Cloud Insidr

Cybersecurity in the Age of the Machine

Correcting SELinux security contexts: how to adjust SELinux labels on your file system

Filipe Martins 2020-12-06 5 Comments

In an administrator’s quest to get stuff done, SELinux tends to get in the way. It is perceived as a nuisance rather than a feature, mostly for one reason: setting correct SELinux labels requires the ability to figure out the appropriate SELinux security contexts. Here is how to do it.

In its default configuration, SELinux already has a firm idea of which security contexts to apply when restoring security labels on your system. The simplest way to poke around the SELinux configuration is to use grep.

Restore the default SELinux labels

The command restorecon restores the security context to the system’s default based on the default SELinux labels for each location.

Find out the default SELinux labels for NGINX

To find out the default SELinux labels for various elements of an NGINX installation, use this command:

[root@host]$ grep nginx /etc/selinux/targeted/contexts/files/file_contexts

The output of this command shows default SELinux labels for NGINX installation directories:

/etc/nginx(/.*)? system_u:object_r:httpd_config_t:s0
/var/run/nginx.* system_u:object_r:httpd_var_run_t:s0
/var/lib/nginx(/.*)? system_u:object_r:httpd_var_lib_t:s0
/var/log/nginx(/.*)? system_u:object_r:httpd_log_t:s0
/var/opt/rh/rh-nginx18/log(/.*)? system_u:object_r:httpd_log_t:s0
/etc/opt/rh/rh-nginx18/nginx(/.*)? system_u:object_r:httpd_config_t:s0
/usr/lib/systemd/system/nginx.* -- system_u:object_r:httpd_unit_file_t:s0
/var/opt/rh/rh-nginx18/lib/nginx(/.*)? system_u:object_r:httpd_var_lib_t:s0
/var/opt/rh/rh-nginx18/run/nginx(/.*)? system_u:object_r:httpd_var_run_t:s0
/usr/sbin/nginx -- system_u:object_r:httpd_exec_t:s0

The default web directory (/etc/nginx/html) is, by default, labeled with the unconfined_u user and the generic etc_t type:

[root@ip-10-0-0-63 fedora]# ls -laZ /etc/nginx/html/
total 16
drwxr-xr-x. 2 root root unconfined_u:object_r:etc_t:s0 4096 Jun 13 00:48 .
drwxr-xr-x. 7 root root unconfined_u:object_r:etc_t:s0 4096 Jun 18 12:28 ..
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 537 Jun 13 00:48 50x.html
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 612 Jun 13 00:48 index.html

Find out the default SELinux labels for a CMS such as WordPress

To find out the default SELinux security contexts for WordPress, use this command:

[root@host]$ grep wordpress /etc/selinux/targeted/contexts/files/file_contexts

/usr/share/wordpress/.*\.php -- system_u:object_r:httpd_sys_script_exec_t:s0
/usr/share/wordpress/wp-includes/.*\.php -- system_u:object_r:httpd_sys_script_exec_t:s0
/usr/share/wordpress-mu/wp-content(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/wordpress/wp-content/uploads(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/wordpress/wp-content/upgrade(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/wordpress-mu/wp-config\.php -- system_u:object_r:httpd_sys_script_exec_t:s0

The output may reveal some very useful information, for example (on CentOS 7):

/usr/share/wordpress-mu/wp-config\.php -- system_u:object_r:httpd_sys_script_exec_t:s0

The above line indicates that the main configuration file of WordPress named wp-config.php should receive the SELinux security context label:

system_u:object_r:httpd_sys_script_exec_t:s0

This SELinux label will only be applied, however, if the file is located in /usr/share/wordpress-mu/, which is almost certainly not the case on your system.
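
Why a packaged rule does not reach a copy of the file elsewhere, shown as an added example (not code from the original post): each file_contexts line is a path regex, an optional file-type field such as `--`, and a context, and the regex has to match the whole path. The helper names are hypothetical, the sample holds four rules from the output above, and the sketch lists every matching rule without choosing among several, which the real lookup (matchpathcon, restorecon) does.

```shell
#!/bin/sh
# Added example. Constructed sample: four rules copied from the grep output above.
FC_SAMPLE='/etc/nginx(/.*)? system_u:object_r:httpd_config_t:s0
/usr/sbin/nginx -- system_u:object_r:httpd_exec_t:s0
/usr/share/wordpress/wp-content/uploads(/.*)? system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/wordpress-mu/wp-config\.php -- system_u:object_r:httpd_sys_script_exec_t:s0'

# fc_candidates PATH [KIND] (hypothetical helper): print "regex<TAB>context"
# for every sample rule that applies to PATH. KIND is the optional file-type
# field of a rule: "--" regular file (the default here), "-d" directory.
# A rule without that field applies to every kind of file.
fc_candidates() {
  path=$1
  kind=${2:---}
  printf '%s\n' "$FC_SAMPLE" | while read -r regex f2 f3; do
    if [ -n "$f3" ]; then ftype=$f2; ctx=$f3; else ftype=; ctx=$f2; fi
    [ -z "$ftype" ] || [ "$ftype" = "$kind" ] || continue
    # A rule's regex has to match the whole path, hence the ^( ... )$ anchors.
    if printf '%s\n' "$path" | grep -Eq -- "^(${regex})\$"; then
      printf '%s\t%s\n' "$regex" "$ctx"
    fi
  done
  return 0
}

# fc_types PATH [KIND]: only the type, the third field of user:role:type:level.
fc_types() {
  fc_candidates "$@" | cut -f2 | cut -d: -f3 | sort -u
}

# The rule exists, but only for the packaged location:
fc_types /usr/share/wordpress-mu/wp-config.php
# No sample rule covers a copy under a custom document root (prints nothing):
fc_types /var/www/www.website1.tld/wp-config.php
```
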

Adjust SELinux security contexts

Before implementing permanent changes, it is advisable to adjust the SELinux security labels on the affected directory tree and its contents temporarily. That way you can verify that your assumptions work and, if they do not, easily restore the defaults (with restorecon).

List current SELinux security contexts on files and directories

Listing current SELinux security contexts involves the command:

ls -laZ

The resulting output for an installation of WordPress in the web server document directory www.website1.tld may look something like this:

drwxr-x---. owner1  nginx unconfined_u:object_r:httpd_sys_content_t:s0 www.website1.tld

Adjust the SELinux security contexts without changing defaults

To (temporarily) adjust the SELinux security contexts for WordPress so that it can run:

chcon -vR system_u:object_r:httpd_sys_content_t:s0 www.website1.tld

For all .php scripts inside the WordPress installation directory and its subdirectories:

find www.website1.tld -type f -name '*.php' -exec chcon -v system_u:object_r:httpd_sys_script_exec_t:s0 {} +

WordPress will run with these settings, but it will fail to write updates and to install themes and plugins. (It almost makes you wonder why these settings are the defaults.)

In order to allow NGINX to write to the WordPress installation, adjust the security context on the entire WordPress installation and its subdirectories using this command:

chcon -R -v system_u:object_r:httpd_sys_rw_content_t:s0 www.website1.tld/

Save new default SELinux contexts

Make the desired changes permanent:

semanage fcontext -a -t httpd_sys_rw_content_t -s system_u "/var/www/www.website1.tld(/.*)?"

Verify that your local contexts are correct:

cat /etc/selinux/targeted/contexts/files/file_contexts.local

You can add or remove default SELinux contexts as you see fit. To remove a context that is faulty or no longer needed:

semanage fcontext -d "/var/www/www.domainname.tld(/.*)?"

Restore SELinux default labels

Finally, to restore SELinux labels from the defaults, run:

restorecon -RFv /var/www/

on the webserver document directory (adjust the path as needed).
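
The persistent steps above (record the rule with semanage, relabel from it with restorecon, then check the local rules) as one script. This is an added example, not code from the original post: DRY_RUN, fcontext_regex, run and persist_label are names assumed here, the commands are only printed unless DRY_RUN=0, and escaping the dots in the directory name goes beyond the command shown above.

```shell
#!/bin/sh
# Added example; DRY_RUN and the function names are assumptions of this sketch.
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = run them (as root)

# fcontext_regex DIR: turn an absolute directory into the regex for semanage.
fcontext_regex() {
  dir=${1%/}                                  # drop one trailing slash
  [ -n "$dir" ] || { echo "refusing an empty path or /" >&2; return 1; }
  case $dir in
    /*) ;;                                    # rules need absolute paths
    *) echo "not an absolute path: $1" >&2; return 1 ;;
  esac
  case $dir in
    *[!A-Za-z0-9._/-]*) echo "unsupported character in: $1" >&2; return 1 ;;
  esac
  # Escape dots, as the packaged rules do (wp-config\.php), so that
  # "www.website1.tld" matches only that literal name.
  printf '%s(/.*)?\n' "$(printf '%s' "$dir" | sed 's/\./\\./g')"
}

# run CMD...: print the command in dry-run mode (unquoted), otherwise run it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# persist_label TYPE DIR: record the rule, relabel the tree from it, then
# list the local rules so the new entry can be checked.
persist_label() {
  regex=$(fcontext_regex "$2") || return 1
  run semanage fcontext -a -t "$1" -s system_u "$regex" || return 1
  run restorecon -RFv "${2%/}" || return 1
  run semanage fcontext -l -C
}

persist_label httpd_sys_rw_content_t /var/www/www.website1.tld
```

Because restorecon relabels from the recorded rules, labels set earlier with chcon survive it only where a matching rule has been added first.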


Comments

  1. minecraft says

    2019-04-15 at 12:45 pm

    Hello there! This is kind of off topic but I need some guidance from an established blog. Is it hard to set up your own blog? I’m not very technical but I can figure things out pretty quick. I’m thinking about making my own but I’m not sure where to begin. Do you have any points or suggestions?
    Cheers

    • Cloud Insidr says

      2019-04-15 at 3:23 pm

      I’d suggest the Genesis framework:

      https://www.studiopress.com/features/

      and a StudioPress Theme:

      https://my.studiopress.com/themes/?_ga=2.1743922.2061169991.1555366843-804282402.1555366843&_gac=1.40488854.1555366844.EAIaIQobChMIu6j3_pDT4QIVBUCGCh39Ags2EAAYASAAEgJLQPD_BwE

  2. Libby says

    2016-07-06 at 10:13 pm

    Hi, I desire to subscribe for this blog to get newest updates, therefore where can I do it please help.

    • Cloud Insidr says

      2016-07-06 at 10:32 pm

      > Hi, I desire to subscribe for this blog to get
      > newest updates, therefore where can I do it please help.

      In order to subscribe to our Newsletter please look at the right-hand side top corner. It says: “SUBSCRIBE TO OUR NEWSLETTER”. Type in your name & email address and you are good to go!

      I hope this helps! :-)
