules/active/homedir_template.

About Author

This is a guest post written by: Hyung Lim. If any queries, you contact the author: hyung.lim@gmail.com.