ApacheRecipes

From SELinux Wiki

(Difference between revisions)
Jump to: navigation, search
Revision as of 15:15, 29 September 2009 (edit)
JoshuaBrindle (Talk | contribs)
(Initial apache recipes page)
← Previous diff
Current revision (18:28, 31 August 2010) (edit) (undo)
Jaxelson (Talk | contribs)
(added category)
 
(2 intermediate revisions not shown.)
Line 1: Line 1:
-Apache is a very configurable service and therefore there are many ways to confine it. Here are some recipes to get you going in common configurations.+The Apache HTTP Server is very configurable; therefore, there are many ways to confine it. This page contains recipes to get started with common configurations.
-= Labeling public_html correctly =+= Labeling the public_html directory correctly =
-The public_html directory in your user home directory already has correct labeling rules, however if you create it, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. To relabel your public_html directory run restorecon:+The public_html directory in your user home directory already has the correct labeling rules in the system file contexts. This directory may or may not exist by default. If you create this directory, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. Use the restorecon command to relabel your public_html directory:
- [method@localhost ~]$ ls -Z + $ ls -Z
drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html
- [method@localhost ~]$ restorecon -R public_html+ $ restorecon -R public_html
- [method@localhost ~]$ ls -Z + $ ls -Z
drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html
-As you can see above, the directory was relabeled from user_home_t to httpd_user_content_t. The public_html directory should now be accessible by Apache.+As shown above, the public_html directory was relabeled from user_home_t to httpd_user_content_t. This directory should now be accessible to the Apache HTTP Server.
-= Allow Apache to connect to your database server =+= Allow the Apache HTTP Server to connect to your database server =
-= Allow Apache to run CGI scripts =+To allow the Apache HTTP Server to connect to a database server, such as MySQL or PostgreSQL, enable the httpd_can_network_connect_db boolean:
-= Allow Apache to send mail =+ # semanage boolean -m --on httpd_can_network_connect_db
 + 
 += Allow the Apache HTTP Server to run CGI scripts =
 + 
 +Allowing the Apache HTTP Server to execute scripts can be a security risk. Some users require the Apache HTTP Server to execute CGI scripts. To allow this, first enable the httpd_enable_cgi boolean:
 + 
 + # semanage boolean -m --on httpd_enable_cgi
 + 
 +If your CGI scripts are in the cgi-bin directory of your web root, no more steps are required. If they are not, you need to label the scripts with httpd_sys_script_exec_t:
 + 
 + # semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi
 + # restorecon /var/www/html/path/to/my/cgi
 + 
 += Allow the Apache HTTP Server to send mail =
 + 
 +To allow the Apache HTTP Server to send mail, enable the httpd_can_sendmail boolean:
 + 
 + # semanage boolean -m --on httpd_can_sendmail
= Using an NFS or CIFS home directory = = Using an NFS or CIFS home directory =
 +
 +For home directories on NFS, enable the httpd_use_nfs boolean:
 +
 + # semanage boolean -m --on httpd_use_nfs
 +
 +For home directories on CIFS, enable the httpd_use_cifs boolean:
 +
 + # semanage boolean -m --on httpd_use_cifs
 +
 +[[Category:Recipes]]

Current revision

The Apache HTTP Server is very configurable; therefore, there are many ways to confine it. This page contains recipes to get started with common configurations.

Contents

[edit] Labeling the public_html directory correctly

The public_html directory in your user home directory already has the correct labeling rules in the system file contexts. This directory may or may not exist by default. If you create this directory, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. Use the restorecon command to relabel your public_html directory:

$ ls -Z 
drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html

$ restorecon -R public_html
$ ls -Z 
drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html

As shown above, the public_html directory was relabeled from user_home_t to httpd_user_content_t. This directory should now be accessible to the Apache HTTP Server.

[edit] Allow the Apache HTTP Server to connect to your database server

To allow the Apache HTTP Server to connect to a database server, such as MySQL or PostgreSQL, enable the httpd_can_network_connect_db boolean:

# semanage boolean -m --on httpd_can_network_connect_db

[edit] Allow the Apache HTTP Server to run CGI scripts

Allowing the Apache HTTP Server to execute scripts can be a security risk. Some users require the Apache HTTP Server to execute CGI scripts. To allow this, first enable the httpd_enable_cgi boolean:

# semanage boolean -m --on httpd_enable_cgi

If your CGI scripts are in the cgi-bin directory of your web root, no more steps are required. If they are not, you need to label the scripts with httpd_sys_script_exec_t:

# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi   
# restorecon /var/www/html/path/to/my/cgi

[edit] Allow the Apache HTTP Server to send mail

To allow the Apache HTTP Server to send mail, enable the httpd_can_sendmail boolean:

# semanage boolean -m --on httpd_can_sendmail

[edit] Using an NFS or CIFS home directory

For home directories on NFS, enable the httpd_use_nfs boolean:

# semanage boolean -m --on httpd_use_nfs

For home directories on CIFS, enable the httpd_use_cifs boolean:

# semanage boolean -m --on httpd_use_cifs
Personal tools