oucil's questions

Dovecot's ACL plugin instructions indicate that for global acl's, we're supposed to create an acl file in /etc/dovecot/. and to include the access control list items in it. So I've created /etc/dovecot/global-acls and included...

inbox.Archive owner lrwstipeka
inbox.Drafts owner lrwstipeka
inbox.Sent owner lrwstipeka
inbox.Junk owner lrwstipeka
inbox.Trash owner lrwstipeka

... which is supposed to prevent users from deleting these system folders.

This file is then loaded from the /etc/dovecot/conf.d/90-acl.conf plugin...

protocol imap {
  mail_plugins = $mail_plugins acl imap_acl
}

plugin {
  acl = vfile:/etc/dovecot/global-acls:cache_secs=300
}

plugin {
  acl_shared_dict = file:/path/to/mailbox/root/shared-mailboxes
}

The problem I'm having is that I'm getting the following errors in my syslog now showing that there's a permission issue with that file (or possibly with stat(), I'm not sure).

Error: acl vfile: stat(/etc/dovecot/global-acls) failed: Permission denied
Fatal: acl: backend vfile init failed with data: /etc/dovecot/global-acls:cache_secs=300

drw-rw----.   3 vmail dovecot  4096 Jan 26 13:37 .
drwxr-xr-x. 126 root  root    12288 Jan 26 16:52 ..
drw-rw----.   2 vmail dovecot  4096 Jan 25 15:46 conf.d
-rw-rw----.   1 vmail dovecot   535 Jan 26 20:17 dovecot.conf
-rw-rw----.   1 vmail dovecot   257 Jan 26 13:35 global-acls

As you can see, the permissions are set the same as the other files in /etc/dovecot. I've searched for hours for related errors, but I'm at a loss.

Any suggestions?

First, I'm aware of the SSL Library Error: error:0A000126:SSL routines::unexpected eof while reading error stemming from OpenSSL 3 reintroducing a feature to prevent truncation attacks.

The question I have is why I'm seeing this error when I'm making a curl call via PHP from the very same server that's reporting the error?

I'm running Rocky Linux 9.1, PHP 8.0.27, and have OpenSSL 3.0.1 (latest versions available). I can't upgrade to PHP8.1 via the dnf module yet due to missing libraries not yet available for that release.

Since I'm making a curl call from the server to itself, one would think that if it's up to date enough to recognize the error, that it would be issuing the requests properly. The "bug" reports indicate that this is generally from non-compliant servers issuing the requests, so where should I be looking in my system to correct the request format so I can bring myself into compliance and get my curl requests working again?

Here are the current curl opts I'm using with my request...

CURLOPT_HTTPGET => TRUE,
CURLOPT_HEADER => FALSE,
CURLOPT_FAILONERROR => FALSE,
CURLOPT_RETURNTRANSFER => TRUE,
CURLOPT_CONNECTTIMEOUT => 10,
CURLOPT_TIMEOUT => 60,
CURLOPT_SSL_CIPHER_LIST => NULL,
CURLOPT_CAINFO => '/path/to/ca-certs.pem',
CURLOPT_SSL_VERIFYPEER => TRUE,
CURLOPT_SSL_VERIFYHOST => 2

And here are the SSL/TLS related options from httpd.conf...

SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProxyProtocol -all +TLSv1.3 +TLSv1.2

SSLCipherSuite    TLSv1.3   TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite    SSL       AES256+EECDH:AES256+EDH:!SHA1:!SHA256:!SHA384

SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

SSLOpenSSLConfCmd Curves X25519:secp521r1:prime256v1

Thanks for any help you can offer!

EDIT: Solution below, tldr; had to specify TLS version and cipher in the client request.

My application lives in one directory and is served from a public folder, and I have an API endpoint in a sub-directory of public, both of which are redirected to their own respective index.php files. Until a recent server migration everything was working great. Now though, the API requests are being intercepted by the parent directory. Here are the vhost <directory...> segments in question...

