
Saturday, 18 February 2012

Disable SELinux Confinement for a Currently Protected Targeted Daemon

By default, httpd runs confined in the httpd_t domain (the third field of the security context shown below):

# ps -efZ | grep http

unconfined_u:system_r:httpd_t:s0 root         2913  1         0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2915  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2916  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2917  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2918  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2919  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2920  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2921  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2922  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 apache   2923  2913  0 11:30 ?        00:00:00 /usr/sbin/httpd

To disable SELinux confinement for httpd, we change the file type label of /usr/sbin/httpd so that the policy no longer transitions the process into httpd_t; note that this removes all SELinux confinement from a network-facing daemon, so its processes will run in the unconfined_t domain with the same access as any other unconfined process.

# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd

# chcon -t unconfined_exec_t /usr/sbin/httpd
# service httpd restart
# ls -lZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/httpd
# ps -efZ | grep http

unconfined_u:unconfined_r:unconfined_t:s0 root      3077  1        0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3079 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3080 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3081 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3082 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3083 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3084 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3085 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3086 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0 apache 3087 3077  0 11:42 ?  00:00:00 /usr/sbin/httpd

To revert to the original file type label, use restorecon, which resets the file to the context defined in the policy. Because chcon does not change the policy itself, the relabeling above is also undone by any later restorecon run or full filesystem relabel, so it is not persistent.

# restorecon /usr/sbin/httpd