Selinux not deny-ing httpd a file with wrong context type

cozsmin
Posts: 5
Joined: 2020/02/05 15:44:40

Post by cozsmin » 2020/02/05 16:05:16

Hello everybody,

OS: CentOS 7.6.1810
Kernel: 3.10.0-957.5.1.el7.x86_64
httpd packages:

[root@centos7 audit]# rpm -qa | grep http
httpd-tools-2.4.6-90.el7.centos.x86_64
httpd-2.4.6-90.el7.centos.x86_64
[root@centos7 audit]# 
SELinux packages:

[root@centos7 audit]# rpm -qa | grep selinux
libselinux-utils-2.5-14.1.el7.x86_64
selinux-policy-minimum-3.13.1-229.el7_6.9.noarch
libselinux-python-2.5-14.1.el7.x86_64
libselinux-2.5-14.1.el7.x86_64
selinux-policy-3.13.1-229.el7_6.9.noarch
selinux-policy-targeted-3.13.1-229.el7_6.9.noarch
container-selinux-2.74-1.el7.noarch
selinux-policy-mls-3.13.1-229.el7_6.9.noarch
[root@centos7 audit]# 
So I was just testing the example given at "https://access.redhat.com/documentation ... ted_policy", "Procedure 3.2. An Example of Confined Process".

What I did was to create "/var/www/html/test_file" and change its context type to "samba_share_t":

[root@centos7 audit]# ls -alZ /var/www/html/test_file 
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test_file
[root@centos7 audit]# 
The "httpd" processes are running in context "system_u:system_r:httpd_t:s0".
SELinux is enabled and Enforcing; now, according to the tutorial, any attempt at fetching the test file should end in denied access.
But that is not the case:

[root@centos7 audit]# curl http://localhost/test_file
zzz
[root@centos7 audit]# 
What is even stranger is that "/var/log/audit/audit.log" says that access to the file is denied:

type=AVC msg=audit(1580918034.472:175): avc:  denied  { read } for  pid=3422 comm="httpd" name="test_file" dev="dm-0" ino=52498405 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580918034.472:175): avc:  denied  { open } for  pid=3422 comm="httpd" path="/var/www/html/test_file" dev="dm-0" ino=52498405 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=1
Once again, SELinux is enabled:

[root@centos7 audit]# getenforce 
Enforcing
[root@centos7 audit]# 
The sebooleans involved with http are:

[root@centos7 audit]# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
[root@centos7 audit]# 
What is wrong with my SELinux settings?

I mean, I just googled "selinux permissive=1" and that should mean I am running in "permissive" mode, but that is a lie: I have even tested on my FTP server, I set "setsebool ftpd_full_access 0" and received an error when trying to log in to my FTP server.

type=AVC msg=audit(1580918424.428:195): avc:  denied  { search } for  pid=15790 comm="vsftpd" name="pub" dev="dm-0" ino=1381223 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ftpd_exec_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1580918424.428:195): arch=c000003e syscall=80 success=no exit=-13 a0=55dfdff2a7f0 a1=0 a2=17 a3=7f9acc0702e0 items=0 ppid=15783 pid=15790 auid=4294967295 uid=0 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
Does anyone know? This sounds like a UFO or a bug to me.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux not deny-ing httpd a file with wrong context type

Post by TrevorH » 2020/02/05 17:18:04

type=AVC msg=audit(1580918034.472:175): avc: denied { read } for pid=3422 comm="httpd" name="test_file" dev="dm-0" ino=52498405 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=1
That says your system is in permissive mode.

Did you look at getsebool -a | grep http to see if you have set something that makes httpd permissive?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

cozsmin
Posts: 5
Joined: 2020/02/05 15:44:40

Re: Selinux not deny-ing httpd a file with wrong context type

Post by cozsmin » 2020/02/06 07:56:08

Hello TrevorH

The sebooleans involved with http are:

[root@centos7 audit]# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
[root@centos7 audit]# 

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Selinux not deny-ing httpd a file with wrong context type

Post by hunter86_bg » 2020/02/07 06:30:18

What is the output of:

 semanage permissive --list
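The thread's key clue is the trailing `permissive=1` on the httpd AVC records while `getenforce` still says Enforcing: that is the signature of a per-domain permissive setting (what `semanage permissive --list` shows), not of global permissive mode. As an added example, not code from the thread or its participants, this POSIX shell filter pulls the source domain out of every `permissive=1` AVC record so such domains can be spotted in audit.log; the sample input is constructed from the AVC lines quoted above plus one unrelated SYSCALL record.

```shell
#!/bin/sh
# Added example (not from the thread): list SELinux source domains whose AVC
# records carry permissive=1, i.e. domains that are permissive even though
# `getenforce` reports Enforcing. Input: audit.log records on stdin.

# Constructed sample: the two httpd_t denials from the thread (permissive=1),
# the vsftpd denial from the FTP test (permissive=0) and one non-AVC record.
SAMPLE_AUDIT='type=AVC msg=audit(1580918034.472:175): avc:  denied  { read } for  pid=3422 comm="httpd" name="test_file" dev="dm-0" ino=52498405 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580918034.472:175): avc:  denied  { open } for  pid=3422 comm="httpd" path="/var/www/html/test_file" dev="dm-0" ino=52498405 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580918424.428:195): avc:  denied  { search } for  pid=15790 comm="vsftpd" name="pub" dev="dm-0" ino=1381223 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ftpd_exec_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1580918424.428:195): arch=c000003e syscall=80 success=no exit=-13'

# Print, once each and sorted, the type field of scontext for every AVC record
# whose last field is permissive=1 (permissive=N is the final field of an AVC).
permissive_domains() {
    awk '
        /^type=AVC / && $NF == "permissive=1" {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) {
                    # strip "scontext=" (9 chars); context is user:role:type[:range]
                    split(substr($i, 10), ctx, ":")
                    seen[ctx[3]] = 1
                }
            }
        }
        END { for (d in seen) print d }
    ' | sort
}

# Runs the constructed sample through the filter; expected output: httpd_t
sample_permissive_domains() {
    printf '%s\n' "$SAMPLE_AUDIT" | permissive_domains
}

# On a live system (as root): permissive_domains < /var/log/audit/audit.log
# then confirm the domain with the thread's check, `semanage permissive --list`.
```

A domain that shows up here and in `semanage permissive --list` was made permissive with `semanage permissive -a`; the matching `semanage permissive -d <domain>` (a standard semanage option, not mentioned in the thread) returns it to enforcing.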
