Generally I am a "belt and suspenders" type of guy with respect to security so for a webserver (apache(httpd), lighttpd, or nginx) I want to run the server chrooted AS WELL AS have SELinux enforcing in effect. I have been running SELinux enabled and enforcing from the beginning so it is not a question of using SELinux.
Well, I am not doing to well and really cannot get things to work. Without chroot but with SELinux enforcing, I can get lighttpd to serve static files and CPI created info (specifically to support git clone and gitweb). With chroot and SELInux enforcing I can get static files served but *not* CGI stuff ... I get lots of "CGI failed: Permission denied cgi-bin/git-http-backend"
A bunch of years ago when I was using the bind package for dns, there was a change in Fedora/RHEL to de-emphasize use of chroot and instead depend on SELinux to protect things. This change was not so much advertised and just done.
I am wondering if something similar has happened for the webserver. There is some (very limited) doc for apache (httpd) and a lot of rules in selinux-policy-targetted for "httpd" and these rules seem to apply to both httpd (apache) and lighttpd. If I am reading the tea leaves correctly SELinux seems to be providing a lot of protection.
So, do I need chroot??? Is just using SELinux a "good enough" solution? I am not looking for a perfect solution but one which "good engineering practice" says should be "good enough." I hope it is but would sure like some "experts" to agree as well as maybe pointing to some substantiating documentation.
Side comment: If SELinux is attempting to provide the same functionality to both httpd and lighttpd, it would be nice if the documentation at least mentioned lighttpd.
Gene
On 07/10/2014 08:17 PM, Gene Czarcinski wrote:
Generally I am a "belt and suspenders" type of guy with respect to security so for a webserver (apache(httpd), lighttpd, or nginx) I want to run the server chrooted AS WELL AS have SELinux enforcing in effect. I have been running SELinux enabled and enforcing from the beginning so it is not a question of using SELinux.
Well, I am not doing to well and really cannot get things to work. Without chroot but with SELinux enforcing, I can get lighttpd to serve static files and CPI created info (specifically to support git clone and gitweb). With chroot and SELInux enforcing I can get static files served but *not* CGI stuff ... I get lots of "CGI failed: Permission denied cgi-bin/git-http-backend"
What AVC msgs are you getting?
Re-test and run
# ausearch -m avc -ts recent
A bunch of years ago when I was using the bind package for dns, there was a change in Fedora/RHEL to de-emphasize use of chroot and instead depend on SELinux to protect things. This change was not so much advertised and just done.
I am wondering if something similar has happened for the webserver. There is some (very limited) doc for apache (httpd) and a lot of rules in selinux-policy-targetted for "httpd" and these rules seem to apply to both httpd (apache) and lighttpd. If I am reading the tea leaves correctly SELinux seems to be providing a lot of protection.
So, do I need chroot??? Is just using SELinux a "good enough" solution? I am not looking for a perfect solution but one which "good engineering practice" says should be "good enough." I hope it is but would sure like some "experts" to agree as well as maybe pointing to some substantiating documentation.
Side comment: If SELinux is attempting to provide the same functionality to both httpd and lighttpd, it would be nice if the documentation at least mentioned lighttpd.
Gene
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
selinux@lists.fedoraproject.org