Run Apache in Chroot or use SELinux

  • mfaisalwarraich
    New Member
    • Oct 2007
    • 194

    Run Apache in Chroot or use SELinux

    Hi everyone,

    I am not an expert in Linux, but I saw that some people run Apache in a chroot jailed environment so that if ever a website is compromised, the attacker will only have access to its jailed environment.

    On the other hand, SELinux is also designed for the same type of job, if I'm not wrong. We need to change the directory's context.

    So I'm a bit confused here about what I should use for Apache, SELinux or chroot.

    I am using CentOS 6 / RHEL 6 for this purpose.

    Please guide me.

    Thanking you.
  • sicarie
    Recognized Expert Specialist
    • Nov 2006
    • 4677

    #2
    Chroot is the 'old school' method for validating and protecting your system from attack. It may require you to re-create or re-configure access to the directories as well as manually maintain those items that have been upgraded automatically by the system, though that depends on how you originally configured it.

    SELinux is a newer and less supported option that controls the interactions between processes, though this is done through policy. SELinux is fully supported on RHEL/CentOS, so you don't need to worry about that; however, you would need to have a very good policy in place to ensure it behaves correctly.

    If you do not want/need to change the way chroot behaves, and if you bind mount directories it may be easier than SELinux. However, if you are confident in your ability to create (and keep updated) the policy rules, then SELinux may allow more flexibility to your system.

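The directory-context point raised in the first post can be checked before any policy work is done. The script below is an added example, not code from anyone in this thread: it reads `stat -c '%C %n'` output for a web root and reports files whose SELinux type is not in an allowed list. The allowed list, the sample paths and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag files under a web root whose SELinux type is not one
# that httpd is expected to read or execute as web content.
# Input lines look like "<user>:<role>:<type>:<level> <path>", as printed by:
#   find /var/www -exec stat -c '%C %n' {} +

# Assumption: types treated as acceptable here; adjust to the site's policy.
ALLOWED_TYPES="httpd_sys_content_t httpd_sys_script_exec_t"

# Reads context/path lines on stdin, prints "<type><TAB><path>" for each
# file whose type is not in ALLOWED_TYPES.
audit_httpd_labels() {
    awk -v allowed="$ALLOWED_TYPES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            ctx = $1
            # Everything after the context is the path (it may contain spaces).
            path = substr($0, length(ctx) + 2)
            split(ctx, f, ":")
            type = f[3]
            if (!(type in ok)) printf "%s\t%s\n", type, path
        }'
}

# Constructed sample listing (not taken from a real host). The second and
# fourth files carry labels inherited from where they were created.
sample_listing() {
cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/upload me.php
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/css/site.css
unconfined_u:object_r:default_t:s0 /var/www/html/new/page.html
EOF
}

# Demo run on the constructed sample.
sample_listing | audit_httpd_labels
```

Files it reports can be relabelled to the policy's defaults with `restorecon -Rv` on the affected directory.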

    • mfaisalwarraich
      New Member
      • Oct 2007
      • 194

      #3
      Thanks, sicarie, for your explanation; it's really helpful. But I have gone through documentation.

      What I have figured out is that if I'm running a website, it can't be protected whatsoever, whether it's an SELinux or chroot environment. In both cases the website may be compromised and the attacker may have access to the website folders.

      So in such a case only backups can secure me, which I need to make a proper plan to put in place. However, chroot/SELinux would obviously secure that backup so that the attacker won't get access to it.

      I have googled about chroot for Apache but I have not found any good material as yet. If you have any guide about configuring an Apache server in a chroot environment, please link me.

      Thank you again.

      Regards


      • sicarie
        Recognized Expert Specialist
        • Nov 2006
        • 4677

        #4
        Yes, security is the process of reviewing, monitoring, and updating the site and resources behind it to ensure risks are known and properly mitigated, monitored, or accepted. I would highly recommend taking whatever you're using (be it a bulletin board system, an Apache server, or your own PHP code) and Google searching 'secure apache' or 'secure php' so that you can address the common issues and keep your site from being 'low hanging fruit.'

        I would recommend searching 'rhel configure chroot' or setup instead of configure and seeing what comes up. Most of the docs should be similar, and reading two or three of them should get you going.
