On 2/2/21 5:32 pm, Jeremy Ardley wrote:
> On 2/2/21 4:55 pm, Richard Hector wrote:
>>> SELinux is quite hard to get right, but when it's done properly it's very hard to exploit. Basically if it's not explicitly permitted it's forbidden.
>>>
>>> What you are doing sounds pretty O.K. Though I personally also use SELinux for web-facing services.
>>
>> Thanks.
>>
>> I haven't looked into SELinux. I looked at AppArmor, but it appears that it won't work as expected in an LXC container, which is where I run this. Would SELinux work there?
>>
>> SELinux, from what I can see, seems more complex to learn than AppArmor.
>
> SELinux has the advantage that it by default enforces rules that you should probably already have in place. So for example it will automatically stop writes to web content by the web server. You have to explicitly allow the web server to make modifications to specific files or directories. SELinux makes you think about what is important to you and what you think should be alterable on your website.
>
> Getting back to my staging scenario, you start with default SELinux rules completely restricting web server write access to content. You'd have another set of SELinux rules that allow some other process to make changes to the content. You may even have a set of SELinux rules allowing the web server to write to an upload directory - but likely not read from it.
Further to this, web servers can interact not only with disk content, but databases, content back-ends (e.g. php-fpm) and even with hardware and communication devices. SELinux blocks all this until such time as you do the analysis and decide that particular interactions should be allowed.
It's a pain to get right, but compared to the pain of your server being exploited, not so much.
-- Jeremy
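As an added illustration (not code from this thread or from any of its participants), here is what the staging layout Jeremy describes looks like in concrete terms under the stock "targeted" SELinux policy for Apache (the httpd_t domain): the whole site is labelled read-only for the web server, one upload subtree is labelled writable, and the network booleans that govern the other interactions (databases, outbound connections) stay off until you have decided they are needed. The site path, upload path and NEED_DB switch are assumed names. One caveat worth knowing before you try to build the "write but not read" upload directory: httpd_sys_rw_content_t grants the web server read as well as write access, and the stock policy has no content type that allows writing without reading, so a true drop box needs a different design (for example a separate, more confined domain for the upload handler). The script prints the commands by default so you can review the plan, and runs them only with APPLY=1.

```sh
#!/bin/sh
# Added example, not code from the thread. Sketches the staging layout Jeremy
# describes under the stock "targeted" SELinux policy for Apache (httpd_t):
# site content read-only to the web server, one upload subtree writable,
# network booleans off unless needed. DOCROOT, UPLOADS and NEED_DB are
# assumed names. Prints the commands by default; APPLY=1 runs them as root.

DOCROOT="${DOCROOT:-/srv/www/example.com}"   # assumed site root
UPLOADS="${UPLOADS:-$DOCROOT/uploads}"       # assumed upload directory
NEED_DB="${NEED_DB:-off}"                    # on only if a DB backend is used

# Type (third field) of a security context such as
# system_u:object_r:httpd_sys_content_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# What httpd_t may do with a file carrying the given context, under the
# stock policy with httpd_unified off:
#   httpd_sys_content_t     read only  (the default for site content)
#   httpd_sys_rw_content_t  read and write
#   httpd_sys_ra_content_t  read and append (logs, drop files)
#   anything else           none: not an httpd content type, so denied
httpd_access() {
    case "$(context_type "$1")" in
        httpd_sys_content_t)    echo read ;;
        httpd_sys_rw_content_t) echo rw ;;
        httpd_sys_ra_content_t) echo append ;;
        *)                      echo none ;;
    esac
}

# File-context rules: whole site read-only, upload subtree read/write.
# The upload pattern is added second so that the last matching rule, which
# restorecon honours, is the read/write one.  The deploy process (an
# unconfined shell, rsync, a CI agent) is not httpd_t, so it can still
# replace content under $1 while the web server cannot.
fcontext_rules() {
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$1"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$2"
}

# Booleans are the "decide each interaction" part: each one widens what
# httpd_t may talk to, so leave it off until the analysis says otherwise.
boolean_rules() {
    # httpd_unified=on would let httpd_t write every httpd_sys_* type,
    # which undoes the read-only/read-write split above.
    printf 'setsebool -P httpd_unified off\n'
    # Outbound connections to database ports (MySQL, PostgreSQL, ...).
    printf 'setsebool -P httpd_can_network_connect_db %s\n' "$1"
    # Arbitrary outbound network (reverse proxying, remote APIs): off.
    printf 'setsebool -P httpd_can_network_connect off\n'
}

# Full plan, ending with a relabel so the new contexts are applied.
plan() {
    fcontext_rules "$DOCROOT" "$UPLOADS"
    boolean_rules "$NEED_DB"
    printf 'restorecon -Rv "%s"\n' "$DOCROOT"
}

if [ "${APPLY:-0}" = 1 ]; then
    plan | sh
else
    plan
fi
```

After applying, `ls -Z` on the document root and on the upload directory should show httpd_sys_content_t and httpd_sys_rw_content_t respectively, and a write attempt by the web server outside the upload subtree shows up as an AVC denial in the audit log rather than succeeding, which is exactly the behaviour being argued for above. The httpd_access helper is the same lookup you would do by eye on that `ls -Z` output when checking whether a path is one the web server can alter.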