13.4. Configuration examples
The following examples provide real-world demonstrations of how SELinux complements the Apache HTTP Server and how full function of the Apache HTTP Server can be maintained.
13.4.1. Running a static site
To create a static website, label the
.html
files for that website with the httpd_sys_content_t
type. By default, the Apache HTTP Server cannot write to files that are labeled with the httpd_sys_content_t
type. The following example creates a new directory to store files for a read-only website:
- Use the
mkdir
utility as root to create a top-level directory:~]#
mkdir /mywebsite
- As root, create a
/mywebsite/index.html
file. Copy and paste the following content into/mywebsite/index.html
:<html> <h2>index.html from /mywebsite/</h2> </html>
- To allow the Apache HTTP Server read only access to
/mywebsite/
, as well as files and subdirectories under it, label the directory with thehttpd_sys_content_t
type. Enter the following command as root to add the label change to file-context configuration:~]#
semanage fcontext -a -t httpd_sys_content_t "/mywebsite(/.*)?"
- Use the
restorecon
utility as root to make the label changes:~]#
restorecon -R -v /mywebsite
restorecon reset /mywebsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0 restorecon reset /mywebsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0 - For this example, edit the
/etc/httpd/conf/httpd.conf
file as root. Comment out the existingDocumentRoot
option. Add aDocumentRoot "/mywebsite"
option. After editing, these options should look as follows:#DocumentRoot "/var/www/html" DocumentRoot "/mywebsite"
- Enter the following command as root to see the status of the Apache HTTP Server. If the server is stopped, start it:
~]#
systemctl status httpd.service
httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: inactive (dead)~]#
systemctl start httpd.service
If the server is running, restart the service by executing the following command as root (this also applies any changes made tohttpd.conf
):~]#
systemctl status httpd.service
httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: active (running) since Wed 2014-02-05 13:16:46 CET; 2s ago~]#
systemctl restart httpd.service
- Use a web browser to navigate to
http://localhost/index.html
. The following is displayed:index.html from /mywebsite/
13.4.2. Sharing NFS and CIFS volumes
By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the
nfs_t
type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the cifs_t
type.
Depending on policy configuration, services may not be able to read files labeled with the
nfs_t
or cifs_t
types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be enabled or disabled to control which services are allowed to access the nfs_t
and cifs_t
types.
Enable the
httpd_use_nfs
Boolean to allow httpd
to access and share NFS volumes (labeled with the nfs_t
type):
~]# setsebool -P httpd_use_nfs on
Enable the
httpd_use_cifs
Boolean to allow httpd
to access and share CIFS volumes (labeled with the cifs_t
type):
~]# setsebool -P httpd_use_cifs on
Note
Do not use the
-P
option if you do not want setsebool
changes to persist across reboots.
13.4.3. Sharing files between services
Type Enforcement helps prevent processes from accessing files intended for use by another process. For example, by default, Samba cannot read files labeled with the
httpd_sys_content_t
type, which are intended for use by the Apache HTTP Server. Files can be shared between the Apache HTTP Server, FTP, rsync, and Samba, if the required files are labeled with the public_content_t
or public_content_rw_t
type.
The following example creates a directory and files, and allows that directory and files to be shared (read only) through the Apache HTTP Server, FTP, rsync, and Samba:
- Use the
mkdir
utility as root to create a new top-level directory to share files between multiple services:~]#
mkdir /shares
- Files and directories that do not match a pattern in file-context configuration may be labeled with the
default_t
type. This type is inaccessible to confined services:~]$
ls -dZ /shares
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /shares - As root, create a
/shares/index.html
file. Copy and paste the following content into/shares/index.html
:<html> <body> <p>Hello</p> </body> </html>
- Labeling
/shares/
with thepublic_content_t
type allows read-only access by the Apache HTTP Server, FTP, rsync, and Samba. Enter the following command as root to add the label change to file-context configuration:~]#
semanage fcontext -a -t public_content_t "/shares(/.*)?"
