Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

13.4. Configuration examples

The following examples provide real-world demonstrations of how SELinux complements the Apache HTTP Server and how full function of the Apache HTTP Server can be maintained.

13.4.1. Running a static site
Link kopieren

To create a static website, label the .html files for that website with the httpd_sys_content_t type. By default, the Apache HTTP Server cannot write to files that are labeled with the httpd_sys_content_t type. The following example creates a new directory to store files for a read-only website:
  1. Use the mkdir utility as root to create a top-level directory: 
    ~]# mkdir /mywebsite
    Copy to Clipboard Toggle word wrap
  2. As root, create a /mywebsite/index.html file. Copy and paste the following content into /mywebsite/index.html: 
    <html>
<h2>index.html from /mywebsite/</h2>
</html>
    Copy to Clipboard Toggle word wrap
  3. To allow the Apache HTTP Server read only access to /mywebsite/, as well as files and subdirectories under it, label the directory with the httpd_sys_content_t type. Enter the following command as root to add the label change to file-context configuration: 
    ~]# semanage fcontext -a -t httpd_sys_content_t "/mywebsite(/.*)?"
    Copy to Clipboard Toggle word wrap
  4. Use the restorecon utility as root to make the label changes: 
    ~]# restorecon -R -v /mywebsite
restorecon reset /mywebsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /mywebsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    Copy to Clipboard Toggle word wrap
  5. For this example, edit the /etc/httpd/conf/httpd.conf file as root. Comment out the existing DocumentRoot option. Add a DocumentRoot "/mywebsite" option. After editing, these options should look as follows: 
    #DocumentRoot "/var/www/html"
DocumentRoot "/mywebsite"
    Copy to Clipboard Toggle word wrap
  6. Enter the following command as root to see the status of the Apache HTTP Server. If the server is stopped, start it: 
    ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: inactive (dead)
    Copy to Clipboard Toggle word wrap 
    ~]# systemctl start httpd.service
    Copy to Clipboard Toggle word wrap
    If the server is running, restart the service by executing the following command as root (this also applies any changes made to httpd.conf): 
    ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Wed 2014-02-05 13:16:46 CET; 2s ago
    Copy to Clipboard Toggle word wrap 
    ~]# systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap
  7. Use a web browser to navigate to http://localhost/index.html. The following is displayed: 
    index.html from /mywebsite/
    Copy to Clipboard Toggle word wrap

13.4.2. Sharing NFS and CIFS volumes
Link kopieren

By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the nfs_t type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the cifs_t type.
Depending on policy configuration, services may not be able to read files labeled with the nfs_t or cifs_t types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be enabled or disabled to control which services are allowed to access the nfs_t and cifs_t types.
Enable the httpd_use_nfs Boolean to allow httpd to access and share NFS volumes (labeled with the nfs_t type): 
~]# setsebool -P httpd_use_nfs on
Copy to Clipboard Toggle word wrap
Enable the httpd_use_cifs Boolean to allow httpd to access and share CIFS volumes (labeled with the cifs_t type): 
~]# setsebool -P httpd_use_cifs on
Copy to Clipboard Toggle word wrap

Note

Do not use the -P option if you do not want setsebool changes to persist across reboots.

