ApacheRecipes - Revision history

Jaxelson: added category

2010-08-31T18:28:52Z

added category

←Older revision		Revision as of 18:28, 31 August 2010
Line 46:		Line 46:

	# semanage boolean -m --on httpd_use_cifs		# semanage boolean -m --on httpd_use_cifs
		+
		+	[[Category:Recipes]]

MurrayMcAllister: text review

2009-11-25T10:35:48Z

text review

←Older revision		Revision as of 10:35, 25 November 2009
Line 1:		Line 1:
-	Apache is a very configurable ~~service and~~ therefore there are many ways to confine it. ~~Here are some~~ recipes to get ~~you going in~~ common configurations.	+	The Apache HTTP Server is very configurable; therefore, there are many ways to confine it. This page contains recipes to get started with common configurations.

-	= Labeling public_html correctly =	+	= Labeling the public_html directory correctly =

-	The public_html directory in your user home directory already has correct labeling rules~~, however if~~ you create it, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. To relabel your public_html directory ~~run restorecon~~:	+	The public_html directory in your user home directory already has the correct labeling rules in the system file contexts. This directory may or may not exist by default. If you create this directory, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. Use the restorecon command to relabel your public_html directory:

-	~~[method@localhost ~]~~$ ls -Z	+	$ ls -Z
	drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html		drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html

-	~~[method@localhost ~]~~$ restorecon -R public_html	+	$ restorecon -R public_html
-	~~[method@localhost ~]~~$ ls -Z	+	$ ls -Z
	drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html		drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html

-	As ~~you can see~~ above, the directory was relabeled from user_home_t to httpd_user_content_t. ~~The public_html~~ directory should now be accessible by Apache.	+	As shown above, the public_html directory was relabeled from user_home_t to httpd_user_content_t. This directory should now be accessible to the Apache HTTP Server.

-	= Allow Apache to connect to your database server =	+	= Allow the Apache HTTP Server to connect to your database server =

-	To allow Apache to connect to a MySQL or PostgreSQL ~~server~~ enable the httpd_can_network_connect_db boolean.	+	To allow the Apache HTTP Server to connect to a database server, such as MySQL or PostgreSQL, enable the httpd_can_network_connect_db boolean:

-	~~[root@localhost ~]~~# semanage boolean -m --on httpd_can_network_connect_db	+	# semanage boolean -m --on httpd_can_network_connect_db
-	~~[root@localhost ~]#~~	+

-	= Allow Apache to run CGI scripts =	+	= Allow the Apache HTTP Server to run CGI scripts =

-	~~Normally we don't want~~ Apache ~~executing~~ scripts ~~but some~~ users ~~need~~ Apache to execute CGI scripts. To do this first enable the httpd_enable_cgi boolean.	+	Allowing the Apache HTTP Server to execute scripts can be a security risk. Some users require the Apache HTTP Server to execute CGI scripts. To allow this, first enable the httpd_enable_cgi boolean:

-	~~[root@localhost ~]~~# semanage boolean -m --on httpd_enable_cgi	+	# semanage boolean -m --on httpd_enable_cgi
-	~~[root@localhost ~]#~~	+

-	If your CGI scripts are in the cgi-bin directory of your web root ~~you~~ are ~~done~~. If not you~~'ll~~ need to label ~~those files as~~ httpd_sys_script_exec_t.	+	If your CGI scripts are in the cgi-bin directory of your web root, no more steps are required. If they are not, you need to label the scripts with httpd_sys_script_exec_t:

-	~~[root@localhost ~]~~# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi	+	# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi
-	~~[root@localhost ~]~~# restorecon /var/www/html/path/to/my/cgi	+	# restorecon /var/www/html/path/to/my/cgi

-	= Allow Apache to send mail =	+	= Allow the Apache HTTP Server to send mail =

-	To allow Apache to send mail enable the httpd_can_sendmail boolean.	+	To allow the Apache HTTP Server to send mail, enable the httpd_can_sendmail boolean:

-	~~[root@localhost ~]~~# semanage boolean -m --on httpd_can_sendmail	+	# semanage boolean -m --on httpd_can_sendmail
-	~~[root@localhost ~]#~~	+

	= Using an NFS or CIFS home directory =		= Using an NFS or CIFS home directory =

-	For home directories on NFS enable the httpd_use_nfs boolean.	+	For home directories on NFS, enable the httpd_use_nfs boolean:

-	~~[root@localhost ~]~~# semanage boolean -m --on httpd_use_nfs	+	# semanage boolean -m --on httpd_use_nfs
-	~~[root@localhost ~]#~~	+

-	For home directories on CIFS enable the httpd_use_cifs boolean.	+	For home directories on CIFS, enable the httpd_use_cifs boolean:

-	~~[root@localhost ~]~~# semanage boolean -m --on httpd_use_cifs	+	# semanage boolean -m --on httpd_use_cifs
-	~~[root@localhost ~]#~~	+

JoshuaBrindle at 15:36, 29 September 2009

2009-09-29T15:36:42Z

←Older revision		Revision as of 15:36, 29 September 2009
Line 15:		Line 15:

	= Allow Apache to connect to your database server =		= Allow Apache to connect to your database server =
		+
		+	To allow Apache to connect to a MySQL or PostgreSQL server enable the httpd_can_network_connect_db boolean.
		+
		+	[root@localhost ~]# semanage boolean -m --on httpd_can_network_connect_db
		+	[root@localhost ~]#

	= Allow Apache to run CGI scripts =		= Allow Apache to run CGI scripts =
		+
		+	Normally we don't want Apache executing scripts but some users need Apache to execute CGI scripts. To do this first enable the httpd_enable_cgi boolean.
		+
		+	[root@localhost ~]# semanage boolean -m --on httpd_enable_cgi
		+	[root@localhost ~]#
		+
		+	If your CGI scripts are in the cgi-bin directory of your web root you are done. If not you'll need to label those files as httpd_sys_script_exec_t.
		+
		+	[root@localhost ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi
		+	[root@localhost ~]# restorecon /var/www/html/path/to/my/cgi

	= Allow Apache to send mail =		= Allow Apache to send mail =
		+
		+	To allow Apache to send mail enable the httpd_can_sendmail boolean.
		+
		+	[root@localhost ~]# semanage boolean -m --on httpd_can_sendmail
		+	[root@localhost ~]#

	= Using an NFS or CIFS home directory =		= Using an NFS or CIFS home directory =
		+
		+	For home directories on NFS enable the httpd_use_nfs boolean.
		+
		+	[root@localhost ~]# semanage boolean -m --on httpd_use_nfs
		+	[root@localhost ~]#
		+
		+	For home directories on CIFS enable the httpd_use_cifs boolean.
		+
		+	[root@localhost ~]# semanage boolean -m --on httpd_use_cifs
		+	[root@localhost ~]#

JoshuaBrindle: Initial apache recipes page

2009-09-29T15:15:20Z

Initial apache recipes page

New page

Apache is a very configurable service and therefore there are many ways to confine it. Here are some recipes to get you going in common configurations.

= Labeling public_html correctly =

The public_html directory in your user home directory already has correct labeling rules, however if you create it, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. To relabel your public_html directory run restorecon:

[method@localhost ~]$ ls -Z
drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html

[method@localhost ~]$ restorecon -R public_html
[method@localhost ~]$ ls -Z
drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html

As you can see above, the directory was relabeled from user_home_t to httpd_user_content_t. The public_html directory should now be accessible by Apache.

= Allow Apache to connect to your database server =

= Allow Apache to run CGI scripts =

= Allow Apache to send mail =

= Using an NFS or CIFS home directory =