Difference between revisions of "SELinux Notes"

From Simson Garfinkel
Revision as of 10:51, 28 October 2019

SELinux is enabled by default on CentOS 7 and on RHEL. It is a good thing to enable on internet-facing servers, but it makes running a web server far, far more complex.


References:

  • https://www.lisenet.com/2016/advanced-apache-configuration-with-selinux-on-rhel-7/

Resolving SELinux Problems

Problem: apache can't access the files

   sudo /sbin/restorecon -R /var/www
   setsebool -P httpd_read_user_content 1

Running a web server:

If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security

  1. Check the security context:
   ls -lZ /var/www/html/
  2. You can give the web server read/write access to the files with:
   chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx

Problem: CGI scripts won't run.

In order to be able to execute a CGI script under SELinux, the script must be in the httpd_sys_rw_content_t security context. There are two ways to set the security context:

  1. The context can be manually set on a per-file basis with the _chcon_ command.
  2. The context can be derived from an SELinux policy. Policies provide regular expressions that match filenames and automatically assign contexts.

The Red Hat SELinux installation appears to install rules for the cgi-bin directory, but it does not allow you to use the .cgi extension.

You can see the SELinux policies that might possibly apply to cgi-bin with:

   $ semanage fcontext --list | grep cgi-bin

You can explicitly set the SELinux context of a script in the cgi-bin directory with:

   $ chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/script.cgi

You can take it away with:

   $ chcon -t unlabeled_t /var/www/cgi-bin/script.cgi

Check the file's SELinux attributes with `ls -laZ`:

   $ ls -laZ /var/www/cgi-bin/script.cgi

Looks like we can add a policy with the semanage command. I tried this to make everything in the bin directory within html executable:

   $ semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/bin(/.*)?"
   $ restorecon -R -v /var/www/html/bin

See the errors:

   $ journalctl -xe
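As an added example (not from the original notes or any project), the `ls -Z` check above turned into a small audit, so a mislabeled CGI script or content file is caught before reading the journal. The directory-to-type mapping and the sample `ls -Z` output are constructed; the assumed field layout is the context followed by the path, as `ls -Z` prints it.

```shell
#!/bin/sh
# Added example, not part of the original notes. Reads `ls -Z` output
# ("<context> <path>" per line) and reports files whose SELinux type is
# not the one httpd needs for that directory. The mapping is an assumption:
#   /var/www/cgi-bin/*  -> httpd_sys_script_exec_t  (executable by httpd)
#   /var/www/html/*     -> httpd_sys_content_t      (read-only content)
# Files in other directories are skipped.

# Constructed sample of `ls -Z /var/www/cgi-bin/* /var/www/html/*`.
SAMPLE='unconfined_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/ok.cgi
unconfined_u:object_r:unlabeled_t:s0 /var/www/cgi-bin/script.cgi
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php'

# expected_type PATH: print the type the directory should carry, or
# nothing if the path is outside the web tree.
expected_type() {
  case "$1" in
    /var/www/cgi-bin/*) echo httpd_sys_script_exec_t ;;
    /var/www/html/*)    echo httpd_sys_content_t ;;
  esac
}

# find_mislabeled: read `ls -Z` lines on stdin; print
# "<path> <current_type> <expected_type>" for every mismatch.
find_mislabeled() {
  while read -r ctx path; do
    [ -n "$path" ] || continue
    # context is user:role:type:level; keep the third field
    cur_type=${ctx#*:*:}
    cur_type=${cur_type%%:*}
    want=$(expected_type "$path")
    [ -n "$want" ] || continue
    if [ "$cur_type" != "$want" ]; then
      printf '%s %s %s\n' "$path" "$cur_type" "$want"
    fi
  done
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE" | find_mislabeled
```

On a real host, pipe `ls -Z /var/www/cgi-bin/* /var/www/html/*` into `find_mislabeled` instead of the sample; each reported path is a candidate for the `chcon`/`restorecon` steps above.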


References:

  • https://serverfault.com/questions/691501/apache-permission-denied-exec-of-var-www-html-cgi-test-first-pl-failed


Problem: RHEL doesn't support PHP7.x

You want PHP7 to run mediawiki.

Solution:

  1. Install httpd, httpd-devel and php
  2. Now download PHP7
   ./configure --with-apxs2=/usr/bin/apxs --enable-mbstring --with-mysqli --with-openssl
  3. And let httpd scripts make outbound TCP connections:
   # setsebool -P httpd_can_network_connect 1


For running mediawiki, also see:

  • https://www.mediawiki.org/wiki/SELinux
  • https://serverfault.com/questions/322117/selinux-letting-apache-talk-to-mysql-on-centos

Problem: MySQL/MariaDB doesn't work after data directory is moved

See:

  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-mariadb-configuration_examples

  1. Edit /etc/my.cnf and insert this:
   [mysqld]
   datadir=/var/lib/mysql
   socket=/var/lib/mysql/mysql.sock
   # Disabling symbolic-links is recommended to prevent assorted security risks
   symbolic-links=0
   # Settings user and group are ignored when systemd is used.
   # If you need to run mysqld under a different user or group,
   # customize your systemd unit file for mariadb according to the
   # instructions in http://fedoraproject.org/wiki/Systemd

   [mysqld_safe]
   log-error=/var/log/mariadb/mariadb.log
   pid-file=/var/run/mariadb/mariadb.pid

   [mysqld]
   datadir=/data2/mysql
   #
   # include all files from the config directory
   #
   !includedir /etc/my.cnf.d

  2. Relabel the data directories:
   chcon -R -t mysqld_db_t /data2/mysql /var/lib/mysql
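As an added example (not from the original notes): the my.cnf above names [mysqld] twice, and MySQL/MariaDB take the last value of a repeated option, so the datadir that actually needs the mysqld_db_t label is /data2/mysql. This script extracts that effective value and prints the labeling commands for it in the persistent `semanage fcontext` + `restorecon` form the CGI section uses, since a plain `chcon` is undone by the next restorecon or relabel. The config is a constructed copy of the one above, and the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Finds the effective
# datadir in an ini-style my.cnf (last assignment in any [mysqld] block
# wins, as the server's option parser does) and prints the persistent
# SELinux labeling commands for that directory. Nothing is executed.

# Constructed copy of the notes' config: [mysqld] appears twice.
MYCNF='[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
[mysqld]
datadir=/data2/mysql
!includedir /etc/my.cnf.d'

# effective_option SECTION KEY: read an ini file on stdin and print the
# last value of KEY inside any [SECTION] block (later overrides earlier).
effective_option() {
  sec="$1"; key="$2"; val=''; cur=''
  while IFS= read -r line; do
    case "$line" in
      \[*\])    cur=${line#\[}; cur=${cur%\]} ;;
      "$key"=*) if [ "$cur" = "$sec" ]; then val=${line#*=}; fi ;;
    esac
  done
  printf '%s\n' "$val"
}

# mysqld_datadir: the datadir mysqld will actually use from MYCNF.
mysqld_datadir() {
  printf '%s\n' "$MYCNF" | effective_option mysqld datadir
}

# label_commands DIR: persistent recipe (policy rule + relabel), unlike a
# bare chcon which the next restorecon reverts.
label_commands() {
  printf 'semanage fcontext -a -t mysqld_db_t "%s(/.*)?"\n' "$1"
  printf 'restorecon -R -v %s\n' "$1"
}

label_commands "$(mysqld_datadir)"
```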


Disabling SELinux

Don't do this. People will get angry.

  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Changing_SELinux_Modes.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Permissive_Mode
  • edit /etc/selinux/config and change SELINUX from 'enforcing' to 'permissive'