13.4.3. Sharing files between services
Link kopieren

Type Enforcement helps prevent processes from accessing files intended for use by another process. For example, by default, Samba cannot read files labeled with the httpd_sys_content_t type, which are intended for use by the Apache HTTP Server. Files can be shared between the Apache HTTP Server, FTP, rsync, and Samba, if the required files are labeled with the public_content_t or public_content_rw_t type.
The following example creates a directory and files, and allows that directory and files to be shared (read only) through the Apache HTTP Server, FTP, rsync, and Samba:
  1. Use the mkdir utility as root to create a new top-level directory to share files between multiple services: 
    ~]# mkdir /shares
    Copy to Clipboard Toggle word wrap
  2. Files and directories that do not match a pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services: 
    ~]$ ls -dZ /shares
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /shares
    Copy to Clipboard Toggle word wrap
  3. As root, create a /shares/index.html file. Copy and paste the following content into /shares/index.html: 
    <html>
<body>
<p>Hello</p>
</body>
</html>
    Copy to Clipboard Toggle word wrap
  4. Labeling /shares/ with the public_content_t type allows read-only access by the Apache HTTP Server, FTP, rsync, and Samba. Enter the following command as root to add the label change to file-context configuration: 
    ~]# semanage fcontext -a -t public_content_t "/shares(/.*)?"
    Copy to Clipboard Toggle word wrap
  5. Use the restorecon utility as root to apply the label changes: 
    ~]# restorecon -R -v /shares/
restorecon reset /shares context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /shares/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
    Copy to Clipboard Toggle word wrap
To share /shares/ through Samba:
  1. Confirm the samba, samba-common, and samba-client packages are installed (version numbers may differ): 
    ~]$ rpm -q samba samba-common samba-client
samba-3.4.0-0.41.el6.3.i686
samba-common-3.4.0-0.41.el6.3.i686
samba-client-3.4.0-0.41.el6.3.i686
    Copy to Clipboard Toggle word wrap
    If any of these packages are not installed, install them by running the following command as root: 
    ~]# yum install package-name
    Copy to Clipboard Toggle word wrap
  2. Edit the /etc/samba/smb.conf file as root. Add the following entry to the bottom of this file to share the /shares/ directory through Samba: 
    [shares]
comment = Documents for Apache HTTP Server, FTP, rsync, and Samba
path = /shares
public = yes
writable = no
    Copy to Clipboard Toggle word wrap
  3. A Samba account is required to mount a Samba file system. Enter the following command as root to create a Samba account, where username is an existing Linux user. For example, smbpasswd -a testuser creates a Samba account for the Linux testuser user: 
    ~]# smbpasswd -a testuser
New SMB password: Enter a password
Retype new SMB password: Enter the same password again
Added user testuser.
    Copy to Clipboard Toggle word wrap
    If you run the above command, specifying a user name of an account that does not exist on the system, it causes a Cannot locate Unix account for 'username'! error.
  4. Start the Samba service: 
    ~]# systemctl start smb.service
    Copy to Clipboard Toggle word wrap
  5. Enter the following command to list the available shares, where username is the Samba account added in step 3. When prompted for a password, enter the password assigned to the Samba account in step 3 (version numbers may differ): 
    ~]$ smbclient -U username -L localhost
Enter username's password:
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Sharename       Type      Comment
---------       ----      -------
shares          Disk      Documents for Apache HTTP Server, FTP, rsync, and Samba
IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
username        Disk      Home Directories
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
    Copy to Clipboard Toggle word wrap
  6. User the mkdir utility to create a new directory. This directory will be used to mount the shares Samba share: 
    ~]# mkdir /test/
    Copy to Clipboard Toggle word wrap
  7. Enter the following command as root to mount the shares Samba share to /test/, replacing username with the user name from step 3: 
    ~]# mount //localhost/shares /test/ -o user=username
    Copy to Clipboard Toggle word wrap
    Enter the password for username, which was configured in step 3.
  8. View the content of the file, which is being shared through Samba: 
    ~]$ cat /test/index.html
<html>
<body>
<p>Hello</p>
</body>
</html>
    Copy to Clipboard Toggle word wrap
To share /shares/ through the Apache HTTP Server:
  1. Confirm the httpd package is installed (version number may differ): 
    ~]$ rpm -q httpd
httpd-2.2.11-6.i386
    Copy to Clipboard Toggle word wrap
    If this package is not installed, use the yum utility as root to install it: 
    ~]# yum install httpd
    Copy to Clipboard Toggle word wrap
  2. Change into the /var/www/html/ directory. Enter the following command as root to create a link (named shares) to the /shares/ directory: 
    html]# ln -s /shares/ shares
    Copy to Clipboard Toggle word wrap
  3. Start the Apache HTTP Server: 
    ~]# systemctl start httpd.service
    Copy to Clipboard Toggle word wrap
  4. Use a web browser to navigate to http://localhost/shares. The /shares/index.html file is displayed.
By default, the Apache HTTP Server reads an index.html file if it exists. If /shares/ did not have index.html, and instead had file1, file2, and file3, a directory listing would occur when accessing http://localhost/shares:
  1. Remove the index.html file: 
    ~]# rm -i /shares/index.html
    Copy to Clipboard Toggle word wrap
  2. Use the touch utility as root to create three files in /shares/: 
    ~]# touch /shares/file{1,2,3}
~]# ls -Z /shares/
-rw-r--r--  root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:public_content_t:s0 file3
    Copy to Clipboard Toggle word wrap
  3. Enter the following command as root to see the status of the Apache HTTP Server: 
    ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: inactive (dead)
    Copy to Clipboard Toggle word wrap
    If the server is stopped, start it: 
    ~]# systemctl start httpd.service
    Copy to Clipboard Toggle word wrap
  4. Use a web browser to navigate to http://localhost/shares. A directory listing is displayed:
    View larger image

13.4.4. Changing port numbers
Link kopieren

Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. Use the semanage utility as the root user to list the ports SELinux allows httpd to listen on: 
~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
Copy to Clipboard Toggle word wrap
By default, SELinux allows httpd to listen on TCP ports 80, 443, 488, 8008, 8009, or 8443. If /etc/httpd/conf/httpd.conf is configured so that httpd listens on any port not listed for http_port_t, httpd fails to start.
To configure httpd to run on a port other than TCP ports 80, 443, 488, 8008, 8009, or 8443:
  1. Edit the /etc/httpd/conf/httpd.conf file as root so the Listen option lists a port that is not configured in SELinux policy for httpd. The following example configures httpd to listen on the 10.0.0.1 IP address, and on TCP port 12345: 
    # Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 10.0.0.1:12345
    Copy to Clipboard Toggle word wrap
  2. Enter the following command as the root user to add the port to SELinux policy configuration: 
    ~]# semanage port -a -t http_port_t -p tcp 12345
    Copy to Clipboard Toggle word wrap
  3. Confirm that the port is added: 
    ~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      12345, 80, 443, 488, 8008, 8009, 8443
    Copy to Clipboard Toggle word wrap
If you no longer run httpd on port 12345, use the semanage utility as root to remove the port from policy configuration: 
~]# semanage port -d -t http_port_t -p tcp 12345
Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat