By default, httpd runs confined in the httpd_t SELinux domain, as the process labels below show:
# ps -efZ | grep http
unconfined_u:system_r:httpd_t:s0 root 2913 1 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2915 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2916 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2917 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2918 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2919 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2920 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2921 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2922 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2923 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
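To take httpd out of SELinux confinement, change the type label on the /usr/sbin/httpd executable. With the unconfined_exec_t label the daemon no longer transitions into httpd_t when it starts and runs as unconfined_t instead, so the targeted policy largely stops restricting what the web server process (and anything that takes control of it) can read, write or connect to. A label set with chcon is not recorded in the file-context database, so restorecon or a filesystem relabel will undo it. If the goal is troubleshooting denials, `semanage permissive -a httpd_t` is a narrower change: it keeps the httpd_t domain and still logs denials, but does not enforce them.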
# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
# chcon -t unconfined_exec_t /usr/sbin/httpd
# service httpd restart
# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd
# ps -efZ | grep http
unconfined_u:unconfined_r:unconfined_t:s0 root 3077 1 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3079 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3080 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3081 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3082 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3083 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3084 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3085 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3086 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3087 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
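To revert to the original label, run restorecon and then restart httpd; processes that are already running keep their unconfined_t context until they are restarted. (The process listing below appears to repeat the earlier output, with the same PIDs and start times, rather than showing a fresh run after the revert.)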
# restorecon /usr/sbin/httpd
# ps -efZ | grep http
unconfined_u:system_r:httpd_t:s0 root 2913 1 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2915 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2916 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2917 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2918 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2919 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2920 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2921 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2922 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache 2923 2913 0 11:30 ? 00:00:00 /usr/sbin/httpd
To take httpd out of SELinux confinement, change the type label on the /usr/sbin/httpd executable (after a restart the daemon runs as unconfined_t instead of httpd_t):
# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
# chcon -t unconfined_exec_t /usr/sbin/httpd
# service httpd restart
# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd
# ps -efZ | grep http
unconfined_u:unconfined_r:unconfined_t:s0 root 3077 1 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3079 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3080 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3081 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3082 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3083 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3084 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3085 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3086 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3087 3077 0 11:42 ? 00:00:00 /usr/sbin/httpd
To revert to the original label (restart httpd afterwards so the processes return to the httpd_t domain):
# restorecon /usr/sbin/httpd