In the current configuration, SELinux allow write to whom?
Can you tell me in your opinion which directories of WordPress must have "httpd_sys_rw_content_t" label and which one "httpd_sys_r_content_t" label?
On Sun, Sep 20, 2020 at 3:01 AM, mailist<mailist@xxxxxxxxxxx> wrote:Hi Jason,
1. Well just turning on your computer can lead to it beeing hacked...
Just remember SELinux is a part of the kernel with some policies
defined. You are the one making the rules but by default everything is
denied. (fyi would recommend you going through this
https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
it is really well explained).
well httpd_sys_r_content_r allow only read only access weither
httpd_sys_rw_content_t allows also write. What is dangerous is the write
one beeing defined everywhere (like in any systems). You can mix both,
on the files that wordpress should write:httpd_sys_rw_content_t and the
rest httpd_sys_r_content_t.
2. this command is setting a boolean to on that allows any programs
under the httpd context to communicate over the internet (yes SELinux
controls everything).
So as a resume, nothing is either white or black but rather a mix of the 2.
And btw if you are really preoccupied about security as a whole just
throw away wordpress (or run it as a static website (for example with gaby).
Vincent
On 9/19/20 11:56 PM, Jason Long wrote:
> Hello,
> I'm using CentOS 8 as a web server that hosting a WordPress website. I
> have two questions.
> 1- I defined SELinux for WordPress directory as below:
>
> # ls -lZ /var/www/
> drwxrwxr-x. 7 apache apache
> unconfined_u:object_r:httpd_sys_rw_content_t:s0 4096 Sep 19 23:37 wp
>
> I created an account for a remote developer that working on WordPress.
> On some websites, I saw that the OK permission for
> wp directory is "httpd_sys_r_content_t" and not "httpd_sys_rw_content_t"
> and someone recommended to back permission via below command:
>
> # restorecon -rv /var/www/wp
>
> Is it true? Is "httpd_sys_rw_content_t" a dangerous permission and can
> lead to hacking?
>
> 2- WordPress can't update and showed me "cURL Error (7): couldn't
> connect to host" error. I did below command to solve it:
>
> # setsebool -P httpd_can_network_connect on
>
> Can this command make Apache insecure and must I turn it to "off" ?
>
>
> Thank you.
>
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx