first encounters with SELINUX, with some suggestions

Colin Walters walters at redhat.com
Tue Nov 16 17:38:46 UTC 2004 

On Tue, 2004-11-16 at 10:51 +0000, Joe Orton wrote:

> I dogfood it on all my test boxes.  But the reality is that if you use a
> slightly non-default configuration for httpd 

I wouldn't quite say that.  I've been running a website with multiple
custom virtual hosts and admins, suEXEC, and other fun stuff with the
SELinux policy for about 1.5 years, and I've only had to write a bit of
custom policy.  Mostly things like allowing rsyncd to read from the
website, etc.

> or enable any of the
> "interesting" modules, 

Well, it depends on the particular modules.  mod_rewrite for example can
require no policy if you're just using regexps, but you can also
configure it to talk to an external daemon for URL rewriting...

> or use any interesting PHP webapps, 

The major problem with PHP is that it runs in-process, so we can't
separate "stuff PHP webapp wants to do" from "compromised httpd".  For
example, most webapps will want write access to your web content, but
you definitely don't want that for static file serving.

When we get the Apache guide out, I think it would be useful to include
in it configuration/policy tweaks people needed to get particular PHP
applications to run.

> etc, then you
> are going to have to either write a shed-load of SELinux policy specific
> to your configuration, 

I've been thinking recently about how to make this easier.

> or you're going to disable the httpd target in
> s-c-securitylevel.  That's just a fact of SELinux as far as I can tell.
> 
> The conclusion I draw from this is, as I've said before, that it's not
> correct to have httpd covered by the SELinux policy *by default*.

I'm not sure; we've seen lots of issues, sure, but that's not
surprising.  There are a *lot* of people doing a lot of different things
with Apache.  The current policy works very well for static file serving
and "typical" CGI scripts.  I don't have a good sense for how many
people are using Apache just for this kind of thing versus complex PHP
apps.  But just like we ship Apache with the "UserDir" option disabled,
directory indexing disabled, I think it makes sense to ship with Apache
locked down tightly by SELinux per default, and have people open things
up as they need it.

More information about the devel mailing list