
Do not disable Selinux: Tips and tricks!

LinqLOL (Basic Pleskian)

It makes me sad when I see people on the internet advise to disable SELinux completely. SELinux is pretty cool, and I find it one of the hidden gems that Plesk works pretty well with SELinux! Having SELinux enabled can be a real selling point for you. Below I will give some tips and tricks to use SELinux with minimal effort. We are using the FCGI version of PHP only, so most problems will be related to the combination of FCGI and SELinux. Oh, and I presume you're using a RHEL/CentOS 6 version.

Please post here your tricks too!

Tips/Tricks:

  • Do not use audit2allow blindly! Doing it wrong makes it possible that you start allowing "malicious" actions!
  • Be sure that httpd_can_network_connect is disabled by default, and then use one of the solutions below to relax things a little bit: setsebool httpd_can_network_connect off
  • Using NRPE (Nagios) with SELinux can be hard sometimes; only disable SELinux for NRPE: /usr/sbin/semanage permissive -a nrpe_t
  • Changing the SSH port from 22 to another port (e.g. 222)?!? You also have to update SELinux: semanage port -a -t ssh_port_t -p tcp 222


Problems:


Customer cannot remove files created by web application with FTP

Cause:
Files created by the web application (for example plugin installations) get a file context which proftpd is not allowed to remove.
Solution:
setsebool -P allow_ftpd_full_access=1

Sessions cannot be written in the /tmp directory under the website root

Cause:
A bug in Plesk causes the /tmp directory in the root of the website to have user_home_t context instead of tmp_t
Solution:

Connecting to an external database host fails

Cause:
SELinux (httpd_sys_script_t) by default only accepts MySQL connections from PHP to local MySQL ports
Solution:
setsebool httpd_can_network_connect_db on

Trying to connect to another website (e.g. an API) from within a PHP script fails
Cause:
SELinux (httpd_sys_script_t) by default only allows outgoing connections to local HTTP ports
Solution:
  1. This is a more advanced solution. Before proceeding you should have at least a little SE(Linux) knowledge!
  2. Create AND go to the following directory: /usr/share/selinux/allow_php_cgi_webports
  3. Create an SELinux policy file allow_php_cgi_webports.te:
    Code:
    ################################################################################
    # This semodule will make it possible for PHP scripts
    # to connect to remote websites (useful for API calls and payment providers)
    ################################################################################
    
    module allow_php_cgi_webports 1.0;
    
    # Types and the permission class this module refers to; they must already
    # exist in the loaded policy or semodule -i will refuse the module.
    require {
            type httpd_sys_script_t;
            type http_port_t;
            type ftp_port_t;
            class tcp_socket name_connect;
    }
    
    #============= httpd_sys_script_t ==============
    # Let CGI/FCGI PHP scripts open outgoing TCP connections to ports labeled
    # ftp_port_t (FTP control port) and http_port_t (the list printed by
    # "semanage port -l | grep http_port_t", e.g. 80 and 443).
    allow httpd_sys_script_t ftp_port_t:tcp_socket name_connect;
    allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
  4. Compile the policy: make -f /usr/share/selinux/devel/Makefile
  5. Install the compiled module: semodule -i allow_php_cgi_webports.pp
  6. To find out which ports it is allowed to connect to (and you can edit this!): semanage port -l | grep http_port_t
 
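The tips above (relabel the new SSH port, keep httpd_can_network_connect off, turn on only the boolean a problem needs) are easy to apply blindly. The following pre-flight script is an added example, not part of the original post or of Plesk: it parses the text that `semanage port -l` and `getsebool -a` print, reports what each tip would change, and chooses `-a` for an unlabeled port and `-m` for a port another type already owns (semanage refuses `-a` on a port that is already defined). The `SAMPLE_PORTS` and `SAMPLE_BOOLS` strings are constructed sample output so the script runs on a machine without SELinux tooling; the function names and the `ssh_port_plan`/`boolean_plan` wrappers are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks before applying
# the SELinux tips above. The parsers read the text of `semanage port -l` and
# `getsebool -a` from stdin, so they are fed constructed sample output here and
# run without SELinux; on a real host the live command output is used instead.

# Constructed sample of `semanage port -l` (header omitted, lists shortened).
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
ssh_port_t                     tcp      22'

# Constructed sample of `getsebool -a`.
SAMPLE_BOOLS='allow_ftpd_full_access --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on'

# port_owners PROTO PORT: read `semanage port -l` output on stdin and print every
# SELinux type whose port list (single ports or ranges) covers PORT/PROTO.
port_owners() {
    awk -v p="$1" -v want="$2" '
        $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v ~ /-/) {
                    split(v, r, "-")
                    if (want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) print $1
                } else if (v + 0 == want + 0) {
                    print $1
                }
            }
        }'
}

# port_labeled TYPE PROTO PORT: exit 0 if PORT/PROTO is already covered by TYPE.
port_labeled() {
    port_owners "$2" "$3" | grep -qx "$1"
}

# bool_state NAME: read `getsebool -a` output on stdin, print on/off, exit 1 if
# the boolean does not exist in this policy (names change between releases).
bool_state() {
    awk -v n="$1" '$1 == n { print $3; found = 1 } END { exit (found ? 0 : 1) }'
}

# ssh_port_plan PORT: print the semanage command needed before sshd may bind PORT,
# or a line saying nothing is needed. -a adds a new record; -m modifies a port
# that another type already owns, which is the case where -a fails.
ssh_port_plan() {
    owners=$(printf '%s\n' "$PORTS" | port_owners tcp "$1")
    case "$owners" in
        *ssh_port_t*) echo "port tcp/$1 already labeled ssh_port_t" ;;
        "")           echo "semanage port -a -t ssh_port_t -p tcp $1" ;;
        *)            echo "semanage port -m -t ssh_port_t -p tcp $1   # currently: $owners" ;;
    esac
}

# boolean_plan NAME WANT: print the persistent setsebool command if NAME != WANT.
boolean_plan() {
    state=$(printf '%s\n' "$BOOLS" | bool_state "$1") || { echo "boolean $1 unknown in this policy"; return; }
    if [ "$state" = "$2" ]; then
        echo "$1 is already $2"
    else
        echo "setsebool -P $1 $2"
    fi
}

# Use live data when the tools exist, the constructed samples otherwise.
if command -v semanage >/dev/null 2>&1 && command -v getsebool >/dev/null 2>&1; then
    PORTS=$(semanage port -l); BOOLS=$(getsebool -a)
else
    PORTS=$SAMPLE_PORTS; BOOLS=$SAMPLE_BOOLS
fi

ssh_port_plan 222
boolean_plan httpd_can_network_connect off
boolean_plan httpd_can_network_connect_db on
boolean_plan allow_ftpd_full_access on
```

Run it before touching sshd_config or calling setsebool: it only prints the commands it would run, so it is safe to read through first, and the `# currently:` suffix on a `-m` line tells you which existing type (for example http_port_t if you chose 8443) you are about to take the port away from.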