From Fedora Project Wiki
= Content Specification =
{{admon/important|Deprecated process|This is not the page you are looking for. This page has moved to https://fedorahosted.org/managing-confined-services/wiki/ContentSpecification}}


== Trademark Information ==


Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.


Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.
[[Category:SELinux docs]]
 
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
 
UNIX is a registered trademark of The Open Group.
 
Type Enforcement is a trademark of Secure Computing Corporation, registered in the U.S. and in other countries. Secure Computing Corporation has not consented to the use or reference to this trademark by the author outside of this guide.
 
Apache is a trademark of The Apache Software Foundation.
 
== Introduction ==
 
=== Brief Introduction to SELinux ===
 
Copy bits from "Chapter 2. Introduction" of the Fedora 10 Security-Enhanced Linux User Guide. <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/>.
 
=== Brief Introduction to Confined and Unconfined Services ===
 
Copy first/second paragraphs from the "Chapter 4. Targeted Policy", "4.1. Confined Processes", and "4.2. Unconfined Processes" sections of the Fedora 10 Security-Enhanced Linux User Guide.
<http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/>.
 
== The Apache HTTP Server ==
 
From the Apache HTTP Server Project page <http://httpd.apache.org/>:
 
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards [1].
 
In Fedora, the httpd package provides the Apache HTTP Server. If you want to use the Apache HTTP Server, and the httpd package is not installed, run the following command as the Linux root user to install it:
 
{{{ yum install httpd }}}
 
[1] The Apache HTTP Server Project page: <http://httpd.apache.org/>. From the Apache HTTP Server Project page <http://httpd.apache.org/>: "The Apache HTTP Server is a project of the Apache Software Foundation". Accessed 19 January 2009.
 
=== 2.1 The Apache HTTP Server and SELinux ===
 
When running SELinux, the Apache HTTP Server (httpd) runs confined by default. SELinux policy defines how httpd interacts with files, processes, and with the system in general. Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running services. This can be achieved via Booleans that allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.
 
The semanage tool can be used to label files to allow services access to them, as well as to change the port numbers services can listen on. For example, by default, httpd can only listen on TCP ports 80, 443, 488, 8008, 8009, and 8443. This helps maintain least privilege. Other ports must be defined with the "semanage port" command; otherwise, if httpd is configured to listen on a different port, SELinux denies the bind and httpd fails to start.
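The following is an added example (not part of the original page or of the guide it specifies) that turns the port check above, and the "change the port httpd listens on" item in section 2.4, into a script. It reads a listing in the format of "semanage port -l"; the listing embedded here is constructed so the script runs offline, and on a real host you would set PORT_LIST="$(semanage port -l)" first. The practitioner's caveat it encodes: "semanage port -a" fails with "already defined" when another type (such as soundd_port_t on 8000) already owns the exact port, in which case "semanage port -m" is needed instead.

```shell
#!/bin/sh
# Added example: decide which `semanage port` command (if any) lets httpd bind
# a port, from the output of `semanage port -l`. SAMPLE_PORT_LIST is a
# constructed listing in that format; set PORT_LIST="$(semanage port -l)" on a
# real host to use live data.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
soundd_port_t                  tcp      8000, 9433, 16001
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767, 61001-65535
zope_port_t                    tcp      8021'

# port_type_exact PORT PROTO: print the type that lists PORT itself (listing on stdin).
port_type_exact() {
  awk -v port="$1" -v proto="$2" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)
        if (p == port) { print $1; exit }
      }
    }'
}

# port_type_range PORT PROTO: print the type whose lo-hi range contains PORT (listing on stdin).
port_type_range() {
  awk -v port="$1" -v proto="$2" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)
        if (split(p, r, "-") == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
          print $1; exit
        }
      }
    }'
}

# http_port_cmd PORT [PROTO]: print nothing if httpd may already bind PORT,
# `semanage port -a` if no type defines PORT exactly, or `semanage port -m`
# if another type already owns it (`-a` would fail with "already defined").
http_port_cmd() {
  port=$1; proto=${2:-tcp}
  case $port in ''|*[!0-9]*) echo "http_port_cmd: bad port '$port'" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "http_port_cmd: port out of range" >&2; return 1; }
  list=${PORT_LIST:-$SAMPLE_PORT_LIST}
  owner=$(printf '%s\n' "$list" | port_type_exact "$port" "$proto")
  case $owner in
    http_port_t) ;;
    '') echo "semanage port -a -t http_port_t -p $proto $port" ;;
    *)  echo "semanage port -m -t http_port_t -p $proto $port" ;;
  esac
}

# Usage: sh check_http_port.sh 7777 [tcp|udp]; review the printed command, then run it as root.
if [ -n "${1:-}" ]; then
  http_port_cmd "$1" "${2:-tcp}"
fi
```

A port such as 7777 that only falls inside a policy range (unreserved_port_t here) is reported by port_type_range but still takes "-a", because the range does not count as an exact definition; only an exact match on another type forces "-m".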
 
=== 2.2 Types ===
 
Type Enforcement is the main permission control used in SELinux targeted policy, and as such, httpd can only access certain types. This helps prevent processes from accessing files intended for use by another process. For example, httpd can access files labeled with the httpd_sys_content_t type (intended for httpd), but not the samba_share_t type (intended for Samba).
 
* explanation of each one, when to use them, and how to change them (chcon and semanage. man httpd_selinux).
* httpd_sys_content_t for standard serving and non-default directories (other than /var/www/html/ and /srv/www/, and /srv/gallery2).
* allow executable scripts (httpd_sys_script_exec_t type?).
* allow data to be written to by scripts (httpd_sys_content_rw_t type).
 
=== 2.3 Booleans ===
 
Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.
 
* use output of "semanage boolean -l | grep http" as a base.
* how to set them (setsebool...semanage boolean stable?).
* how to list them (getsebool and semanage boolean).
* access and share NFS file systems: httpd_use_nfs on.
* access and share CIFS file systems: httpd_use_cifs on.
* use SSL with a passphrase-protected key: httpd_tty_comm allows httpd to talk to the terminal so it can prompt for the passphrase at startup (setsebool -P httpd_tty_comm on).
* man httpd_selinux.
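The following is an added example (not part of the original page or of the guide it specifies) for the "how to set them" and "how to list them" items above. It parses a listing in the "getsebool -a" format and prints a "setsebool -P" command only when the Boolean is not already in the wanted state, so the result is idempotent and safe to review before running. The embedded listing is constructed; on a real host set BOOL_LIST="$(getsebool -a)" first.

```shell
#!/bin/sh
# Added example: idempotent Boolean management from `getsebool -a` output.
# SAMPLE_BOOLS is a constructed listing in that format; set
# BOOL_LIST="$(getsebool -a)" on a real host to use live data.
SAMPLE_BOOLS='allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_tty_comm --> off
httpd_use_cifs --> off
httpd_use_nfs --> on'

# bool_state NAME: print on/off for NAME from the listing on stdin; fail if NAME is unknown.
bool_state() {
  awk -v name="$1" '
    $1 == name && $2 == "-->" { print $3; found = 1; exit }
    END { exit !found }'
}

# ensure_bool NAME on|off: print the `setsebool -P` command needed to reach the
# wanted state, or nothing if the Boolean already has it. -P makes the change
# persistent across reboots. Enabling an *anon_write* Boolean is flagged because
# it lets unauthenticated clients write to public_content_rw_t files.
ensure_bool() {
  name=$1; want=$2
  case $want in on|off) ;; *) echo "ensure_bool: want on or off, got '$want'" >&2; return 2 ;; esac
  have=$(printf '%s\n' "${BOOL_LIST:-$SAMPLE_BOOLS}" | bool_state "$name") || {
    echo "ensure_bool: unknown Boolean '$name'" >&2; return 1; }
  if [ "$have" = "$want" ]; then
    return 0
  fi
  if [ "$want" = on ]; then
    case $name in
      *anon_write*) echo "warning: $name on allows anonymous writes" >&2 ;;
    esac
  fi
  echo "setsebool -P $name $want"
}

# Usage: sh ensure_bool.sh httpd_use_cifs on; review the printed command, then run it as root.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  ensure_bool "$1" "$2"
fi
```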
 
=== 2.4 Configuration Examples ===
 
* sharing files:
** the public_content_t and public_content_rw_t types.
** the allow_httpd_anon_write and allow_httpd_sys_script_anon_write Booleans.
* allow httpd to write image files (directory labeled with the httpd_tmp_t type?).
* serve mounted ISOs (mount -o context=).
* make only httpd run permissive (add: "semanage permissive -a httpd_t". remove: "semanage permissive -d httpd_t").
* change the port httpd listens on (semanage port -a -t http_port_t -p tcp 7777).

Latest revision as of 14:09, 29 March 2015