    # application root
    <Directory "/path/to/app">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # public root
    <Directory /path/to/app/public>
        RewriteBase /
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*\.(media.php|png|jpg|gif|ico)$ media.php [NC,L]
        RewriteRule ^.*\.(xml|txt|css|js)$ static.php [NC,L]
        RewriteRule ^.*$ index.php/ [NC,L]
        errordocument 404 /error.php?id=404
    </Directory>

    # API
    <Directory /path/to/app/public/api>
        Header set Access-Control-Allow-Methods "PUT, GET, POST, DELETE, HEAD, OPTIONS"
        RewriteCond %{HTTP:Authorization} ^(.*)
        RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
        RewriteRule ^(.*)$ index.php [L,NC]
    </Directory>

I'm using Apache 2.4.53. The /path/to/app/public directives are working as expected, any media file extensions are redirected to media.php, any text based files are redirected to static.php, and everything else is sent to index.php with a 404 error fallback.

If I request mydomain.com/api/ alone I get the proper API specific error message, because the ./api/ directory physically exists. But as soon as I request a proper endpoint like mydomain.com/api/v1.0/some-enddpoint/ which should be captured and redirected at the ./api/index.php file, I'm getting a 404 error which is coming from the parent directory.

Appreciate any help!

I'm seeing an odd error in the mysqld.service status notes...

The syntax '--ssl=off' is deprecated and will be removed in a future release. Please use --tls-version=invalid instead.

The thing is I've disabled SSL using skip_ssl in the /etc/my.cnf and I don't see any vars relating to SSL defined in /etc/my.cnf.d/*. I've also checked in /etc/systemd/system/mysqld.service.d/override.conf and the only thing I've set is LimitNOFILE.

The --ssl=off setting is a command line start up variable, so where could this error be coming from? Is there a new way to disable SSL other than skip_ssl?

I'm on Rockly Linux 8, and MySQL 8.0.26.

The pertaining documentation, including the deprecation note can be found here: https://dev.mysql.com/doc/refman/8.0/en/server-options.html

I'm using ansible to bring up an identical server in the cloud, as well as in a VM (Virtualbox) on my workstation. The instance uses a non-public-facing recursive Bind DNS server to cache queries and it works great when it's out in the cloud, but it won't resolve anything when in the VM and I'm scratching my head as to why. Here's the named.conf...

# Bind9

options {
    listen-on port 53       { 127.0.0.1; 10.1/16; 10.2/16; 10.3/16; };
    listen-on-v6 port 53    { ::1; };
    directory               "/var/named";
    dump-file               "/var/named/data/cache_dump.db";
    statistics-file         "/var/named/data/named_stats.txt";
    memstatistics-file      "/var/named/data/named_mem_stats.txt";
    secroots-file           "/var/named/data/named.secroots";
    recursing-file          "/var/named/data/named.recursing";
    allow-query             { validated; };
    auth-nxdomain           no;
    recursion               yes;

    max-cache-size          16m;
    cleaning-interval       60;
    max-cache-ttl           3600;
    max-ncache-ttl          3600;

    version                 "";
    querylog                no;
    dnssec-enable           yes;
    dnssec-validation       yes;
    managed-keys-directory  "/var/named/dynamic";
    pid-file                "/run/named/named.pid";
    session-keyfile         "/run/named/session.key";
    include                 "/etc/crypto-policies/back-ends/bind.config";
};

acl validated {
    10.1.0.0/24;
    10.2.0.0/24;
    localhost;
    localnets;
};

controls { };

logging {
    channel default_syslog {
        syslog daemon;
        severity warning;
    };
    category default { default_syslog; };
    category unmatched { null; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

The machine IP is in the 192.168 range, and the 10... ranges in the conf file are related to a VPN running on the machine. The resolve.conf file is pointing to 127.0.0.1. Otherwise everything is pretty straightforward.

Running dig google.com results in a SERVFAIL as you can see here...

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59078
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 84042dfe2a471323626805ee61d1e76c742ad5196cf79d37 (good)
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 832 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 02 12:57:00 EST 2022
;; MSG SIZE  rcvd: 67

My inkling is that this is related to Virtualbox as the same config works in the cloud. Is Vbox somehow intercepting DNS requests and not providing the right response? I'm using Bridge networking though, so my understanding was that ALL traffic is routed to the network as if this is a standalone instance, is that not the case?

Not sure if it points to anything but when I run systemctl status named on the cloud machine everything looks good, but when I run it on the VM I'm seeing errors...

... managed-keys-zone: No valid trust anchors for '.'!
... managed-keys-zone: 0 key(s) revoked, 1 still pending
... managed-keys-zone: All queries to '.' will fail

I'm not sure where to begin to diagnose, appreciate any help you can offer!

