selinux, httpd, and lighttpd

Miroslav Grepl mgrepl at redhat.com
Mon Jul 14 08:47:08 UTC 2014


On 07/10/2014 08:17 PM, Gene Czarcinski wrote:
> Generally I am a "belt and suspenders" type of guy with respect to 
> security so for a webserver (apache(httpd), lighttpd, or nginx) I want 
> to run the server chrooted AS WELL AS have SELinux enforcing in 
> effect. I have been running SELinux enabled and enforcing from the 
> beginning so it is not a question of using SELinux.
>
> Well, I am not doing too well and really cannot get things to work.  
> Without chroot but with SELinux enforcing, I can get lighttpd to serve 
> static files and CGI created info (specifically to support git clone 
> and gitweb).  With chroot and SELinux enforcing I can get static files 
> served but *not* CGI stuff ...
>     I get lots of "CGI failed: Permission denied cgi-bin/git-http-backend"
What AVC msgs are you getting?

Re-test and run

# ausearch -m avc -ts recent

> A bunch of years ago when I was using the bind package for dns, there 
> was a change in Fedora/RHEL to de-emphasize use of chroot and instead 
> depend on SELinux to protect things.  This change was not so much 
> advertised and just done.
>
> I am wondering if something similar has happened for the webserver.  
> There is some (very limited) doc for apache (httpd) and a lot of rules 
> in selinux-policy-targeted for "httpd" and these rules seem to apply 
> to both httpd (apache) and lighttpd.  If I am reading the tea leaves 
> correctly SELinux seems to be providing a lot of protection.
>
> So, do I need chroot???  Is just using SELinux a "good enough" 
> solution?  I am not looking for a perfect solution but one which "good 
> engineering practice" says should be "good enough."  I hope it is but 
> would sure like some "experts" to agree as well as maybe pointing to 
> some substantiating documentation.
>
> Side comment:  If SELinux is attempting to provide the same 
> functionality to both httpd and lighttpd, it would be nice if the 
> documentation at least mentioned lighttpd.
>
> Gene
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
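To make sense of what that ausearch command prints, here is an added example (written for this page, not from the thread or from the audit tools) that parses AVC records of the kind `ausearch -m avc` emits and tallies the denials by source type, target type, object class and permission. The sample records are constructed: the thread never showed its AVC output, so the contexts, the chroot path and the pids are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the format `ausearch -m avc` prints. Not from
# the original thread; contexts, chroot path and pids are assumed for illustration.
SAMPLE_AVC = """\
type=AVC msg=audit(1405324028.123:456): avc:  denied  { execute } for  pid=1234 comm="lighttpd" name="git-http-backend" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1405324028.124:457): avc:  denied  { read open } for  pid=1235 comm="git-http-backen" path="/srv/chroot/lib64/libc.so.6" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1405324028.125:458): avc:  denied  { execute } for  pid=1236 comm="lighttpd" name="git-http-backend" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

# Shape of a record: avc:  denied  { perm ... } for  key=value key="quoted" ...
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def context_type(ctx):
    """Return the type component of a user:role:type:range SELinux context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group('rest')):
        fields[key] = quoted if bare == '' else bare
    return {
        'verdict': m.group('verdict'),
        'perms': ' '.join(m.group('perms').split()),   # normalise "{ read  open }"
        'source': context_type(fields.get('scontext', '')),
        'target': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', ''),
        'fields': fields,                              # comm, path/name, pid, ...
    }

def summarize(text):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['verdict'] == 'denied':
            counts[(rec['source'], rec['target'], rec['tclass'], rec['perms'])] += 1
    return counts

if __name__ == '__main__':
    # Repeated tuples mean one policy gap hit many times; comm and path/name in
    # the underlying records say which process and file to look at first.
    for key, n in summarize(SAMPLE_AVC).most_common():
        print(f"{n:3d}x  {key[0]} -> {key[1]} ({key[2]}): {{ {key[3]} }}")
```

Feed it the real `ausearch -m avc -ts recent` output on stdin or from a file instead of SAMPLE_AVC; a denial whose target is a library or binary inside the chroot, as in the constructed second record, is the kind of thing to compare against the labels `matchpathcon` reports for the same path outside the chroot.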
