
11.0.11 released on Jul 25, 2022

Vely SELinux



DESCRIPTION:


If you do not use SELinux, you can ignore this.

If you do use SELinux, read this. SELinux is MAC (Mandatory Access Control), which means that anything not explicitly allowed is prohibited. This is the opposite of DAC (Discretionary Access Control), where everything is allowed except what is explicitly prohibited. MAC generally works on top of DAC, and the two are expected to complement each other. Vely deploys both methods for enhanced security.

Vely comes with a SELinux policy out of the box that covers its general functioning. However, you can write any code with Vely, and if you use SELinux, your code may run afoul of other policies that do not accommodate what it does. In that case, temporarily switch to permissive mode (via setenforce), then use audit2allow to see what was denied, and take action to allow the requested access.
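As an added example (not part of Vely or its documentation), the triage loop described above as a small shell helper: run permissive, reproduce the failure, then read the AVC denials before deciding whether to label something or to generate a policy module. The two audit lines are constructed samples, not real log data; vvport_t and vvfile_t are the types named on this page, while the FCGI process domain example_app_t is a placeholder because the page does not state which domain Vely's policy assigns. It assumes ausearch, audit2allow, semodule and setenforce from the audit and policycoreutils packages when run for real.

```shell
#!/bin/sh
# Added example, not Vely's own tooling. Suggested order of use:
#   sudo setenforce 0                      # log denials instead of enforcing
#   ... reproduce the failing Vely request ...
#   sudo ausearch -m AVC -ts recent | avc_summary
#   sudo setenforce 1                      # back to enforcing once done

# Constructed sample denials (not captured from a real system):
#  1. the web server blocked from connecting to an FCGI port that was
#     never labeled vvport_t (so it still carries unreserved_port_t);
#  2. a process in placeholder domain example_app_t blocked from writing
#     into a directory that still carries the generic var_t label.
SAMPLE_AVC='type=AVC msg=audit(1658764800.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=2109 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1658764801.456:457): avc:  denied  { write } for  pid=2345 comm="myapp" name="data" dev="dm-0" ino=1 scontext=system_u:system_r:example_app_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0'

# avc_summary: read audit records on stdin and print, per denial,
# "SOURCE_TYPE TARGET_TYPE CLASS PERMISSIONS" (the same fields
# audit2allow turns into an allow rule).
avc_summary() {
    awk '
    /avc:[ ]+denied/ {
        src = ""; tgt = ""; cls = ""; perm = ""
        # permissions sit between braces: { name_connect } or { read write }
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        print src, tgt, cls, perm
    }'
}

# suggest_fix SRC TGT CLASS PERM: map a denial to the remedy this page
# describes. A denial against an unlabeled port or directory is fixed by
# labeling (vvport_t / vvfile_t), not by an allow rule: audit2allow would
# otherwise grant access to every unreserved port or every var_t file.
suggest_fix() {
    case "$3:$2" in
        tcp_socket:*_port_t)
            echo "label the port: sudo semanage port -a -t vvport_t -p tcp <port>" ;;
        file:*|dir:*|lnk_file:*)
            echo "label the path: sudo semanage fcontext -a -t vvfile_t '<dir>(/.*)?' && sudo restorecon -R <dir>" ;;
        *)
            echo "unclassified: run 'ausearch -m AVC -ts recent | audit2allow -M <module>', review the generated .te before 'semodule -i <module>.pp'" ;;
    esac
}

# triage: summarize the sample denials with a suggested remedy for each.
triage() {
    printf '%s\n' "$SAMPLE_AVC" | avc_summary | while read -r src tgt cls perm; do
        printf '%s -> %s (%s %s): %s\n' "$src" "$tgt" "$cls" "$perm" \
            "$(suggest_fix "$src" "$tgt" "$cls" "$perm")"
    done
}
```

Source the file and pipe real `ausearch -m AVC` output into `avc_summary`; `triage` runs the constructed samples so the logic can be checked on a machine without SELinux. The point of the classification is that the first remedy to try for a Vely deployment is the labeling this page describes, and a generated allow rule is the fallback, to be read before it is installed.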

Note that the OpenSUSE package does not come with a SELinux policy as of this release, because OpenSUSE currently ships neither a default base policy nor a SELinux installation.


General


Vely policy files (.te and .fc; the .if file is empty) can be found here:
ls $(vv --qry=lib_path)/selinux/*.{te,fc}

As a part of installing Vely, the following SELinux types will be installed:

Vely policy:

Vely policy allows normal functioning of Vely features only and does not introduce any unnecessary privileges to the rest of the system.

Note: Vely installation does not distribute .pp (compiled) policy files, because Vely is not currently part of distro repositories (which may change in the future). Due to changes in SELinux and differences in the versions installed across derived distros, Vely compiles the source .te and .fc files during installation, which gives the best chance of a successful SELinux policy setup.

Unix domain sockets


Using Unix domain sockets for Vely FCGI processes to communicate with a web server (see vv) is the default method, and no further action is needed.

Unix TCP sockets


Using TCP sockets for Vely FCGI processes to communicate with a web server (see vv) requires you to label such ports as vvport_t. For example, if you plan to use port 2109:
sudo semanage port -a -t vvport_t -p tcp 2109

Then you can use this port with Vely. For example, the following uses a passwordless MariaDB database and the Apache web server, runs in debug/tracing mode, starts 2 FCGI processes, uses the crypto and curl libraries, and binds to port 2109:
vv -qtu --db="mariadb:db" --webserver=apache --pwdless --debug --trace --worker=2 --lib "crypto curl" --fcgiport=2109

When you no longer need a port, for example because you are switching to another port (say 2209), remove the old label and add the new one:
sudo semanage port -d -t vvport_t -p tcp 2109
sudo semanage port -a -t vvport_t -p tcp 2209


Changing or adding directories


If you are adding directories to be used by a Vely program, or changing a directory, for example using different storage instead of /var/lib/vv (see how_vely_works), you need to label the files in the new directories:
sudo semanage fcontext -a -t vvfile_t "/your/new/dir(/.*)?"
sudo restorecon -R /your/new/dir

To remove the context from such directories (if you no longer use them), use:
sudo semanage fcontext -d -t vvfile_t "/your/new/dir(/.*)?"
sudo restorecon -R /your/new/dir
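As an added example (not part of Vely or its documentation) covering both the port labeling and the directory labeling steps above: shell helpers that validate their input before calling semanage and restorecon, and verify the result afterwards. The type names vvport_t and vvfile_t come from this page; the function names are assumed for illustration, and DRY_RUN=1 prints the commands instead of executing them so the logic can be checked on a machine without SELinux. The directory check matters because the path is dropped into a semanage regular expression: an unescaped `.` or a stray `*` would label more than intended.

```shell
#!/bin/sh
# Added example, not Vely's own tooling. Usage (after sourcing this file):
#   DRY_RUN=1 vely_switch_port 2109 2209   # print the commands only
#   vely_label_dir /srv/vv                 # label a new storage directory
#   vely_unlabel_dir /srv/vv               # drop the rule again

# run CMD...: execute CMD, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_port N: true if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# vely_add_port N: label TCP port N as vvport_t (the step before vv --fcgiport=N).
vely_add_port() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    run sudo semanage port -a -t vvport_t -p tcp "$1"
}

# vely_switch_port OLD NEW: remove the old port label, then add the new one.
vely_switch_port() {
    valid_port "$1" && valid_port "$2" || { echo "invalid port(s): $1 $2" >&2; return 1; }
    run sudo semanage port -d -t vvport_t -p tcp "$1"
    run sudo semanage port -a -t vvport_t -p tcp "$2"
}

# valid_dir PATH: must be absolute, not "/", without a trailing slash, and
# free of regex metacharacters and spaces (it becomes part of a pattern).
valid_dir() {
    case "$1" in
        /) return 1 ;;
        */) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    ! printf '%s\n' "$1" | grep -q '[][()*?+^$| \\]'
}

# fcontext_pattern PATH: the "PATH(/.*)?" pattern with literal dots escaped,
# so /opt/vely.d does not also match /opt/velyXd.
fcontext_pattern() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s(/.*)?\n' "$esc"
}

# vely_label_dir PATH: register PATH and everything under it as vvfile_t,
# relabel, then show the context the policy now assigns (verification step).
vely_label_dir() {
    valid_dir "$1" || { echo "invalid directory: $1" >&2; return 1; }
    run sudo semanage fcontext -a -t vvfile_t "$(fcontext_pattern "$1")"
    run sudo restorecon -R "$1"
    run matchpathcon "$1"
}

# vely_unlabel_dir PATH: drop the rule and restore the default context.
vely_unlabel_dir() {
    valid_dir "$1" || { echo "invalid directory: $1" >&2; return 1; }
    run sudo semanage fcontext -d -t vvfile_t "$(fcontext_pattern "$1")"
    run sudo restorecon -R "$1"
}
```

After a real run, `matchpathcon /your/new/dir` (or `ls -Z`) should report vvfile_t; if it still shows the old type, the fcontext rule did not match the path as written, which is the case the validation and dot-escaping above are meant to catch early.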


SEE ALSO:


General ( quality_control   vely_removal   rename_files   vely   why_Vely   vf   vv   how_vely_works   vely_architecture   vely_SELinux   deploying_application  )  SEE ALL (documentation)



Copyright (c) 2022 DaSoftver LLC. Vely is a trademark of Dasoftver LLC. The software and information herein are provided "AS IS" and without any warranties or guarantees of any kind. This web page is licensed under CC-BY-SA-4.0.