I've been able to figure this out a little easier in the past just due to the context but this one has me stumped. When I run sealert -a /var/log/audit/audit.log and get the typical output such as...

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/php-fpm from write access on the file index.html.

*****  Plugin httpd_write_content (92.2 confidence) suggests   ***************

If you want to allow php-fpm to have write access on the index.html file
Then you need to change the label on 'index.html'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'index.html'
# restorecon -v 'index.html'

...
...
...

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0:c30
Target Objects                index.html [ file ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           php-fpm-... 
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     --REMOVED--
Platform                      --REMOVED--
Alert Count                   12
First Seen                    2020-07-28 10:31:59 EDT
Last Seen                     2020-07-28 10:31:59 EDT
Local ID                      --REMOVED--

Raw Audit Messages
type=AVC msg=audit(...): avc:  denied  { write } for  pid=... comm="php-fpm" name="index.html" dev="sda" ino=... scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0:c30 tclass=file permissive=0


type=SYSCALL msg=audit(...): arch=x86_64 syscall=access success=no exit=EACCES a0=... a1=2 a2=0 a3=0 items=0 ppid=... pid=... auid=... uid=... gid=... euid=... suid=... fsuid=... egid=... sgid=... fsgid=... tty=(none) ses=... comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=access AUID=unset UID=...  GID=...  EUID=...  SUID=...  FSUID=...  EGID=...  SGID=...  FSGID=... 

Hash: php-fpm,httpd_t,httpd_sys_content_t,file,write

--------------------------------------------------------------------------------

(some info removed for brevity, some for privacy)

There is nothing in this synopsis that indicates the location of the index.html file anywhere. My only thought it that one of the bits of info returned can be used to be a more detailed answer? But which? I'm sure with a little time I could figure out this specific one, as there won't be too many index.html files on my system, but I keep running into this and it's very time consuming trying to locate the files being referenced. Any help would be greatly appreciated!

I'm getting a BAD... error when running a LIST command against an IMAP server that I'm not understanding and could use some help with. I run almost an identical command just prior to it to list the root mailboxes and have no problem, but then as I begin to iterate over those mailboxes and try to list their child mailboxes, I get the error. The odd thing is that even though the first returned line from the IMAP server is the BAD... response, it still fulfills the rest of the query as if nothing was wrong?!?!

To start off, you'll need to know the namespace details of the server in question...

NAMESPACE

Array
(
    [0] => * NAMESPACE (("" ".")) NIL NIL
)

This server uses an empty root namespace, and a period (.) for the mailbox delimiter.

Here's the command I'm using for the root list...

LIST "" "%" RETURN (SUBSCRIBED CHILDREN SPECIAL-USE STATUS (MESSAGES UNSEEN)) 

For which I get the expected response...

Array
(
    [0] => * LIST (\Subscribed \HasChildren) "." Archives
    [1] => * STATUS Archives (MESSAGES 0 UNSEEN 0)
    ...
)

I should mention that all of the RETURN meta capabilities were established from an earlier CAPABILITIES request.

So based on the results, I begin to iterate over them to get the child mailboxes, with the first one being Archives. The syntax I'm using is based almost identically to that outlined in the RFC 3501 #6.3.8 examples under LIST...

LIST "Archives." "%" RETURN (SUBSCRIBED CHILDREN SPECIAL-USE STATUS (MESSAGES UNSEEN)) 

I would expect it to list all of the child mailboxes relative to the Archives mailbox, which it does, however it first lists a BAD... response...

Array
(
    [0] => * BAD Error in IMAP command : Unknown command (0.000 + 0.000 secs).
    [1] => * LIST (\Subscribed \HasNoChildren) "." Archives.2017
    [2] => * STATUS Archives.2017 (MESSAGES 0 UNSEEN 0)
    [3] => * LIST (\Subscribed \HasNoChildren) "." Archives.2016
    [4] => * STATUS Archives.2016 (MESSAGES 192 UNSEEN 0)
    [5] => * LIST (\Subscribed \HasNoChildren) "." Archives.2019
    [6] => * STATUS Archives.2019 (MESSAGES 1 UNSEEN 0)
)

First, I don't understand what I've done wrong, and further, the BAD... error is not referencing a specific command like it should, so I really don't have anything to go on here. Second, if it's failing, then why is it still completing the rest of the request?

Could really use some help, thanks!

