I want to setup my Fedora 29 Server to use SELinux to secure my server.
The services I need to use are: SABnzbd, Sonarr, Jellyfin, Plex, Docker, Cockpit.
I have not really found anything on using SABnzbd, Sonarr, Jellyfin or Plex with SELinux other than that I apparently need to disable SELinux. Surely there is a way to use them with SELinux.
You might have to write your own SELinux policy modules (which would be cool) for these. I haven't found anything aside from disabling SELinux. You could be the first!
Don't forget there's also the sesandbox feature, just a thought.
Custom modules might get erased over time when an update is installed, so when you have a working module, save the .pp somewhere if you need to reapply it/them in the future.
I have the same problem with SELinux and Docker, which I need to get both working. Disabling SELinux also works, but a rule of our own would be preferable; I have no experience in that regard though.
But if we throw our brain powers together we should be able to tackle this.
The cockpit add-on is awesome. Also it doesn't hurt to set things to permissive so that events are logged, before going full-bore into enforcing. I believe if you have the policy core audit utils package installed, events get logged to /var/log/messages (in rhel7/centos7), and if I remember correctly, the logging is actually pretty good. "ls -z" is also going to become your friend.
Exactly. I believe this is also the same info that gets sent to the logs as selinux audit events in /var/log/messages. The messages will actually give you what you need to build the contexts, including help url's etc.
Ok finally got some time on my hands…
So what are you wanting to setup exactly? The docker service itself runs in its own type domain and so does cockpit; container_runtime_t & cockpit_ws_t.
Cool.
But this part confuses me:
Do you want to run them as independent services or what do you need Docker for?
All of those can be run in Docker containers, and Docker isolates the subprocesses using type enforcement and/or MCS ranges, so SELinux already have you covered, no?
This happens when I fire up an example Debian instance and do a ps
So there you see that the docker process is running in the "container_runtime_t" domain, and the subprocess' type-enforcement type is "container_t" with a random MCS range from 367 to 803.
I see.
Well one idea is, since there's no custom profiles for those services that we know of, to make use of RBAC and confine the user who's running them.
usermod -Z user_u "username"
Log out and back in
That's just another layer limiting user actions.
I'm not sure if you're allowed to run webapps in a user_u domain (there are others, iirc webadm and such), but that domain has no way to escalate privileges at least.
Also, you could kick things up a notch and polyinstantiate tmp dirs.
Anywho gotta look back into the type domains when I've got more time, currently in the middle of a move, I'll get back at ya next week, or possibly on Sunday.
Edit: Oh and a side note, disabling selinux is horrible advice. You should turn it into permissive instead. And not globally either, you can run single processes in permissive mode.
Selinux isn't hard at all once you understand how it functions, some people just don't rtfm.
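The two practical points raised in this thread, reading the AVC denials that permissive mode logs before writing any policy, and the MCS categories that keep one container's container_t process away from another container's files, can be tried out with a small triage script. What follows is an added example, not code from any poster or from Fedora; the three denial lines are constructed (every pid, inode and category value is made up) and stand in for what `ausearch -m AVC` or /var/log/messages would show, and the "hint" classification is this example's own heuristic, not something audit2allow does.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials the way a defender reads them before
# writing a module. Constructed sample: a container_t process carrying categories
# c367,c803 is denied on a home-directory file and on another container's volume.
SAMPLE_AVC='type=AVC msg=audit(1551234567.123:456): avc:  denied  { read } for  pid=2211 comm="python3" name="config.ini" dev="dm-0" ino=131 scontext=system_u:system_r:container_t:s0:c367,c803 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551234567.456:457): avc:  denied  { write } for  pid=2211 comm="python3" name="downloads" dev="dm-0" ino=132 scontext=system_u:system_r:container_t:s0:c367,c803 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=dir permissive=1
type=AVC msg=audit(1551234567.789:458): avc:  denied  { read } for  pid=2211 comm="python3" name="config.ini" dev="dm-0" ino=131 scontext=system_u:system_r:container_t:s0:c367,c803 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# Print the MCS category set of a context string ("c367,c803" for
# system_u:system_r:container_t:s0:c367,c803); prints nothing if there are none.
mcs_categories() {
    printf '%s\n' "$1" | awk -F: '{ c = (NF >= 5) ? $5 : ""; print c }'
}

# Succeed (exit 0) when two labels carry different category sets. That is the
# MCS separation Docker relies on: two containers share the container_t type yet
# are kept apart from each other's container_file_t data by their categories.
mcs_isolated() {
    [ "$(mcs_categories "$1")" != "$(mcs_categories "$2")" ]
}

# Collapse AVC lines from stdin into one row per distinct
# "source_type target_type class permission hint", with a count in front.
# The hint (this example's heuristic) says what the denial most likely needs:
#   mcs-mismatch       same container_file_t type, different categories: the
#                      volume belongs to another container; relabel it for this
#                      one (docker -v /path:/path:Z) instead of allowing access
#   unlabelled-volume  container reaching a host-labelled path (user_home_t etc.):
#                      also a relabel job, never "allow container_t user_home_t"
#   review             anything else: a candidate for a custom module, to be read
#                      by hand before audit2allow turns it into allow rules
avc_summary() {
    awk '
    /avc: *denied/ {
        i1 = index($0, "{"); i2 = index($0, "}")
        perm = substr($0, i1 + 1, i2 - i1 - 1); gsub(/^ +| +$/, "", perm)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        n = split(s, sp, ":"); m = split(t, tp, ":")
        stype = sp[3]; ttype = tp[3]
        scat = (n >= 5) ? sp[5] : ""; tcat = (m >= 5) ? tp[5] : ""
        hint = "review"
        if (stype == "container_t" && ttype == "container_file_t" && scat != tcat) {
            hint = "mcs-mismatch"
        } else if (stype == "container_t" && ttype != "container_file_t") {
            hint = "unlabelled-volume"
        }
        key = stype " " ttype " " c " " perm " " hint
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

On a real Fedora box the input would come from `ausearch -m AVC -ts recent`, and only the rows marked "review" are worth feeding to `audit2allow -M mymodule` and installing with `semodule -i mymodule.pp` (keep that .pp file, as noted above, so it can be reapplied after updates). The relabel cases are fixed by labelling the volume correctly, not by widening container_t. To follow the advice of running a single process in permissive rather than disabling SELinux globally, `semanage permissive -a container_t` puts just that domain into permissive mode while everything else stays enforcing, and the denials still show up in the log with `permissive=1`.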