{{admon/important|Deprecated process|This is not the page you are looking for! This page has moved to https://fedorahosted.org/managing-confined-services/wiki/ContentSpecification}}

== Trademark Information ==

Fedora and the Fedora Infinity Design logo are trademarks or registered trademarks of Red Hat, Inc., in the U.S. and other countries.

Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat Inc. in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

UNIX is a registered trademark of The Open Group.

Type Enforcement is a trademark of Secure Computing Corporation, registered in the U.S. and in other countries. Secure Computing Corporation has not consented to the use or reference to this trademark by the author outside of this guide.

Apache is a trademark of The Apache Software Foundation.

[[Category:SELinux docs]]

== Introduction ==

=== Brief Introduction to SELinux ===

Copy bits from "Chapter 2. Introduction" of the Fedora 10 Security-Enhanced Linux User Guide: <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/>.

=== Brief Introduction to Confined and Unconfined Services ===

Copy the first/second paragraphs from the "Chapter 4. Targeted Policy", "4.1. Confined Processes", and "4.2. Unconfined Processes" sections of the Fedora 10 Security-Enhanced Linux User Guide: <http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/>.

Services can be run in a variety of ways. To cater for this, you must tell SELinux how you are running a service. This is done with Booleans, which allow parts of SELinux policy to be changed at runtime without any knowledge of SELinux policy writing. This allows changes, such as allowing a service access to NFS file systems, without reloading or recompiling SELinux policy.

== The Apache HTTP Server ==

From the Apache HTTP Server Project page <http://httpd.apache.org/>:

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards [1].

In Fedora, the httpd package provides the Apache HTTP Server. If you want to use the Apache HTTP Server, and the httpd package is not installed, run the following command as the Linux root user to install it:

<pre>yum install httpd</pre>

[1] The Apache HTTP Server Project page: <http://httpd.apache.org/>. "The Apache HTTP Server is a project of the Apache Software Foundation". Accessed 19 January 2009.

=== 2.1 The Apache HTTP Server and SELinux ===

When running SELinux, the Apache HTTP Server (httpd) runs confined by default. SELinux policy defines how httpd interacts with files, processes, and with the system in general. To allow access, files must be labeled correctly, and Booleans must be set to allow certain behavior, such as network access and access to NFS and CIFS file systems. The "semanage port" command is required to allow httpd to listen on ports other than TCP ports 80, 443, 488, 8008, 8009, and 8443. Files must also be labeled correctly and Booleans set to allow content to be shared between the Apache HTTP Server, Samba, and FTP services.

=== 2.2 Types ===

Type Enforcement is the main permission control used in SELinux targeted policy, and as such, httpd can only access certain types. This helps prevent processes from accessing files intended for use by another process: for example, httpd can access files labeled with the httpd_sys_content_t type (intended for httpd), but not the samba_share_t type (intended for Samba).

* explanation of each one, when to use them, and how to change them (chcon for a temporary label; semanage fcontext plus restorecon for a persistent one; see man httpd_selinux).
* httpd_sys_content_t for standard serving and non-default directories (other than /var/www/html/, /srv/www/, and /srv/gallery2).
* allow executable scripts (the httpd_sys_script_exec_t type, used for CGI scripts).
* allow data to be written to by scripts (the httpd_sys_content_rw_t type).

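Added example (not from the original page or the Fedora guide) of labeling a non-default web root and its CGI directory persistently, and of checking the result. The paths /srv/mysite and /srv/mysite/cgi-bin are hypothetical; the types are the ones named in the list above. Without the SELinux tools installed the script only prints the rules it would write.

```sh
#!/bin/sh
# Added example: label a non-default web root so confined httpd can read it.
# Assumptions (not from the page): content lives under /srv/mysite and CGI
# scripts under /srv/mysite/cgi-bin; both paths are hypothetical.

# Build the semanage fcontext regex for a directory tree: the directory
# itself plus everything below it.
fcontext_pattern() {
    dir=${1%/}                      # drop one trailing slash, if any
    printf '%s(/.*)?\n' "$dir"
}

# Persistent labeling: record the rule in the file-context database, then
# apply it. Unlike chcon, this survives restorecon and a full relabel.
# Requires root and the policycoreutils tools. A more specific rule added
# later (the cgi-bin one) takes precedence over the broader one.
label_tree() {
    dir=$1; type=$2
    pattern=$(fcontext_pattern "$dir")
    semanage fcontext -a -t "$type" "$pattern" &&
    restorecon -Rv "$dir"
}

# matchpathcon prints the label the file-context database now expects for
# the path; compare it with "ls -Z" to confirm restorecon applied it.
check_label() {
    dir=$1; type=$2
    matchpathcon "$dir" | grep -q ":$type:"
}

# The temporary way: chcon changes the on-disk label only. The next
# restorecon or relabel undoes it, so use it for quick tests, not deployment.
label_tree_temporarily() {
    chcon -R -t "$2" "$1"
}

if command -v semanage >/dev/null 2>&1; then
    label_tree /srv/mysite httpd_sys_content_t
    label_tree /srv/mysite/cgi-bin httpd_sys_script_exec_t
    check_label /srv/mysite httpd_sys_content_t && echo "label rule in place"
else
    # No SELinux tools here: show the rules that would be written.
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s"\n' "$(fcontext_pattern /srv/mysite)"
    printf 'semanage fcontext -a -t httpd_sys_script_exec_t "%s"\n' "$(fcontext_pattern /srv/mysite/cgi-bin)"
fi
```

The order of the two semanage calls matters: the cgi-bin rule is added after the broader one so it wins for that subtree, and a later "restorecon -R /srv/mysite" keeps both labels.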
=== 2.3 Booleans ===

Booleans allow parts of SELinux policy to be changed at runtime, without any knowledge of SELinux policy writing. This allows changes, such as allowing services access to NFS file systems, without reloading or recompiling SELinux policy.

* use the output of "semanage boolean -l | grep http" as a base.
* how to set them (setsebool, with -P to make the change persistent across reboots; is "semanage boolean" stable enough to document?).
* how to list them (getsebool and semanage boolean).
* access and share NFS file systems: httpd_use_nfs on.
* access and share CIFS file systems: httpd_use_cifs on.
* let httpd prompt on a terminal for an SSL certificate passphrase at start-up (setsebool -P httpd_tty_comm on).
* man httpd_selinux.

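Added example (not from the original page) of listing and setting the httpd Booleans. The getsebool lines in SAMPLE_GETSEBOOL are a constructed sample in the real "name --> state" format so the parsing can be tried on a machine without SELinux; on a Fedora host the live "getsebool -a" output is used instead.

```sh
#!/bin/sh
# Added example: query and set httpd Booleans. SAMPLE_GETSEBOOL is a
# constructed sample of getsebool output, not taken from a real host.

SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_tty_comm --> off
httpd_use_cifs --> off
httpd_use_nfs --> off'

# Print the state (on|off) of one Boolean from getsebool-style lines on stdin.
boolean_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3 }'
}

# Print the names of all Booleans that are currently on.
booleans_on() {
    awk '$2 == "-->" && $3 == "on" { print $1 }'
}

# What the list above asks for: serve content from NFS and CIFS mounts.
# -P writes the change to the policy store so it survives a reboot; a
# setsebool without -P is lost at the next boot. Run as root to apply.
enable_httpd_file_sharing() {
    setsebool -P httpd_use_nfs on &&
    setsebool -P httpd_use_cifs on
}

if command -v getsebool >/dev/null 2>&1; then
    echo "httpd Booleans currently on:"
    getsebool -a | grep '^httpd_' | booleans_on
    # semanage boolean -l also prints a description of each Boolean.
    semanage boolean -l | grep '^httpd_'
else
    echo "Booleans on in the sample:"
    printf '%s\n' "$SAMPLE_GETSEBOOL" | booleans_on
    echo "httpd_use_nfs is $(printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_state httpd_use_nfs)"
fi
```

enable_httpd_file_sharing is deliberately not called automatically: a persistent Boolean change is a policy change on the host, so apply it only once you know the content really lives on NFS or CIFS.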
=== 2.4 Configuration Examples ===

* sharing files:
** the public_content_t and public_content_rw_t types.
** the allow_httpd_anon_write and allow_httpd_sys_script_anon_write Booleans (needed, together with public_content_rw_t, before httpd or its scripts can write to shared content).
* allow httpd to write image files (directory labeled with the httpd_sys_content_rw_t type? httpd_tmp_t is the type for httpd's own temporary files).
* serve mounted ISOs (mount -o context=).
* make only httpd run permissive (add: "semanage permissive -a httpd_t". remove: "semanage permissive -d httpd_t").
* change the port httpd listens on (semanage port -a -t http_port_t -p tcp 7777).

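Added example (not from the original page) for the last two items: labeling an extra listening port for httpd, with the check a practitioner wants first, and making only httpd_t permissive. The "semanage port -l" lines in SAMPLE_PORTS are a constructed sample in the real column format, listing the http_port_t ports the page names; 7777 is the page's example port.

```sh
#!/bin/sh
# Added example: let confined httpd listen on a non-default TCP port, and
# make only httpd_t permissive while debugging. SAMPLE_PORTS is a
# constructed sample of "semanage port -l" output, not from a real host.

SAMPLE_PORTS='http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
http_cache_port_t              tcp      3128, 8080, 10001-10010
smbd_port_t                    tcp      137-139, 445'

# Exit 0 if the given tcp port is already labeled with the given type,
# reading semanage-port-l style lines on stdin. Ranges like 10001-10010 count.
port_has_type() {
    awk -v port="$1" -v type="$2" '
        $1 == type && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) {
                    if (port >= r[1] + 0 && port <= r[2] + 0) found = 1
                } else if (p + 0 == port + 0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Label a port for httpd. If the port is unlabeled, -a adds it. If another
# type already owns it, -a fails ("already defined") and -m changes the
# type instead; that reassigns the port away from its previous service, so
# it is a deliberate decision rather than a retry.
allow_http_port() {
    port=$1
    if semanage port -l | port_has_type "$port" http_port_t; then
        echo "tcp/$port is already http_port_t"
    elif semanage port -a -t http_port_t -p tcp "$port" 2>/dev/null; then
        echo "added tcp/$port as http_port_t"
    else
        echo "tcp/$port is owned by another type; changing it to http_port_t"
        semanage port -m -t http_port_t -p tcp "$port"
    fi
}

# Permissive domain: denials for httpd_t are logged but not enforced, while
# every other domain stays enforcing, unlike a global "setenforce 0".
httpd_permissive_on()  { semanage permissive -a httpd_t; }
httpd_permissive_off() { semanage permissive -d httpd_t; }

if command -v semanage >/dev/null 2>&1; then
    allow_http_port 7777
else
    printf '%s\n' "$SAMPLE_PORTS" | port_has_type 80 http_port_t && echo "tcp/80 is http_port_t"
    printf '%s\n' "$SAMPLE_PORTS" | port_has_type 7777 http_port_t || echo "tcp/7777 is not http_port_t yet"
fi
```

After "semanage port -a", confirm with "semanage port -l | grep http_port_t" and restart httpd; the Listen directive alone is not enough while httpd is confined.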
== Samba ==

From the Samba website <http://us1.samba.org/samba/>:

Samba is an [http://www.opensource.org/ Open Source]/[http://www.gnu.org/philosophy/free-sw.html Free Software] suite that has, [http://us1.samba.org/samba/docs/10years.html since 1992], provided file and print services to all manner of SMB/CIFS clients, including the numerous versions of Microsoft Windows operating systems. Samba is freely available under the [http://us1.samba.org/samba/docs/GPL.html GNU General Public License] [1].

In Fedora 11, the samba package provides the Samba server. If you want to use the Samba server, and the samba package is not installed, run the following command as the Linux root user to install it:

<pre>yum install samba</pre>

[1] The Samba website: <http://us1.samba.org/samba/>. Accessed 20 January 2009.

=== Samba and SELinux ===

When running SELinux, Samba runs confined by default. SELinux policy defines how the Samba server, smbd, interacts with files, processes, and with the system in general. Files and directories must be labeled correctly so they can be exported through Samba. Booleans must be set to allow home directories and NFS file systems to be exported through Samba. The "semanage port" command is required to allow smbd to listen on ports other than TCP ports 137, 138, 139, and 445.