Difference between revisions of "ApacheRecipes"
(Initial apache recipes page) |
|||
Line 15: | Line 15: | ||
= Allow Apache to connect to your database server = | = Allow Apache to connect to your database server = | ||
+ | |||
+ | To allow Apache to connect to a MySQL or PostgreSQL server enable the httpd_can_network_connect_db boolean. | ||
+ | |||
+ | [root@localhost ~]# semanage boolean -m --on httpd_can_network_connect_db | ||
+ | [root@localhost ~]# | ||
= Allow Apache to run CGI scripts = | = Allow Apache to run CGI scripts = | ||
+ | |||
+ | Normally we don't want Apache executing scripts but some users need Apache to execute CGI scripts. To do this first enable the httpd_enable_cgi boolean. | ||
+ | |||
+ | [root@localhost ~]# semanage boolean -m --on httpd_enable_cgi | ||
+ | [root@localhost ~]# | ||
+ | |||
+ | If your CGI scripts are in the cgi-bin directory of your web root you are done. If not you'll need to label those files as httpd_sys_script_exec_t. | ||
+ | |||
+ | [root@localhost ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi | ||
+ | [root@localhost ~]# restorecon /var/www/html/path/to/my/cgi | ||
= Allow Apache to send mail = | = Allow Apache to send mail = | ||
+ | |||
+ | To allow Apache to send mail enable the httpd_can_sendmail boolean. | ||
+ | |||
+ | [root@localhost ~]# semanage boolean -m --on httpd_can_sendmail | ||
+ | [root@localhost ~]# | ||
= Using an NFS or CIFS home directory = | = Using an NFS or CIFS home directory = | ||
+ | |||
+ | For home directories on NFS enable the httpd_use_nfs boolean. | ||
+ | |||
+ | [root@localhost ~]# semanage boolean -m --on httpd_use_nfs | ||
+ | [root@localhost ~]# | ||
+ | |||
+ | For home directories on CIFS enable the httpd_use_cifs boolean. | ||
+ | |||
+ | [root@localhost ~]# semanage boolean -m --on httpd_use_cifs | ||
+ | [root@localhost ~]# |
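Review bot: In the CGI recipe, the rule added by `semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi` matches only that exact path, and `restorecon` is run without `-R`. If the path is a directory, the scripts inside it stay unlabeled, although the text says to "label those files". Suggest saying whether the path is a single file or a directory, and for a directory using a pattern such as `/var/www/html/path/to/my/cgi(/.*)?` together with `restorecon -R`. The boolean recipes would also benefit from a verification step after each change, in the way the public_html recipe shows `ls -Z` before and after.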
Revision as of 15:36, 29 September 2009
Apache is a very configurable service and therefore there are many ways to confine it. Here are some recipes to get you going in common configurations.
Labeling public_html correctly
The public_html directory in your home directory already has correct labeling rules; however, if you create it yourself, it may not be labeled correctly. Additionally, if you move files from your home directory, they may not be labeled correctly. To relabel your public_html directory, run restorecon:
[method@localhost ~]$ ls -Z
drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html
[method@localhost ~]$ restorecon -R public_html
[method@localhost ~]$ ls -Z
drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html
As you can see above, the directory was relabeled from user_home_t to httpd_user_content_t. The public_html directory should now be accessible by Apache.
Allow Apache to connect to your database server
To allow Apache to connect to a MySQL or PostgreSQL server, enable the httpd_can_network_connect_db boolean.
[root@localhost ~]# semanage boolean -m --on httpd_can_network_connect_db
[root@localhost ~]#
Allow Apache to run CGI scripts
Normally we don't want Apache executing scripts, but some users need Apache to execute CGI scripts. To do this, first enable the httpd_enable_cgi boolean.
[root@localhost ~]# semanage boolean -m --on httpd_enable_cgi
[root@localhost ~]#
If your CGI scripts are in the cgi-bin directory of your web root, you are done. If not, you'll need to label those files as httpd_sys_script_exec_t.
[root@localhost ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi
[root@localhost ~]# restorecon /var/www/html/path/to/my/cgi
Allow Apache to send mail
To allow Apache to send mail, enable the httpd_can_sendmail boolean.
[root@localhost ~]# semanage boolean -m --on httpd_can_sendmail
[root@localhost ~]#
Using an NFS or CIFS home directory
For home directories on NFS, enable the httpd_use_nfs boolean.
[root@localhost ~]# semanage boolean -m --on httpd_use_nfs
[root@localhost ~]#
For home directories on CIFS, enable the httpd_use_cifs boolean.
[root@localhost ~]# semanage boolean -m --on httpd_use_cifs
[root@localhost ~]#
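Each boolean in these recipes widens what the confined Apache domain may do, so it is worth reviewing which ones are actually on. The script below is an added example, not part of the original wiki page: it filters `getsebool -a` style output for the booleans named above. The sample input is constructed, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: report which SELinux booleans from the recipes are on.

# Booleans enabled by the recipes on this page.
RECIPE_BOOLEANS="httpd_can_network_connect_db httpd_enable_cgi httpd_can_sendmail httpd_use_nfs httpd_use_cifs"

# Constructed sample in the "name --> state" format printed by `getsebool -a`.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
samba_enable_home_dirs --> on'

# Reads getsebool-style lines on stdin; prints each recipe boolean that is on.
enabled_recipe_booleans() {
    while read -r name arrow state; do
        # Skip anything that is not a well-formed "name --> on" line.
        if [ "$arrow" != "-->" ] || [ "$state" != "on" ]; then
            continue
        fi
        # Exact-name match, so httpd_can_network_connect is not confused
        # with httpd_can_network_connect_db.
        for wanted in $RECIPE_BOOLEANS; do
            if [ "$name" = "$wanted" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# Prints the command that switches a boolean back off persistently,
# using the same semanage form as the recipes.
disable_command() {
    printf 'semanage boolean -m --off %s\n' "$1"
}

# Use live data when getsebool is available, otherwise the constructed sample.
if command -v getsebool >/dev/null 2>&1; then
    getsebool -a 2>/dev/null | enabled_recipe_booleans
else
    printf '%s\n' "$SAMPLE_GETSEBOOL" | enabled_recipe_booleans
fi
```

Any boolean it lists that no longer corresponds to a deployed feature can be switched off with the command printed by `disable_command`.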