Setting up the SELinux environment by the example of a LAMP server

This is the third article in the series.

And today, she fell into the stream "Administration". Today, we will not write modules or configure RBAC , but take the path of least resistance and simply use the usual LAMP server with the help of a ready-made policy, including the necessary settings.

If anyone forgot, behind the LAMP abbreviation is L inux, A pache, M ysql, P HP, i.e. This is a big part of all VDS people buy for keeping their personal blogs. Hope this one helps all of them become a little safer :)

Assumptions

So, we assume that:

1. Distribution - CentOS 7 x64, user - root
2. SELinux is on, policy is loaded
3. SELinux mode - enforcing

Training

If LAMP is already installed and configured, you can skip it.
Install the standard software package for LAMP:
')
[root @ lamp ~] # yum install -y httpd mariadb-server php-fpm php-mysql

Minimally set up the software:



Run all the necessary services:

[root @ lamp ~] # systemctl enable httpd mariadb php-fpm
[root @ lamp ~] # systemctl start httpd mariadb php-fpm

Add some user, for example phpbb:

[root @ lamp ~] # useradd -Z user_u -m -g apache phpbb
[root @ lamp ~] # chmod 750 / home / phpbb

And create a simple test file with phpinfo ():

[phpbb @ lamp ~] $ mkdir www
[phpbb @ lamp ~] $ echo "<? php phpinfo ();?>"> www / info.php

Follow the link ...


... and get exactly what everyone gets :)

We understand with errors

Unlike other manuals, where the next step is to "turn off SELinux", we now find out why this happened and what can be done.

First, install the console utilities for managing SELinux policies:

[root @ lamp ~] # yum install -y policycoreutils-python policycoreutils-newrole policycoreutils-restorecond setools-console

And then we turn on the modules we need ( using the semodule command):

[root @ lamp ~] # semodule -e apache
[root @ lamp ~] # semodule -e mysql

Let's see what kind of problems apache encountered when opening this page?


That's right: the www folder (as well as the web and public_html folders) inside the user's home directory automatically gets the httpd_user_content_t type, as specified in the rules:


The cure is indicated in the output of audit2allow, setting variables is done with the setsebool (or semanage boolean ) command .

[root @ lamp httpd] # setsebool -P httpd_read_user_content = 1

We update the page and get:


Look logs:


Everything is clear: httpd cannot connect anywhere, httpd can only go where it should. This is logical: if the web server suddenly connects via ssh, then something strange is clearly happening.
Let's see where the web server can go?


In square brackets are variables that are responsible for the operation of this rule.
Total: add port 9009 to one of the types to which the connection is allowed, and then set the variable httpd_can_network_relay to 1.

The new port is added using the semanage port command :

[root @ lamp httpd] # semanage port -a -t http_cache_port_t -p tcp 9009
[root @ lamp httpd] # setsebool -P httpd_can_network_relay = 1

We update the page and see:

Something more complicated

Let's complicate the task now and put phpbb on this host.


Let's try to create a base for ourselves:

[phpbb @ lamp www] $ mysql -uroot
ERROR 2002 (HY000): Can't connect to MySQL server through socket '/var/lib/mysql/mysql.sock' (13)

We look for how to allow the user to connect to the database?


Ok, we include selinuxuser_mysql_connect_enabled and continue:

[root @ lamp httpd] # setsebool -P selinuxuser_mysql_connect_enabled = 1

Create a database and try to install phpbb:



Why is that? Because httpd cannot change user data. Let's find out what he can change?


Install php-xml , enable httpd_builtin_scripting and set the httpd_user_rw_content_t context to the specified files and folders ( using the chcon command):

[root @ lamp httpd] # setsebool -P httpd_builtin_scripting = 1
[phpbb @ lamp www] $ chmod 660 config.php
[phpbb @ lamp www] $ chcon -t httpd_user_rw_content_t cache / store / files / config.php images / avatars / upload /

We get:



Install phpBB further, delete install and get a working forum:



Change the context of the config back:

[phpbb @ lamp www] $ chcon -t httpd_user_content_t config.php
Enjoying a safe forum :)

Instead of an afterword

Without writing a single line of code, using only knowledge from the man-files and the standard SELinux default policy, you can set up a safe environment for standard services in 30 minutes. And this is not only about LAMP: the standard policy contains 403 ready-made modules. This is enough for most tasks that will ever face the administrator. Do not turn off SELinux, do not make Dan cry .