[Solved] SELinux Booleans and httpd_enable_homedirs

Support for security such as Firewalls and securing linux
Post Reply
Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

[Solved] SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/28 20:33:50

Hello folks,

at first I'd like to mention that English is not my native language. Please bear with me if I make some little mistakes or struggle when trying to make my point. But now back to subject.

I've learned some basics about SELinux. I was told that the SELinux Boolean "httpd_enable_homedirs" would prevent access to Apache Userdirs even if the Apache is configured to run the Userdir-Module. So I setup an Apache with an enabled Userdir-Module, SELinux in Enforcing mode and the boolean httpd_enable_homedirs set to off. But whether the boolean is set on or off the access to the userdir is allowed. Could someone tell me what I did wrong or rather did not understand?

Here are my configuration:

Code: Select all

[root@centos ~]# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core) 
[root@centos ~]# getenforce
Enforcing
[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off
[root@centos ~]# grep -v '#' /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
    UserDir enabled

    UserDir public_html
</IfModule>

<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

[root@centos ~]# curl http://localhost/~tronde/index.html
<h1>Hello User</h1>
[root@centos ~]#
I thought the setting of the SELinux Boolean "httpd_enable_homedirs --> off" would prevent the access. But instead it is allowed. Could someone tell me what I did wrong or rather did not understand?

Best regards,
Tronde
Last edited by Tronde on 2016/11/29 18:54:04, edited 1 time in total.

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

Re: SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/28 20:59:13

Well, I set up the same configuration as in my first post on a RHEL 7 system. The configuration there works as expected an the access is restricted.

Here is the RHEL 7 configuration:

Code: Select all

Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@rhel-72-dev ~]# getenforce
Enforcing
[root@rhel-72-dev ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off

[tronde@rhel-72-dev ~]$ sudo chmod 711 /home/tronde/
[sudo] password for tronde:
[tronde@rhel-72-dev ~]$ mkdir public_html
[tronde@rhel-72-dev ~]$ echo '<h1>Hallo Welt</h1>' > public_html/index.html
[tronde@rhel-72-dev ~]$ chmod 755 public_html
[tronde@rhel-72-dev ~]$ chmod 644 public_html/index.html
[tronde@rhel-72-dev ~]$ curl http://localhost/~tronde/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /~tronde/index.html
on this server.</p>
</body></html>
[tronde@rhel-72-dev ~]$
But I have not figured out how to enable the booleans in CentOS as well, yet. Maybe someone could give me some advice on how to do this.

Regards,
Tronde

hunter86_bg
Posts: 1960
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELinux Booleans and httpd_enable_homedirs

Post by hunter86_bg » 2016/11/28 21:55:33

What is the selinux boolean status on the CentOS 7 machine:

Code: Select all

semanage boolean -l | egrep 'httpd_read_user_content|httpd_enable_homedirs'
Also what is the selinux context of the home directory and subdirectories ?

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

Re: SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/29 05:37:37

Here is the selinux boolean status on the CentOS 7 machine:

Code: Select all

[root@centos ~]# semanage boolean -l | egrep 'httpd_read_user_content|httpd_enable_homedirs'
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
And here comes the context of the relevant directories on CentOS 7:

Code: Select all

drwx--x--x. tronde tronde unconfined_u:object_r:user_home_dir_t:s0 /home/tronde
drwxr-xr-x. tronde tronde unconfined_u:object_r:httpd_user_content_t:s0 /home/tronde/public_html/
-rw-rw-r--. tronde tronde unconfined_u:object_r:httpd_user_content_t:s0 index.html
On the RHEL 7 machine the output looks the same.

Here is the selinux boolean status on the RHEL 7 machine:

Code: Select all

[root@rhel-72-dev ~]# semanage boolean -l | egrep 'httpd_read_user_content|httpd_enable_homedirs'
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
And the contextes on RHEL 7:

Code: Select all

drwx--x--x. tronde tronde unconfined_u:object_r:user_home_dir_t:s0 /home/tronde
drwxr-xr-x. tronde tronde unconfined_u:object_r:httpd_user_content_t:s0 /home/tronde/public_html/
-rw-rw-r--. tronde tronde unconfined_u:object_r:httpd_user_content_t:s0 index.html

hunter86_bg
Posts: 1960
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: SELinux Booleans and httpd_enable_homedirs

Post by hunter86_bg » 2016/11/29 14:08:00

Everything seems the same. What is the version of the selinux:

Code: Select all

rpm -qa | grep policy

User avatar
TrevorH
Forum Moderator
Posts: 27358
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Booleans and httpd_enable_homedirs

Post by TrevorH » 2016/11/29 14:28:02

What does sestatus say? Also getsebool httpd_enable_homedirs
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

Re: SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/29 17:14:40

The versions of selinux are,

for CentOS:

Code: Select all

[root@centos ~]# rpm -qa | grep policy
selinux-policy-3.13.1-60.el7_2.9.noarch
selinux-policy-targeted-3.13.1-60.el7_2.9.noarch
policycoreutils-2.2.5-20.el7.x86_64
checkpolicy-2.1.12-6.el7.x86_64
policycoreutils-python-2.2.5-20.el7.x86_64
[root@centos ~]#
for RHEL:

Code: Select all

[root@rhel-72-dev ~]# rpm -qa | grep policy
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
selinux-policy-3.13.1-102.el7_3.4.noarch
policycoreutils-2.5-9.el7.x86_64
checkpolicy-2.5-4.el7.x86_64
policycoreutils-python-2.5-9.el7.x86_64
[root@rhel-72-dev ~]#
The output of sestatus for,

CentOS:

Code: Select all

[root@centos ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@centos ~]#
and RHEL:

Code: Select all

[root@rhel-72-dev ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@rhel-72-dev ~]#
You could find the current setting of the boolean httpd_enable_homedirs for CentOS in my first post and for RHEL in the second one.

Well, the version of the packages in CentOS are older than in RHEL 7. But could that be the reason why the booleans are not working anyway in CentOS? What is the estimated time until the newer package versions will be available in CentOS, too?

As for now I guess I have to live with the current behaviour until there are newer packages available for CentOS and try it again. Or do you have any further ideas?

Regards,
Tronde

User avatar
TrevorH
Forum Moderator
Posts: 27358
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Booleans and httpd_enable_homedirs

Post by TrevorH » 2016/11/29 17:38:39

You could update to 7.3 using yum --enablerepo=cr update which should even the playing field a little.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

[Solved] Re: SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/29 18:52:48

TrevorH wrote:You could update to 7.3 using yum --enablerepo=cr update which should even the playing field a little.
I've done as you suggested. Now, I have the same package versions on my CentOS machine as on the RHEL machine. Now the selinux boolean httpd_enable_homedirs works as expected.

Thanks a lot for your help!

Post Reply

Return to “CentOS 7 - Security Support”