[Discuss] apache problem

James Cassell blu at cyberpear.com
Wed Jan 9 15:26:32 EST 2019


On Wed, Jan 9, 2019, at 2:55 PM, Derek Martin wrote:
> On Wed, Jan 09, 2019 at 07:20:29PM +0000, Anderson, Charles R wrote:
[...]
> > There is already a rich set of access controls defined for the SELinux
> > targeted policy that most people use, and is the default
> > out-of-the-box config on Fedora and Red Hat.  So you get to benefit
> > from all that work with very little effort.
> 
> One aspect of defense in depth is to avoid running services using
> default configurations at well known ports (if possible for your
> application) and with data at well-established locations.  SANS, for
> one, preached this in their GSEC program.  If you do this, your
> default SELinux policies become useless, and you will have to
> re-craft them (at least partly) by hand.  Due to the complexity of it,
> if you do not have considerable experience, and rigorous testing of
> your policies, I expect you will most probably fail to do this
> correctly.  It took the major distros YEARS to get theirs right, and
> they have a lot more resources to spend on it than the average home
> user.
> 

Given those years that have been spent, the SELinux policies shipped by distros are now quite stable and tunable.  To run apache on a nonstandard port, you can tweak that part of the policy with something like:

# semanage port -a -t http_port_t -p tcp 81

The tools available today make SELinux very usable and for the most part, it stays out of the way.  The "targeted" policies shipped by some distros have locked-down rules for select daemons such as sshd and httpd, but users by default are logged in as "unconfined_t" which is a type that has access to everything.  Confining logged-on users with SELinux can be done, but I'm not aware of a distro that enables that by default, though the "targeted" policy does have pre-defined confined user roles available for use.

Generally, using the default paths and ports allows everything to work with SELinux out of the box for packages shipped by the distro, with a possible need of changing booleans.  Switching to nonstandard paths or ports can be done with the 'semanage' tools to tell the system which paths or ports you are using instead of the standard ones.


V/r,
James Cassell
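The port and path adjustments described above, worked through as an added example (this is not code from the original mail or from any distro's policy). The script does not run semanage itself; it inspects a port listing in the format of `semanage port -l` and prints the commands an administrator would review and run. The port table embedded below is a constructed sample, and the document root /srv/www is an assumed path.

```sh
#!/bin/sh
# Added example: decide which semanage commands are needed to run httpd on a
# nonstandard port and/or document root under the stock "targeted" policy.
# Nothing here modifies the system; it only prints the commands.

# Constructed sample in the layout of `semanage port -l` (type, proto, ports).
SAMPLE_PORT_LIST='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Use the live listing when semanage is available and readable, else the sample.
PORT_LIST=$(semanage port -l 2>/dev/null) || PORT_LIST=$SAMPLE_PORT_LIST

# port_owner PROTO PORT LIST: print the SELinux port type that already covers
# PORT/PROTO (single ports and ranges like 10001-10010), or nothing if unlabeled.
port_owner() {
  proto=$1; port=$2; list=$3
  printf '%s\n' "$list" | awk -v p="$proto" -v n="$port" '
    $2 == p {
      for (i = 3; i <= NF; i++) {
        v = $i; sub(/,$/, "", v)
        if (index(v, "-")) {
          split(v, r, "-")
          if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) { print $1; exit }
        } else if (v + 0 == n + 0) { print $1; exit }
      }
    }'
}

# http_port_commands PORT LIST: print the command that lets httpd bind tcp/PORT.
# A port already owned by another type must be modified (-m); adding it (-a)
# would fail with "already defined".
http_port_commands() {
  port=$1; list=$2
  owner=$(port_owner tcp "$port" "$list")
  case "$owner" in
    http_port_t) echo "# tcp/$port is already labeled http_port_t; nothing to do" ;;
    "")          echo "semanage port -a -t http_port_t -p tcp $port" ;;
    *)           echo "# tcp/$port is currently $owner; -a would fail, so modify instead"
                 echo "semanage port -m -t http_port_t -p tcp $port" ;;
  esac
}

# docroot_commands DIR: persistent file-context rule for a nonstandard document
# root, then a relabel so existing files pick it up (fcontext survives a full
# relabel, unlike a one-off chcon).
docroot_commands() {
  dir=${1%/}
  echo "semanage fcontext -a -t httpd_sys_content_t \"$dir(/.*)?\""
  echo "restorecon -Rv $dir"
}

# Demo run: 81 (already in policy), 8080 (owned by http_cache_port_t),
# 8081 (unlabeled), plus an assumed document root.
for p in 81 8080 8081; do http_port_commands "$p" "$PORT_LIST"; done
docroot_commands /srv/www
```

The printed semanage and restorecon commands need root and the semanage tool from the policycoreutils Python utilities. After applying them, `semanage port -l | grep http_port_t` and `ls -Z` on the document root confirm the new labels before httpd is restarted.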
