1

Some of the few times I've had to deal with SELinux were when I setup a local webserver on a Fedora box. Problems occurred when a web application tried to write files to the file system.

I'm used to setting up Posix file permissions properly, so one of the first steps I always perform is chown apache:apache -R /var/www/. Subsequently, I only use the apache user to interact with the webroot or the web applications.

However, on Fedora, SELinux prevents writing to files. I followed the SELinux troubleshooter's advice to disable this protection, but it got me wondering.

Why would SELinux prevent file write access for a process (apache) when that process is already running as its own user, and regular old file permissions can thus be setup easily, specific for Apache? And are there any other use cases that make (more) sense for this kind of file access prevention?

aross
  • 131
  • 8
  • Have you read the [Rationale section](https://wiki.gentoo.org/wiki/Project:SELinux/Development_policy#Rationale) in Gentoo wiki for SELinux? – Purefan Mar 07 '17 at 16:19
  • @Purefan, I have read about SELinux in general terms, but I can't make sense of this file access restriction, knowing a sysadmin could just do `chmod -R -w /var/www/html/` – aross Mar 07 '17 at 16:27

3 Answers3

2

TL;DR

Set access levels for individual web applications.

Did read

After reading this page, I think I've got a good idea of the rationale. In SELinux, each file has a security context. You can view the current security context with ls -Z <path>, and set a new security context with chcon.

All web apps will be run as the apache user, so under normal circumstances, each web app will have the same permissions. With security contexts, you can confine the access of individual apps/script. By default, scripts have read-only access.

This is actually quite useful for security. Let's say you have an application you trust, which requires write access. You would explicitly give that script the httpd_unconfined_script_exec_t context. Now let's say you have an insecure application that is prone to exploits. You would leave the security context of the script(s) belonging to that application at the default, which prevents writing files.

Preventing file writes would prevent a whole range of attacks which exploit some vulnerability to write a script to disk, which can subsequently be executed over http by the attacker.

aross
  • 131
  • 8
1

I think part of the answer relates to something you mention:

I'm used to setting up Posix file permissions properly, so one of the first steps I always perform is chown apache:apache -R /var/www/. Subsequently, I only use the apache user to interact with the webroot or the web applications.

Why do you do this?

Most likely to help protect your system from a rogue process, or compromise.

seLinux is another layer/mechanism to help achieve the same.

A sensible (and best practice) approach to security is to layer your defenses, and more generally, to try and use several means of protecting your system. If they overlap, great: the more different ways of protecting the same thing, the more an attacker needs to work to achieve their goals.

The basic idea with seLinux preventing writes (or reads) is that, as with POSIX, you need to explicitly grant the access to a programme which it will require.

/var/www will in a large number of cases legitimately be read-only: static sites would be one obvious case. In your case, you don't mention ever chmod'ing /var/www, so that quite likely, it would be 750 (or 700), and owned by apache.

In that case, seLinux is, at very least, making you think about whether that chmod, and level of access, is in fact needed: unless you do in fact need to write files, it probably isn't, and it seems reasonable to say seLinux is in fact helping avoid functionality/access being available that isn't needed.

You are focusing on the POSIX-like qualities, but seLinux also allows you to prevent apache from initiating outbound connections, for example, and can constrain the outbound connections that are allows to a small number of ports. Personally, I sometimes find it useful to view seLinux's capabilities as being akin to an enforcing auditd daemon - you are looking at behaviour, and can be much more specific about acceptable behaviour, than POSIX makes possible (in part because POSIX is not so much about protection, and more about compatibility and providing a basic, stable set of features).

I might pay to read what Wikipedia has to say about both POSIX and SELinux - and also to consider the fact POSIX provides Discretionary Access Control, where seLinux provides Mandatory Access Control.

The DAC/MAC differences are to a point key to answering your question: MAC is generally a system-wide policy that is centrally controlled (typically with an eye to ensuring a system 'functions correctly'), where DAC allows local decisions to be made - there is an obvious tension between these approaches, and seLinux is there to ensure the global policy is applied even in the face of local decisions that might undermine it.

iwaseatenbyagrue
  • 3,631
  • 1
  • 12
  • 24
0

I can't make sense of this file access restriction, knowing a sysadmin could just do chmod -R -w /var/www/html/

I think the threat here isn't the user trying to access his own files, but the program being exploited.

Imagine Firefox falling victim to a memory corruption attack that enables the attacker to run arbitrary code : if SELinux restricts Firefox's access to the only files it needs to work, it can't do harm elsewhere, like your personal files and the rest of the system.

Also, you talk about a sysadmin, which makes me think that you should define more precisely what you think SELinux defends the system against. The sysadmin has root access by definition and nothing can therefore prevent him from doing anything. SELinux mitigates rogue users and program exploits, but it can't do miracles.

Hey
  • 1,905
  • 1
  • 16
  • 23
  • You can protect against the `apache` process being exploited by removing the write access of directories with the command I gave (or do chown to be more thorough). So why the need for SELinux to being with... – aross Mar 08 '17 at 08:51
  • With classic ACLs, you can only remove these rights to the user launching the program. SELinux does much more, and in this case, it enables us to restrict a specific program to the specific set of resources it uses without affecting the rest of the system. – Hey Mar 08 '17 at 16:54
  • Yes, but as I said `that process is already running as its own user`. The `apache` user is used for nothing other than Apache itself. – aross Mar 09 '17 at 08:54
  • It still can prevent the program from subverting other files it shouldn't access. SELinux can't guess whether or not you want it to protect the rest of the user's home. The idea is to isolate each program as much as possible by default, and that's what SELinux does : that way, apache can only access to the minimum set of files it needs to work. – Hey Mar 09 '17 at 18:09
  • `It still can prevent the program from subverting other files it shouldn't access.` What files, since by default there are no files or folders owned by `apache`? You would reach the exact same goal by having `/var/www/html` read-only (accessible for `apache` user). – aross Mar 10 '17 at 09:07
  • I don't know what specific files are accessible to `apache` by default, and that's not the point. The goal is to isolate each program *as much as possible* and not arbitrarily decide that some program will not have access to anything harmful because it's that way by default and users will not change the default. If I choose for some reason to launch `apache` with another user that does other things, these will be accessible to the `apache` program if it gets pwned. In that case, having an apparmor profile for apache can be useful. – Hey Mar 10 '17 at 18:30
  • I don't find `user error` a compelling reason in this case. Actually, I have found better reasons. And I now understand the use-case. And I would deploy it in live environments, knowing what I know now (just not local test environments). – aross Mar 13 '17 at 09:27
  • It may be user error for you ; I consider it more as default configuration that can be changed. Also, apache could run on *another* user account for some reason and still not need access to other, important data. – Hey Mar 15 '17 at 13:25
  • Well, if you change the user that runs the apache service, then you're changing configuration, which gives you the responsibilities of a sysadmin. By that I mean that you're then responsible for a proper setup. So if you fail to setup secure file permissions, that's user error. Really in the case of apache the only compelling reason is revoking write access from a webapp that you don't trust, without having to revoke write access from the Apache user altogether (which might make *other* webapps, that you *do* trust, unusable). – aross Mar 15 '17 at 13:37
  • Of course the user becomes responsible, but why force them to isolate apache themselves when you can create a SELinux config that isolates it properly in every case by default ? I don't see how this can be anything else than a win for security, even if only in non-default cases. Also, it costs nothing beyond the initial configuration. – Hey Mar 16 '17 at 08:10