Linux Tutorial for Beginners

Tuesday, March 6, 2012

Apache and SELinux File Labels

Posted by Raju Gupta at 2:39 AM – 6 comments
 

Take a look at the SELinux settings associated with Apache. To review, SELinux settings, as they relate to a service, mostly fall into two categories: boolean settings and file labels. Start with the file labels.

Apache and SELinux File Labels

The default file labels for Apache configuration files are consistent, as shown in the output of the ls -Z /etc/httpd and ls -Z /var/www commands. Individual files use the same contexts as their directory. For web sites where scripts read and/or append data to web forms, you’d consider the last two contexts in the table below, which support read/write (rw) and read/append (ra) access.

Create a Special Web Directory
In many cases, you’ll create dedicated directories for each virtual web site. It’s better to segregate the files for each web site in its own directory tree. But with SELinux, you can’t just create a special web directory. You’ll want to make sure that the new directory at least matches the SELinux contexts of the default /var/www directory. Run the ls -Z /var/www command and note the SELinux contexts. For most directories, the user context is system_u and the type is httpd_sys_content_t. For a newly created /www directory, you could just change the SELinux contexts with the following commands. The -R switch applies the changes recursively, so the new contexts are applied to files and subdirectories.

# chcon -R -u system_u /www/
# chcon -R -t httpd_sys_content_t /www/

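Of course, if scripts are required for the associated web site, you’ll want to run the following command to make sure the SELinux changes survive a relabel. The path argument is a regular expression matched against the full path, so the (/.*)? suffix is what extends the rule to every file and subdirectory under /www:

# semanage fcontext -a -s system_u -t httpd_sys_content_t '/www(/.*)?'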

This command creates a file_contexts.local file in the /etc/selinux/targeted/contexts/files directory. If there’s also a cgi-bin/ subdirectory, you’ll want to set up appropriate contexts for that subdirectory as well with the following command:

# semanage fcontext -a -s system_u -t httpd_sys_script_exec_t '/www/cgi-bin(/.*)?'

The differences in the file contexts are shown in the following table.

| Directory | SELinux Context Type |
|---|---|
| /etc/httpd, /etc/httpd/conf, /etc/httpd/conf.d, /var/run/httpd | httpd_config_t |
| /usr/lib64/httpd/modules | httpd_modules_t |
| /var/log/httpd | httpd_log_t |
| /var/www, /var/www/error, /var/www/html, /var/www/icons, /var/www/manual, /var/www/usage | httpd_sys_content_t |
| /var/www/cgi-bin | httpd_sys_script_exec_t |
| n/a | httpd_sys_content_rw_t |
| n/a | httpd_sys_content_ra_t |
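
To confirm that a new tree carries the types described above, the following added example (not part of the original post) audits "context path" lines such as ls -dZ prints and reports every path whose type differs from the one the post assigns. The /www layout follows the post; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux types under the /www tree from the post.
# Input lines look like `ls -dZ` output: "user:role:type[:level] path".

# expected_type PATH -> the type the post assigns to that path
expected_type() {
    case "$1" in
        /www/cgi-bin|/www/cgi-bin/*) echo httpd_sys_script_exec_t ;;
        /www|/www/*)                 echo httpd_sys_content_t ;;
        *)                           echo "" ;;   # outside the web root
    esac
}

# audit_labels: read listing lines on stdin and print one
# "MISMATCH path have=<type> want=<type>" line per wrongly labelled path.
audit_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        # The type is the third colon-separated field of the context.
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)
        [ "$have" = "$want" ] ||
            printf 'MISMATCH %s have=%s want=%s\n' "$path" "$have" "$want"
    done
}

# Constructed sample listing: three paths carry the wrong type.
sample_listing() {
cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /www
system_u:object_r:httpd_sys_content_t:s0 /www/index.html
unconfined_u:object_r:user_home_t:s0 /www/upload.html
system_u:object_r:httpd_sys_content_t:s0 /www/cgi-bin
system_u:object_r:httpd_sys_content_t:s0 /www/cgi-bin/form.pl
system_u:object_r:httpd_sys_script_exec_t:s0 /www/cgi-bin/search.pl
EOF
}

sample_listing | audit_labels
```

On a live system, pipe the output of find /www -exec ls -dZ {} + into audit_labels instead of the sample listing.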


Labels: Apache, SELinux