EDIT 1: I'm getting this same unexplained error from two different IMAP servers I'm testing against, and they're both exhibiting the same behaviour... returning the correct records, but not before including a BAD... error first. So it must be something in the syntax of my LIST... requests, but I feel like I'm using the same examples that the RFC defines, so I'm at a loss.

There is so much static around this it's hard to find an answer that actually applies, so my apologies if there is an answer for this, I just haven't been able to find it.

My situation is that I want to display errors from our application on the page when they happen... in our DEVELOPMENT environment.... I don't need to be told to only send them to the logs, it's a giant waste of time during dev and not near as formatted to have to read them out of the logs. We of course turn this off in production.

My errors ARE being logged, this is not the problem, the issue is, they are not being DISPLAYED before Apache redirects them with a 503 response code, most likely because of PHP/FPM dying with a fatal error that we didn't catch properly.

Prior to moving to PHP-FPM, any kind of error was displayed no problem, we have the standard settings in place in /etc/php.ini...

error_reporting = E_ALL
error_display_errors = On
display_startup_errors = On
log_errors = On

And my exception/error handler was working great, I could access my stack trace details, extra meta, etc., however now that I've got PHP-FPM enabled, Apache seems to be capturing the returning http 503 status, and is redirecting to the generic apache error message. I've tried using...

errordocument 503 /error.php?...

... but this loses state so I don't get all the details I would normally have gotten in the shutdown handler I normally use. I've added the following to the FPM pool definition...

php_admin_flag[display_errors] = On
php_admin_flag[log_errors] = On

... but they had no effect. php_info() is showing both master and local values are working as expected, so it's not a misconfiguration, or errant include file somewhere.

What am I doing wrong, how can I stop apache from forwarding to it's own error handler and just display the output of PHP-FPM, and by extension my own error handler?

Apache:  2.4.37-21
PHP/FPM: 7.3.5-5

I'm looking to add the HSTS header in Apache...

# HSTS / Header Strict Transport Security
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

... but I have a long list of vhosts for different but related sites/sub-sites. I'd rather not have to define it in every one of my vhost definitions, but I'm not aware of a way to include a setting in the main https.conf that ONLY applies to the 443 / https versions of those vhosts since it raises warnings in validators when you apply HSTS to a standard 80 / http site.

I've tried wrapping it in <IfModule mod_ssl.c>...</IfModule> tags but if I'm not mistaken, this is really just asking Is the SSL module loaded? I tried searching lots of different ways, but when you don't know the term your looking for, it's difficult to sort through all the static. Any suggestions? Thanks!

I'm attempting to track the total data being transmitted from a specific set of IP addresses (both IPv4 and IPv6) using nftables with a named counter on the rule. My goal is to be able to track this total over the course of a calendar month so I can bill against usage.

The related rules look like this:

add table stats
add counter stats os-traffic-4
add counter stats os-traffic-6
add chain inet stats INPUT { type filter hook input priority 0; }
add rule ip  stats INPUT ip  saddr 192.168.123.123 counter name os-traffic-4
add rule ip  stats INPUT ip  saddr 192.168.123.234 counter name os-traffic-4
add rule ip  stats INPUT ip  saddr 192.168.123.345 counter name os-traffic-4
add rule ip6 stats INPUT ip6 saddr 1234:1234:1234:1234:1234:1234:1234:1234 counter name os-traffic-6
add rule ip6 stats INPUT ip6 saddr 1234:1234:1234:1234:1234:1234:1234:2345 counter name os-traffic-6
add rule ip6 stats INPUT ip6 saddr 1234:1234:1234:1234:1234:1234:1234:3456 counter name os-traffic-6

I'm using stateful objects (named counters) to sum all of the traffic from the IPv4 and IPv6 addresses respectively, named os-traffic-4 and os-traffic-6. I can then use the command line to get those stats with nft list counter stats os-traffic-6.

My questions are:

1. Where are these stats stored, I don't see them in a log anywhere and can't find reference in any documentation?

2. Will these statistics persist past a reboot of the machine or will the counters reset?

3. If they do reset, how do I restore them at boot time? I believe it's possible to include the counter values when using add rule... packets 1234 bytes 123456 but how do I do it for a named counter and also... #1... where do I get these numbers from?

Thanks for any help!

I need to be able to track client data usage between their VM and an S3 compatible object storage bucket (accessed via https). I've installed ntopng community edition on the VM and right now it's dumping all it's data into a MySQL database.