- Use the
restorecon
utility as root to apply the label changes:~]#
restorecon -R -v /shares/
restorecon reset /shares context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0 restorecon reset /shares/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
To share
/shares/
through Samba:
- Confirm the samba, samba-common, and samba-client packages are installed (version numbers may differ):
~]$
rpm -q samba samba-common samba-client
samba-3.4.0-0.41.el6.3.i686 samba-common-3.4.0-0.41.el6.3.i686 samba-client-3.4.0-0.41.el6.3.i686If any of these packages are not installed, install them by running the following command as root:~]#
yum install package-name
- Edit the
/etc/samba/smb.conf
file as root. Add the following entry to the bottom of this file to share the/shares/
directory through Samba:[shares] comment = Documents for Apache HTTP Server, FTP, rsync, and Samba path = /shares public = yes writable = no
- A Samba account is required to mount a Samba file system. Enter the following command as root to create a Samba account, where username is an existing Linux user. For example,
smbpasswd -a testuser
creates a Samba account for the Linuxtestuser
user:~]#
smbpasswd -a testuser
New SMB password: Enter a password Retype new SMB password: Enter the same password again Added user testuser.If you run the above command, specifying a user name of an account that does not exist on the system, it causes aCannot locate Unix account for 'username'!
error. - Start the Samba service:
~]#
systemctl start smb.service
- Enter the following command to list the available shares, where username is the Samba account added in step 3. When prompted for a password, enter the password assigned to the Samba account in step 3 (version numbers may differ):
~]$
smbclient -U username -L localhost
Enter username's password: Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6] Sharename Type Comment --------- ---- ------- shares Disk Documents for Apache HTTP Server, FTP, rsync, and Samba IPC$ IPC IPC Service (Samba Server Version 3.4.0-0.41.el6) username Disk Home Directories Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6] Server Comment --------- ------- Workgroup Master --------- ------- - User the
mkdir
utility to create a new directory. This directory will be used to mount theshares
Samba share:~]#
mkdir /test/
- Enter the following command as root to mount the
shares
Samba share to/test/
, replacing username with the user name from step 3:~]#
mount //localhost/shares /test/ -o user=username
Enter the password for username, which was configured in step 3. - View the content of the file, which is being shared through Samba:
~]$
cat /test/index.html
<html> <body> <p>Hello</p> </body> </html>
To share
/shares/
through the Apache HTTP Server:
- Confirm the httpd package is installed (version number may differ):
~]$
rpm -q httpd
httpd-2.2.11-6.i386If this package is not installed, use theyum
utility as root to install it:~]#
yum install httpd
- Change into the
/var/www/html/
directory. Enter the following command as root to create a link (namedshares
) to the/shares/
directory:html]#
ln -s /shares/ shares
- Start the Apache HTTP Server:
~]#
systemctl start httpd.service
- Use a web browser to navigate to
http://localhost/shares
. The/shares/index.html
file is displayed.
By default, the Apache HTTP Server reads an
index.html
file if it exists. If /shares/
did not have index.html
, and instead had file1
, file2
, and file3
, a directory listing would occur when accessing http://localhost/shares
:
- Remove the
index.html
file:~]#
rm -i /shares/index.html
- Use the
touch
utility as root to create three files in/shares/
:~]#
touch /shares/file{1,2,3}
~]#ls -Z /shares/
-rw-r--r-- root root system_u:object_r:public_content_t:s0 file1 -rw-r--r-- root root unconfined_u:object_r:public_content_t:s0 file2 -rw-r--r-- root root unconfined_u:object_r:public_content_t:s0 file3 - Enter the following command as root to see the status of the Apache HTTP Server:
~]#
systemctl status httpd.service
httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled) Active: inactive (dead)If the server is stopped, start it:~]#
systemctl start httpd.service
- Use a web browser to navigate to
http://localhost/shares
. A directory listing is displayed:
13.4.4. Changing port numbers
Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. Use the
semanage
utility as the root user to list the ports SELinux allows httpd
to listen on:
~]# semanage port -l | grep -w http_port_t
http_port_t tcp 80, 443, 488, 8008, 8009, 8443
By default, SELinux allows
httpd
to listen on TCP ports 80, 443, 488, 8008, 8009, or 8443. If /etc/httpd/conf/httpd.conf
is configured so that httpd
listens on any port not listed for http_port_t
, httpd
fails to start.
To configure
httpd
to run on a port other than TCP ports 80, 443, 488, 8008, 8009, or 8443:
- Edit the
/etc/httpd/conf/httpd.conf
file as root so theListen
option lists a port that is not configured in SELinux policy forhttpd
. The following example configureshttpd
to listen on the 10.0.0.1 IP address, and on TCP port 12345:# Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses (0.0.0.0) # #Listen 12.34.56.78:80 Listen 10.0.0.1:12345
- Enter the following command as the root user to add the port to SELinux policy configuration:
~]#
semanage port -a -t http_port_t -p tcp 12345
- Confirm that the port is added:
~]#
semanage port -l | grep -w http_port_t
http_port_t tcp 12345, 80, 443, 488, 8008, 8009, 8443
If you no longer run
httpd
on port 12345, use the semanage
utility as root to remove the port from policy configuration:
~]# semanage port -d -t http_port_t -p tcp 12345