ApacheRecipes

From SELinux Wiki

(Difference between revisions)
Jump to: navigation, search
Revision as of 15:36, 29 September 2009 (edit)
JoshuaBrindle (Talk | contribs)

← Previous diff
Revision as of 10:35, 25 November 2009 (edit) (undo)
MurrayMcAllister (Talk | contribs)
(text review)
Next diff →
Line 1: Line 1:
-Apache is a very configurable service and therefore there are many ways to confine it. Here are some recipes to get you going in common configurations.+The Apache HTTP Server is very configurable; therefore, there are many ways to confine it. This page contains recipes to get started with common configurations.
-= Labeling public_html correctly =+= Labeling the public_html directory correctly =
-The public_html directory in your user home directory already has correct labeling rules, however if you create it, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. To relabel your public_html directory run restorecon:+The public_html directory in your user home directory already has the correct labeling rules in the system file contexts. This directory may or may not exist by default. If you create this directory, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. Use the restorecon command to relabel your public_html directory:
- [method@localhost ~]$ ls -Z + $ ls -Z
drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html
- [method@localhost ~]$ restorecon -R public_html+ $ restorecon -R public_html
- [method@localhost ~]$ ls -Z + $ ls -Z
drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html
-As you can see above, the directory was relabeled from user_home_t to httpd_user_content_t. The public_html directory should now be accessible by Apache.+As shown above, the public_html directory was relabeled from user_home_t to httpd_user_content_t. This directory should now be accessible to the Apache HTTP Server.
-= Allow Apache to connect to your database server =+= Allow the Apache HTTP Server to connect to your database server =
-To allow Apache to connect to a MySQL or PostgreSQL server enable the httpd_can_network_connect_db boolean.+To allow the Apache HTTP Server to connect to a database server, such as MySQL or PostgreSQL, enable the httpd_can_network_connect_db boolean:
- [root@localhost ~]# semanage boolean -m --on httpd_can_network_connect_db+ # semanage boolean -m --on httpd_can_network_connect_db
- [root@localhost ~]# +
-= Allow Apache to run CGI scripts =+= Allow the Apache HTTP Server to run CGI scripts =
-Normally we don't want Apache executing scripts but some users need Apache to execute CGI scripts. To do this first enable the httpd_enable_cgi boolean.+Allowing the Apache HTTP Server to execute scripts can be a security risk. Some users require the Apache HTTP Server to execute CGI scripts. To allow this, first enable the httpd_enable_cgi boolean:
- [root@localhost ~]# semanage boolean -m --on httpd_enable_cgi+ # semanage boolean -m --on httpd_enable_cgi
- [root@localhost ~]#+
-If your CGI scripts are in the cgi-bin directory of your web root you are done. If not you'll need to label those files as httpd_sys_script_exec_t.+If your CGI scripts are in the cgi-bin directory of your web root, no more steps are required. If they are not, you need to label the scripts with httpd_sys_script_exec_t:
- [root@localhost ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi + # semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi
- [root@localhost ~]# restorecon /var/www/html/path/to/my/cgi+ # restorecon /var/www/html/path/to/my/cgi
-= Allow Apache to send mail =+= Allow the Apache HTTP Server to send mail =
- To allow Apache to send mail enable the httpd_can_sendmail boolean.+To allow the Apache HTTP Server to send mail, enable the httpd_can_sendmail boolean:
- [root@localhost ~]# semanage boolean -m --on httpd_can_sendmail+ # semanage boolean -m --on httpd_can_sendmail
- [root@localhost ~]# +
= Using an NFS or CIFS home directory = = Using an NFS or CIFS home directory =
-For home directories on NFS enable the httpd_use_nfs boolean.+For home directories on NFS, enable the httpd_use_nfs boolean:
- [root@localhost ~]# semanage boolean -m --on httpd_use_nfs+ # semanage boolean -m --on httpd_use_nfs
- [root@localhost ~]# +
-For home directories on CIFS enable the httpd_use_cifs boolean.+For home directories on CIFS, enable the httpd_use_cifs boolean:
- [root@localhost ~]# semanage boolean -m --on httpd_use_cifs+ # semanage boolean -m --on httpd_use_cifs
- [root@localhost ~]#+

Revision as of 10:35, 25 November 2009

The Apache HTTP Server is very configurable; therefore, there are many ways to confine it. This page contains recipes to get started with common configurations.

Contents

Labeling the public_html directory correctly

The public_html directory in your user home directory already has the correct labeling rules in the system file contexts. This directory may or may not exist by default. If you create this directory, it may not be labeled correctly. Additionally, if you move files from your home directory they may not be labeled correctly. Use the restorecon command to relabel your public_html directory:

$ ls -Z 
drwxrwxr-x. method method system_u:object_r:user_home_t:s0 public_html

$ restorecon -R public_html
$ ls -Z 
drwxrwxr-x. method method staff_u:object_r:httpd_user_content_t:s0 public_html

As shown above, the public_html directory was relabeled from user_home_t to httpd_user_content_t. This directory should now be accessible to the Apache HTTP Server.

Allow the Apache HTTP Server to connect to your database server

To allow the Apache HTTP Server to connect to a database server, such as MySQL or PostgreSQL, enable the httpd_can_network_connect_db boolean:

# semanage boolean -m --on httpd_can_network_connect_db

Allow the Apache HTTP Server to run CGI scripts

Allowing the Apache HTTP Server to execute scripts can be a security risk. Some users require the Apache HTTP Server to execute CGI scripts. To allow this, first enable the httpd_enable_cgi boolean:

# semanage boolean -m --on httpd_enable_cgi

If your CGI scripts are in the cgi-bin directory of your web root, no more steps are required. If they are not, you need to label the scripts with httpd_sys_script_exec_t:

# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/path/to/my/cgi   
# restorecon /var/www/html/path/to/my/cgi

Allow the Apache HTTP Server to send mail

To allow the Apache HTTP Server to send mail, enable the httpd_can_sendmail boolean:

# semanage boolean -m --on httpd_can_sendmail

Using an NFS or CIFS home directory

For home directories on NFS, enable the httpd_use_nfs boolean:

# semanage boolean -m --on httpd_use_nfs

For home directories on CIFS, enable the httpd_use_cifs boolean:

# semanage boolean -m --on httpd_use_cifs
Personal tools