I've noticed that the overhead of ntopng is not inconsequential, and these are not resource rich VM's, so I'd like to lessen it's memory/resource footprint if I can. I'm ONLY interested in the connection described above, so is there a way to apply a filter to only track connections from a certain origin rather than tracking ALL traffic?

I'm actually only interested in the INBOUND traffic as well, as uploads are not billable, so I've already set the --capture-direction=1 flag to only track RX traffic (from Bucket to VM).

I'm assuming that the web server component is either idle or disabled as I have not set any values for those params. Or do I need to specifically disable them somehow? Lastly, I've disabled all DNS features.

Here is my current configuration at /etc/ntopng/ntopng.conf...

# ntopng Configuration
--community
-G=/run/ntopng.pid
-e=
-i=eth0
-n=3
--capture-direction=1
-N=myhost.tld
-F=mysql;/run/mysqld/mysqld.sock;ntop;flows;user;pass

Alternatively, is there a better and/or lighter weight method of achieving what I need? My goal is simply at the end of the month to know that Acme Co's VM used n GB of data.

The /run/spamassassin directory is not being re-created at boot because there is no /usr/lib/tmpfiles.d/spamassassin file telling it to do so. If I manually create /run/spamassassin and start the service everything runs fine, but after reboot, same problem. The spamassassin.service is enabled, so I'm not sure what I'm supposed to do. I'm on version 3.4.2-6.el8.

It looks like it's supposed to be included with the package based on searches on the web, but I can't seem to find the file contents anywhere. When I run dnf repoquery -l spamassassin it's not listed as one of the files, so I'm not sure if it's generated after the fact.

Am I supposed to manually create this file; is that file supposed to be generated after install; or is it supposed to be installed as part of the package?

Appreciate any help!

CentOS 8 does not always come with Python pre-installed, and so Ansible will fail running on the remote machine until it's been installed. However in a classic Chicken/Egg, you can't use the Ansible dnf module to install Python.

I've been using:

- name: Install Python 3
  raw: dnf -y install python3

However the problem with this is that I either have to set changed_when: false or it will always return a changed state. I'd like the state reported properly if it's possible.

I found easy_install however this appears to only deal with Python Libraries, and not Python itself. Is there a built-in way to handle this or is raw: the only option?

I'm stuck on Dovecot 2.2.x because 2.3 package isn't available yet for CentOS 8.x, and I don't want to custom build in this use case. Further, I'm bootstrapping this machine in order to snapshot it and launch many from the image.

One important step in getting Dovecot running the first time is allowing it to generate its own DHParams file (specifying an existing one doesn't come until 2.3). This process takes a LONG time on a low resource machine, so my goal is to either generate them remotely on another more powerful machine, or symlink to one generated locally that uses a quicker method in openssl based on different primes.

As per the docs, the dh params file generated by Dovecot is located at:

/var/lib/dovecot/ssl-parameters.dat

The issue I'm facing is, any dh params I've generated before come in the PEM format, but the one generated internally by Dovecot is NOT in PEM format.... can anyone tell me what format it is, and if it's possible to create it using openssl?

I haven't found any reference to the DH params format in any dovecot documentation, maybe because it was changed in 2.3, there wasn't a big need to document it?

I have MySQL 8 with the mysqlx plugin enabled running on a standalone server that will never allow access to 3306 from outside the instance and have no worries about security within the instance.

I do not want the overhead of SSL connections for clients accessing either the standard or X interfaces.

I have disabled SSL in the my.cnf using the skip_ssl flag, however I'm now seeing in my logs a warning coming from the mysqlx plugin after a restart stating...

[Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'

I understand this is just a warning but is there no way to silence this message by specifically disabling SSL for the mysqlx plugin? Or some other way?

I have 2 sites/apps on a server; a proprietary app, and Nextcloud. Nextcloud will be using the files_external storage plugin which allows for local mounts, but I do NOT want it to be able to browse and view the source of the proprietary app... thus mod_selinux and sedomain children.

