<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/../../css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/../../favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
  SELinux Apache Module</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/../../images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<br><h1>SELinux Apache Module</h1>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Structure</p>
<p class="secthead"><a name="doc_chap1_sect1">Domains</a></p>
<br><a name="doc_chap1_fig1"></a><table cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Figure1.1: General Apache domain overview</p></td></tr>
<tr><td align="center" bgcolor="#ddddff"><img src="./images/apachedomain.png" alt="Fig. 1: General Apache domain overview"></td></tr>
</table>
<br><p>
The <span class="code" dir="ltr">apache</span> module provides the following domains:
</p>
<table class="ntable">
<tr>
  <td class="infohead"><b>Domain</b></td>
  <td class="infohead"><b>Process(es)</b></td>
  <td class="infohead"><b>Description</b></td>
</tr>
<tr>
  <td class="tableinfo">httpd_t</td>
  <td class="tableinfo">apache<br>lighttpd</td>
  <td class="tableinfo">Webserver processes</td>
</tr>
<tr>
  <td class="tableinfo">httpd_helper_t</td>
  <td class="tableinfo">htsslpass</td>
  <td class="tableinfo">Domain for the htsslpass process</td>
</tr>
<tr>
  <td class="tableinfo">httpd_php_t</td>
  <td class="tableinfo">php-cgi</td>
  <td class="tableinfo">Domain for PHP support through CGI (php-cgi process)</td>
</tr>
<tr>
  <td class="tableinfo">httpd_rotatelogs_t</td>
  <td class="tableinfo">rotatelogs</td>
  <td class="tableinfo">Domain for the rotatelogs process</td>
</tr>
<tr>
  <td class="tableinfo">httpd_suexec_t</td>
  <td class="tableinfo">suexec</td>
  <td class="tableinfo">
    Domain used by the webserver suexec process to switch to another user
    before calling and executing a script
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_sys_script_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Domain used by the system/package-provided CGI scripts</td>
</tr>
<tr>
  <td class="tableinfo">httpd_user_script_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Domain used by the user-provided CGI scripts</td>
</tr>
</table>
<table class="ncontent" width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td bgcolor="#ffffbb"><p class="note"><b>Important: </b>
The <span class="code" dir="ltr">apache</span> module allows other modules to define their own domains and
types for use by the webservers. This is done through templates. The reference
policy by default enables two such templated sets, for <span class="emphasis">user</span> and
<span class="emphasis">sys</span>, which you can see in domains like <span class="code" dir="ltr">httpd_sys_script_t</span> and
<span class="code" dir="ltr">httpd_user_script_t</span>. It is quite possible that more of these
template-instantiated domains exist on your system.
</p></td></tr></table>
<p class="secthead"><a name="doc_chap1_sect2">File Types/Labels</a></p>
<p>
The following table lists the file type/labels defined in the <span class="code" dir="ltr">apache</span>
module.
</p>
<ul>
  <li>
    If the function mentions <span class="emphasis">(templated)</span>, the types listed are the ones
    generated by the <span class="code" dir="ltr">apache</span> module itself, but similar ones might
    exist on your system (instantiated through other modules).
  </li>
  <li>
    When talking about <span class="emphasis">scripts</span>, we mean CGI scripts or other scripts that
    are triggered from the webserver, not from an interactive shell session.
