SELinux - what's the difference between permissive and default?

doulos
Posts: 38
Joined: 2015/11/07 17:55:32

Post by doulos » 2018/11/12 20:37:53

I have set up multiple servers in the past but always disabled SELinux. I am trying to learn how to manage SELinux but am wondering: what is the difference between disabled and permissive?

The reason I ask is I thought I would set up a web server using virtual hosts (home/userdir) with SELinux disabled and then enable SELinux to try to learn how to make it work. I have tried this twice and both times the server would not restart httpd after setting SELinux to enforcing and applying the rules to allow httpd/vhosts (assuming I did it right).

Would setting up the httpd/vhosts and getting everything working with SELinux set to permissive be the same as doing it with SELinux disabled?

Secondarily, is it safe to use the following?

Code:

# "Allow httpd to read home directories" (serves ~/public_html as httpd_user_content_t)
sudo setsebool -P httpd_enable_homedirs true
# "Unify HTTPD handling of all content files" (httpd treats every httpd_*_content_t type alike)
sudo setsebool -P httpd_unified 1

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux - what's the difference between permissive and default?

Post by TrevorH » 2018/11/12 20:41:23

Disabled means not active at all.
Permissive means it's there and does everything that it's designed to do except block the access. It logs all denials.
Enforcing: same as permissive but blocks access that is not allowed.

You shouldn't use httpd_unified as that effectively disables selinux for httpd thus defeating the entire point of the exercise :-)

Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fed ... ced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/se ... licy-guide | http://freecomputerbooks.com/The-SELinu ... tions.html
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

doulos
Posts: 38
Joined: 2015/11/07 17:55:32

Re: SELinux - what's the difference between permissive and default?

Post by doulos » 2018/11/12 20:57:37

TrevorH wrote (2018/11/12 20:41:23):
> Disabled means not active at all
> Permissive means it's there and does everything that it's designed to do except block the access. It logs all denials.
> Enforcing, same as permissive but blocks access that is not allowed.
I knew that much, but thanks for the reminder.
> You shouldn't use httpd_unified as that effectively disables selinux for httpd thus defeating the entire point of the exercise :-)
Exactly what I needed to know, thanks.
I am just learning to use SELinux, so thanks. I found numerous articles by using Google, trying to take shortcuts to actually learn how to use SELinux - most of which either didn't work or assumed I knew more than I do. I'll try your suggested links.

Thanks, TrevorH.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux - what's the difference between permissive and default?

Post by TrevorH » 2018/11/12 21:08:43

Start with the first one, the link to our wiki. It's the only one I've ever needed.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SELinux - what's the difference between permissive and default?

Post by hunter86_bg » 2018/11/13 05:16:35

Also, there is a great tool to debug SELinux called 'sealert' from the package 'setroubleshoot-server'.
Keep in mind that the recommendations provided by sealert are not always the best.
Basic stuff:
SELinux context is derived from rules which define the context of files and directories based on their location.
The same is valid for applications. Once an application like httpd tries to access a user's home directory, SELinux will prevent that for security reasons.
Also, imagine your Apache is compromised and tries to listen on a non-default port - SELinux will prevent that. Of course, SELinux cannot prevent your Apache from accessing your database and brute-forcing a password, as it is not a behaviour analysis tool.

SELinux has extensive man pages (for almost everything). Just install:

Code:

# selinux-policy-devel ships the *_selinux(8) man pages (e.g. httpd_selinux); mandb refreshes the index
yum install -y selinux-policy-devel && mandb
Source: Certdepot.net

doulos
Posts: 38
Joined: 2015/11/07 17:55:32

Re: SELinux - what's the difference between permissive and default?

Post by doulos » 2018/11/26 03:05:01

I am so happy I can't stand it. I finally succeeded in figuring out why httpd wouldn't work with vhosts (/home/user) with SELinux enabled. I was doing everything right with regard to SELinux - but I was trying to point my access and error logs to /home/user/logs. When I switched it to /var/log/httpd/doulos, it magically worked. I can now have my web server use SELinux.

Thanks for all your help.
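An added worked example, not part of this thread and not anyone's posted code: the workflow the replies above describe, done in shell. The point of permissive (rather than disabled) for this exercise is that the policy still labels new files and every denial still lands in /var/log/audit/audit.log; with SELinux disabled nothing gets labelled, so you need a full relabel (touch /.autorelabel and reboot) before enforcing can work. The script parses AVC records and maps the three situations this thread ran into (logs under a home directory, a docroot under a home directory, a non-default listening port) to their standard fixes. The sample records are constructed, /home/USER/... paths are placeholders, and the commands named (setenforce, ausearch, semanage, restorecon, setsebool) are the real CentOS 7 ones.

```shell
#!/bin/sh
# Added example (not from the thread): triage the AVC denials httpd leaves
# behind when you run it in permissive mode, and map each to the usual fix.
# /home/USER/logs and /home/USER/www below are placeholder paths.

# Constructed sample records in audit.log format (not captured from a real host):
# 1. httpd writing a log file that lives under a home directory
# 2. httpd reading a vhost docroot under a home directory
# 3. httpd binding a port the policy does not label http_port_t
SAMPLE_AVCS='type=AVC msg=audit(1542053430.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="access_log" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1542053431.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/doulos/www/index.html" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1542053432.789:458): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# Value of KEY=... in an audit record ($1 = record, $2 = key); quoted or bare.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The denied permission set, i.e. what sits between { and }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# Type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Map one denial to the fix you would normally apply instead of httpd_unified
# or a blanket audit2allow module.
suggest_fix() {
    line=$1
    perms=$(avc_perms "$line")
    tclass=$(avc_field "$line" tclass)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    case "$tclass:$ttype:$perms" in
        tcp_socket:*:name_bind)
            port=$(avc_field "$line" src)
            printf 'port %s is not http_port_t: semanage port -a -t http_port_t -p tcp %s\n' "$port" "$port" ;;
        file:user_home_t:*write*|file:user_home_t:*append*|dir:user_home_t:*write*|dir:user_home_t:*create*|dir:user_home_t:*add_name*)
            printf 'httpd_t cannot write into user_home_t: keep logs under /var/log/httpd (httpd_log_t) or relabel: semanage fcontext -a -t httpd_log_t "/home/USER/logs(/.*)?" && restorecon -Rv /home/USER/logs\n' ;;
        file:user_home_t:*|dir:user_home_t:*)
            printf 'httpd_t cannot read user_home_t: serve ~/public_html with setsebool -P httpd_enable_homedirs on, or relabel the docroot: semanage fcontext -a -t httpd_sys_content_t "/home/USER/www(/.*)?" && restorecon -Rv /home/USER/www\n' ;;
        *)
            printf 'no canned fix for %s on %s (%s): run audit2why or sealert -a /var/log/audit/audit.log\n' "$perms" "$ttype" "$tclass" ;;
    esac
}

# Walk the constructed sample.
printf '%s\n' "$SAMPLE_AVCS" | while read -r rec; do
    printf '%s %s on %s -> %s\n' "$(avc_field "$rec" comm)" "$(avc_perms "$rec")" \
        "$(ctx_type "$(avc_field "$rec" tcontext)")" "$(suggest_fix "$rec")"
done

# On a real CentOS/RHEL host: setenforce 0, restart httpd, exercise the site,
# then feed the fresh denials through the same triage and setenforce 1 once
# the list is empty. Skipped when the audit tools are absent so the sample
# above still runs anywhere.
if command -v ausearch >/dev/null 2>&1 && [ -r /var/log/audit/audit.log ]; then
    ausearch -m avc -c httpd -ts recent 2>/dev/null | grep '^type=AVC' |
        while read -r rec; do suggest_fix "$rec"; done
fi
```

The first sample record is exactly the situation solved at the end of the thread: httpd_t may write httpd_log_t but not user_home_t, so logs under /home/user fail while /var/log/httpd works. Relabelling the directory is the alternative to moving it; the one thing not to do is flip httpd_unified, which widens what httpd may write across every content type instead of fixing the one label that is wrong.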
