what is SE-linux and why disable ?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Cr0w, Mar 17, 2015.

  1. Cr0w (Member)
    Hey everyone, what is SELinux?
    Why must it be disabled on install?
    Can I enable it after install?
  2. eva2000 (Administrator, Staff Member)
    SELinux is a complicated (for new users) way of further tightening security on your server so that only allowed apps and users can install, create or use files and directory paths. There would be too much confusion if Centmin Mod supported and enabled SELinux.

    see

    Last edited: Mar 17, 2015
  3. Cr0w (Member)
    But after running ./centmin.sh

    that needs to be turned off!
    Can I turn it on? Does enabling it not cause problems?
  4. eva2000 (Administrator, Staff Member)
    Turning SELinux on before or after Centmin Mod install will cause a lot of problems, as Centmin Mod doesn't install stuff in standard places, so you will have all sorts of permissions issues you need to work out for SELinux - you'd be on your own sorting that stuff out as per the above linked SELinux info.
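The "permissions issues" described in the post above show up as AVC denials in the audit log. The following is an added example, not from this thread or from the Centmin Mod project, showing how a defender reads those denials (the lines `ausearch -m AVC` would produce) and relabels a non-standard directory so the confined service can use it, rather than setting SELinux to disabled. The audit lines are constructed samples in the standard AVC shape, and the web root path is a placeholder, not a Centmin Mod path.

```shell
#!/bin/sh
# Added example, not from the thread or the Centmin Mod project: read SELinux
# AVC denials the way a defender would before deciding to relabel a path.
# The audit lines below are constructed samples in the standard AVC shape;
# the web root path further down is a placeholder, not a Centmin Mod path.

SAMPLE_AVC='type=AVC msg=audit(1539100000.123:456): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="vda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539100001.456:457): avc:  denied  { name_connect } for  pid=2345 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# avc_summary: reads audit log lines on stdin and prints, per denial,
#   <comm> <permission> <tclass> <target type> <enforcing|permissive>
# A file denial whose target type is default_t means the directory was never
# labelled for the confined domain (httpd_t here): the usual symptom when
# software lives outside the distribution's standard paths.
avc_summary() {
    grep 'avc:  denied' |
    sed -n 's/.*denied  { \([^}]*\) } for .*comm="\([^"]*\)".*tcontext=[^ ]*:\([^:]*\):[^ ]*.*tclass=\([^ ]*\).*permissive=\([01]\).*/\2 \1 \4 \3 \5/p' |
    sed -e 's/ 0$/ enforcing/' -e 's/ 1$/ permissive/'
}

# label_fix_for: prints the persistent relabel for a non-standard web root so
# httpd_t may read it (httpd_sys_content_t is the read-only web content type).
# semanage records the rule so it survives a full relabel; restorecon applies it.
label_fix_for() {
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary
label_fix_for /srv/example-site/public   # placeholder path, not a real layout
```

The first sample is the classic non-standard-path case: nginx (running as httpd_t) is denied read on a file still labelled default_t, and the remedy is the fcontext rule plus restorecon, not disabling SELinux. The second sample is a different kind of denial (a network connect to the MariaDB port) that labelling cannot fix; it is governed by an SELinux boolean such as httpd_can_network_connect_db. The trailing `permissive=0`/`1` field tells you whether the denial actually blocked anything: running in permissive mode while testing a non-standard layout logs every denial without breaking the service, which is the safer middle ground between enforcing and disabled.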
  5. Cr0w (Member)
    Can I turn it on for some seconds and then turn it off?
  6. eva2000 (Administrator, Staff Member)
    Why would you want to, though? I haven't tested SELinux with Centmin Mod so I can't guarantee anything :)
  7. Cr0w (Member)
    Because I want to install pure-ftpd manually; that has some SELinux commands.
  8. Endda (New Member)
    So where's the answer here? I've seen how much more secure Android has become since SELinux was introduced and there are a number of custom ROMs that get hacked together which require SELinux to be disabled.

    Yet that opens up a huge security hole. So what is the reason why SELinux needs to be disabled for Centmin Mod to work?

    You say "I haven't tested with SELinux for Centmin Mod so can't guarantee anything", but that's not an explanation... that's an excuse.

    You say "turning SELinux on before or after Centmin Mod install will cause ALOT of problems as Centmin Mod doesn't install stuff in standard places so you will have all sorts of permissions issues" which is exactly what those Android custom ROM developers are doing

    They don't want to put in the work to keep their firmware secure so what keeps Centmin Mod secure with SELinux disabled?

    You like to boast about how high your benchmark scores are compared to NGINX and Apache... but you're disabling an important security layer. That's like disabling encryption on Android and boasting about benchmark numbers compared to those who keep their data secure with encryption.

    I've been looking at NGINX and EasyEngine a lot lately and have been tempted by Centmin Mod many, many times, but I just can't wrap my head around this gaping security hole with SELinux being disabled and you avoiding questions, telling the community they "will have all sorts of permissions issues" when you're not willing to put in the work.

    Yet you're willing to boast those benchmark numbers.

    So please, sir. Explain this issue to me.
  9. eva2000 (Administrator, Staff Member)
    @Endda thanks for your comments.
    • Do you have experience using SELinux on CentOS ? If you do, your input would be great.
    • How many LEMP stack end users here and in general have SELinux experience ?
    • Can you provide examples of alternative free LEMP stack offerings (with no supplement paid plans) which both provide SELinux compatibility AND fully support their end users via ticket system/forums etc for every SELinux related issue they run into ?
    There are 2 parties to offering Centmin Mod LEMP stack - first the developer (me) and then the end user (you).

    If I were to cater for an SELinux enabled environment on my end, am I supposed to provide free support for every issue that arises when the end user installs software in non-standard places and they don't have a clue how SELinux works? So yes, the practicalities and reality are that I am currently not willing to put in that extra work for free, as it increases my workload and would slow development of other planned features for centminmod/centminmod.

    It's the same reasoning why some of the other features I want to install are not installed by default as they also require an end user deeper understanding - such as
    • OSSEC and other intrusion detection systems
    • Auditd - available but not installed by default
    • Modsecurity for Nginx - prep work but not installed by default
    • System forced password rotation every 30 days and strong password setups
    • Forced non-RSA based SSH key only SSH logins (ECDSA/ED25519) no passwords by default
    If I was to enable all these by default along with SELinux in the pursuit of security, the amount of extra free support I'd need to provide for end users who have no experience with these and their associated logging, warnings, error messages and gotchas (i.e. what to do if they lose their SSH private key and can't log into SSH, and the various web hosts' methods of handling such) would be huge. My free time would be eaten up by these issues and Centmin Mod development would slow to a crawl. Yes, it's an excuse, but still a valid one from my point of view and from the amount of free time I have to work with.

    I am just one man/developer, so I have a limited amount of time I can dedicate to Centmin Mod for free. So yes, I do have to decide what features I am willing to put in the work for. If you read the centminmod.com site and this forum thoroughly, you'll see that whatever Centmin Mod features I do offer, I always put in the effort and work to support end users whatever/whenever they have issues. Out of the free LEMP stack alternatives, I can be proud to say my forum based support for end users has been one of the best and most thorough from what I have seen, and from what other Centmin Mod users can attest to themselves.

    So yes I have to pick and choose what features I support and offer in Centmin Mod.

    By this same reasoning, I don't add inbound @domain.com pop3/imap support to Centmin Mod due to the amount of extra support work when mail delivery problems could be caused by factors outside of Centmin Mod's mail offering/setup.

    Now if there are any SELinux on CentOS experts here who don't mind contributing their time to getting Centmin Mod working compatibility wise and helping fend off end user SELinux related issues, I welcome the help. Same goes for OSSEC and Modsecurity :)

    p.s. If it's related to Wordpress installs via Centmin Mod 123.09beta01's centmin.sh menu option 22 Wordpress installer - it has additional security to lock down the installs, similar to SELinux but without the complications, with whitelisting of wp plugins and autoprotect.sh automatic htaccess to nginx rule conversion; see Differences between Wordpress regular install vs centmin.sh menu option 22 install. Wordpress is a special case which needs more focus, so yes, I am willing to provide support for the Wordpress install setup via centmin.sh menu option 22.
  10. Endda (New Member)
    Don't worry, I get it. It's your project and it's your choice to work on what you want to work on and ignore what you want to ignore. As I said, I come from the Android enthusiast community (XDA) and know that many developers keep SELinux set in passive mode because it's difficult to deal with.

    Like I said though, it just seems strange that you're boasting about benchmarks in comparison to other platforms that have all of their security layers in place while yours does not.

    I do appreciate the effort you put into option 22. That is nice to have some extra things locked down for WordPress. I had just been lured by those benchmark numbers only to be deflated to find out about this SELinux stuff.

    Keep your passion going. I hope to see it grow with each passing year.
     
  11. eva2000 (Administrator, Staff Member)
    Cheers.. maybe one day SELinux can be enabled/supported, but without other folks contributing their time/support for end users with SELinux issues, it won't be soon. Also, Centmin Mod performance doesn't come from the lack of SELinux - there are other reasons why, see Insight Guide - How to boost Centmin Mod LEMP stack performance, and the posted Centmin Mod benchmarks comparing other LEMP stacks don't even have all those performance boosting options enabled on the Centmin Mod side either, so there's more performance to be had :)
     