Re: selinux, httpd, and lighttpd

Miroslav Grepl <mgrepl@xxxxxxxxxx> · Mon, 14 Jul 2014 10:47:08 +0200



    On 07/10/2014 08:17 PM, Gene Czarcinski
      wrote:

    
      Generally I am a "belt and suspenders" type of guy with respect to
      security so for a webserver (apache(httpd), lighttpd, or nginx) I
      want to run the server chrooted AS WELL AS have SELinux enforcing
      in effect. I have been running SELinux enabled and enforcing from
      the beginning so it is not a question of using SELinux.

      
      Well, I am not doing to well and really cannot get things to
      work.  Without chroot but with SELinux enforcing, I can get
      lighttpd to serve static files and CPI created info (specifically
      to support git clone and gitweb).  With chroot and SELInux
      enforcing I can get static files served but not CGI stuff
      ...

          I get lots of "CGI failed: Permission denied
      cgi-bin/git-http-backend"

    
    What AVC msgs are you getting? 

    
    Re-test and run

    
    # ausearch -m avc -ts recent

     A
      bunch of years ago when I was using the bind package for dns,
      there was a change in Fedora/RHEL to de-emphasize use of chroot
      and instead depend on SELinux to protect things.  This change was
      not so much advertised and just done.

      
      I am wondering if something similar has happened for the
      webserver.  There is some (very limited) doc for apache (httpd)
      and a lot of rules in selinux-policy-targetted for "httpd" and
      these rules seem to apply to both httpd (apache) and lighttpd.  If
      I am reading the tea leaves correctly SELinux seems to be
      providing a lot of protection.

      
      So, do I need chroot???  Is just using SELinux a "good enough"
      solution?  I am not looking for a perfect solution but one which
      "good engineering practice" says should be "good enough."  I hope
      it is but would sure like some "experts" to agree as well as maybe
      pointing to some substantiating documentation.

      
      Side comment:  If SELinux is attempting to provide the same
      functionality to both httpd and lighttpd, it would be nice if the
      documentation at least mentioned lighttpd.

      
      Gene

      
      --
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
    
    
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux