Re: selinux issues -- for test system/httpd user access

On Tue, 2020-04-14 at 14:01 -0400, bruce wrote:
> I've already got the VM, test users, httpd, etc. And things run with
> selinux disabled.
> 
> Now it's time to take the jump, and engage selinux!

Actually, that's going to be your biggest problem.  If you've set up
and run things with it off, you're going to have to relabel your files
because SELinux wouldn't have been labelling them while it was off.

The simplest way to do that is to relabel the entire filesystem, rather
than try and figure out what needs fixing.

Generally speaking, things just work with SELinux engaged.  I haven't
disabled it in years, not even for tests.  Where you come a cropper is
when you want to do things outside of the norm, or you use software
that wants to do so.  Since your concern is with web serving, I'll
point out that attitude is/was common with web-blogging that uses a
database style of webserving.  While I seem to recall seeing that you'd
spoken of flat file webserving (where SELinux isn't a problem), I see
you mentioning PHP, which is typically used for fancier webserving.

You may want to research PHP and SELinux, as a combined topic.

In years gone past, it was not uncommon advice to switch off firewalls,
and other protective processes, from the *authors* of software, not
just users fumbling around in the dark.  Simply because they didn't
understand security, wanted to do things that were unsafe, and didn't
want to change their mindset.

Try to avoid that, try to learn how to correctly program and use PHP so
that it's not required.  Don't let web things run as root, or have
world-writable permissions.  Don't put website database files where
they can be directly accessed without using your PHP interfaces.
 
-- 
 
uname -rsvp
Linux 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
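
A check along the lines of the advice in the message above, as an added example that is not part of the original post: it lists world-writable paths under a web root and does a dry-run `restorecon` to show which files a relabel would change. The function names and the default path `/var/www/html` are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. Function names and the
# default web root (/var/www/html) are assumptions.

# List regular files and directories under $1 that are world-writable.
# Symlinks are not matched; their own mode bits carry no meaning on Linux.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Dry-run relabel: list paths under $1 whose SELinux context differs
# from what the loaded policy expects. restorecon -n changes nothing and
# -v prints each path it would relabel. Prints nothing when the SELinux
# tools are missing or SELinux is disabled.
mislabeled() {
    command -v restorecon >/dev/null 2>&1 || return 0
    command -v selinuxenabled >/dev/null 2>&1 || return 0
    selinuxenabled || return 0
    restorecon -R -n -v "$1" 2>/dev/null
}

# Report both kinds of finding; return 1 if anything was found.
audit_webroot() {
    local root="${1:-/var/www/html}"
    local rc=0
    if [ -n "$(world_writable "$root")" ]; then
        echo "World-writable paths under $root:"
        world_writable "$root" | sed 's/^/  /'
        rc=1
    fi
    if [ -n "$(mislabeled "$root")" ]; then
        echo "Paths restorecon would relabel under $root:"
        mislabeled "$root" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}

# Usage: audit_webroot /var/www/html
```
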
 