Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
3.2. Unconfined Processes
Unconfined processes run in unconfined domains, for example, unconfined services executed by
init end up running in the unconfined_service_t domain, unconfined services executed by kernel end up running in the kernel_t domain, and unconfined services executed by unconfined Linux users end up running in the unconfined_t domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules – it does not replace them.
To ensure that SELinux is enabled and the system is prepared to perform the following example, complete the Procedure 3.1, “How to Verify SELinux Status” described in Section 3.1, “Confined Processes”.
The following example demonstrates how the Apache HTTP Server (
httpd) can access data intended for use by Samba, when running unconfined. Note that in Red Hat Enterprise Linux, the httpd process runs in the confined httpd_t domain by default. This is an example, and should not be used in production. It assumes that the httpd, wget, dbus and audit packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode.
Procedure 3.3. An Example of Unconfined Process
- The
chconcommand relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use thesemanageutility, which is discussed later. As the root user, enter the following command to change the type to a type used by Samba:~]#chcon -t samba_share_t /var/www/html/testfileView the changes:~]$ls -Z /var/www/html/testfile-rw-r--r-- root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/testfile - Enter the following command to confirm that the
httpdprocess is not running:~]$systemctl status httpd.servicehttpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: inactive (dead)If the output differs, enter the following command as root to stop thehttpdprocess:~]#systemctl stop httpd.service - To make the
httpdprocess run unconfined, enter the following command as root to change the type of the/usr/sbin/httpdfile, to a type that does not transition to a confined domain:~]#chcon -t bin_t /usr/sbin/httpd - Confirm that
/usr/sbin/httpdis labeled with thebin_ttype:~]$ls -Z /usr/sbin/httpd-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/sbin/httpd - As root, start the
httpdprocess and confirm, that it started successfully:~]#systemctl start httpd.service~]#systemctl status httpd.servicehttpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: active (running) since Thu 2013-08-15 11:17:01 CEST; 5s ago - Enter the following command to view
httpdrunning in theunconfined_service_tdomain:~]$ps -eZ | grep httpdsystem_u:system_r:unconfined_service_t:s0 11884 ? 00:00:00 httpd system_u:system_r:unconfined_service_t:s0 11885 ? 00:00:00 httpd system_u:system_r:unconfined_service_t:s0 11886 ? 00:00:00 httpd system_u:system_r:unconfined_service_t:s0 11887 ? 00:00:00 httpd system_u:system_r:unconfined_service_t:s0 11888 ? 00:00:00 httpd system_u:system_r:unconfined_service_t:s0 11889 ? 00:00:00 httpd - Change into a directory where your Linux user has write access to, and enter the following command. Unless there are changes to the default configuration, this command succeeds:
~]$wget http://localhost/testfile--2009-05-07 01:41:10-- http://localhost/testfile Resolving localhost... 127.0.0.1 Connecting to localhost|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 0 [text/plain] Saving to: `testfile' [ <=> ]--.-K/s in 0s 2009-05-07 01:41:10 (0.00 B/s) - `testfile' saved [0/0]Although thehttpdprocess does not have access to files labeled with thesamba_share_ttype,httpdis running in the unconfinedunconfined_service_tdomain, and falls back to using DAC rules, and as such, thewgetcommand succeeds. Hadhttpdbeen running in the confinedhttpd_tdomain, thewgetcommand would have failed. - The
restoreconutility restores the default SELinux context for files. As root, enter the following command to restore the default SELinux context for/usr/sbin/httpd:~]#restorecon -v /usr/sbin/httpdrestorecon reset /usr/sbin/httpd context system_u:object_r:unconfined_exec_t:s0->system_u:object_r:httpd_exec_t:s0Confirm that/usr/sbin/httpdis labeled with thehttpd_exec_ttype:~]$ls -Z /usr/sbin/httpd-rwxr-xr-x root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd - As root, enter the following command to restart
httpd. After restarting, confirm thathttpdis running in the confinedhttpd_tdomain:~]#systemctl restart httpd.service~]$ps -eZ | grep httpdsystem_u:system_r:httpd_t:s0 8883 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8884 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8885 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8886 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8887 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8888 ? 00:00:00 httpd system_u:system_r:httpd_t:s0 8889 ? 00:00:00 httpd - As root, remove
testfile:~]#rm -i /var/www/html/testfilerm: remove regular empty file `/var/www/html/testfile'? y - If you do not require
httpdto be running, as root, enter the following command to stophttpd:~]#systemctl stop httpd.service
The examples in these sections demonstrate how data can be protected from a compromised confined-process (protected by SELinux), as well as how data is more accessible to an attacker from a compromised unconfined-process (not protected by SELinux).
