Hey list!
1st, thanks to all the help I've gotten over time from the list. Stay safe everyone!!
I'm finally jumping into deploying selinux on a test system.
My use case:
To create a test local VM
To fire up httpd/mysql on the VM
To create a couple of test users on the VM
Create a test static website under /var/www/html/cat using index.html aa.php
I've already got the VM, test users, httpd, etc.. And things run with selinux disabled.
Now it's time to take the jump, and engage selinux!
My selinux needs:
to setup selinux attributes/security to allow apache/httpd to run correctly
to allow the httpd to handle/process the index.html
to allow the httpd to handle/process the aa.php
also, say I create test user 'bob'. 'bob' will have a dir /home/bob
I want 'bob' to be able to create/edit files, and to be able to copy files, to read/write/delete files into the /var/www/html/cat dir structure
I've looked through numerous docs/sites and see a bunch of stuff. But I really don't want to screw this up, given that I realize that messing this up can be painful to try to figure out what I did wrong.
So:
I'm trying to figure out what I need to do for selinux for the user 'bob'
I'm trying to figure out what I need to do for selinux for the apache/httpd process
Trying to understand what I need to do to allow user 'bob' access to change the /var/www/html/cat dirs..
Thoughts/Comments are more than welcome
ps: Once I get the basic above things working, I'll be expanding to handle mysql processes, as well as allowing external dev/test servers to update the 'prod' system.
On 4/14/20 11:01 AM, bruce wrote:
My use case:
To create a test local VM
To fire up httpd/mysql on the VM
To create a couple of test users on the VM
Create a test static website under /var/www/html/cat using index.html aa.php
I've already got the VM, test users, httpd, etc.. And things run with selinux disabled.
Why and how would you install Fedora with selinux disabled? That's going to cause you trouble later. Do you mean not enabled or just not enforcing? Either way, it should not be necessary.
My selinux needs:
to setup selinux attributes/security to allow apache/httpd to run correctly
to allow the httpd to handle/process the index.html
to allow the httpd to handle/process the aa.php
You rarely have to "setup" selinux. The default policies are designed to just work under normal configurations.
also, say I create test user 'bob'. 'bob' will have a dir /home/bob
I want 'bob' to be able to create/edit files, and to be able to copy files, to read/write/delete files into the /var/www/html/cat dir structure
If it's only bob that's doing the editing, then change the owner of those files to him.
So: I'm trying to figure out what I need to do for selinux for the user 'bob'
Nothing.
I'm trying to figure out what I need to do for selinux for the apache/httpd process
Nothing.
Trying to understand what I need to do to allow user 'bob' access to change the /var/www/html/cat dirs..
That's just file permissions, not selinux. You're making this way more complicated than it needs to be. Unless you're doing something unusual, you're unlikely to even notice selinux. (Although you will have to flip some booleans if you're going to access a database from the web server.)
Hi Samuel,
Thanks for the reply. What you provided doesn't seem to mesh with other sites I've seen. Take a look at these sites and if you feel up to it, get back to me with comments!!!
https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-...
https://www.lisenet.com/2016/advanced-apache-configuration-with-selinux-on-r...
thanks
On Tue, Apr 14, 2020 at 2:45 PM Samuel Sieb samuel@sieb.net wrote:
On 4/14/20 2:01 PM, bruce wrote:
Hi Samuel,
Thanks for the reply. What you provided doesn't seem to mesh with other sites I've seen. Take a look at these sites and if you feel up to it, get back to me with comments!!!
https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-...
https://www.lisenet.com/2016/advanced-apache-configuration-with-selinux-on-r...
Those are somewhat old pages, but also they're about rhel 7 and centos 7. Fedora has had selinux installed and enabled by default for a long time. The useful parts of that page are the booleans and possibly the file contexts, but only if you plan on putting files outside of the standard directories.
Ok. thanks.
But I still would like to have the cmds to learn from, as opposed to just "depending" on the OS, and not really knowing how this stuff kind of works.
So, any pointers/help would be cool!
thanks
On Tue, Apr 14, 2020 at 5:35 PM Samuel Sieb samuel@sieb.net wrote:
On 4/14/20 2:39 PM, bruce wrote:
But I still would like to have the cmds to learn from, as opposed to just "depending" on the OS, and not really knowing how this stuff kind of works.
So, any pointers/help would be cool!
I don't know what you're asking for. You don't need to install any packages, but the other commands listed there are still valid. You mentioned databases, so you're likely to need to switch a boolean or two. And you can read about how to set the file contexts, but you probably won't need to do anything with it.
Again...
I don't know what the cmds are as well as the sequence I need to run them in the correct order. This is what I'm looking to get me hands around
On Tue, Apr 14, 2020 at 5:47 PM Samuel Sieb samuel@sieb.net wrote:
On 4/14/20 3:08 PM, bruce wrote:
I don't know what the cmds are as well as the sequence I need to run them in the correct order. This is what I'm looking to get me hands around
You already posted links to useful pages for that.
https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-... That appears to be a good introduction to the concepts and how things work.
https://www.lisenet.com/2016/advanced-apache-configuration-with-selinux-on-r... That's a good explanation of possible commands you might have to run in the context of a web server. There is not really a correct order other than if one command needs the output from another one.
All I can say at this time..
Thanks... I guess...
ps. If/When I figure this all out, I'll post the cmds/order of running the selinux cmds to accomplish my goal of being able to ensure the httpd process can manage the files, as well as having users being able to read/write/delete the files...
but thanks...
On Tue, Apr 14, 2020 at 6:38 PM Samuel Sieb samuel@sieb.net wrote:
On 4/14/20 5:26 PM, bruce wrote:
All I can say at this time..
Thanks... I guess...
ps. If/When I figure this all out, I'll post the cmds/order of running the selinux cmds to accomplish my goal of being able to ensure the httpd process can manage the files, as well as having users being able to read/write/delete the files...
See, I still don't understand what you want. I told you that you won't have to deal with selinux except to maybe switch a boolean. But you want to know anyway. So I point you back to the links you have that explain in great detail how it works and what the commands are. But that's not what you want?
For your case, at this point all you will need to do is run: chown -R bob /var/www/html/cat and turn on the web server.
On Tue, 2020-04-14 at 14:01 -0400, bruce wrote:
My use case:
To create a test local VM
To fire up httpd/mysql on the VM
To create a couple of test users on the VM
Create a test static website under /var/www/html/cat using index.html aa.php
Unless your virtual machine adds its own security problems, then you shouldn't really have to do anything with SELinux to get it working. By default, appropriate SELinux contexts will be applied to files written to or copied to /var/www/html (including all sub-directories). However, do NOT write files elsewhere, then move them into location.
Set up your installation with the default choices, don't mess around with them.
Start off with a clean slate, then create your cat sub-directory, and chown the "cat" directory to bob, make sure the owner file permissions are readable, writeable, and executable (for directories). Make sure that the world-readable permissions are readable and executable, but not writeable. Generally speaking, the group permissions don't matter for webserving. And, in most cases, the default permissions applied to file and directories will be the ones you need, anyway. And, as bob writes files inside the cat directory, they'll get the required ownership and permissions by default, too.
e.g. drwx---r-x (directories)
-rw----r-x (files)
Allow port 80 through your firewall. And port 443, if you're doing HTTPS.
On Tue, 2020-04-14 at 14:01 -0400, bruce wrote:
I've already got the VM, test users, httpd, etc.. And things run with selinux disabled.
Now it's time to take the jump, and engage selinux!
Actually, that's going to be your biggest problem. If you've set up and run things with it off, you're going to have to relabel your files because SELinux wouldn't have been labelling them while it was off.
The simplest way to do that is to relabel the entire filesystem, rather than try and figure out what needs fixing.
Generally speaking, things just work with SELinux engaged. I haven't disabled it in years, not even for tests. Where you come a cropper is when you want to do things outside of the norm, or you use software that wants to do so. Since your concern is with web serving, I'll point out that attitude is/was common with web-blogging that uses a database style of webserving. While I seem to recall seeing that you'd spoken of flat file webserving (where SELinux isn't a problem), I see you mentioning PHP, which is typically used for fancier webserving.
You may want to research PHP and SELinux, as a combined topic.
In years gone past, it was not uncommon advice to switch off firewalls, and other protective processes, from the *authors* of software, not just users fumbling around in the dark. Simply because they didn't understand security, wanted to do things that were unsafe, and didn't want to change their mindset.
Try to avoid that, try to learn how to correctly program and use PHP so that it's not required. Don't let web things run as root, or have world-writable permissions. Don't put website database files where they can be directly accessed without using your PHP interfaces.
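Both failure modes Tim describes, a docroot populated while SELinux was off and files moved in with mv from /home/bob, show up as wrong labels rather than wrong permissions. The script below is an added example, not code from the thread or from Fedora; it assumes the /var/www/html/cat path from the thread and the Fedora policy type names httpd_sys_content_t and httpd_sys_rw_content_t, and it only runs the real commands (getenforce, restorecon) when invoked with --live.

```shell
#!/bin/bash
# Added example: audit SELinux labels under a web docroot.
# A file moved (mv) from /home/bob keeps its user_home_t label, so httpd
# refuses to read it even though owner and mode look right; cp or
# restorecon gives it the docroot's label instead.

DOCROOT="${DOCROOT:-/var/www/html/cat}"   # path assumed from the thread

# SELinux type is the third colon-separated field of a context such as
# "unconfined_u:object_r:user_home_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Types httpd may serve from a docroot (Fedora policy names):
# httpd_sys_content_t is read-only content, httpd_sys_rw_content_t is
# content httpd may also write (uploads, caches).
is_web_type() {
    case "$1" in
        httpd_sys_content_t|httpd_sys_rw_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "ls -Z"-style lines ("<context> <name>") on stdin and print
# "<type><TAB><name>" for every entry httpd would be denied. Exit status 1
# when at least one such entry was found, 0 when all labels are fine.
find_mislabeled() {
    local ctx name found=0
    while read -r ctx name; do
        [ -z "$ctx" ] && continue
        if ! is_web_type "$(context_type "$ctx")"; then
            printf '%s\t%s\n' "$(context_type "$ctx")" "$name"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample listing: index.html was copied in (correct label),
# aa.php was moved in from /home/bob with mv (the label travelled with it).
SAMPLE_LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 aa.php'

# Live mode: check the real docroot and reset wrong labels from policy.
# After a period with SELinux disabled the whole filesystem needs this;
# "fixfiles onboot" schedules a full relabel for the next reboot.
live_check() {
    echo "SELinux mode: $(getenforce)"
    if ls -Z "$DOCROOT" | find_mislabeled; then
        echo "labels under $DOCROOT match the policy"
        return 0
    fi
    echo "resetting labels under $DOCROOT from policy (needs root):"
    restorecon -Rv "$DOCROOT"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "checking constructed sample listing:"
    if ! printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled; then
        echo "fix with: restorecon -Rv $DOCROOT (or cp instead of mv)"
    fi
fi
```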
Hey Tim!!
Thanks so much for the replies. This is exactly what I was hoping to find. Someone willing to kind of add to my lack of knowledge.
Your comments about copying files .vs moving files was/is gold. That's the kind of thing that wouldn't have crossed my mind to even think about.
I'm not looking at fedora/centos as a sysAdmin. I'm coming at the OS as a means to get something done, and to move on to my next 99 things. That said, rather than have selinux in permissive/off, I'm willing to spend a bit of time to figure out/understand some of the nuances.
Here's my use case::
Test VM/web server
runs httpd/apache web process
runs php/py apps as webapps, under the /var/www/html/cat dir/tree structure
-has multiple test users
-treat the test users as "dev" users
dev users are able to ssh/scp files into their home dir
dev users able to copy/mv files from home dir to httpd dir structure
might need to be able to rsync files from a dev users local env into the test "www/var/html" dir/tree
I'm looking to be able to "set" up the test VM to have the dev, as well as the web processes/apps to be able to run correctly
for test dev user 'bob'
bob would have a "/home/bob" dir
bob could scp files from an outside box into the VM. The files would reside in the /home/bob/foo dir
-bob could then copy/mv the files into the /var/www/html/cat location
would anything have to be done from a selinux perspective to permit the above to happen?
My use case has potential devs copying code into the test VM to then run the webapps via httpd/apache
I was initially thinking that my issue was how to allow a "dev" user get files they work on into the docRoot space for the test webApps. I'm now thinking that the issue is really, how I allow the devs to get the files into the docRoot space, as well as "restrict" the ability for the dev to access other "stuff" on the VM..
I was thinking that using "groups" combined with selinux could accomplish this.
Thoughts/Comments
ps: Tim, if I back up and take a higher level view, but a bit more complex I think the "best" approach is to have a really basic dev/test VM, as well as a "Prod" VM.
the "dev/test" VM environment might consist of
test apache/httpd
test mysql
test dev tools php/py/etc
test backup/version control processes
test dev/users
The idea being that the "dev" would access the VM, work on the code, test the code, etc and be able to get the code ready for the "Prod" VM.
Once the test/dev code is ready to be released, the code could somehow be "pushed" over to the "Prod" VM.
This method would still have to resolve the management of user access, as well as process access. I'd still need to understand selinux and how it "works".
On Wed, Apr 15, 2020 at 4:25 AM Tim via users users@lists.fedoraproject.org wrote:
NB: On this list, we don't top-post, we comment under what we're replying to, like I'll do below. Also, remove things that don't need to be quoted, we don't need messages that get ever-longer.
bruce wrote:
I'm not looking at fedora/centos as a sysAdmin. I'm coming at the OS as a means to get something done, and to move on to my next 99 things. That said, rather than have selinux in permissive/off, I'm willing to spend a bit of time to figure out/understand some of the nuances.
In most cases, SELinux works properly, as it comes supplied. So go with the defaults, and do some fault-finding when something breaks. The fault-finding may find it's a problem with SELinux, and it may point out that what you were doing was wrong (or whoever wrote the program you used).
Here's my use case::
Test VM/web server
runs httpd/apache web process
runs php/py apps as webapps, under the /var/www/html/cat dir/tree structure
-has multiple test users
-treat the test users as "dev" users
dev users are able to ssh/scp files into their home dir
dev users able to copy/mv files from home dir to httpd dir structure
might need to be able to rsync files from a dev users local env into the test "www/var/html" dir/tree
I'll point out I'm not familiar with web apps, so that anyone else who is won't wait for me to respond to those questions. Likewise with ssh file transfers, scp, and rsync. Most of my web work is within my LAN, where that isn't needed, and with a public webserver where they weren't supported.
As I'd pointed out, moving files is a problem, so be sure to let any other users know, too. I was never much into moving files, myself, I'd make something, then copy it to where it was meant to be, leaving my own files to fiddle around with, without upsetting the ones being served. I'd copy improvements over, I'd revoke them by getting the served versions back again. But for simple things, I'd create them where they were going to be served from, and work on them directly.
I'm looking to be able to "set" up the test VM to have the dev, as well as the web processes/apps to be able to run correctly
for test dev user 'bob'
bob would have a "/home/bob" dir
bob could scp files from an outside box into the VM. The files would reside in the /home/bob/foo dir
-bob could then copy/mv the files into the /var/www/html/cat location
would anything have to be done from a selinux perspective to permit the above to happen?
I'm not a scp using user, so I don't know. But you can easily test this for yourself. Try doing it, see if it works.
I think you're at that stage. Set up your VM, let it do so using the defaults. Make some test flat HTML pages, see if they work. Make some PHP pages that have to generate content, see if they work.
I was initially thinking that my issue was how to allow a "dev" user get files they work on into the docRoot space for the test webApps. I'm now thinking that the issue is really, how I allow the devs to get the files into the docRoot space, as well as "restrict" the ability for the dev to access other "stuff" on the VM..
I was thinking that using "groups" combined with selinux could accomplish this.
Using groups is the traditional way to collaborate, I don't see any good reason for doing it some other way.
File permissions (user, group, other) handles how users can use their files. Well, it won't stop skullduggery by badly behaved people with enough knowledge to work around it, but it keeps things in order from people who do co-operate.
SELinux is more about protecting your system from rogue programs and bad programming techniques, disallowing the webserver accessing files elsewhere that it shouldn't do so.
if I back up and take a higher level view, but a bit more complex I think the "best" approach is to have a really basic dev/test VM, as well as a "Prod" VM.
That kind of thing is what I do. I have a test webserver that I do everything on in-house. Then I copy over any acceptable changes to the public server. And in my case, it's not virtual machines, but actual machines.
This method would still have to resolve the management of user access, as well as process access. I'd still need to understand selinux and how it "works".
Look for some SELinux guides, then. But I haven't had to learn anything much about SELinux, in all the years I've been webserving, just basics.
As before, don't move files. Copy them, or create them in-place.
When things don't work for unobvious reasons (you have the right file permissions and ownership, but a file can't be read or written to), SELinux is probably the cause. So you check the logs.
There's a "SELinux Troubleshooter" app that can look at logs and make suggestions for you. But, as always, you have to think about it. Sure, it advises you about how to grant permission to do what failed. But you have to work out should you be allowing it (are you trying to do the wrong thing, in the first place?).
And when you get bogged down in trying to fix an actual SELinux problem, there is a mailing list for that.
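Tim's last message points at the logs; on Fedora the denials land in /var/log/audit/audit.log as type=AVC records (ausearch -m AVC -ts recent pulls them out, sealert -a on the log explains them). The parser below is an added example, not from the thread or from setroubleshoot; the two audit records it works on are constructed, and its hints cover only the two situations this thread discusses: a docroot file still labelled user_home_t after an mv, and httpd reaching a database port, which is the boolean Samuel mentions (httpd_can_network_connect_db on Fedora).

```shell
#!/bin/bash
# Added example: read SELinux AVC denials and say which of the thread's two
# situations each one is (wrong file label vs. a boolean that is off).
# Constructed records in the shape the kernel writes to audit.log:
AVC_READ='type=AVC msg=audit(1586900000.101:301): avc:  denied  { read } for  pid=1234 comm="httpd" name="aa.php" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
AVC_DB='type=AVC msg=audit(1586900000.202:302): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Value of key=value or key="value" in a record (empty if absent).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permissions inside "denied { ... }", e.g. "read" or "read open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# SELinux type: third colon-separated field of a context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one record:
#  relabel     httpd hit a docroot file that still carries a home-dir label
#              (file was mv'ed in): cp instead, or restorecon -Rv the docroot
#  boolean     httpd tried to open a TCP connection (database): a policy
#              boolean such as httpd_can_network_connect_db is off
#  investigate anything else; read the record before granting anything
avc_hint() {
    local src tgt cls
    src=$(context_type "$(avc_field scontext "$1")")
    tgt=$(context_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    if [ "$src" = httpd_t ] && [ "$tgt" = user_home_t ]; then
        echo relabel
    elif [ "$src" = httpd_t ] && [ "$cls" = tcp_socket ]; then
        echo boolean
    else
        echo investigate
    fi
}

# One summary line per record read from stdin; non-AVC lines are skipped.
summarize_avc() {
    local line
    while IFS= read -r line; do
        case "$line" in *'type=AVC'*) ;; *) continue ;; esac
        printf '%-6s %-12s %-8s -> %-14s %-10s %s\n' \
            "$(avc_field comm "$line")" "$(avc_perms "$line")" \
            "$(context_type "$(avc_field scontext "$line")")" \
            "$(context_type "$(avc_field tcontext "$line")")" \
            "$(avc_field tclass "$line")" "$(avc_hint "$line")"
    done
}

# With --live, read the real audit log (needs root); otherwise the samples.
if [ "${1:-}" = "--live" ]; then
    ausearch -m AVC -ts recent --raw | summarize_avc
else
    printf '%s\n%s\n' "$AVC_READ" "$AVC_DB" | summarize_avc
fi
```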