On 2/02/21 10:42 pm, Jeremy Ardley wrote:
On 2/2/21 5:32 pm, Jeremy Ardley wrote:
On 2/2/21 4:55 pm, Richard Hector wrote:
What you are doing sounds pretty O.K. Though I personally also use
SELinux for web-facing services.
Thanks.
I haven't looked into SELinux. I looked at AppArmor, but it appears
that it won't work as expected in an LXC container, which is where I
run this. Would SELinux work there? SELinux, from what I can see,
seems more complex to learn than AppArmor.
SELinux is quite hard to get right, but when it's done properly it's
very hard to exploit. Basically if it's not explicitly permitted it's
forbidden.
SELinux has the advantage that it by default enforces rules that you
should probably already have in place. So for example it will
automatically stop writes to web content by the web server. You have
to explicitly allow the web server to make modifications to specific
files or directories. SELinux makes you think about what is important
to you and what you think should be alterable on your website.
Getting back to my staging scenario, you start with default SELinux
rules completely restricting web server write access to content. You'd
have another set of SELinux rules that allow some other process to
make changes to the content. You may even have a set of SELinux rules
allowing the web server to write to an upload directory - but likely
not read from it.
Further to this, web servers can interact not only with disk content,
but databases, content back-ends (e.g. php-fpm) and even with hardware
and communication devices. SELinux blocks all this until such time as
you do the analysis and decide that particular interactions should be
allowed.
It's a pain to get right, but compared to the pain of your server being
exploited, not so much.
You've reminded me that of course nginx (in my case) as well as php-fpm
needs read access to a bunch of stuff (not php ... unless it's a site
that publishes php scripts ...), but no write to anything. So I'll need
to revise my model for that, at least :-(
Though I guess that can be covered by 'other' permissions (with nginx
config to prevent serving php and other files that it shouldn't).
I think I'm leaving SELinux in the 'too hard' basket for the time being;
it looks like it would need changes to a bunch of other stuff as well
(e.g. postfix ...)
Thanks,
Richard
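As an added example (not code from this thread or from either poster), the script below lays out the split Jeremy describes, and the nginx-side guard Richard mentions, using the stock "targeted" policy types for httpd_t: site content is labelled read-only for the web server, a single upload directory is labelled writable, database access stays off until explicitly switched on, and an nginx location block refuses to serve PHP from the upload directory. The site root, upload path and the ALLOW_DB switch are assumptions. Note that the stock policy has no write-only web content type, so the upload directory remains readable by httpd_t; the nginx guard is what stops it being served or executed. Without arguments the script only prints the plan for review; `--apply` runs it (as root, on a host with policycoreutils-python-utils).

```shell
#!/bin/sh
# Added example, not from the thread: SELinux file-context and boolean plan
# for a site served by nginx + php-fpm (both run as httpd_t under the
# targeted policy), plus the nginx guard for the upload directory.
# SITE_ROOT, UPLOAD_DIR and ALLOW_DB are assumed values; override via env.

SITE_ROOT="${SITE_ROOT:-/srv/www/example}"      # assumed path
UPLOAD_DIR="${UPLOAD_DIR:-$SITE_ROOT/uploads}"   # assumed path
ALLOW_DB="${ALLOW_DB:-0}"                        # 1 = web server may reach a DB

# Map a directory to the type httpd_t is allowed to use on it:
#   httpd_sys_content_t     read-only content (HTML, CSS, PHP sources)
#   httpd_sys_rw_content_t  content httpd_t may read AND write (uploads)
# There is no write-only type in the stock policy, so uploads stay readable.
content_type_for() {
    case "$1" in
        "$UPLOAD_DIR") echo httpd_sys_rw_content_t ;;
        *)             echo httpd_sys_content_t ;;
    esac
}

# Emit the commands that persist the labels (semanage) and apply them
# (restorecon). The site root is emitted first and the more specific upload
# path second, so the upload rule wins for files underneath it.
label_plan() {
    for dir in "$SITE_ROOT" "$UPLOAD_DIR"; do
        printf "semanage fcontext -a -t %s '%s(/.*)?'\n" \
            "$(content_type_for "$dir")" "$dir"
    done
    printf "restorecon -Rv '%s'\n" "$SITE_ROOT"
}

# Network interactions are denied until explicitly decided, as described in
# the thread: only turn the DB boolean on when ALLOW_DB=1.
boolean_plan() {
    if [ "$ALLOW_DB" = "1" ]; then
        echo "setsebool -P httpd_can_network_connect_db on"
    else
        echo "# httpd_can_network_connect_db left off: web server may not reach a database"
    fi
}

# nginx guard for the upload directory: '^~' stops the global '~ \.php$'
# fastcgi location from matching /uploads/x.php, and the nested regex
# location refuses anything ending in .php outright.
nginx_upload_guard() {
    cat <<'EOF'
location ^~ /uploads/ {
    location ~ \.php$ { return 403; }
    try_files $uri =404;
}
EOF
}

# Execute the plan; refuses to run where the SELinux tooling is absent.
apply_plan() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
    label_plan | sh -e
    boolean_plan | sh -e
}

case "${1:-}" in
    --apply) apply_plan ;;
    *) label_plan; boolean_plan; nginx_upload_guard ;;
esac
```

Review the printed plan first; `restorecon -Rv` will report every file whose label changes, which is a quick way to spot content that was previously writable by the web server.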