Hello, I want to install Apache, MySQL and PHP on CentOS 8, but I don't like to disable SELinux. I know that SELinux may cause some problems and I want to configure it to protect my system. Which SELinux configuration and commands must I run? I'm thankful if anyone shares their experiences. Thank you.
On Sun, Jun 21, 2020 at 08:06:40PM +0000, Jason Long wrote:
> Hello, I want to install Apache, MySQL and PHP on CentOS 8, but I don't like to disable SELinux. I know that SELinux may cause some problems and I want to configure it to protect my system. Which SELinux configuration and commands must I run? I'm thankful if anyone shares their experiences.
I have just done this.
What I did was to set the server up and run it and watch it fail - i.e. not be able to do something because of a permissions failure. Look at /var/log/messages and look for a line containing 'SELinux is preventing'.
The line will have several #012 - replace these by newlines.
That will give you a message that tells you what is wrong and suggestions of how to fix the problem (you decide first if it is a problem and not something that should be prevented!).
Sometimes the suggestion does not fix it, try another. This is the bit that I do not like the most; it is not always obvious which of the fixes you should adopt; then, maybe later, how to back out a fix that did not work or that you decided was the wrong one.
I suggest keeping a log of these messages and what you did in response to it.
Good luck.
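The procedure in the message above (find the 'SELinux is preventing' lines in /var/log/messages, turn each #012 into a newline, keep a log), as an added example that is not part of the original thread. The sample log lines, host name and paths are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed sample in the shape of setroubleshoot lines in
# /var/log/messages; host, PIDs and the /srv/app path are made up.
sample_log() {
cat <<'EOF'
Jun 21 21:02:11 web01 systemd[1]: Started The Apache HTTP Server.
Jun 21 21:03:40 web01 setroubleshoot[2211]: SELinux is preventing httpd from write access on the directory /srv/app/cache.#012#012*****  Plugin catchall (100. confidence) suggests  *****#012#012If you believe that httpd should be allowed write access on the cache directory by default.#012Then you should report this as a bug.
Jun 21 21:03:41 web01 sshd[900]: Accepted publickey for admin
Jun 21 21:05:02 web01 setroubleshoot[2211]: SELinux is preventing httpd from name_connect access on the tcp_socket port 3306.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests  *****#012#012If you want to allow httpd to can network connect db#012Then you must tell SELinux about this by enabling the 'httpd_can_network_connect_db' boolean.
EOF
}

# Print each denial as a readable block. #012 is the octal escape that
# syslog writes for a newline, so expanding it restores the message.
expand_denials() {
    awk '/SELinux is preventing/ {
        n++
        msg = $0
        sub(/^.*SELinux is preventing/, "SELinux is preventing", msg)
        gsub("#012", "\n", msg)
        printf "=== denial %d at %s %s %s ===\n%s\n\n", n, $1, $2, $3, msg
    }' "$@"
}

# One line per distinct denial with its count and an empty ACTION field:
# the skeleton of the log of messages and responses suggested above.
denial_summary() {
    awk '/SELinux is preventing/ {
        msg = $0
        sub(/^.*SELinux is preventing/, "SELinux is preventing", msg)
        i = index(msg, "#012")
        if (i) msg = substr(msg, 1, i - 1)
        count[msg]++
    }
    END { for (m in count) printf "%d\t%s\tACTION:\n", count[m], m }' "$@"
}

# Demo on the constructed sample; on a real host pass /var/log/messages.
sample_log | expand_denials
sample_log | denial_summary
```

Both functions accept a file argument or standard input, so `expand_denials /var/log/messages` works as root on the server itself.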
Watch this vid: https://m.youtube.com/watch?v=_WOKRaM-HI4
On Sun, Jun 21, 2020, 16:17 Alain D D Williams addw@phcomp.co.uk wrote:
> On Sun, Jun 21, 2020 at 08:06:40PM +0000, Jason Long wrote:
> > Hello, I want to install Apache, MySQL and PHP on CentOS 8, but I don't like to disable SELinux. I know that SELinux may cause some problems and I want to configure it to protect my system. Which SELinux configuration and commands must I run? I'm thankful if anyone shares their experiences.
>
> I have just done this.
> What I did was to set the server up and run it and watch it fail - i.e. not be able to do something because of a permissions failure. Look at /var/log/messages and look for a line containing 'SELinux is preventing'.
> The line will have several #012 - replace these by newlines.
> That will give you a message that tells you what is wrong and suggestions of how to fix the problem (you decide first if it is a problem and not something that should be prevented!).
> Sometimes the suggestion does not fix it, try another. This is the bit that I do not like the most; it is not always obvious which of the fixes you should adopt; then, maybe later, how to back out a fix that did not work or that you decided was the wrong one.
> I suggest keeping a log of these messages and what you did in response to it.
> Good luck.
> --
> Alain Williams
> Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
> +44 (0) 787 668 0256 https://www.phcomp.co.uk/
> Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
> #include <std_disclaimer.h>
On Sun, Jun 21, 2020 at 06:21:31PM -0400, Jethro Cao wrote:
> Watch this vid: https://m.youtube.com/watch?v=_WOKRaM-HI4

Errrrm - why?
A few words saying why might tell me that spending some time there is worth it.
On June 21, 2020 12:17:07 PM AKDT, Alain D D Williams addw@phcomp.co.uk wrote:
> On Sun, Jun 21, 2020 at 08:06:40PM +0000, Jason Long wrote:
> > Hello, I want to install Apache, MySQL and PHP on CentOS 8, but I don't like to disable SELinux. I know that SELinux may cause some problems
Yes. SELinux is supposed to cause problems for unauthorized intrusion, unnecessary privilege elevation, etc.
At the same time, there's something a little bit too formulaic, "corporate" perhaps, about the question as posted. It's a LAMP stack. The SELinux policies really need to "just work" out of the box for the end user // installer // webmaster without any additional configuration.
The CentOS distribution maintainers, developers, and software packagers, https://ius.io/ etc. need to make it work somehow. There are far too many convenient excuses why the security enhancements of SELinux are not working out of the box in this day and age of botnets, spyware, Bitcoin miners, Unsolicited Commercial Email, etc.
My current website // email is to the best of my knowledge hosted on OpenVZ paravirtualization at a commercial hosting provider, and OpenVZ does not appear to be compatible with SELinux, although I have not researched the precise technicalities.
On Sun, Jun 21, 2020 at 03:08:16PM -0800, Justina Colmena ~biz wrote:
> On June 21, 2020 12:17:07 PM AKDT, Alain D D Williams addw@phcomp.co.uk wrote:
> > On Sun, Jun 21, 2020 at 08:06:40PM +0000, Jason Long wrote:
> > > Hello, I want to install Apache, MySQL and PHP on CentOS 8, but I don't like to disable SELinux. I know that SELinux may cause some problems
>
> Yes. SELinux is supposed to cause problems for unauthorized intrusion, unnecessary privilege elevation, etc.
> At the same time, there's something a little bit too formulaic, "corporate" perhaps, about the question as posted. It's a LAMP stack. The SELinux policies really need to "just work" out of the box for the end user // installer // webmaster without any additional configuration.
They will if you have 'nice' web applications that just serve up stuff from under the document root. Real applications are not like that; they might look at files somewhere else, they might modify files, they might (often) connect to a database.
These are all reasonable things for a web application to do; however they are things that you might not need ... but might be things that a compromised PHP script might try to do to steal all of your gold.
So: these things are switched off by default. You enable just what you need.
Yes: security does get in the way - that is good, it is what should happen. You need to think and learn how to tweak it to your needs.
Unfortunately your employer will never thank you for it and complain about the time that you take. You do this correctly and (hopefully) you keep your gold - this is what s/he expects and thinks is easy. However if thieves break in you will be blamed for not taking the time to do a good job.
> The CentOS distribution maintainers, developers, and software packagers, https://ius.io/ etc. need to make it work somehow. There are far too many convenient excuses why the security enhancements of SELinux are not working out of the box in this day and age of botnets, spyware, Bitcoin miners, Unsolicited Commercial Email, etc.
> My current website // email is to the best of my knowledge hosted on OpenVZ paravirtualization at a commercial hosting provider, and OpenVZ does not appear to be compatible with SELinux, although I have not researched the precise technicalities.