
Not right to set httpd_t in permissive mode for wok

Open stemid opened this issue 8 years ago • 4 comments

In the troubleshooting docs you recommend setting the whole httpd_t context into permissive just to help wok use port 8000 in nginx. This essentially disables selinux protection for nginx, apache2 and other web servers using this context.

You can instead use a pre-defined port, or yourself define a new port into the http_port_t context.

I propose that you instead change the httpd port for wok in /etc/wok/wok.conf from 8000 to 9000, which is by default covered by http_port_t context on CentOS 7 and Fedora 25.

$ sudo semanage port -l|grep http_port
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

This will make nginx listen on 9000 instead and work without issues since 9000 is allowed for its context.

If 9000 is already taken on your system you can define a brand new port as http_port_t with this command.

$ sudo semanage port -a -t http_port_t -p tcp 9002

This way you're not disabling selinux protection for an entire context of services just to use one port.

stemid avatar Feb 06 '17 10:02 stemid
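The check described above, written out as an added POSIX sh example (not code from the issue or the wok project): it parses `semanage port -l` output and reports whether a port is already http_port_t, pinned to another type (as 8000 is), or free to be labelled with `semanage port -a`. The http_port_t tcp line in the embedded sample is the one quoted above; the other sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of wok or its docs: pick the least-privilege way to let
# a wok listener work under SELinux instead of making httpd_t permissive.

# Constructed sample of `semanage port -l` output (http_port_t tcp line from the issue).
SAMPLE_SEMANAGE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      80, 81, 443, 488
soundd_port_t                  tcp      8000, 9433, 16001
unreserved_port_t              tcp      1024-32767'

# ports_of OUTPUT TYPE: the comma-separated tcp port list shown for TYPE.
ports_of() {
    printf '%s\n' "$1" | awk -v t="$2" '$1 == t && $2 == "tcp" { $1 = ""; $2 = ""; print }'
}

# port_in_list LIST PORT: succeed if PORT is in LIST; entries may be single
# ports or ranges such as 1024-32767 (exact match, so 80 never matches 8000).
port_in_list() {
    printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | awk -v p="$2" '
        /-/ { split($0, r, "-"); if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1; next }
        $0 == p { found = 1 }
        END { exit !found }'
}

# pinned_type OUTPUT PORT: the type listing PORT individually (not via a range).
# `semanage port -a` refuses such ports, which is why 8000 cannot just be added.
pinned_type() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == "tcp" {
        for (i = 3; i <= NF; i++) { sub(",", "", $i); if ($i == p) { print $1; exit } } }'
}

# plan_for_port OUTPUT PORT: print the least-privilege course of action.
plan_for_port() {
    owner=$(pinned_type "$1" "$2")
    if port_in_list "$(ports_of "$1" http_port_t)" "$2"; then
        echo "ok: $2/tcp is already http_port_t; no SELinux change needed"
    elif [ -n "$owner" ]; then
        echo "blocked: $2/tcp is pinned to $owner; set a http_port_t port such as 9000 in /etc/wok/wok.conf"
    else
        echo "run: semanage port -a -t http_port_t -p tcp $2"
    fi
}

# With SELinux tools installed, inspect the real policy for the port given as the
# first argument (wok's default 8000 otherwise); else fall back to the sample.
if command -v semanage >/dev/null 2>&1; then
    plan_for_port "$(semanage port -l 2>/dev/null)" "${1:-8000}"
else
    plan_for_port "$SAMPLE_SEMANAGE" "${1:-8000}"
fi
```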

Hi @stemid

Thanks for reporting this! I'd say to properly update the documentation to only disable selinux for a given port instead of changing the default Wok port to 9000 (which may confuse existing users).

alinefm avatar Feb 06 '17 16:02 alinefm

Yes I agree that changing the listen port in the default config is too big a change.

I was only proposing to update the SELinux docs with additional pointers on how to make a more secure and specific SELinux config. And the easiest tip there is to change the listen port in wok.conf since it requires no SELinux configuration from the user.

To set a specific port context in permissive is also too broad because it affects all other ports in that context. And you can't "move" port 8000 from its current policy to http_port_t easily.

Port 8000 is simply a poor choice in relation to Wokd and http contexts. So to work around that choice I think the best option is to offer alternative configuration pointers for users who are invested in SELinux.

Perhaps a community maintained wiki-page about SELinux for Wokd would be better? To avoid bothering the devs and making PRs for these matters.

stemid avatar Feb 07 '17 09:02 stemid

@stemid Yeap! We can turn the content of https://github.com/kimchi-project/wok/blob/master/docs/troubleshooting.md + the advice you suggested into a new wiki page. Can you do that? Otherwise, I will. =)

alinefm avatar Mar 02 '17 16:03 alinefm

Done.

stemid avatar Mar 02 '17 16:03 stemid