Re: SELinux configuration for web server.

On Sun, Jun 21, 2020 at 03:08:16PM -0800, Justina Colmena ~biz wrote:
> 
> 
> On June 21, 2020 12:17:07 PM AKDT, Alain D D Williams <addw@xxxxxxxxxxxx> wrote:
> >On Sun, Jun 21, 2020 at 08:06:40PM +0000, Jason Long wrote:
> >> Hello,I want to install Apache, MySQL and PHP on CentOS 8, but I
> >don't like to disable SELinux. I know that SELinux maybe cause some
> >problems
> 
> Yes. SELinux is supposed to cause problems for unauthorized intrusion, unnecessary privilege elevation, etc.
> 
> At the same time, there's something a little bit too formulaic, "corporate" perhaps, about the question as posted. It's a LAMP stack. The SELinux policies really need to "just work" out of the box for the end user // installer // webmaster without any additional configuration.

They will if you have 'nice' web applications that just serve up stuff from
under the document root. Real applications are not like that; they might look at
files somewhere else, they might modify files, they might (often) connect to a
database.

These are all reasonable things for a web application to do; however they are
things that you might not need ... but might be things that a compromised PHP
script might try to do to steal all of your gold.

So: these things are switched off by default. You enable just what you need.

Yes: security does get in the way - that is good, it is what should happen. You
need to think and learn how to tweak it to your needs.

Unfortunately your employer will never thank you for it and complain about the
time that you take. You do this correctly and (hopefully) you keep your gold -
this is what s/he expects and thinks is easy. However if thieves break in you
will be blamed for not taking the time to do a good job.

> The CentOS distribution maintainers, developers, and software packagers, 
> https://ius.io/ etc. need to make it work somehow. There are far too many convenient excuses why the security enhancements of SELinux are not working out of the box in this day and age of botnets, spyware, Bitcoin miners, Unsolicited Commercial Email, etc.
> 
> My current website // email is to the best of my knowledge hosted on OpenVZ paravirtualization at a commercial hosting provider, and OpenVZ does not appear to be compatible with SELinux, although I have not researched the precise technicalities.


-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
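Alain's point above (everything beyond serving the document root is switched off by default; enable only what the application needs, one boolean or label at a time, never the broad switch) is easy to state and easy to get wrong in practice. The following POSIX shell helper is an added example, not code from the thread, from Alain, or from the CentOS/Fedora projects. It turns a short list of declared application needs ("db", "mail", "cgi", or a writable directory) into the narrowest set of `setsebool`/`semanage fcontext` commands, skipping booleans that are already on and flagging broad booleans that should stay off. The boolean names are the standard targeted-policy ones (`httpd_can_network_connect_db`, `httpd_can_sendmail`, `httpd_enable_cgi`, `httpd_can_network_connect`, `httpd_unified`); the `getsebool -a` output it reads is a constructed sample so the script runs offline, and the `/srv/app/uploads` path is a constructed placeholder. On a real host you would replace the sample with `getsebool -a | grep '^httpd_'` and review the printed plan before running it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Plans the minimal SELinux
# changes a LAMP application needs, in the spirit of "enable just what you need".

# Constructed sample of `getsebool -a | grep '^httpd_'` output (not a real host).
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_unified --> off'

# Booleans that grant far more than a single need; a plan should never enable
# these, and their being on is worth a warning.
BROAD_BOOLEANS='httpd_can_network_connect httpd_unified'

# bool_state TEXT NAME -> prints "on" or "off" for NAME, nothing if absent.
bool_state() {
    printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $3 }'
}

# need_to_boolean NEED -> prints the narrowest boolean covering NEED.
# "db" maps to the DB-only boolean, not the catch-all network boolean.
need_to_boolean() {
    case "$1" in
        db)   echo httpd_can_network_connect_db ;;
        mail) echo httpd_can_sendmail ;;
        cgi)  echo httpd_enable_cgi ;;
        *)    return 1 ;;
    esac
}

# rw_label_plan DIR -> commands that let httpd write to DIR only, by labelling
# it httpd_sys_rw_content_t (persistent rule, then relabel the tree).
rw_label_plan() {
    echo "semanage fcontext -a -t httpd_sys_rw_content_t '$1(/.*)?'"
    echo "restorecon -Rv '$1'"
}

# plan_changes TEXT NEED... -> one command per line; needs already satisfied
# produce nothing, unknown needs are reported on stderr and skipped. A need
# beginning with "/" is treated as a directory the application must write to.
plan_changes() {
    current=$1
    shift
    for need in "$@"; do
        case "$need" in
            /*) rw_label_plan "$need"; continue ;;
        esac
        if ! name=$(need_to_boolean "$need"); then
            echo "unknown need: $need" >&2
            continue
        fi
        if [ "$(bool_state "$current" "$name")" = off ]; then
            echo "setsebool -P $name on"
        fi
    done
}

# broad_booleans_on TEXT -> prints each broad boolean that is currently on.
broad_booleans_on() {
    for name in $BROAD_BOOLEANS; do
        if [ "$(bool_state "$1" "$name")" = on ]; then
            echo "$name"
        fi
    done
}

# Stand-alone run: an application that talks to a database and writes uploads.
main() {
    echo "# planned changes:"
    plan_changes "$SAMPLE_GETSEBOOL" db /srv/app/uploads
    warn=$(broad_booleans_on "$SAMPLE_GETSEBOOL")
    [ -n "$warn" ] && echo "# WARNING, broad booleans enabled: $warn"
    echo "# after applying, confirm with: ausearch -m AVC -ts recent"
}

main
```

The design choice worth noting is the `db` mapping: `httpd_can_network_connect` would also make the database connection work, but it lets a compromised PHP script open any outbound socket, which is exactly the "steal all of your gold" case Alain describes; `httpd_can_network_connect_db` limits httpd to ports labelled for database services. Likewise a per-directory `httpd_sys_rw_content_t` label beats `httpd_unified`, which makes all web content writable.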