Take a look at the
SELinux settings associated with Apache. To review, SELinux settings, as they
relate to a service, mostly fall into two categories: boolean settings and file
labels. Start with the file labels.
Apache and SELinux
File Labels
The default file
labels for Apache configuration files are consistent, as shown in the output to the ls -Z /etc/httpd and ls -Z /var/www commands. Individual
files use the
same
contexts as their directory. For web sites where scripts read and or append data to web
forms, you’d consider the last two contexts, which support read/write (rw)
and read/append (ra) access.
Create a Special Web Directory
In many cases, you’ll create
dedicated directories for each virtual web site. It’s better to
segregate the files for each web site in its own directory tree. But with
SELinux, you can’t just create a special web
directory. You’ll want to make sure that new directory
at least matches the SELinux contexts of the default /var/www directory. Run
the ls -Z /var/www command. Note
the SELinux contexts. For most directories,
the user context is system_u and the type is http_sys_content_t. For a newly
created /www directory, you could just change the SELinux contexts with the following
commands. The -R applies the
changes recursively, so the new contexts are
applied to files and subdirectories.
# chcon -R -u system_u /www/
# chcon -R -t httpd_sys_content_t /www/
Of course, if scripts are required for the associated web
site, you’ll want to run the following command to make sure the SELinux changes
survive a relabel:
# semanage fcontext -a -s system_u -t
httpd_sys_content_t /www/
This command creates a
file_contexts.local file in the /etc/selinux/targeted/ contexts/files directory.
If there’s also a cgi-bin/ subdirectory, you’ll want to set up appropriate contexts
for that subdirectory as well with the following command:
# semanage fcontext -a -s system_u -t
httpd_sys_script_exec_t /www/cgi-bin/
The differences in the file contexts
are shown in
Table
|
Directory
|
SELinux Context
Type
|
|
/etc/httpd,
/etc/httpd/conf, /etc/httpd/conf.d, /var/run/httpd
|
httpd_config_t
|
|
/usr/lib64/httpd/modules
|
httpd_modules_t
|
|
/var/log/httpd
|
httpd_log_t
|
|
/var/www,
/var/www/error, /var/www/html, /var/www/icons,
/var/www/manual,
/var/www/usage
|
httpd_sys_content_t
|
|
/var/www/cgi-bin
|
httpd_sys_script_exec_t
|
|
n/a
|
httpd_sys_content_rw_t
|
|
n/a
|
httpd_sys_content_ra_t
|
Very good informative article. Thanks for sharing such nice article, keep on up dating such good articles.
NO.1 API DEVELOPMENT SERVICES | MASSIL TECHNOLOGIES
Last time, I introduced you to SELinux: what it is, what it can do, and really why you need it (or a system like it). It is especially important with reported (and fixed) security vulnerabilities on the rise, and each year brings more reports, and more updates for end-users to install. This data tells us that we are in greater need of proactive security measures now than we ever were before. And this is where software like SELinux fits in.
3V0-624 exam dumps for free
Excellent informative blog, keep for sharing.
Best System Integration services | Massil Technologies