On Sun, Jun 21, 2020 at 03:08:16PM -0800, Justina Colmena ~biz wrote:
On June 21, 2020 12:17:07 PM AKDT, Alain D D Williams <addw(a)phcomp.co.uk> wrote:
>On Sun, Jun 21, 2020 at 08:06:40PM +0000, Jason Long wrote:
>> Hello, I want to install Apache, MySQL and PHP on CentOS 8, but I
>don't like to disable SELinux. I know that SELinux may cause some
>problems
Yes. SELinux is supposed to cause problems for unauthorized intrusion, unnecessary
privilege elevation, etc.
At the same time, there's something a little bit too formulaic, "corporate"
perhaps, about the question as posted. It's a LAMP stack. The SELinux policies really
need to "just work" out of the box for the end user // installer // webmaster
without any additional configuration.
They will if you have 'nice' web applications that just serve up stuff from
under the document root. Real applications are not like that; they might look at
files somewhere else, they might modify files, they might (often) connect to a
database.
These are all reasonable things for a web application to do; however they are
things that you might not need ... but might be things that a compromised PHP
script might try to do to steal all of your gold.
So: these things are switched off by default. You enable just what you need.
Yes: security does get in the way - that is good, it is what should happen. You
need to think and learn how to tweak it to your needs.
Unfortunately your employer will never thank you for it and complain about the
time that you take. You do this correctly and (hopefully) you keep your gold -
this is what s/he expects and thinks is easy. However if thieves break in you
will be blamed for not taking the time to do a good job.
The CentOS distribution maintainers, developers, and software
packagers,
https://ius.io/ etc. need to make it work somehow. There are far too many convenient
excuses why the security enhancements of SELinux are not working out of the box in this
day and age of botnets, spyware, Bitcoin miners, Unsolicited Commercial Email, etc.
My current website // email is to the best of my knowledge hosted on OpenVZ
paravirtualization at a commercial hosting provider, and OpenVZ does not appear to be
compatible with SELinux, although I have not researched the precise technicalities.
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256
https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information:
https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
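
The "enable just what you need" approach from the reply above, as an added example that is not part of the original thread: a small triage script that maps an SELinux AVC denial from the web server domain to the narrowest boolean or file label that permits it. The log records are constructed, `DIR` is a placeholder for the application's directory, and the three rules cover only the cases the reply names (files elsewhere, modified files, a database connection).

```shell
#!/bin/sh
# Added example. Maps one SELinux AVC denial raised by the web server domain
# (httpd_t) to the narrowest setting that allows it. Log lines are constructed.

# Print the value of one key=value field of an AVC record ($1=record, $2=key).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print a suggested remedy for one AVC record. DIR is a placeholder.
suggest_fix() {
    rec=$1
    case $(avc_field "$rec" scontext) in
        *:httpd_t:*) ;;
        *) echo "skip: source is not httpd_t"; return 0 ;;
    esac
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    ttype=$(avc_field "$rec" tcontext | cut -d: -f3)
    case "$(avc_field "$rec" tclass):$ttype:$perms" in
        tcp_socket:mysqld_port_t:*name_connect*)   # connect to a database
            echo "setsebool -P httpd_can_network_connect_db on" ;;
        file:httpd_sys_content_t:*write*|dir:httpd_sys_content_t:*write*)
            echo "semanage fcontext -a -t httpd_sys_rw_content_t 'DIR(/.*)?'" ;;
        file:default_t:*read*|file:var_t:*read*)   # files outside the docroot
            echo "semanage fcontext -a -t httpd_sys_content_t 'DIR(/.*)?'" ;;
        *) echo "review: no narrow rule for $ttype { $perms }" ;;
    esac
}

# Constructed sample records (not taken from a real system).
HDR='type=AVC msg=audit(1592780896.101:411): avc:  denied '
SRC='comm="php-fpm" scontext=system_u:system_r:httpd_t:s0'
AVC_DB="$HDR { name_connect } for  pid=2101 dest=3306 $SRC tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0"
AVC_WRITE="$HDR { write } for  pid=2101 name=\"uploads\" $SRC tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0"
AVC_READ="$HDR { read } for  pid=2101 name=\"report.csv\" $SRC tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0"
AVC_SHADOW="$HDR { read } for  pid=2101 name=\"shadow\" $SRC tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0"

for r in "$AVC_DB" "$AVC_WRITE" "$AVC_READ" "$AVC_SHADOW"; do
    suggest_fix "$r"
done
```

After a `semanage fcontext` rule is added, `restorecon -Rv DIR` applies the new label to the existing files. A denial that falls through to "review" is one to investigate, not to allow.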