How to get SELinux to prevent Apache/HTTPD from reading specific files

asked 2014-11-13 01:52:20 -0500

Sterling Fitzgerald

What am I missing with SELinux? I thought it was supposed to be another layer of security but I built a web page vulnerable to command injection and it can basically traverse most of my file system.

I thought SELinux was supposed to block httpd from even reading arbitrary files. I'm specifically worried about an attacker reading the /etc/passwd file. I know Dan Walsh mentioned that (http://danwalsh.livejournal.com/56760.html?thread=335032).

Other than the regular Discretionary Access Controls, is there a way to block this through SELinux? Would I have to build my own policy? SELinux is in Enforcing mode.


2 Answers


answered 2014-11-13 10:05:52 -0500

Sterling Fitzgerald

Result of sestatus is:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Result of ps -efZ|grep httpd:

system_u:system_r:httpd_t:s0 root 1107 1 0 01:42 ? 00:00:01 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 2383 1107 0 03:08 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 2384 1107 0 03:08 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 2385 1107 0 03:08 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 2386 1107 0 03:08 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 2387 1107 0 03:08 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0 apache 2411 1107 0 03:12 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 adminis+ 2467 2426 0 03:34 pts/0 00:00:00 grep --color=auto httpd

Result of ls -laZ /etc/passwd:

-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

Result of semanage boolean -l | grep httpd:

httpd_can_network_relay (off , off) Allow httpd to can network relay
httpd_can_connect_mythtv (off , off) Allow httpd to can connect mythtv
httpd_can_network_connect_db (off , off) Allow httpd to can network connect db
httpd_use_gpg (off , off) Allow httpd to use gpg
httpd_dbus_sssd (off , off) Allow httpd to dbus sssd
httpd_enable_cgi (on , on) Allow httpd to enable cgi
httpd_verify_dns (off , off) Allow httpd to verify dns
httpd_dontaudit_search_dirs (off , off) Allow httpd to dontaudit search dirs
httpd_anon_write (off , off) Allow httpd to anon write
httpd_use_cifs (off , off) Allow httpd to use cifs
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs
httpd_unified (off , off) Allow httpd to unified
httpd_mod_auth_pam (off , off) Allow httpd to mod auth pam
httpd_run_stickshift (off , off) Allow httpd to run stickshift
httpd_use_fusefs (off , off) Allow httpd to use fusefs
httpd_can_connect_ldap (off , off) Allow httpd to can connect ldap
httpd_can_network_connect (off , off) Allow httpd to can network connect
httpd_mod_auth_ntlm_winbind (off , off) Allow httpd to mod auth ntlm winbind
httpd_use_sasl (off , off) Allow httpd to use sasl
httpd_tty_comm (off , off) Allow httpd to tty comm
httpd_sys_script_anon_write (off , off) Allow httpd to sys script anon write
httpd_graceful_shutdown (on , on) Allow httpd to graceful shutdown
httpd_can_connect_ftp (off , off) Allow httpd to can connect ftp
httpd_read_user_content (off , off) Allow httpd to read user content
httpd_use_nfs (off , off) Allow httpd to use nfs
httpd_can_connect_zabbix (off , off) Allow httpd to can connect zabbix
httpd_tmp_exec (off , off) Allow httpd to tmp exec
httpd_manage_ipa (off , off) Allow httpd to manage ipa
httpd_can_sendmail (off , off) Allow httpd to can sendmail
httpd_builtin_scripting (on , on) Allow httpd to builtin scripting
httpd_dbus_avahi (off , off) Allow httpd to dbus avahi
httpd_can_check_spam (off , off) Allow httpd to can check spam
httpd_can_network_memcache (off , off) Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler
... (more)


answered 2014-11-13 02:46:08 -0500

jorti

It should block those accesses. Give us the output of:

sestatus
ps -efZ|grep httpd
ls -laZ /etc/passwd
semanage boolean -l | grep httpd

Have you modified the policy, adding some module or something like that?


Comments

I haven't modified the policies or added a module. I'm just using type enforcement and made changes to booleans.

Sterling Fitzgerald (2014-11-13 10:03:42 -0500)
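A triage script for the four outputs jorti asked for, added here as an example and not taken from the thread: each parser reads one command's output on stdin, so it runs against saved output (or the constructed samples a test would feed it) as well as live, and the `sesearch` line assumes the setools package is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: parse the four outputs jorti asked
# for and flag what matters. Each parser reads one command's output on stdin,
# so it works on saved output (or constructed samples) as well as live.

# Print the "Current mode" value from sestatus (expect "enforcing").
selinux_mode() {
    awk -F': *' '/^Current mode:/ { print $2 }'
}

# From ps -efZ output, print PID and context of every httpd process whose
# context is NOT httpd_t. Any output means the daemon runs unconfined and no
# httpd policy applies to it. The grep line itself (CMD = grep) is skipped.
unconfined_httpd() {
    awk '$9 ~ /(^|\/)httpd$/ && $1 !~ /:httpd_t:/ { print $3, $1 }'
}

# From ls -laZ /etc/passwd, print "ok" if the file carries passwd_file_t.
# Matching the whole line keeps this independent of the ls column layout.
passwd_label() {
    awk '{ r = ($0 ~ /:passwd_file_t:/) ? "ok" : "mislabelled"; print r }'
}

# From semanage boolean -l, print the names of httpd booleans currently on
# (the first value inside the parentheses is the current state).
booleans_on() {
    awk -F'[()]' '/^httpd_/ { split($2, v, ","); gsub(/ /, "", v[1]);
                              if (v[1] == "on") { sub(/ +$/, "", $1); print $1 } }'
}

# On a live host: run the four commands through the parsers in one go.
triage() {
    echo "mode:        $(sestatus | selinux_mode)"
    echo "unconfined:  $(ps -efZ | unconfined_httpd)"
    echo "/etc/passwd: $(ls -laZ /etc/passwd | passwd_label)"
    echo "booleans on: $(semanage boolean -l | booleans_on | tr '\n' ' ')"
    # Whether the loaded policy itself lets httpd_t read passwd_file_t is a
    # policy query, not a runtime check (sesearch comes from setools):
    #   sesearch -A -s httpd_t -t passwd_file_t -c file -p read
}
```

Anything printed by unconfined_httpd, a mode other than enforcing, or a mislabelled /etc/passwd would explain the behaviour seen; if all four look right, what remains is to ask the policy itself with the sesearch query in the comment.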
