Re: selinux issues -- for test system/httpd user access

NB: On this list, we don't top-post, we comment under what we're
replying to, like I'll do below.  Also, remove things that don't need
to be quoted, we don't need messages that get ever-longer.

bruce wrote:
> I'm not looking at fedora/centos as a sysAdmin. I'm coming at the OS
> as a means to get something done, and to move on to my next 99
> things. That said, rather than have selinux in permissive/off, I'm
> willing to spend a bit of time to figure out/understand some of the
> nuances.

In most cases, SELinux works properly, as it comes supplied.  So go
with the defaults, and do some fault-finding when something breaks. 
The fault-finding may find it's a problem with SELinux, and it may
point out that what you were doing was wrong (or whoever wrote the
program you used).

> Here's my use case:
> 
> Test VM/web server
> runs httpd/apache web process
> runs php/py apps as webapps, under the /var/www/html/cat dir/tree
> structure
>
> -has multiple test users
> -treat the test users as "dev" users
> dev users are able to ssh/scp files into their home dir
> dev users able to copy/mv files from home dir to httpd dir 
>  structure
> might need to be able to rsync files from a dev users local env 
>  into the test "www/var/html" dir/tree

I'll point out I'm not familiar with web apps, so that anyone else who
is won't wait for me to respond to those questions.  Likewise with ssh
file transfers, scp, and rsync.  Most of my web work is within my LAN,
where that isn't needed, and with a public webserver where they weren't
supported.

As I'd pointed out, moving files is a problem, so be sure to let any
other users know, too.  I was never much into moving files, myself, I'd
make something, then copy it to where it was meant to be, leaving my
own files to fiddle around with, without upsetting the ones being
served.  I'd copy improvements over, I'd revoke them by getting the
served versions back again.  But for simple things, I'd create them
where they were going to be served from, and work on them directly.

> I'm looking to be able to "set" up the test VM to have the dev, 
>  as well as the web processes/apps to be able to run correctly
> 
> for test dev user 'bob'
> bob would have a "/home/bob" dir
> bob could scp files from an outside box into the VM. The files 
>  would reside in the /home/bob/foo dir
>  -bob could then copy/mv the files into the /var/www/html/cat
> location
> 
> would anything have to be done from a selinux perspective to permit
> the above to happen?

I'm not a scp using user, so I don't know.  But you can easily test
this for yourself.  Try doing it, see if it works.

I think you're at that stage.  Set up your VM, let it do so using the
defaults.  Make some test flat HTML pages, see if they work.  Make some
PHP pages that have to generate content, see if they work.


> I was initially thinking that my issue was how to allow a "dev" user
> get files they work on into the docRoot space for the test webApps.
> I'm now thinking that the issue is really, how I allow the devs to
> get the files into the docRoot space, as well as "restrict" the
> ability for the dev to access other "stuff" on the VM..
> 
> I was thinking that using "groups" combined with selinux could
> accomplish this.

Using groups is the traditional way to collaborate, I don't see any
good reason for doing it some other way.

File permissions (user, group, other) handles how users can use their
files.  Well, it won't stop skullduggery by badly behaved people with
enough knowledge to work around it, but it keeps things in order from
people who do co-operate.

SELinux is more about protecting your system from rogue programs and
bad programming techniques, disallowing the webserver accessing files
elsewhere that it shouldn't do so.

> if I back up and take a higher level view, but a bit more
> complex I think the "best" approach is to have a really basic
> dev/test VM, as well as a "Prod" VM.

That kind of thing is what I do.  I have a test webserver that I do
everything on in-house.  Then I copy over any acceptable changes to the
public server.  And in my case, it's not virtual machines, but actual
machines.

> This method would still have to resolve the management of user
> access, as well as process access. I'd still need to understand
> selinux and how it "works".

Look for some SELinux guides, then.  But I haven't had to learn
anything much about SELinux, in all the years I've been webserving,
just basics.

As before, don't move files.  Copy them, or create them in-place.

When things don't work for unobvious reasons (you have the right file
permissions and ownership, but a file can't be read or written to),
SELinux is probably the cause.  So you check the logs.

There's a "SELinux Troubleshooter" app that can look at logs and make
suggestions for you.  But, as always, you have to think about it. 
Sure, it advises you about how to grant permission to do what failed. 
But you have to work out should you be allowing it (are you trying to
do the wrong thing, in the first place?).

And when you get bogged down in trying to fix an actual SELinux
problem, there is a mailing list for that.
 
-- 
 
uname -rsvp
Linux 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64
 
Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
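A defender-side check for the two points made above (don't move files into the docroot, and check the logs when ownership and permissions look right but httpd still can't read a file), added here as an example and not part of the original message. It assumes the el7-style `ls -Z` output shown in the constructed sample and file names without spaces; the listing and the audit line are constructed, not captured from a real system.

```shell
# Constructed sample of `ls -Z /var/www/html/cat` after bob used mv for
# index.php (the label followed the file from his home dir) and cp for style.css.
SAMPLE_LS_Z='-rw-rw-r--. bob bob unconfined_u:object_r:user_home_t:s0 index.php
-rw-r--r--. bob bob unconfined_u:object_r:httpd_sys_content_t:s0 style.css
-rw-rw-r--. bob bob unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads.db'

# Constructed audit.log line for the denial the moved file would cause.
SAMPLE_AVC='type=AVC msg=audit(1585000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.php" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Read ls -Z lines on stdin and print "name type" for every file whose SELinux
# type httpd cannot serve (anything other than the httpd_sys_*content_t types).
# The context is the field with at least three colons; the name is the last field.
find_mislabeled() {
    awk '{
        type = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, part, ":") >= 4) { type = part[3]; break }
        }
        if (type == "") next
        if (type !~ /^httpd_sys_(rw_|ra_)?content_t$/) print $NF, type
    }'
}

# Read audit.log lines on stdin and print "name type permission" for each AVC
# denial against httpd, so the target type can be compared with the listing.
httpd_denials() {
    awk '/^type=AVC/ && /comm="httpd"/ {
        perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
        name = $0; sub(/.*name="/, "", name); sub(/".*/, "", name)
        tctx = $0; sub(/.*tcontext=/, "", tctx); sub(/ .*/, "", tctx)
        split(tctx, part, ":")
        print name, part[3], perm
    }'
}

# Demonstration on the constructed samples; on a live el7 box you would run
#   ls -Z /var/www/html/cat | find_mislabeled
#   ausearch -m AVC -c httpd --raw | httpd_denials
# and put the labels right again with: restorecon -Rv /var/www/html/cat
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled
printf '%s\n' "$SAMPLE_AVC" | httpd_denials
```

Both functions print the same target type (user_home_t) for the moved file, which is the mismatch the SELinux Troubleshooter would report; a file copied into the docroot inherits httpd_sys_content_t and does not appear.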
 