SELinux Notes

From Simson Garfinkel
Latest revision as of 09:51, 28 October 2019

SELinux is enabled by default on CentOS 7 and on RHEL. It's a good thing to enable for internet-facing servers, but it makes running a web server far, far more complex.


References:

  • https://www.lisenet.com/2016/advanced-apache-configuration-with-selinux-on-rhel-7/

Resolving SELinux Problems

Problem: apache can't access the files

   sudo /sbin/restorecon -R /var/www
   setsebool -P httpd_read_user_content 1

Running a web server:

If you can't run PHP, you may have the files in the wrong SELinux security context. You can change the security

  1. Check the security context:
   ls -lZ /var/www/html/
  2. You can give the web server read/write access to the files with:
   chcon -R -t httpd_sys_rw_content_t /var/www/html/xxx

Problem: CGI scripts won't run.

In order to be able to execute a CGI script under SELinux, the script must be in the httpd_sys_rw_content_t security context. There are two ways to set the security context:

  1. The context can be set manually on a per-file basis with the chcon command.
  2. The context can be derived from an SELinux policy. Policies provide regular expressions that match filenames and automatically assign contexts.

The Red Hat SELinux installation appears to install rules for the cgi-bin directory, but it does not allow you to use the .cgi extension.

You can see the SELinux file-context rules that might possibly apply to cgi-bin with:

   $ semanage fcontext --list | grep cgi-bin

You can explicitly set the SELinux context of a script in the cgi-bin directory with:

   $ chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/script.cgi

You can take it away with:

   $ chcon -t unlabeled_t /var/www/cgi-bin/script.cgi

Check the file's SELinux attributes with `ls -laZ`:

   $ ls -laZ /var/www/cgi-bin/script.cgi

Looks like we can add a policy with the semanage command. I tried this to make everything in the bin directory within html executable:

   $ semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/bin(/.*)?"
   $ restorecon -R -v /var/www/html/bin

See the errors:

   $ journalctl -xe
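As an added example (not from the original notes), a small shell audit that parses `ls -Z` output and lists the files in a directory that do not carry the expected type, plus the persistent form of the labelling step: a chcon label is overwritten by the next restorecon, whereas a semanage fcontext rule survives it. The sample listing is constructed; the directory and type names are the ones used above.

```shell
#!/bin/sh
# Audit `ls -Z` output for files that do not carry the expected SELinux type.
# Handles both the RHEL 7 "ls -Z" layout (mode user group context path) and the
# newer coreutils layout (with link count, size and date), because it finds the
# context field by its object_r role instead of by position. Paths containing
# spaces are not handled (the path is taken as the last field).
find_mislabelled() {   # usage: ... | find_mislabelled EXPECTED_TYPE
  awk -v want="$1" '
    {
      ctx = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^[^:]+:object_r:[^:]+/) { ctx = $i; break }
      if (ctx == "") next                  # e.g. the "total N" line
      split(ctx, c, ":")                   # user:role:type:level
      if (c[3] != want) printf "%s\t%s\n", $NF, c[3]
    }'
}

# Print the persistent fix for a whole directory: a file-context rule plus a
# relabel. chcon alone is undone by the next restorecon; this survives it.
persistent_label_plan() {   # usage: persistent_label_plan DIR TYPE
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
  printf 'restorecon -R -v %s\n' "$1"
}

# Constructed sample of `ls -Z /var/www/cgi-bin` output (not from a live host);
# the last line uses the newer coreutils layout on purpose.
SAMPLE_LS_Z='-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/ok.cgi
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/cgi-bin/bad.cgi
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 512 Oct 28 09:51 /var/www/cgi-bin/stray.cgi'

# Report every script in the sample that would not be executable as CGI.
audit_cgi_bin() {
  printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled httpd_sys_script_exec_t
}

audit_cgi_bin
persistent_label_plan /var/www/cgi-bin httpd_sys_script_exec_t
```

On a real host replace the sample with `ls -Z /var/www/cgi-bin | find_mislabelled httpd_sys_script_exec_t`.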


References:

  • https://serverfault.com/questions/691501/apache-permission-denied-exec-of-var-www-html-cgi-test-first-pl-failed


Problem: RHEL doesn't support PHP7.x

You want PHP7 to run mediawiki.

Solution:

  1. Install httpd, httpd-devel and php
  2. Now download PHP7 and build it:
   ./configure --with-apxs2=/usr/bin/apxs --enable-mbstring --with-mysqli --with-openssl
  3. And let httpd scripts make outbound TCP connections:
   # setsebool -P httpd_can_network_connect 1


For running MediaWiki, also see:

  • https://www.mediawiki.org/wiki/SELinux
  • https://serverfault.com/questions/322117/selinux-letting-apache-talk-to-mysql-on-centos

Problem: MySQL/MariaDB doesn't work after data directory is moved

See:

  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-managing_confined_services-mariadb-configuration_examples

  1. Edit /etc/my.cnf and insert this:
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

[mysqld]
datadir=/data2/mysql
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

  2. chcon -R -t mysqld_db_t /data2/mysql /var/lib/mysql
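An added example, not part of the original notes: the my.cnf above declares [mysqld] twice, so the effective datadir is the last one (/data2/mysql). This shell helper reads the effective value of a key from a my.cnf-style file and emits the persistent labelling commands (semanage fcontext plus restorecon) for that directory, in place of the one-off chcon; the file it parses is a constructed copy of the configuration above.

```shell
#!/bin/sh
# Effective value of KEY in [SECTION] of a my.cnf-style FILE. Later
# occurrences override earlier ones, which is exactly what happens when
# [mysqld] appears twice with different datadir values.
mycnf_get() {   # usage: mycnf_get FILE SECTION KEY
  awk -v want="[$2]" -v key="$3" '
    /^[ \t]*[#;]/ { next }                                   # comment lines
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*/, "", sec); sub(/[ \t]*$/, "", sec); next }
    sec == want && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val); last = val
    }
    END { if (last != "") print last }' "$1"
}

# Print the persistent labelling for the datadir MariaDB will actually use.
# A file-context rule survives restorecon; the chcon in the notes does not.
mysql_label_plan() {   # usage: mysql_label_plan FILE
  dir=$(mycnf_get "$1" mysqld datadir)
  [ -n "$dir" ] || { echo "no datadir under [mysqld] in $1" >&2; return 1; }
  printf 'semanage fcontext -a -t mysqld_db_t "%s(/.*)?"\n' "$dir"
  printf 'restorecon -R -v %s\n' "$dir"
}

# Constructed copy of the my.cnf from the notes (comments trimmed).
MYCNF=$(mktemp)
cat > "$MYCNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

[mysqld]
datadir=/data2/mysql
!includedir /etc/my.cnf.d
EOF

mysql_label_plan "$MYCNF"
```

Note that the socket still lives under /var/lib/mysql, so that directory keeps its default mysqld_db_t label from the distribution policy and needs no extra rule.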


Disabling SELinux

Don't do this. People will get angry.

  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Changing_SELinux_Modes.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Permissive_Mode
  • edit /etc/selinux/config and change SELINUX from 'enforcing' to 'permissive'