On Fri, Jun 22, 2012 at 1:28 PM, Bob Hoffman <bob@bobhoffman.com> wrote:
>>
> It seems that to run the webservers selinux wants me to allow a ton of
> privileges to apache, the ftp user, and a bunch of
> other things...seems like that defeats the purpose. And a script
> injection will have all those privileges.
No, selinux doesn't give 'extra' privileges to anything. It adds
extra restrictions based on the context of the processes and the
files/directories besides the ones based on uid/gid.
> I wish I had the time and knowledge to implement it...and add it to my
> handbook, but on a webserver that
> is doing mail ins, mail outs, httpd, mysql, php, self made scripts,
> fail2ban, and host of other programs
> it seems like it requires an experienced hand at it. Or a book.
Yes, it has taken years to get just the standard distributed packages
configured correctly - and that's probably with expert advice
available to the packagers... You can't just drop it in on top of
stuff that has evolved organically for years.
--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
06-22-2012, 06:58 PM
Nikolaos Milas
reinventing the wheel? page checker
On 22/6/2012 9:28 μμ, Bob Hoffman wrote:
> it seems like it requires an experienced hand at it. Or a book.
Some googling took me to:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html
It seems interesting and comprehensive from a quick browsing. And it's
public domain too.
Yet, I agree that SElinux is a pain. There are other measures to keep
things under control. Unless you know what you are doing with it,
selinux is going to produce trouble and only trouble.
That's my experience.
(I don't know if I'll ever find the significant time needed to invest in
knowing selinux well enough to use it in production.)
Nick
06-22-2012, 08:38 PM
reinventing the wheel? page checker
Bob Hoffman wrote:
> On 6/22/2012 9:50 AM, m.roth@5-cent.us wrote:
>> Bob Hoffman wrote:
>>> On 6/21/2012 12:44 PM, Keith Roberts wrote:
>>>> On Thu, 21 Jun 2012, Bob Hoffman wrote:
>>>>> From: Bob Hoffman<bob@bobhoffman.com>
>>>>>
<snip>
>> Another thing to consider (and I really, really don't enjoy suggesting
>> it), is selinux. Turn it on to at least permissive, and it'll bitch and
>> moan if something's changed. Turn it to enforcing, and *nothing* will be
>> allowed to be changed. It is, however, a royal pain to configure, esp.
>> when you want to be able to allow a directory for users to put pics.
>>
> Would love to use SElinux. I searched high and low for any kind of
> manual and there was none.
Look for RHEL's 5 or 6; there's professional documentation.
Not that anything's that wonderful.
There's also the selinux list.
<snip>
> One thing I learned...SElinux in permissive mode only gives a warning
> once for an issue...and never again. Makes it hard
> to play with it that way, would prefer a constant error variable to keep
> them coming.
Not true. It will issue an AVC every time something tries to happen. Big
things to know:
a) ll -Z shows you the selinux context
b) chcon [-R] -[urt] <whatever> <file or directory>
c) getsebool and setsebool
mark
06-23-2012, 10:16 AM
Daniel J Walsh
reinventing the wheel? page checker
On 06/22/2012 04:38 PM, m.roth@5-cent.us wrote:
> Bob Hoffman wrote:
>> On 6/22/2012 9:50 AM, m.roth@5-cent.us wrote:
>>> Bob Hoffman wrote:
>>>> On 6/21/2012 12:44 PM, Keith Roberts wrote:
>>>>> On Thu, 21 Jun 2012, Bob Hoffman wrote:
>>>>>> From: Bob Hoffman<bob@bobhoffman.com>
>>>>>>
> <snip>
>>> Another thing to consider (and I really, really don't enjoy suggesting
>>> it), is selinux. Turn it on to at least permissive, and it'll bitch
>>> and moan if something's changed. Turn it to enforcing, and *nothing*
>>> will be allowed to be changed. It is, however, a royal pain to
>>> configure, esp. when you want to be able to allow a directory for users
>>> to put pics.
>>>
>> Would love to use SElinux. I searched high and low for any kind of manual
>> and there was none.
>
> Look for RHEL's 5 or 6; there's professional documentation.
>
> Not that anything's that wonderful.
>
> There's also the selinux list. <snip>
>> One thing I learned...SElinux in permissive mode only gives a warning
>> once for an issue...and never again. Makes it hard to play with it that
>> way, would prefer a constant error variable to keep them coming.
>
> Not true. It will issue an AVC every time something tries to happen. Big
> things to know: a) ll -Z shows you the selinux context b) chcon [-R] -[urt]
> <whatever> <file or directory> c) getsebool and setsebool
>
> mark
>
If you are having problems with SELinux just send an email to me or mention it
on the list. There is also pretty good help available on #freenode.
Permissive AVCs are only reported once. You can read this blog for more info.
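The AVC records that mark and Dan Walsh are talking about are what you actually triage when SELinux blocks something on a box like Bob's. The script below is an added example, not code from this thread or from the SELinux project: it parses a few constructed audit.log lines (the field layout is the one the kernel writes, the pids, inodes and paths are invented), groups the denials by source type, target type and object class, records whether each denial was enforced or only logged because the system was in permissive mode, and prints the allow rule that would cover each group, which is a simplified version of what audit2allow produces from the same input.

```python
"""Summarise SELinux AVC denials from audit.log lines.

Added example, not code from the CentOS thread or from the SELinux
project.  It does, in simplified form, what audit2allow does: it groups
denials by (source type, target type, object class) and prints the allow
rule that would cover each group.  The log lines below are constructed
for this example; their field layout is the one the kernel writes to
/var/log/audit/audit.log, the values are invented.
"""
import re
from collections import defaultdict

# Constructed sample records: two enforced denials for the same
# (httpd_t, user_home_t, file) triple, one denial logged while the box
# was permissive (permissive=1), and a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1340383200.101:1234): avc:  denied  { read } for  pid=2412 comm="httpd" name="photo.jpg" dev=dm-0 ino=393221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1340383200.102:1235): avc:  denied  { open } for  pid=2412 comm="httpd" path="/home/bob/pics/photo.jpg" dev=dm-0 ino=393221 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1340383260.500:1301): avc:  denied  { name_connect } for  pid=2413 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1340383200.101:1234): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\b.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # Records without a permissive= field come from older kernels;
        # treat them as enforced, which is the conservative reading.
        "enforced": m.group("permissive") != "1",
    }


def summarise(log_text):
    """Group denials by (source type, target type, class).

    Each group carries the union of denied permissions, how many records
    were seen and how many of those were real (enforced) denials.
    """
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["enforced"] += int(rec["enforced"])
    return dict(groups)


def allow_rule(stype, ttype, tclass, perms):
    """Render the policy rule that would permit the given accesses."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def report(log_text):
    """One entry per group: how it was seen, then the rule that would cover it."""
    lines = []
    for (stype, ttype, tclass), g in sorted(summarise(log_text).items()):
        seen = f"{g['count']} record(s), {g['enforced']} enforced"
        lines.append(f"# {seen}\n{allow_rule(stype, ttype, tclass, g['perms'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```

Treat the printed rule as a diagnosis rather than a fix. httpd_t being denied on user_home_t usually means the directory carries the wrong label, and the answer is to give it a web type with semanage fcontext -a -t httpd_sys_content_t '/home/bob/pics(/.*)?' (httpd_sys_rw_content_t if the web application writes there) followed by restorecon -Rv /home/bob/pics; unlike chcon, that survives a relabel. httpd_t connecting to mysqld_port_t is already covered by the httpd_can_network_connect_db boolean (setsebool -P). Only write a custom module when neither a label nor a boolean applies. Also, as Dan Walsh notes, a permissive-mode denial is logged only once while the decision stays in the kernel's AVC cache, so the count column understates how often the access actually happened.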
On Fri, June 22, 2012 16:38, m.roth@5-cent.us wrote:
>
> Not true. It will issue an AVC every time something tries to happen.
> Big things to know:
> a) ll -Z shows you the selinux context
> b) chcon [-R] -[urt] <whatever> <file or directory>
> c) getsebool and setsebool
>
> mark
If you are working with SELinux issues then the following are most
helpful to have installed: