11-26-2010, 11:53 PM
Eero Volotinen

SELinux - way of the future or good idea but !!!

2010/11/27 Alison <penguin@alisoncc.com>:
> Hi,
>
> total newbie on CentOS. Just firing up an install of 5.5 on a development webserver. Installed Webmin, Awstats, PHPMyAdmin and Drupal successfully. Yet to work on Sendmail and Samba. SELinux in enforcing mode, reporting "SELinux preventing ifconfig (ifconfig_t) "read write" to /var/webminsessiondb.pag (var_t)".
>
> Googled the error message without real success in finding fix - bug reports showing. Question is whether worth pursuing as SELinux is the way of the future. Or is SELinux a good idea that never really made its way into the sun. Thoughts please.

Just turn selinux off. setenforce "0" works without rebooting server,
but /etc/sysconfig/selinux is correct place to finalize setting..

--
Eero
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-26-2010, 11:56 PM
"John R. Dennison"

SELinux - way of the future or good idea but !!!

On Sat, Nov 27, 2010 at 10:58:00AM +1100, Alison wrote:
> Hi,
>
> total newbie on CentOS. Just firing up an install of 5.5 on a
> development webserver. Installed Webmin, Awstats, PHPMyAdmin and
> Drupal successfully. Yet to work on Sendmail and Samba. SELinux in
> enforcing mode, reporting "SELinux preventing ifconfig (ifconfig_t)
> "read write" to /var/webminsessiondb.pag (var_t)".

There is a reason that control panels are effectively
unsupported; you just hit on one of those reasons. Although I
must admit I don't fully grasp why webmin is referencing
ifconfig_t.

> Googled the error message without real success in finding fix - bug
> reports showing. Question is whether worth pursuing as SELinux is the
> way of the future. Or is SELinux a good idea that never really made
> its way into the sun. Thoughts please.

There are only a small number of corner cases in which SElinux
is not appropriate; for all other cases it should be enabled.

It exists for a reason and is shipped fully enabled for a
reason. Being able to limit access based on contexts and roles
is an incredibly powerful tool which greatly improves the
security of your server and the integrity of your data.

Following is a list of very useful SElinux resources.

http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
http://fedorasolved.org/security-solutions/selinux-module-building
http://centoshelp.org/security/selinux-common-commands-troubleshooting

Some quality time with these resources will allow you to correct
the SElinux exception you listed above and also give you a much
better understanding of SElinux as a whole.




John
--
The best argument against democracy is a five minute conversation
with the average voter.

-- Winston Churchill
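
As an added example (not part of any post in this thread), the denial Alison quoted can be decoded field by field before deciding what to change. The audit-log line is constructed to match her message, with an invented timestamp, pid, device, inode and SELinux user/role/level, and the function names are this example's own.

```bash
# Decode an SELinux AVC denial instead of switching enforcement off.
# SAMPLE_AVC is constructed from the denial quoted in the thread; the timestamp,
# pid, device, inode and SELinux user/role/level fields are invented.
SAMPLE_AVC='type=AVC msg=audit(1290815580.123:456): avc:  denied  { read write } for  pid=4321 comm="ifconfig" path="/var/webminsessiondb.pag" dev=dm-0 ino=98765 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_field LINE KEY: print the value of one key=value field, quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# se_type CONTEXT: print the type, the third field of user:role:type:level.
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_rule LINE: print the type-enforcement rule the denial corresponds to,
# in the form audit2allow prints. Review it before loading anything: a generic
# target type such as var_t can mean the file needs a better label instead.
avc_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(se_type "$(avc_field "$1" scontext)")" \
        "$(se_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# config_mode FILE: print the boot-time mode set in an SELinux config file
# (/etc/selinux/config, to which /etc/sysconfig/selinux is a symlink).
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

avc_rule "$SAMPLE_AVC"
# On the server itself, with the audit and policycoreutils packages installed:
#   ausearch -m avc -c ifconfig | audit2why     # explain the denial
#   ls -Z /var/webminsessiondb.pag              # label on the target file
#   getenforce                                  # runtime mode
```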
 
11-26-2010, 11:57 PM
"John R. Dennison"

SELinux - way of the future or good idea but !!!

On Sat, Nov 27, 2010 at 02:53:30AM +0200, Eero Volotinen wrote:
>
> Just turn selinux off. setenforce "0" works without rebooting server,
> but /etc/sysconfig/selinux is correct place to finalize setting..

Oh please. This is perhaps the most idiotic advice I've seen on
this list in months.




John

--
Motivation is the art of getting people to do what you want them to do because
they want to do it.

-- Dwight D. Eisenhower (1890-1969), Thirty-fourth President of the USA
 
11-27-2010, 12:17 AM
Patrick Lists

SELinux - way of the future or good idea but !!!

On 11/27/2010 01:53 AM, Eero Volotinen wrote:
> 2010/11/27 Alison<penguin@alisoncc.com>:
>> Hi,
>>
>> total newbie on CentOS. Just firing up an install of 5.5 on a development webserver. Installed Webmin, Awstats, PHPMyAdmin and Drupal successfully. Yet to work on Sendmail and Samba. SELinux in enforcing mode, reporting "SELinux preventing ifconfig (ifconfig_t) "read write" to /var/webminsessiondb.pag (var_t)".
>>
>> Googled the error message without real success in finding fix - bug reports showing. Question is whether worth pursuing as SELinux is the way of the future. Or is SELinux a good idea that never really made its way into the sun. Thoughts please.
>
> Just turn selinux off. setenforce "0" works without rebooting server,
> but /etc/sysconfig/selinux is correct place to finalize setting..

What's with people recommending to turn off SELinux?! That's just bad
advice and like recommending people keep their doors unlocked at all
times. Really, stop doing that. SELinux is there for a reason.

Afaik Webmin does not have a very good reputation when it comes to
security. With that in mind your advice makes Alison's box much more
vulnerable.

My advice to Alison is to remove Webmin and use the tools that come with
CentOS 5.5. Also make sure that phpMyAdmin can only be accessed from
your local LAN, use strong passwords, turn on a tight firewall and do
anything else that one should do to keep the bad guys from gaining
illegal access to your server.

The NSA has some nice guides how to keep your server secure. The guides
are on this page:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml

Regards,
Patrick
 
11-27-2010, 12:29 AM
Eero Volotinen

SELinux - way of the future or good idea but !!!

>> Just turn selinux off. setenforce "0" works without rebooting server,
>> but /etc/sysconfig/selinux is correct place to finalize setting..
>
> What's with people recommending to turn off SELinux?! That's just bad
> advice and like recommending people keep their doors unlocked at all
> times. Really, stop doing that. SELinux is there for a reason.

Usually it causes more problems. If you have unlimited resources to tune it up,
then it possibly helps on the way.

> My advice to Alison is to remove Webmin and use the tools that come with
> CentOS 5.5. Also make sure that phpMyAdmin can only be accessed from
> your local LAN, use strong passwords, turn on a tight firewall and do

.. and disable password authentication on sshd server.

> anything else that one should do to keep the bad guys from gaining
> illegal access to your server.
>
> The NSA has some nice guides how to keep your server secure. The guides
> are on this page:
> http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml

http://www.zlinuxtoday.com/z/wp-content/uploads/2010/06/CIS_RHEL_5.0-5.1_Benchmark_v.1.1.2.pdf

--
Eero
 
11-27-2010, 01:01 AM
"John R. Dennison"

SELinux - way of the future or good idea but !!!

On Sat, Nov 27, 2010 at 03:29:49AM +0200, Eero Volotinen wrote:
>
> Usually it causes more problems. If you have unlimited resources to tune it up,
> then it possibly helps on the way.

Only if you don't bother to take the time to read any of the
resources I previously provided or any of the other SElinux
resources available on the 'net.

SElinux is not brain surgery; spend some time with the
documentation and you'll be surprised at how easily it all comes
together after a while.

Telling people to disable it is not only foolish but completely
irresponsible; doubly so in a medium that exists to support
users.

If the best avenue was to disable it do you honestly think that
upstream would enable it by default?

This is 2010 - people are expected to actually make an effort at
learning the systems they so casually throw up on the 'net and
to take responsibility for those systems. Every time a box gets
compromised it can pose a risk to the rest of us; please be
mature and responsible enough to make it as difficult as
possible to permit such a compromise in the first place.




John
--
Live a good life. If there are gods and they are just, they will not care
how devout you have been, but will welcome you based on the virtues you
have lived by. If there are gods, but unjust, then you should not want to
worship them. If there are no gods, then you will be gone, but will have
lived a noble life that will live on in the memories of your loved ones.

-- Marcus Aurelius (121-180), philosopher and writer
 
11-27-2010, 02:55 AM
Les Mikesell

SELinux - way of the future or good idea but !!!

On 11/26/10 8:01 PM, John R. Dennison wrote:
>
>
> If the best avenue was to disable it do you honestly think that
> upstream would enable it by default?

They are, after all, selling service. What distro enables it that doesn't have
a service for pay model (besides Centos, which just inherits it)?

--
Les Mikesell
lesmikesell@gmail.com
 
11-27-2010, 05:33 AM
Alison

SELinux - way of the future or good idea but !!!

Thanks for all the input. Particularly John and Patrick's URLs for reading material. Starting with the stuff here http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml Which is really good.

I can get 1.5Mb/s upload using Annex M, but have previously purchased hosting as I have had little experience in "battle hardening" a server. Feeling much more confident now that I have reading material to guide me in keeping the bad guys out.

Alison




At 01:01 PM 27/11/2010, you wrote:
>On Sat, Nov 27, 2010 at 03:29:49AM +0200, Eero Volotinen wrote:
>>
>> Usually it causes more problems. If you have unlimited resources to tune it up,
>> then it possibly helps on the way.
>
> Only if you don't bother to take the time to read any of the
> resources I previously provided or any of the other SElinux
> resources available on the 'net.
>
> SElinux is not brain surgery; spend some time with the
> documentation and you'll be surprised at how easily it all comes
> together after a while.
>
> Telling people to disable it is not only foolish but completely
> irresponsible; doubly so in a medium that exists to support
> users.
>
> If the best avenue was to disable it do you honestly think that
> upstream would enable it by default?
>
> This is 2010 - people are expected to actually make an effort at
> learning the systems they so casually throw up on the 'net and
> to take responsibility for those systems. Every time a box gets
> compromised it can pose a risk to the rest of us; please be
> mature and responsible enough to make it as difficult as
> possible to permit such a compromise in the first place.
>
>
>
>
> John
>--
>Live a good life. If there are gods and they are just, they will not care
>how devout you have been, but will welcome you based on the virtues you
>have lived by. If there are gods, but unjust, then you should not want to
>worship them. If there are no gods, then you will be gone, but will have
>lived a noble life that will live on in the memories of your loved ones.
>
>-- Marcus Aurelius (121-180), philosopher and writer
>
>
>_______________________________________________
>CentOS mailing list
>CentOS@centos.org
>http://lists.centos.org/mailman/listinfo/centos

 
11-27-2010, 05:48 AM
Ned Slider

SELinux - way of the future or good idea but !!!

On 27/11/10 06:33, Alison wrote:
>
> Thanks for all the input. Particularly John and Patrick's URLs for reading material. Starting with the stuff here http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml Which is really good.
>

There is also a guide to SELinux on the CentOS Wiki:

http://wiki.centos.org/HowTos/SELinux

Hope that helps.

 
11-27-2010, 04:43 PM
Nicolas Ross

SELinux - way of the future or good idea but !!!

> Thanks for all the input. Particularly John and Patrick's URLs for reading material. Starting with the stuff here http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml Which is really good.

Very interesting collection. The document for rhel5 is very well written. I disagree on certain aspects, but I will certainly learn from it.
 

All times are GMT.