NB: On this list, we don't top-post, we comment under what we're replying to, like I'll do below. Also, remove things that don't need to be quoted, we don't need messages that get ever-longer.

bruce wrote:
> I'm not looking at fedora/centos as a sysAdmin. I'm coming at the OS
> as a means to get something done, and to move on to my next 99
> things. That said, rather than have selinux in permissive/off, I'm
> willing to spend a bit of time to figure out/understand some of the
> nuances.

In most cases, SELinux works properly, as it comes supplied. So go with the defaults, and do some fault-finding when something breaks. The fault-finding may find it's a problem with SELinux, and it may point out that what you were doing was wrong (or whoever wrote the program you used).

> Here's my use case:
>
> Test VM/web server
> runs httpd/apache web process
> runs php/py apps as webapps, under the /var/www/html/cat dir/tree
> structure
>
> -has multiple test users
> -treat the test users as "dev" users
> dev users are able to ssh/scp files into their home dir
> dev users able to copy/mv files from home dir to httpd dir
> structure
> might need to be able to rsync files from a dev user's local env
> into the test "www/var/html" dir/tree

I'll point out I'm not familiar with web apps, so that anyone else who is won't wait for me to respond to those questions. Likewise with ssh file transfers, scp, and rsync. Most of my web work is within my LAN, where that isn't needed, and with a public webserver where they weren't supported.

As I'd pointed out, moving files is a problem, so be sure to let any other users know, too. I was never much into moving files, myself. I'd make something, then copy it to where it was meant to be, leaving my own files to fiddle around with, without upsetting the ones being served. I'd copy improvements over; I'd revoke them by getting the served versions back again.

But for simple things, I'd create them where they were going to be served from, and work on them directly.

> I'm looking to be able to "set" up the test VM to have the dev,
> as well as the web processes/apps to be able to run correctly
>
> for test dev user 'bob'
> bob would have a "/home/bob" dir
> bob could scp files from an outside box into the VM. The files
> would reside in the /home/bob/foo dir
> -bob could then copy/mv the files into the /var/www/html/cat
> location
>
> would anything have to be done from a selinux perspective to permit
> the above to happen?

I'm not a scp using user, so I don't know. But you can easily test this for yourself. Try doing it, see if it works.

I think you're at that stage. Set up your VM, let it do so using the defaults. Make some test flat HTML pages, see if they work. Make some PHP pages that have to generate content, see if they work.

> I was initially thinking that my issue was how to allow a "dev" user
> get files they work on into the docRoot space for the test webApps.
> I'm now thinking that the issue is really, how I allow the devs to
> get the files into the docRoot space, as well as "restrict" the
> ability for the dev to access other "stuff" on the VM.
>
> I was thinking that using "groups" combined with selinux could
> accomplish this.

Using groups is the traditional way to collaborate, I don't see any good reason for doing it some other way. File permissions (user, group, other) handle how users can use their files. Well, it won't stop skullduggery by badly behaved people with enough knowledge to work around it, but it keeps things in order from people who do co-operate.

SELinux is more about protecting your system from rogue programs and bad programming techniques, disallowing the webserver accessing files elsewhere that it shouldn't do so.

> if I back up and take a higher level view, but a bit more
> complex I think the "best" approach is to have a really basic
> dev/test VM, as well as a "Prod" VM.

That kind of thing is what I do. I have a test webserver that I do everything on in-house. Then I copy over any acceptable changes to the public server. And in my case, it's not virtual machines, but actual machines.

> This method would still have to resolve the management of user
> access, as well as process access. I'd still need to understand
> selinux and how it "works".

Look for some SELinux guides, then. But I haven't had to learn anything much about SELinux, in all the years I've been webserving, just basics.

As before, don't move files. Copy them, or create them in-place.

When things don't work for unobvious reasons (you have the right file permissions and ownership, but a file can't be read or written to), SELinux is probably the cause. So you check the logs. There's a "SELinux Troubleshooter" app that can look at logs and make suggestions for you. But, as always, you have to think about it. Sure, it advises you about how to grant permission to do what failed. But you have to work out whether you should be allowing it (are you trying to do the wrong thing, in the first place?).

And when you get bogged down in trying to fix an actual SELinux problem, there is a mailing list for that.

-- 
uname -rsvp
Linux 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
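The reply above makes two practical points: files moved with mv into /var/www/html keep their home-directory SELinux label (cp and in-place creation pick up the directory's default label instead), and the place to look when permissions are fine but httpd still can't read a file is the audit log. The following script is an added example, not part of the thread or of any Fedora tool: it parses AVC denial records in the format written to /var/log/audit/audit.log, and triages the two cases a web-content admin meets most often. The audit lines are constructed samples (pid, inode and timestamps are made up); the type names user_home_t, httpd_t, httpd_sys_content_t and httpd_sys_rw_content_t and the restorecon/semanage commands in the advice strings are the real ones from the targeted policy.

```python
import re
from dataclasses import dataclass

# Constructed sample audit records (not taken from the mailing-list message).
# Line 1: a file copied into the DocumentRoot with mv kept its user_home_t label.
# Line 2: same problem, for a PHP file reported by full path.
# Line 3: httpd tried to write into a directory labelled read-only web content.
# Line 4: a SYSCALL record, which the AVC parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1585000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585000001.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/cat/app.php" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1585000002.789:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="cache" dev="dm-0" ino=12347 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1585000002.789:458): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
"""

# An AVC record: "type=AVC ... avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Labels that belong in a home directory, not under the DocumentRoot.
HOME_TYPES = {"user_home_t", "user_home_dir_t"}


@dataclass
class Denial:
    perms: tuple          # e.g. ("read",) or ("write",)
    comm: str             # denied process name, e.g. httpd
    target: str           # path= if present, else name=
    source_type: str      # type field of scontext, e.g. httpd_t
    target_type: str      # type field of tcontext, e.g. user_home_t
    tclass: str           # object class: file, dir, ...


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a Denial for AVC denials, else None."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        target=fields.get("path") or fields.get("name", "?"),
        source_type=context_type(fields.get("scontext", "")),
        target_type=context_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass", "?"),
    )


def parse_audit_log(text):
    """All AVC denials in an audit.log excerpt, in order."""
    return [d for d in (parse_avc(ln) for ln in text.splitlines()) if d]


def triage(d):
    """Classify a denial; returns (kind, human-readable advice)."""
    what = f"{d.comm} denied {' '.join(d.perms)} on {d.target} ({d.tclass} labelled {d.target_type})"
    if d.source_type == "httpd_t" and d.target_type in HOME_TYPES:
        return ("stale_home_label",
                what + ". Web content carries a home-directory label, which is what mv "
                "leaves behind (cp or creating the file in place would have inherited the "
                "directory's label). Relabel from policy: restorecon -Rv /var/www/html")
    if d.source_type == "httpd_t" and d.target_type == "httpd_sys_content_t" and "write" in d.perms:
        return ("write_to_readonly_content",
                what + ". httpd_sys_content_t is read-only by design. If this directory "
                "really must be writable by the web app, label just that directory: "
                "semanage fcontext -a -t httpd_sys_rw_content_t '<dir>(/.*)?' && restorecon -Rv <dir>. "
                "Otherwise the app is writing somewhere it should not.")
    return ("review", what + ". No canned explanation; run sealert -a /var/log/audit/audit.log "
                      "or audit2why and decide whether the access should be allowed at all.")


if __name__ == "__main__":
    for denial in parse_audit_log(SAMPLE_AUDIT_LOG):
        kind, advice = triage(denial)
        print(f"[{kind}] {advice}")
```

Run it against a real excerpt with `python3 triage.py < /dev/null` replaced by reading `ausearch -m AVC -ts recent` output into SAMPLE_AUDIT_LOG, or feed `sys.stdin.read()` to parse_audit_log. The point of the two branches matches the reply's advice: the first is fixed by putting labels back the way the policy expects, and the second should make you ask whether the write is legitimate before granting anything.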