After I installed OLS I noticed it was running under the unconfined_service_t label. This basically circumvents SELinux and allows all processes run by OLS to access the entire system, checked only by discretionary access control. So I decided to add some custom labels and enable some booleans, giving OLS similar access to what nginx or Apache would require; then I could just switch to Permissive mode, check for AVCs and fix them one at a time. Well... this was a complete disaster.
After adding several booleans that limit the security of the server, trying to dwindle this list of hundreds of AVCs down to a manageable level, I eventually gave up when I found things like this...
type=AVC msg=audit(1591823365.262:12096): avc: denied { getattr } for pid=32757 comm="usermod" path="/etc/shadow" dev="vda1" ino=161331 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591823365.262:12098): avc: denied { write } for pid=32757 comm="usermod" path="/etc/passwd.32757" dev="vda1" ino=155423 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Why does a web server process need write access to /etc/* and read access to the shadow file!??!! It appears that OLS is calling usermod for some reason at startup. Maybe to get the UID for suEXEC? Has anyone successfully set up LiteSpeed to run in an SELinux environment? Or do banks just use Nginx?
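The triage step the post describes (run in Permissive mode, then work through the AVC records one group at a time) is much easier when the raw audit lines are first collapsed by source domain, command, target type, object class and requested permissions. The following is an added example, not code from the original post or from the OpenLiteSpeed project: a small parser that does that grouping over the two records quoted above plus one extra record constructed here for illustration, and a helper that flags any httpd_t access to shadow_t, which is the kind of denial that should never simply be allowed through. The field names are those of the standard audit AVC record; the function and variable names are this example's own.

```python
"""Summarise SELinux AVC denials from audit log lines (added example).

Groups denials so that hundreds of records from a permissive-mode run
collapse into a short table that can be reviewed one rule at a time
before any allow rule or boolean is written.
"""
import re
from collections import Counter

# key=value or key="value" pairs inside an audit record.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set, e.g. 'denied { read open }'.
_PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*)\}')

# Constructed sample: the two records quoted in the post plus a third
# record and a non-AVC SYSCALL record invented for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1591823365.262:12096): avc: denied { getattr } for pid=32757 comm="usermod" path="/etc/shadow" dev="vda1" ino=161331 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591823365.262:12098): avc: denied { write } for pid=32757 comm="usermod" path="/etc/passwd.32757" dev="vda1" ino=155423 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1591823365.262:12099): avc: denied { read open } for pid=32757 comm="usermod" path="/etc/shadow" dev="vda1" ino=161331 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1591823365.262:12099): arch=c000003e syscall=2 success=yes exit=3
"""


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    if "type=AVC" not in line or "avc:" not in line:
        return None
    perms = _PERMS_RE.search(line)
    if perms is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    # Sorted tuple so '{ read open }' and '{ open read }' group together.
    fields["perms"] = tuple(sorted(perms.group(1).split()))
    # The SELinux type is the third component of user:role:type:level.
    fields["sdomain"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def summarise(text):
    """Count denials keyed by (source domain, comm, target type, class, perms)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["sdomain"], rec.get("comm", "?"), rec["ttype"],
               rec.get("tclass", "?"), rec["perms"])
        counts[key] += 1
    return counts


def shadow_access(text):
    """Return every record where the web-server domain touched shadow_t."""
    return [r for r in map(parse_avc, text.splitlines())
            if r is not None and r["sdomain"] == "httpd_t" and r["ttype"] == "shadow_t"]


if __name__ == "__main__":
    for (sdom, comm, ttype, tclass, perms), n in summarise(SAMPLE_AUDIT).most_common():
        print(f"{n:4d}  {sdom} ({comm}) -> {ttype}:{tclass}  {{ {' '.join(perms)} }}")
    for r in shadow_access(SAMPLE_AUDIT):
        print("REVIEW: shadow_t access from", r["comm"], "pid", r["pid"])
```

Feed it `ausearch -m AVC` output (or the raw audit.log) instead of the constructed sample. The grouped table is what you would hand to `audit2allow -w` or `sesearch` to decide, per group, whether an existing boolean already covers it or whether the access should be refused and the startup behaviour raised with the vendor instead, as the post does for the usermod records.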