SELinux — Making it a Little Easier for Web
A SELinux tutorial for your web site and web apps, the easy way — and why you shouldn’t disable SELinux.
--
If you’ve ever configured a server using a stock CentOS image, then you’ve likely run into SELinux. You might have run into this thing that seemed to block everything you were trying to do, thrown your hands up and decided to Google, “how to disable SELinux”. STOP. Don’t do that.
What is SELinux, and why is it slowing me down?
The “SE” in SELinux stands for “Security-Enhanced” — and for good reason. I could probably write books about all the security aspects of a Linux system that can be managed by SELinux, but the important thing to know is that SELinux is like a watchdog with nano-level focus on every part of your Linux system. It prevents unauthorized changes to files and directories and also prevents various protocols like HTTP and SSH from being used by various services and applications unless you explicitly allow that action.
That said, it can seem like kind of a pain to get SELinux to play well with the things you’re trying to use in your CentOS system, and sometimes it seems like it’s fighting you just to be a jerk.
The truth is, it’s just very, very good at doing what it was designed to do: watching every little file change and access attempt and making sure it’s legit. With a little coaxing we can make this work in our favor, and allow our app to run as expected, securely.
I assure you SELinux can be an easy-to-manage and vital part of security for your Linux system. It can be a strong force to contend with for hackers when it’s configured correctly.
In this tutorial, we will cover the basic SELinux configuration you will need for using HTTP/S applications like web sites and web apps, as well as how to address the nuances of SELinux when it doesn’t play well…