Fedora Server optimizations and recommendations

Hello,

I am using headless Fedora Server Edition since version 26.
Now I am on 33 and I am very satisfied to run Fedora as home server.

The server is used for the following services:

  • Nextcloud (latest version, official packages from Nextcloud) and OnlyOffice with Apache, MySQL, PHP-FPM, Redis, fail2ban
  • TV streaming via tvheadend
  • Local Samba server
  • As part of a little render farm with virtual Windows 10 via qemu-kvm, virtio for GPU passthrough
  • and last but not least as media server for individual Kodi clients at home

I connect to the server via Cockpit and ssh using 2FA Google-Authenticator.
The biggest challenge is SELinux. The guides on Google are not detailed enough, and there are a lot of bug reports on GitHub.
I needed to issue the following to run Cockpit, ssh and OnlyOffice smoothly:

semanage permissive -a httpd_t
semanage permissive -a cockpit_session_t
semanage permissive -a sshd_t

I know the right way is to create rules but that’s something I do not know, because I do not understand how to use audit2allow.

Isn’t it possible to create an overview specific to Fedora (maybe also CentOS) where users collect their solutions to fix SELinux permissions for upcoming Nextcloud versions and its content?
I would also like an overview of general Fedora Server hardening and optimization. Most guides on Google are based on Ubuntu and its derivatives.

Last but not least: what about GPU passthrough using Cockpit? I came across some tutorials, but they all use a GUI and virt-manager. How is it done in Cockpit without a GUI?

Best regards,
Woti

4 Likes
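The three `semanage permissive -a` calls above switch whole domains off enforcement, so httpd_t, cockpit_session_t and sshd_t are then only logged, never blocked. As an added example (not part of the original post, and not Fedora's own tooling), the following POSIX sh script shows the audit2allow workflow that replaces those calls with a reviewed local policy module, plus a small helper that reads an AVC denial the way audit2allow does so the review step has something concrete to look at. The AVC line, the module name `local_nextcloud` and every pid, port and timestamp in it are constructed; `httpd_can_network_connect` is a real boolean that happens to cover the sample case.

```shell
#!/bin/sh
# Added example (not from the original post): the targeted alternative to
# `semanage permissive -a httpd_t`. Instead of exempting a whole domain from
# enforcement, collect the actual denials, turn them into a small policy
# module, review it, and load only that.
#
# On a Fedora host the procedure is (tools come from the audit and
# policycoreutils-python-utils packages; run as root):
#
#   ausearch -m AVC -ts recent --raw > /tmp/avc.raw   # 1. collect recent denials
#   audit2allow -M local_nextcloud < /tmp/avc.raw     # 2. build local_nextcloud.te + .pp
#   cat local_nextcloud.te                            # 3. REVIEW the generated rules
#   semodule -i local_nextcloud.pp                    # 4. load the reviewed module
#   semanage permissive -d httpd_t                    # 5. put the domain back in enforcing
#
# The functions below run offline on a constructed denial line; they do not
# call the SELinux tools themselves.

# Constructed sample AVC record in the shape `ausearch --raw` emits.
# The pid, destination port and timestamp are made up.
SAMPLE_AVC='type=AVC msg=audit(1612345678.123:456): avc:  denied  { name_connect } for  pid=1234 comm="php-fpm" dest=9980 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# summarize_avc: read raw AVC lines on stdin and print one line per denial as
# "SOURCE_DOMAIN -> TARGET_TYPE : CLASS { PERMISSIONS }". That tuple is exactly
# what audit2allow turns into an allow rule, so it is what you should
# sanity-check in the .te file before loading anything.
summarize_avc() {
  while IFS= read -r line; do
    case "$line" in *avc:*denied*) ;; *) continue ;; esac
    # permissions inside the braces, trimmed
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied[^{]*{\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//')
    # third field of user:role:type:level is the type/domain
    src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s -> %s : %s { %s }\n' "$src" "$tgt" "$cls" "$perms"
  done
}

# boolean_hint: before writing a custom module, check whether a boolean that
# ships with the policy already covers the denial. Only the case seen in the
# sample is encoded here: an httpd domain connecting out over TCP is governed
# by httpd_can_network_connect. Prints nothing when no hint applies.
boolean_hint() {
  # $1 = source domain, $2 = object class, $3 = permissions
  case "$1:$2:$3" in
    httpd_t:tcp_socket:*name_connect*)
      echo "check: getsebool httpd_can_network_connect (setsebool -P to change); a module may be unnecessary" ;;
    *) ;;
  esac
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
boolean_hint httpd_t tcp_socket name_connect
```

Step 5 is the one that is easy to forget: a permissive domain stays permissive across reboots until it is removed again with `semanage permissive -d`. When reviewing the generated `.te`, reject rules that grant write or execute access to types the service has no business touching and prefer a boolean where one exists; `semodule -r local_nextcloud` unloads a module you no longer want.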

No response at all? Unbelievable :smirk:

@woti sorry that you haven’t had any responses. I actually decided to watch your post because I would also like good documentation on SELinux.

It looks like you saw my post looking for resources:
https://discussion.fedoraproject.org/t/documentation-suggestions-for-podman-selinux-cockpit/77494

Did any of those help you out? I haven’t had time to read all of the links, but I’m guessing that the SELinux resources referenced on RedHat will probably give you the best information.

I know when my son was setting up Syncthing to work on Fedora 32 Server he ran into SELinux issues. He said most of them could be solved by following the advice of the error messages that SELinux gave, but I didn’t do any of that setup or troubleshooting, so I don’t think I can give a good answer to the question you put here.

Honestly, I’ve been dipping my little toe into homelab and haven’t exposed anything to the Internet yet. I’ve been following tutorials on setting things up on RaspberryOS and Debian because those have been easier for me to follow. So while we are still running Fedora 32 Server for our Syncthing server and our OpenVPN server (my son manages that), I’m running my personal static sites and a CRM on Debian and RaspberryOS staying away from SELinux and focusing on locking down SSH and using ufm for my firewall on those machines.

Hopefully, now with a few posts to this thread and the boost you will get someone who has more expertise in SELinux to answer your specific question. Thanks for posting, I appreciate the homelab questions on Fedora.

@woti

Hi, I don’t have that much experience with SELinux, however maybe you’ll find this guide useful:

As for Cockpit, I only tested it once, and since it doesn’t suit my administration needs and habits, I didn’t use it. At the end of the day it adds just another layer where attacks might be possible, imho. It can be used as a remote administration tool over a website. So if you want to use Cockpit, you don’t need a GUI on the server running it. You would access it from another computer by opening a URL in a browser.

Regarding hardening there are some principles:

  • Every additional software adds possible attack vectors.
  • Use a Firewall and allow only ports you need.
  • Use strong passwords, don’t save them unencrypted. You can use a password manager.
  • Don’t use the root account for everything. Use sudo if possible.
  • Set some kernel parameters.
  • Use ssh and restrict access. Use fail2ban and so on.
    …

Giving hardening suggestions is not so easy.

You may want to follow guides like this:

Or better this:

There is loads of documentation:

Basically security starts with your router. Close IPs, Ports, UPNP…
Then you need to have hardware that can be trusted.
Also it is a good idea to use different networks separated by multiple routers and dedicated servers for certain services.
Sometimes it’s suggested to set BIOS/UEFI passwords and try to restrict the Intel Management Engine.

There is no one-answer-fits-all-scenarios.
You have to harden the base system and every single service your server provides.

You don’t need to use and follow every security suggestion.
There are so many and most are very hard to master.
You always need to ask yourself, is it worth the effort? Does it satisfy the expense?
Do you really need to open your server to the world wide web?
Can you live with having your cloud only at home?
Maybe using a VPN, SSH tunneling, port forwarding, WireGuard…?

3 Likes

Hello again. The time is flying fast :slight_smile: Thanks for your answers. I read some parts of your links. Interesting stuff. Some things with SELinux I could fix but not everything. But I just need to keep on trying. :slight_smile: