skip to main | skip to sidebar

Linux Tutorial for Beginners

Pages

  • Home
 
  • RSS
  • Twitter
Showing posts with label SELinux. Show all posts
Showing posts with label SELinux. Show all posts
Tuesday, March 6, 2012

Apache and SELinux File Labels

Posted by Raju Gupta at 2:39 AM – 8 comments
 

Take a look at the SELinux settings associated with Apache. To review, SELinux settings, as they relate to a service, mostly fall into two categories: boolean settings and file labels. Start with the file labels.

Apache and SELinux File Labels

The default file labels for Apache configuration files are consistent, as shown in the output to the ls -Z /etc/httpd and ls -Z /var/www commands. Individual files use the same contexts as their directory. For web sites where scripts read and or append data to web forms, you’d consider the last two contexts, which support read/write (rw) and read/append (ra) access.

Create a Special Web Directory
In many cases, you’ll create dedicated directories for each virtual web site. It’s better to segregate the files for each web site in its own directory tree. But with SELinux, you can’t just create a special web directory. You’ll want to make sure that new directory at least matches the SELinux contexts of the default /var/www directory. Run the ls -Z /var/www command. Note the SELinux contexts. For most directories, the user context is system_u and the type is http_sys_content_t. For a newly created /www directory, you could just change the SELinux contexts with the following commands. The -R applies the changes recursively, so the new contexts are applied to files and subdirectories.

# chcon -R -u system_u /www/
# chcon -R -t httpd_sys_content_t /www/

Of course, if scripts are required for the associated web site, you’ll want to run the following command to make sure the SELinux changes survive a relabel:

# semanage fcontext -a -s system_u -t httpd_sys_content_t /www/

This command creates a file_contexts.local file in the /etc/selinux/targeted/ contexts/files directory. If there’s also a cgi-bin/ subdirectory, you’ll want to set up appropriate contexts for that subdirectory as well with the following command:

# semanage fcontext -a -s system_u -t httpd_sys_script_exec_t  /www/cgi-bin/

The differences in the file contexts are shown in Table

Directory
SELinux Context Type
/etc/httpd, /etc/httpd/conf, /etc/httpd/conf.d, /var/run/httpd
httpd_config_t
/usr/lib64/httpd/modules
httpd_modules_t
/var/log/httpd
httpd_log_t
/var/www, /var/www/error, /var/www/html, /var/www/icons,
/var/www/manual, /var/www/usage
httpd_sys_content_t
/var/www/cgi-bin
httpd_sys_script_exec_t
n/a
httpd_sys_content_rw_t
n/a
httpd_sys_content_ra_t


[ Read More ]
Read more...
Older Posts
Subscribe to: Posts (Atom)

Our Blogs

  • Java Programs with Output
  • C Programming Tutorial
  • Language Tutorial
  • Android Development Tutorial
  • Web Development Tutorial
  • Popular
  • Recent
  • Archives

Popular Posts

  • Apache Configuration File Security Option
    you’ll examine the security options available in the main Apache configuration file, httpd.conf. That file can be modified to secure the e...
  • AWS VPC Overview
    What is VPC ? A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other vir...
  • Advantages & Disadvantages of Kerberos
    Advantages of Kerberos Most conventional network services use password-based authentication schemes. Such schemes require a user to au...
  • SSH login without password
    The following steps can be used to ssh from one system to another without specifying a password: 1. On the client run the following com...
  • Apache Installation and Configuration through source code
    In this example we extract the source code to a directory under /usr/local/src/ cp httpd-2.0.46.tar.gz /usr/local/src cd /usr/local/src...
  • How to automatically chroot jail selected ssh user logins
    1. Creating basic chroot environment First we need to create a simple chroot environment. Our chroot environment will consist of a bash she...
  • How to Create the Kerberos database
    Create the database with the following command.  [root@coma ~] kdb5_util create -s This will prompt you for a password. You will ...
  • Kerberos and PAM
    Kerberos-aware services do not currently make use of Pluggable Authentication Modules (PAM) — these services bypass PAM completely. However...
  • Apache and SELinux File Labels
    Take a look at the SELinux settings associated with Apache. To review, SELinux settings, as they relate to a service, mostly fall into tw...
  • History of MINIX 3
    MINIX has a long history. It goes back to 1987 when the first edition of the book Operating Systems: Design and Implementation by Andrew S...
Powered by Blogger.

Archives

  • ▼  2014 (1)
    • ▼  May (1)
      • AWS VPC Overview
  • ►  2013 (4)
    • ►  February (4)
  • ►  2012 (89)
    • ►  November (1)
    • ►  March (4)
    • ►  February (36)
    • ►  January (48)
 

Followers

Labels

  • Apache (8)
  • aws (1)
  • Bridge (1)
  • cloud computing (1)
  • Configuration (1)
  • dhcp server (7)
  • DNS (8)
  • File system (11)
  • Fping (1)
  • Iptable basic (3)
  • KDC slave server (1)
  • Kerberos (14)
  • kerberos configuration (5)
  • kerberos database (1)
  • LaTeX (1)
  • Ldap basic (2)
  • Linux aliases (1)
  • Linux Commands (4)
  • Linux History (2)
  • Linux Installation (3)
  • Linux kernel (3)
  • Linux shell (2)
  • Linux software (2)
  • Lvm (1)
  • Mail Server (3)
  • Network Script (1)
  • PHP (1)
  • Raid (6)
  • SELinux (1)
  • Sendmail (3)
  • ssh (2)
  • Tcpdump example (1)
  • Virtualization (5)
  • Webmin (1)
  • Yum (2)
 
 
© 2011 Linux Tutorial for Beginners | Designs by Web2feel & Fab Themes

Bloggerized by DheTemplate.com - Main Blogger