On Sun, Jun 21, 2020 at 03:08:16PM -0800, Justina Colmena ~biz wrote: > > > On June 21, 2020 12:17:07 PM AKDT, Alain D D Williams <addw@xxxxxxxxxxxx> wrote: > >On Sun, Jun 21, 2020 at 08:06:40PM +0000, Jason Long wrote: > >> Hello,I want to install Apache, MySQL and PHP on CentOS 8, but I > >don't like to disable SELinux. I know that SELinux maybe cause some > >problems > > Yes. SELinux is supposed to cause problems for unauthorized intrusion, unnecessary privilege elevation, etc. > > At the same time, there's something a little bit too formulaic, "corporate" perhaps, about the question as posted. It's a LAMP stack. The SELinux policies really need to "just work" out of the box for the end user // installer // webmaster without any additional configuration. They will if you have 'nice' web applications that just serve up stuff from under the document root. Real applications are not like that; they might look at files somewhere else, they might modifiy files, they might (often) connect to a database. These are all reasonable things for a web application to do; however they are things that you might not need ... but might be things that a compromised PHP script might try to do to steal all of your gold. So: these things are switched off by default. You enable just what you need. Yes: security does get in the way - that is good, it is what should happen. You need to think and learn how to tweak it to your needs. Unfortunately your employer will never thank you for it and complain about the time that you take. You do this correctly and (hopefully) you keep your gold - this is what s/he expects and thinks is easy. However if thieves break in you will be blamed for not taking the time to do a good job. > The CentOS distribution maintainers, developers, and software packagers, > https://ius.io/ etc. need to make it work somehow. There are far too many convenient excuses why the security enhancements of SELinux are not working out of the box in this day and age of botnets, spyware, Bitcoin miners, Unsolicited Commercial Email, etc. > > My current website // email is to the best of my knowledge hosted on OpenVZ paravirtualization at a commercial hosting provider, and OpenVZ does not appear to be compatible with SELinux, although I have not researched the precise technicalities. -- Alain Williams Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer. +44 (0) 787 668 0256 https://www.phcomp.co.uk/ Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html #include <std_disclaimer.h> _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
