SELinux and Laravel Framework

A long time ago I used to disable SELinux, maybe because I was too lazy to learn how it works. One day I faced a real challenge: there was a hard requirement to run SELinux in enforcing mode. I had no other option and no more excuses; the time to learn SELinux had arrived. Since then I have stopped disabling SELinux.

SELinux is not as hard as you may think. Please watch the video below:

Overview

A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs' and system servers' access to files and network resources. Limiting privilege to the minimum required to work reduces or eliminates the ability of these programs and daemons to cause harm if they are faulty or compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and it does not share the well-known shortcomings of the traditional Linux security mechanisms.

SELinux Features include:

  • Reduce the impact of vulnerabilities
  • Restricting root privileges (Linux capabilities; see man capabilities)
  • Clean separation of policy from enforcement
  • Well-defined policy interfaces
  • Support for applications querying the policy and enforcing access control (for example, crond running jobs in the correct context)
  • Independence of specific policies and policy languages
  • Independence of specific security-label formats and contents
  • Individual labels and controls for kernel objects and services
  • Support for policy changes
  • Separate measures for protecting system integrity (domain-type) and data confidentiality (multilevel security)
  • Flexible policy
  • Controls over process initialization and inheritance and program execution
  • Controls over file systems, directories, files, and open file descriptors
  • Controls over sockets, messages, and network interfaces
  • Controls over the use of "capabilities"
  • Cached information on access-decisions via the Access Vector Cache (AVC)

Let's get it started:

Have you tried googling SELinux before? I think so, and I can understand why people would rather disable SELinux than learn how to implement it correctly.

The available documentation is not so easy to understand as you get started, but you will get used to it. Today I'll explain a common use case using Apache, PHP and the Laravel framework. It is common to see people advising rwx (777) permissions on the Laravel storage and bootstrap folders, sometimes on the entire application, as a workaround instead of setting the correct permissions and SELinux contexts.

Enabling SELinux

To enable SELinux, follow the instructions below:

  1. Open the file /etc/selinux/config
  2. Change the SELINUX option from disabled to enforcing
  3. Create the autorelabel file; its presence tells the system to relabel the whole filesystem on the next boot, so every file gets a correct SELinux context
     touch /.autorelabel
  4. Restart the machine

Laravel folder permission

# Apache owns the tree; files are read/write for the owner only, directories are traversable by the group
chown -R apache:apache /var/www/html/laravel/
find /var/www/html/laravel/ -type f -exec chmod 640 {} \;
find /var/www/html/laravel/ -type d -exec chmod 750 {} \;

Laravel SELinux context

# Provides the semanage tool
yum install policycoreutils-python -y

# Only storage/ and bootstrap/cache/ need to be writable by Apache; the rest of the tree keeps the read-only httpd_sys_content_t type
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/laravel/storage(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/laravel/bootstrap/cache(/.*)?"

# Apply the registered contexts to the files on disk
restorecon -Rv /var/www/html/

Laravel Database Connection

By default, the httpd_can_network_connect_db Boolean is off, preventing Apache HTTP Server scripts and modules from connecting to database servers. To enable Apache HTTP Server scripts and modules to connect to database servers, run the command below as the Linux root user.

# Persistent change (survives a reboot)
semanage boolean -m httpd_can_network_connect_db --on
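After applying the contexts and the Boolean above, it is worth verifying that the tree actually carries the labels you intended. The script below is an added example, not part of the original article: it encodes the layout described here (only storage/ and bootstrap/cache/ get httpd_sys_rw_content_t, everything else stays httpd_sys_content_t), audits "context path" lines in the format printed by ls -dZ, and checks the getsebool output for the database Boolean. The application root is assumed to be /var/www/html/laravel (override with LARAVEL_ROOT).

```shell
#!/bin/sh
# Added example (not the article's own code): audit a Laravel tree's SELinux labels
# against the layout the article prescribes. The audit functions read `ls -dZ`
# style lines, so they can be exercised offline on constructed sample input.
LARAVEL_ROOT="${LARAVEL_ROOT:-/var/www/html/laravel}"   # assumed location

# Expected SELinux type for a path: only storage/ and bootstrap/cache/ need
# httpd_sys_rw_content_t; everything else must stay read-only for Apache.
expected_type() {
    case "$1" in
        "$LARAVEL_ROOT"/storage|"$LARAVEL_ROOT"/storage/*) echo httpd_sys_rw_content_t ;;
        "$LARAVEL_ROOT"/bootstrap/cache|"$LARAVEL_ROOT"/bootstrap/cache/*) echo httpd_sys_rw_content_t ;;
        *) echo httpd_sys_content_t ;;
    esac
}

# Read "user:role:type:level path" lines (what `ls -dZ PATH` prints) on stdin,
# print one line per mismatch, and return 0 only when every path is labelled
# as expected. A mismatch means the semanage/restorecon steps were not applied.
audit_labels() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)   # third field is the type
        want=$(expected_type "$path")
        if [ "$actual" != "$want" ]; then
            echo "MISMATCH $path is $actual, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Parse `getsebool httpd_can_network_connect_db` output; return 0 when it is on.
db_boolean_on() {
    case "$1" in
        "httpd_can_network_connect_db --> on") return 0 ;;
        *) return 1 ;;
    esac
}

# Live run on an SELinux host; silently skipped where the tools are absent.
if command -v getsebool >/dev/null 2>&1; then
    find "$LARAVEL_ROOT" -exec ls -dZ {} + 2>/dev/null | audit_labels
    db_boolean_on "$(getsebool httpd_can_network_connect_db)" \
        || echo "httpd_can_network_connect_db is off: Apache cannot reach the database"
fi
```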

I hope this little how-to clears up some doubts about SELinux and Laravel.

Extra Sources:

SELinux - Wikipedia

Stop Disabling SELinux

Red Hat SELinux



Rodrigo, I didn't get it where you show `touch /.autorelabel`. What is that for? Where exactly do you set that file? Could you please explain more?
