Support for adding SELinux contexts on discourse-setup

Could discourse-setup add contexts for SELinux systems? It would vastly improve security for RHEL users (CentOS, Fedora, etc.).

2 Likes

Best way to get traction here is to make a proof of concept PR.

4 Likes

I can’t find any discourse-setup in the source repo root. Isn’t it a sh script?

Edit: Found it. I was looking at discourse/discourse instead of discourse/discourse-docker.

1 Like

@GalacticLion7

I understand many people require the enhanced security of SELinux and all that brings.

One of the main purposes and strong benefits of containerized architectures (like Docker) is that containerized applications can run on any underlying architecture as long as the container management system (in this Discourse case, Docker) is working.

My thoughts, for what it is worth, is that an application development team should not go down the rabbit-hole of supporting every requested OS distribution (non-standard) Docker install. That defeats one of the main purposes of running a containerized architecture.

More maintainable, in my view, is for sys admins to insure their Docker installation are working in a standard way, and if their Docker setup is not matching the “Discourse standard”, then they should add symbolic links to binaries, files and directories to match mainstream standard Docker configurations.

OS distributions can and do change at any time, and this includes the configuration for installed applications. If an application team (like Discourse, for example) begins expanding their setup files to adapt to various Docker configuration, then they will have to track each OS distribution for changes with each new OS distribution release.

For us, if we were going to run Discourse on SELinux (we run on Ubuntu, BTW), we would more-than-likely start by writing a script to create the required symbolic links for SELinux to match the required Docker files as installed and configured in the standard distribution supported by Discourse.

I did a quick check of a few VPS providers for you and thought I might do this (create the script for you) if I could get a SELinux distribution setup on a cheap VPS. Unfortunately, the VPS providers I use (Linode and Digital Ocean) do not offer SELinux so I abandoned the idea.

Do you know of any “cheap, reliable VPS” provider where I can set up SELinux quickly?

3 Likes

@neounix thank you for your response.

The same discourse-docker setup will work in SELinux systems without adding SELinux contexts to the Docker run parameters. Therefore, the philosophy of containerized architectures will still be conserved.

Adding SELinux contexts is just meant to be an optional optimization for the host OS, which many sysadmins will end up doing in large containerized setups (such as discourse-docker) anyways.

Also, please note that SELinux not a distribution. SELinux is a built-in component in RHEL distributions, most notably CentOS and Fedora. SELinux is a bit like AppArmor, which is included in Debian.

I agree that this would all result in a bit of extra maintaining, but not for “each different OS distribution.” SELinux is the same for all known RHEL distributions (CentOS, Fedora), so there are no distribution-specific SELinux contexts.

As with almost all providers, DigitalOcean do support CentOS and Fedora. I’d focus on working with CentOS since it’s the best for servers (a bit of bias, haha), though SELinux is the same between all RHEL distributions, as mentioned before.

As Discourse recommends Ubuntu surely you’re making a case for AppArmor support before any time is spent on SELinux?

1 Like

I knew someone would bring this up. I’m not too familiar with AppArmor, though, but it may or may not work the same way as SELinux.

Thanks. I recall that now. Thanks for pointing that out.

Security-Enhanced Linux ( SELinux ) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

Linux kernel security module

SELinux represents one of several possible approaches to the problem of restricting the actions that installed software can take. Another popular alternative is called AppArmor and is available on SUSE Linux Enterprise Server (SLES), openSUSE, and Debian-basedplatforms. AppArmor was developed as a component to the now-defunct Immunix Linux platform. Because AppArmor and SELinux differ radically from one another, they form distinct alternatives for software control. Whereas SELinux re-invents certain concepts to provide access to a more expressive set of policy choices, AppArmor was designed to be simple by extending the same administrative semantics used for DAC up to the mandatory access control level.

Honestly, I forgot SELinux was a module, not a distro. My mistake.

Maybe @GalacticLion7, if you need this level of access control have you considered SELinux on Ubuntu?

See, for example:

Seems you have a myriad of options @GalacticLion7 to choose from :slight_smile: Maybe pick one which is designed or works with Ubuntu (since Discourse “officially” supports Ubuntu), is as good idea, don’t you think?

1 Like

@neounix But like I said, it doesn’t matter which distribution. It’s just for systems that have SELinux, whether it’s built-in or manually installed.

1 Like

Then my suggestions is that you go with Ubuntu (officially supported by Discourse), install SELinux and do a proof-of-concept, and when it is working, consider submitting a PR and opening a discussion in dev about it.

How does that sound?

2 Likes