I'm using mod_selinux to create domain children, and I'm assigning a child id to each of the sites and labelling their respective app and data directories accordingly in their vhost definitions...

httpd.conf

selinuxServerDomain *:s0-s0:c0.c100

proprietary.vhost.conf

selinuxDomainVal *:s0:c10

nextcloud.vhost.conf

selinuxDomainVal *:s0:c20

The app directory, where the code is located has the following permissions and contexts applied...

drwxr-x---.  4 apache apache unconfined_u:object_r:httpd_sys_content_t:s0:c10 4096 Jan 17 17:02 proprietary_app_dir
drwxr-x---. 15 apache apache unconfined_u:object_r:httpd_sys_content_t:s0:c20 4096 Jan 20 08:09 nextcloud

The problem... Everything is running, but the problem is, I can still browse the proprietary app folder using nextcloud even though the proprietary app's directory has a domain context limited to s0:c10, and as far as the vhost is defined, Nextcloud should be running as s0:c20.

I know that SELinux is doing it's job because I can't view folders like /etc even though other users have read permissions on it, I can only view folders with contexts of httpd_sys_(rw_)content_t as it should be.

I would have expected that a child process of c20 should not be able to read a folder asking for c10. So the only thing I can think of is that the spawned children of httpd_t (via mod_selinux) are not using the selinuxDomainVal contexts that I've defined in the vhost files.

I'm not sure what I've done wrong, have I misconfigured this somehow, or have I forgotten a step? Would appreciate any help you can offer.

Extra info...

• CentOS8
• Apache 2.4.37
• PHP 7.3 (via remi)
• PHP-FPM
• mod_selinux (repackaged RPM from fedora 31)

I've got a server that will have several applications on it, one of which is proprietary code, and another with the ability to examine files on the server due to the nature of our needs. This will not do. I'm trying to achieve per-vhost privilege separation to prevent one from examining the other. There are several mitigating circumstances which have complicated this...

• CentOS8
• Must use SELinux
• Apache 2.4.37, PHP73, FCGI, PHP_FPM... using mpm_event
• No mod_permissions, mod_itk/mpm_itk, mod_selinux modules out of the box on CentOS8

Since SELinux must be enabled in our case, and it also offers the best granularity for achieving our purposes, I've started down that path. In order to get it installed (from a Fedora Core 31 src) I followed these steps...

1. dnf install httpd-devel selinux-policy-devel
2. wget https://download.fedoraproject.org/pub/fedora/linux/releases/31/Everything/source/tree/Packages/m/mod_selinux-2.4.4-14.fc31.src.rpm
3. rpmbuild --rebuild mod_selinux-2.4.4-14.fc31.src.rpm --define "_rpmdir /tmp"
4. dnf install /tmp/x86_64/mod_selinux-2.4.4-14.el8.x86_64.rpm

This all went well, no errors, and everything was installed where it was supposed to be.

I have consolidated our serverwide settings into a single httpd.conf file rather than using lots of different conf files in conf.d (this is mostly due to simplicity when working with ansible templates and seeing everything in one place). NB: This does NOT include each of our vhost conf files / declarations which are still separate and included individually.

The default declaration for the httpd contexts is...

selinuxServerDomain    *:s0

I have 4x vhosts that I wish to compartmentalize, and I want to leave room for future expansion, so I adjusted that declaration to the following and added it to my httpd.conf file...

selinuxServerDomain    *:s0-s0:c0.c50

I then added the following to each of my vhost declarations respectively...

selinuxDomainVal *:s0:c10
selinuxDomainVal *:s0:c20
selinuxDomainVal *:s0:c30
selinuxDomainVal *:s0:c40

Lastly, I changed the context of the document roots on each of the respective vhost sites as follows...

chcon -R -l s0:c10 /var/www/site1
chcon -R -l s0:c20 /var/www/site2
chcon -R -l s0:c30 /var/www/site3
chcon -R -l s0:c40 /var/www/site4

Prior to using the context-sites, I was already successfully running the websites using the standard httpd related contexts (unconfined_u:object_r:httpd_sys_content_t, system_u:object_r:httpd_sys_rw_content_t), so I left them as is.

So the problem is, using the original *:s0 context, systemctl start httpd works fine, though none of the vhosts are accessible for the obvious reason that none of the spawned handlers are using the correct context.

However, when I change the context declaration to *:s0-s0:c0.c50, systemctl start httpd fails. status shows the following...

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─php73-php-fpm.conf
   Active: failed (Result: exit-code) since Fri 2020-01-10 09:56:45 EST; 7s ago
     Docs: man:httpd.service(8)
  Process: 19362 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 19362 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."

