Difference between revisions of "SELinux Notes"

From Simson Garfinkel
Latest revision as of 07:46, 4 November 2020

SELinux is enabled by default on CentOS 7 and on RHEL. It's a good thing to enable for internet-facing servers. It makes it far, far more complex to run a web server.


References:

  • https://www.lisenet.com/2016/advanced-apache-configuration-with-selinux-on-rhel-7/

Resolving SELinux Problems

Problem: apache can't access the files

   sudo /sbin/restorecon -R /var/www
   setsebool -P httpd_read_user_content 1

Running a web server:

If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security

  1. Check the security context:
   ls -lZ /var/www/html/
  2. You can give the web server read/write access to the files with:
   chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx

Problem: CGI scripts won't run.

In order to be able to execute a CGI script under SELinux, the script must be in the httpd_sys_rw_content_t security context. There are two ways to set the security context:

  1. The context can be manually set on a per-file basis with the chcon command
  2. The context can be derived from an SELinux policy. Policies provide regular expressions that match filenames and automatically assign contexts.

The Red Hat SELinux installation appears to install rules for the cgi-bin directory, but it does not allow you to use the .cgi extension.

You can see the SELinux file-context rules (policies) that might apply to cgi-bin with:

   $ semanage fcontext --list | grep cgi-bin

You can explicitly set the SELinux context of a script in the cgi-bin directory with:

   $ chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/script.cgi

You can take it away with:

   $ chcon -t unlabeled_t /var/www/cgi-bin/script.cgi

Check the file's SELinux attributes with `ls -laZ`:

   $ ls -laZ /var/www/cgi-bin/script.cgi

Looks like we can add a policy with the semanage command. I tried this to make everything in the bin directory within html executable:

   $ semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/bin(/.*)?"
   $ restorecon -R -v /var/www/html/bin

References:

  • https://serverfault.com/questions/691501/apache-permission-denied-exec-of-var-www-html-cgi-test-first-pl-failed

Problem: View SELinux logs

   $ journalctl -xea

Problem: Apache can't make outgoing network connections

By default, Apache running under SELinux cannot make outgoing network connections. This is controlled by SELinux boolean variables. Here are all of the ones that matter:

   $ sudo semanage boolean -l |grep net | grep http
   httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
   httpd_can_network_connect_db   (on   ,   on)  Allow httpd to can network connect db
   httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
   httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
   httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler
   $

You can enable httpd_can_network_connect and make it persistent across reboots (the -P flag) with:

   $ sudo getsebool httpd_can_network_connect
   httpd_can_network_connect --> off
   $ sudo setsebool -P httpd_can_network_connect on
   $ sudo getsebool httpd_can_network_connect
   httpd_can_network_connect --> on
   $
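The boolean listing above, handled by an added shell example that is not part of these notes: it picks the narrowest httpd boolean for a stated need (database only, memcache only, or any host) and emits the setsebool -P command only when the boolean is not already on. SEMANAGE_OUT is a constructed copy of the listing in which only httpd_can_network_connect_db has been turned on.

```shell
#!/bin/sh
# Added example, not part of the original notes: choose the narrowest httpd
# network boolean for a given need and check its state in the output of
# `semanage boolean -l` (the format shown above). It only parses text, so it
# needs neither root nor a live SELinux system.

# Constructed copy of the listing above, as it looks before anything is
# enabled except the database boolean.
SEMANAGE_OUT='httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_network_connect_db   (on   ,   on)  Allow httpd to can network connect db
httpd_can_network_connect      (off  ,  off)  Allow httpd to can network connect
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler'

# State of one boolean as "current persistent": the first value in the
# parentheses is the running value, the second the one restored at boot.
boolean_state() {
    printf '%s\n' "$SEMANAGE_OUT" | awk -v b="$1" '
        $1 == b { gsub(/[(),]/, " "); print $2, $3 }'
}

# Least privilege: a web app that only needs its database should get
# httpd_can_network_connect_db, not httpd_can_network_connect, which lets
# httpd open connections to any host and port.
boolean_for() {
    case "$1" in
        db)       echo httpd_can_network_connect_db ;;
        memcache) echo httpd_can_network_memcache ;;
        any)      echo httpd_can_network_connect ;;
        *)        echo "unknown need: $1" >&2; return 1 ;;
    esac
}

# Print the persistent enable command (-P) only when the boolean is not
# already on both now and at boot.
enable_cmd() {
    b=$(boolean_for "$1") || return 1
    set -- $(boolean_state "$b")
    if [ "${1:-}" = on ] && [ "${2:-}" = on ]; then
        echo "# $b already on (current=$1 persistent=$2)"
    else
        echo "setsebool -P $b on"
    fi
}
```

Run `enable_cmd db` against a saved copy of your own listing to see whether the narrower database boolean already covers your case before reaching for httpd_can_network_connect.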

Problem: RHEL doesn't support PHP7.x

You want PHP7 to run mediawiki.

Solution:

  1. Install httpd, httpd-devel and php
  2. Now download PHP7
   ./configure --with-apxs2=/usr/bin/apxs --enable-mbstring --with-mysqli --with-openssl
  3. And let httpd scripts make outbound TCP connections:
   # setsebool -P httpd_can_network_connect 1


For running mediawiki, also see:

  • https://www.mediawiki.org/wiki/SELinux
  • https://serverfault.com/questions/322117/selinux-letting-apache-talk-to-mysql-on-centos

Problem: MySQL/MariaDB doesn't work after data directory is moved

See:

  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-mariadb-configuration_examples

  1. Edit /etc/my.cnf and insert this:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

[mysqld]
datadir=/data2/mysql
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

  2. chcon -R -t mysqld_db_t /data2/mysql /var/lib/mysql
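An added shell example, not from these notes, serving both the CGI-script section and the moved MariaDB data directory above: it parses ls -Z output to find files whose type does not match the expected one, and emits the fix in the persistent semanage fcontext + restorecon form rather than a one-off chcon. The sample listing and its file names are constructed; the functions only print commands, so they run without the SELinux tools installed.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the type field of
# SELinux file contexts and emit a persistent relabel plan. It only parses
# text and prints commands, so it runs without semanage/restorecon installed.
# Assumption: `ls -Z` output in the coreutils layout used on this page
# (context field of the form user:object_r:type:level, file name last).

# Type component of a context such as unconfined_u:object_r:httpd_sys_content_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` lines on stdin; print the name of every file whose type is not
# the expected one ($1). Works for both the RHEL 7 and newer long formats
# because the context field is located by shape, not by position.
find_mislabeled() {
    awk -v want="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^[^:]+:object_r:[^:]+:/) {
                  split($i, p, ":"); if (p[3] != want) print $NF
              } }'
}

# Persistent fix for a directory tree: a file-context rule plus restorecon.
# A label set with chcon alone is lost on the next relabel; a rule added with
# semanage fcontext survives it. "(/.*)?" matches the directory and its contents.
persistent_label_cmds() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -R -v %s\n' "$1"
}

# Constructed sample of `ls -Z /var/www/html/bin`: index.cgi was labelled with
# chcon, upload.cgi was copied in later and kept the directory's default type.
SAMPLE_LS='-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.cgi
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 upload.cgi
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 README'

# Names of the files in the sample that would not execute as CGI scripts.
audit_cgi_dir() {
    printf '%s\n' "$SAMPLE_LS" | find_mislabeled httpd_sys_script_exec_t
}

if [ "${1:-}" = run ]; then
    audit_cgi_dir                                   # prints: upload.cgi
    persistent_label_cmds /var/www/html/bin httpd_sys_script_exec_t
    persistent_label_cmds /data2/mysql mysqld_db_t  # the moved MariaDB datadir
fi
```

Pipe a real `ls -Z` listing into find_mislabeled to audit a live directory; file names containing spaces are not handled by the `$NF` shortcut.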

Disabling SELinux

Don't do this. People will get angry.

  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Changing_SELinux_Modes.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Permissive_Mode
  • edit /etc/selinux/config and change SELINUX from 'enforcing' to 'permissive'