Fedora 29 local LAMP Selinux issues

asked 2019-02-16 13:09:10 -0600 by mrmarcienl

I have set up many VPSs etc., so I can install LAMP on Fedora. It's very easy and simple. I already did that earlier on 27, but now I have issues with SELinux.

I want the local LAMP (so no outside access) for developing websites. However, no matter what I try, I don't have full access rights. I need 'sudo' to write files inside VSCode, and when I e.g. install Joomla I can't remove the installation folder through Joomla; I need to do that from the terminal. Also in Joomla I can't write the configuration file.

If I completely shut down SELinux I have no issues anymore.

Does anybody have a really good working guide on how to solve this?

Here are my notes, with some of the things I have tried. I have been working on this for days now.

    yum list installed | grep -i php

ALWAYS UPDATE FIRST !!!!

    sudo dnf update && sudo dnf upgrade -y
    reboot

Set hostname:

    hostnamectl set-hostname HOSTNAME

Install LAMP + phpMyAdmin:

    su -
    dnf install httpd mariadb mariadb-server php php-cli php-php-gettext php-mbstring php-mcrypt php-mysqlnd php-pear php-curl php-gd php-xml php-bcmath php-zip phpmyadmin
    systemctl start httpd.service
    systemctl start mariadb.service

Activate/install MySQL:

    mysql_secure_installation
    mysql -u root
    (follow the form)
    mysql> quit

VirtualHosts & hosts file:

    sudo nano /etc/hosts

add the domain names (test1, test or test.dev, test2.dev etc.)

ADDING SITES (always in /var/www/SITENAME; the first time from the terminal):

    sudo mkdir -p /var/www/site1

change permissions:

    sudo chcon -R -t httpd_sys_content_t /var/www    !!!!
    sudo usermod -a -G apache xfce
    sudo chown -R $USER:$USER /var/www/site1
    sudo chmod -R 755 /var/www
    semanage permissive -a httpd_t    !!!!!!!!!!!!!!!!

Making a symlink:

    ln -s /var/www /home/xfce/DevelopmentSites
    chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0 /home/xfce/DevelopmentSites
    sudo sed -i "s/User apache/User $USERNAME/g" /etc/httpd/conf/httpd.conf
    semanage fcontext -a -t httpd_sys_rw_content_t

Add sites as VirtualHosts:

    sudo nano /etc/httpd/conf/httpd.conf

at the end of the file add the sites:

    <VirtualHost *:80>
        DocumentRoot /var/www/site1
        ServerName site1
        # Other Apache config directives, logs etc.
    </VirtualHost>

COMMANDS

    systemctl start httpd.service      ## use restart after update
    systemctl enable httpd.service
    systemctl start mariadb.service    ## use restart after update
    systemctl enable mariadb.service
    sudo systemctl reload httpd    !!!!!
    sudo chcon -R -t httpd_sys_content_t /var/www    !!!!

https://fedoramagazine.org/troublesho...

https://blog.lysender.com/2015/07/cen... https://unix.stackexchange.com/questi... https://ask.fedoraproject.org/en/ques...

https://ask.fedoraproject.org/en/ques... https://askubuntu.com/questions/17823... https://ask.fedoraproject.org/en/ques...


4 Answers

answered 2019-03-09 15:46:24 -0600 by mrmarcienl

I got the solution finally.

I found a good tutorial and tested it. Now I'm happy. Hope it's also secure enough.

Hopefully someone else can benefit from this.

I assume you installed this first:

    dnf install httpd mariadb mariadb-server php php-cli php-php-gettext php-mbstring php-mcrypt php-mysqlnd php-pear php-curl php-gd php-xml php-bcmath php-zip phpmyadmin

After installing httpd, mariadb, php and phpmyadmin, do the following.

Allow virtual machines that use fusefs to install properly with SELinux (I don't know if this is really necessary? Can someone clarify?)

    sudo setsebool -P virt_use_fusefs 1

Increasing the amount of inotify watchers (read more: https://github.com/guard/listen/wiki/...)

echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

Create folder where we will store and run our development sites

mkdir ~/Sites

Creating symbolic link from the Apache web directory to your sites folder

sudo ln -s ~/Sites /var/www/html

Tell SELinux that these files/directories are allowed to be modified by Apache

sudo chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0 ~/Sites

Change the "User apache" string in the config file to "User (the username of the current user)". For a development machine, it's more convenient to run Apache as the current user to simplify permissions problems

sudo sed -i "s/User apache/User $USERNAME/g" /etc/httpd/conf/httpd.conf

Edit the config file www.conf. This seems important to get everything working right.

    sudo nano /etc/php-fpm.d/www.conf

  • change user to the current user: user = $USERNAME (was apache)
  • add the current user to listen.acl_users: listen.acl_users = apache,nginx,$USERNAME
    

Configure mariadb

sudo systemctl start mariadb.service
sudo mysql_secure_installation

NOW EVERYTHING MUST BE WORKING

Add your virtualhost files and make the necessary changes to your /etc/hosts file. Enjoy!

If your CMS, for example, needs a network connection, then allow apache/httpd to connect:

Allow Apache/httpd to connect

sudo setsebool -P httpd_can_network_connect 1

Thanks to the only (good) tutorial I found!

answered 2019-03-07 01:23:08 -0600 by remi, updated 2019-03-07 05:32:43 -0600

Giving apache ownership of or write access to the full document root tree is a terrible idea.

Lots of vulnerability exploits take advantage of this lack of security.

Apache ONLY needs read access to scripts (e.g. PHP).

It may need write access to a small set of directories (temp, upload, cache...). Only these directories should be writable, and they are usually put outside the web tree.

P.S. I'm aware that some web applications need write access to the full tree for their "auto-update" feature; this is a terrible feature, lowering the whole security of the server (e.g. owncloud, nextcloud, wordpress...)

Comments

This is a LAMP setup on a PC for local development, so not accessible from outside. So I'm not that concerned. But I still have issues with SELinux ;(

mrmarcienl (2019-03-07 11:03:27 -0600)

Very bad argument. You MUST take care of security, even on a development env, which will make things much easier for production.

remi (2019-03-08 05:08:33 -0600)

So do you have any suggestion how to set this up so I can start working on my sites? It really drives me crazy. Any help would be highly appreciated.

mrmarcienl (2019-03-08 16:22:42 -0600)
answered 2019-03-06 17:20:51 -0600 by mrmarcienl

I thought there would be more expertise here to help.

Anyway, I think I have it covered except for the SELinux issues. Please advise if I'm on the right track (LAMP for local development websites, so the sites are not accessible from outside):

install Apache, mariadb, php and phpmyadmin

dnf install httpd mariadb mariadb-server php php-cli php-php-gettext php-mbstring php-mcrypt php-mysqlnd php-pear php-curl php-gd php-xml php-bcmath php-zip phpmyadmin

start Apache & database

    systemctl start httpd.service
    systemctl start mariadb.service

Setup database access

mysql_secure_installation

add user to group Apache

usermod -a -G apache $USERNAME

make apache owner and set write access

sudo chown -R apache:apache /var/www

sudo chmod -R 775 /var/www

Make future folders/files the right permissions and make them owned by Apache

sudo chgrp -R apache /var/www

sudo chmod -R g+s /var/www

in httpd.conf change:

Relax access to content within /var/www.

AllowOverride All instead of AllowOverride None

    <Directory "/var/www">
        AllowOverride All    <<< -- Change this line
        # Allow open access:
        Require all granted
    </Directory>

So everything works now but I still have writing issues. If I do:

sudo setenforce 0

Everything works fine. I can work on files with Visual Studio Code, and I can install extensions within the CMS and change config files.

HELP:

What should I do with SELinux? I have been working on this for 2 days now, tested in VMs and on real PCs, but I can't get the right answer. It seems I can't find anything correct about it. The right answer would be highly appreciated.
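That `setenforce 0` makes everything work tells you the blockers are AVC denials, and in permissive mode every one of them is still logged, which is the fastest way to learn exactly which label or boolean is missing. The script below is an added example, not from the thread: it reduces raw audit lines to source type, target type, object class and permissions, and maps the common httpd cases to the fix a practitioner would apply. The audit lines it ships with are constructed for the demo (pids, inodes and paths are invented); on a real host feed it `ausearch -m AVC -c httpd --raw` (and `-c php-fpm`, since on Fedora 29 PHP runs under php-fpm) or point it at /var/log/audit/audit.log.

```shell
#!/bin/sh
# avc-triage.sh: summarise SELinux AVC denials for httpd and map each one to the
# usual remedy. Added example, not from the thread. SAMPLE_AVC is constructed
# test data, not output from the poster's machine.
set -eu

SAMPLE_AVC='type=AVC msg=audit(1551900001.101:201): avc:  denied  { write } for  pid=2101 comm="php-fpm" name="configuration.php" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551900002.102:202): avc:  denied  { search } for  pid=2100 comm="httpd" name="xfce" dev="dm-0" ino=1701 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1551900003.103:203): avc:  denied  { name_connect } for  pid=2101 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1551900004.104:204): avc:  denied  { read open } for  pid=2100 comm="httpd" path="/srv/site/index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551900005.105:205): avc:  denied  { read } for  pid=2101 comm="php-fpm" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Reduce each AVC line on stdin to: "<source type> <target type> <class> <perms>"
avc_summarize() {
    sed -n 's/.*denied *{ *\([^}]*[^} ]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Map each summary line to a remedy. Deliberately conservative: anything not
# recognised goes to MANUAL so a human reads it before allowing anything.
avc_suggest() {
    while read -r src tgt class perms; do
        case "$class:$perms" in
            tcp_socket:*name_connect*)
                echo "SETBOOL    $src -> $tgt ($class): setsebool -P httpd_can_network_connect 1 (httpd_can_network_connect_db if only the DB port is needed)"
                continue ;;
        esac
        case "$tgt" in
            httpd_sys_content_t)
                case " $perms " in
                    *" write "*|*" create "*|*" unlink "*|*" rename "*|*" setattr "*|*" add_name "*|*" remove_name "*)
                        echo "RELABEL_RW $class {$perms}: httpd may only read here; give this directory alone httpd_sys_rw_content_t" ;;
                    *)
                        echo "MANUAL     $tgt $class {$perms}: read-side denial on correctly labelled content; run sealert -a /var/log/audit/audit.log" ;;
                esac ;;
            user_home_t|user_home_dir_t|home_root_t|var_t|default_t|unlabeled_t)
                echo "RELABEL    $tgt $class {$perms}: not a web content type; semanage fcontext -a -t httpd_sys_content_t '<dir>(/.*)?' && restorecon -Rv <dir>" ;;
            *)
                echo "MANUAL     $tgt $class {$perms}: no canned fix; read it with audit2allow -w or sealert before allowing anything" ;;
        esac
    done
}

# Usage: avc-triage.sh --demo | avc-triage.sh - < audit-lines | avc-triage.sh FILE...
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_AVC" | avc_summarize | avc_suggest ;;
    -)      avc_summarize | avc_suggest ;;
    '')     : ;;
    *)      cat "$@" | avc_summarize | avc_suggest ;;
esac
```

On the sample data the five denials come out as RELABEL_RW (a CMS writing its config into read-only content), RELABEL (httpd searching /home/xfce, the symlink setup from the question), SETBOOL (outbound HTTPS from PHP), RELABEL (content that still carries the generic var_t label) and MANUAL (a read of shadow_t). That last bucket is the point: `audit2allow -M` will happily generate a module allowing httpd_t to read shadow_t, so read each denial before allowing it; `sealert -a /var/log/audit/audit.log` gives the same classification with Fedora's own suggestions, and `getsebool -a | grep httpd` lists the booleans (httpd_enable_homedirs, httpd_read_user_content, httpd_can_network_connect, ...) that cover the home-directory and network cases without custom policy.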

answered 2019-02-17 13:05:55 -0600 by mrmarcienl

I searched more and more and made some progress. I would love to hear if this is the best solution (at least it works):

    sudo chown -R apache:apache /var/www
    # run the find commands from /var/www !!!
    cd /var/www
    sudo find . -type f -exec chmod 0644 {} \;
    sudo find . -type d -exec chmod 0755 {} \;
    sudo chcon -R -t httpd_sys_content_t /var/www

    # Make future folders/files get the right permissions and be owned by Apache
    sudo chgrp apache /var/www
    sudo chmod g+s /var/www