Jan 10 09:56:45 myhost.tld systemd[1]: Stopped The Apache HTTP Server.
Jan 10 09:56:45 myhost.tld systemd[1]: Starting The Apache HTTP Server...
Jan 10 09:56:45 myhost.tld systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jan 10 09:56:45 myhost.tld systemd[1]: httpd.service: Failed with result 'exit-code'.
Jan 10 09:56:45 myhost.tld systemd[1]: Failed to start The Apache HTTP Server.

There is no helpful info there I can see. Similarly journalctl -xe shows the same message lines, no additional help. The only thing I could find was in the error.log...

[Fri Jan 10 09:56:45.245476 2020] [core:notice] [pid 19362:tid 139989213628672] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Jan 10 09:56:45.253134 2020] [:error] [pid 19362:tid 139989213628672] (13)Permission denied: SELinux: setcon_raw("system_u:system_r:httpd_t:s0-s0:c0.c50") failed
AH00016: Configuration Failed

But due to my relative infancy when dealing with SEL policies, I'm not exactly sure what it's telling me. Can someone help shed some light on what I'm doing wrong here?

I've tried moving the context declaration up and down in the conf file just in case it was trying to set before another dependency but no change. I tried changing the context users from system_u to unconfined_u in the directory contexts and back again, no change. Not sure what else to try.

Thanks in advance for any help you can offer!

EDIT:

I've been able to get a little more specific info on the AVC Denial from the audit.log...

type=AVC msg=audit(1578928482.042:458750): avc:  denied  { setcurrent } for  pid=11335 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1578928482.042:458750): arch=c000003e syscall=1 success=no exit=-13 a0=d a1=55e37564e5c0 a2=29 a3=0 items=0 ppid=1 pid=11335 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1578928482.042:458750): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SERVICE_START msg=audit(1578928482.054:458751): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'^]UID="root" AUID="unset"

Does that help at all?

We have a vhost conf file which is a catch-all in a multi-tenant scenario, however there's a requirement for one of our clients to have a specific alias declaration which is currently defined like so...

Alias /special "/srv/application/public/example/special"

Currently this means that EVERY single client / domain in the system would be caught and forced to serve /special/ which is obviously a problem.

How can I limit the scope of this Alias declaration so that it is only applied when the requested domain matches example.com or www.example.com?

FYI, we're moving from Apache 2.2 to 2.4 shortly, if there are any differences in the particular case, please point them out. Thanks!

EDIT I should point out we're limited in this instance by middle ware and must keep everything in a single vhost declaration.

We're a multi-tenant service and terminate our SSL at our load balancers (HAProxy + Apache for SSL termination), this has caused growing pains due to dedicated IP requirements. But times have changed and we're considering moving to SNI so I was hoping for educated opinions for 2015 about adopting it as our standard.

I'm going to outline our assumptions:

• SSL is dead (long live TLS) due to the POODLE attack,
• TLS has SNI built in
• IE6 / Windows XP ( < sp3) are dead for many reasons, not the least of which is XP going EOL
• We've terminated support for IE7 and essentially IE8 at this point

Am I correct in assuming that SNI is essentially globally supported now?

... and ...

Are there scenarios that I should consider beyond this that would affect support?

... and finally ...

Now that HAProxy 1.5 supports SSL Termination directly, are there any caveats in your experience directly relating to SNI that will affect our ability to roll out this service?

We're migrating our deployment from regular EC2 into a VPC, we have two load balancers in the public cloud that we have a number of domain "A" records pointed at, however I didn't realize that a public Elastic IP could not be attached to a VPC instance, you must use VPC based Elastic IP's.

So you're aware, our LB's are HAProxy based instances, NOT Elastic Load Balancers. So we've got Apache to work with here if that helps answer my question or offers an alternative.

Because not all of the domains in question pointing at the public LB's are under my control, it's very difficult to schedule the change to DNS with everyone, lets call it impossible.

So my question is, is it possible that I can redirect calls to our public LB's to their replacements in the VPC? This would have to be transparent while we go through our clients and have them update their DNS.

Any suggestions would be greatly appreciated!

EDIT: To expand just a little, it would be a benefit if I could do this simply using EC2 features so I don't have to keep the two public LB instances running. Failing that, I need to know specifically how to accomplish the "redirect", is it done in DNS, or is it done somewhere else?

EDIT 2: Nobody was able to offer any insights into an Amazon specific resolution that didn't require the LB instances to remain up, so I've outlined what we did with HAProxy in the selected answer below.