  </li>
</ul>
<table class="ntable">
<tr>
  <td class="infohead"><b>Type</b></td>
  <td class="infohead"><b>Function</b></td>
  <td class="infohead"><b>Description</b></td>
</tr>
<tr>
  <td class="tableinfo">httpd_exec_t</td>
  <td class="tableinfo">Entrypoint</td>
  <td class="tableinfo">Entrypoint for the webserver processes</td>
</tr>
<tr>
  <td class="tableinfo">httpd_initrc_exec_t</td>
  <td class="tableinfo">Entrypoint</td>
  <td class="tableinfo">Entrypoint for the webserver init scripts</td>
</tr>
<tr>
  <td class="tableinfo">httpd_helper_exec_t</td>
  <td class="tableinfo">Entrypoint</td>
  <td class="tableinfo">Entrypoint for the webserver helper processes</td>
</tr>
<tr>
  <td class="tableinfo">httpd_php_exec_t</td>
  <td class="tableinfo">Entrypoint</td>
  <td class="tableinfo">Entrypoint for the PHP scripts</td>
</tr>
<tr>
  <td class="tableinfo">httpd_rotatelogs_exec_t</td>
  <td class="tableinfo">Entrypoint</td>
  <td class="tableinfo">Entrypoint for the rotatelog helper</td>
</tr>
<tr>
  <td class="tableinfo">httpd_suexec_exec_t</td>
  <td class="tableinfo">Entrypoint</td>
  <td class="tableinfo">Entrypoint for the suexec wrapper</td>
</tr>
<tr>
  <td class="tableinfo">httpd_sys_script_exec_t</td>
  <td class="tableinfo">Entrypoint (templated)</td>
  <td class="tableinfo">
    Entrypoint for system CGI scripts (or other callable scripts) that need
    access to the system content files (httpd_sys_content_t)
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_user_script_exec_t</td>
  <td class="tableinfo">Entrypoint (templated)</td>
  <td class="tableinfo">
    Entrypoint for the user-provided scripts callable from the webserver instances
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_squirrelmail_t</td>
  <td class="tableinfo">Content</td>
  <td class="tableinfo">Squirrelmail files</td>
</tr>
<tr>
  <td class="tableinfo">squirrelmail_spool_t</td>
  <td class="tableinfo">Content</td>
  <td class="tableinfo">Squirrelmail attachment location</td>
</tr>
<tr>
  <td class="tableinfo">httpd_sys_content_t</td>
  <td class="tableinfo">Content (templated)</td>
  <td class="tableinfo">
    Readable content for the webservers and system scripts, offered through 
    the system / packages.
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_sys_htaccess_t</td>
  <td class="tableinfo">Content (templated)</td>
  <td class="tableinfo">
    Label for the htaccess files, readable by the webserver but not from scripts
    or other webserver related domains.
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_sys_rw_content_t</td>
  <td class="tableinfo">Content (templated)</td>
  <td class="tableinfo">
    Read and writeable content for the webservers and system scripts (not user
    scripts). 
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_sys_ra_content_t</td>
  <td class="tableinfo">Content (templated)</td>
  <td class="tableinfo">
    Read and appendable content for the webservers and system scripts (not user
    scripts).
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_user_content_t</td>
  <td class="tableinfo">Content (templated)</td>
  <td class="tableinfo">
    Readable content for the webservers and user scripts, offered by (and
    writeable by) users.
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_user_htaccess_t</td>
  <td class="tableinfo">Content (templated)</td>
  <td class="tableinfo">
    Label for the htaccess files, readable by the webserver but not from scripts
    or other webserver related domains.
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_user_rw_content_t</td>
  <td class="tableinfo">Content (templated)</td>
  <td class="tableinfo">
    Read and writeable content for the webservers and user scripts (not system 
    scripts).
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_user_ra_content_t</td>
  <td class="tableinfo">Content (templated)</td>
  <td class="tableinfo">
    Read and appendable content for the webservers and user scripts (not system
    scripts).
  </td>
</tr>
<tr>
  <td class="tableinfo">httpd_php_tmp_t</td>
  <td class="tableinfo">Temporary Files</td>
  <td class="tableinfo">Temporary files from the PHP scripts</td>
</tr>
<tr>
  <td class="tableinfo">httpd_suexec_tmp_t</td>
  <td class="tableinfo">Temporary Files</td>
  <td class="tableinfo">Temporary files for the suexec domain</td>
</tr>
<tr>
  <td class="tableinfo">httpd_tmp_t<br>httpd_tmpfs_t</td>
  <td class="tableinfo">Temporary Files</td>
  <td class="tableinfo">Temporary files from the httpd domain</td>
</tr>

<tr>
  <td class="tableinfo">httpd_cache_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Web server cache</td>
</tr>
<tr>
  <td class="tableinfo">httpd_config_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Configuration files</td>
</tr>
<tr>
  <td class="tableinfo">httpd_lock_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Lock files</td>
</tr>
<tr>
  <td class="tableinfo">httpd_log_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Web server log files</td>
</tr>
<tr>
  <td class="tableinfo">httpd_modules_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Webserver modules</td>
</tr>
<tr>
  <td class="tableinfo">httpd_var_lib_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Webserver libraries</td>
</tr>
<tr>
  <td class="tableinfo">httpd_var_run_t</td>
  <td class="tableinfo"></td>
  <td class="tableinfo">Runtime files for httpd</td>
</tr>
</table>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>Using Apache</p>
<p class="secthead"><a name="doc_chap2_sect1">File Locations</a></p>
<p>
The policy offered only contains the right file context rules for the default
locations. If you deviate from these locations, you'll need to update the
contexts accordingly.
</p>
<p>
The following table provides an overview of common Apache settings (variables in
<span class="path" dir="ltr">httpd.conf</span>) that are often changed by end users, and the file
context each should have. If you use a different webserver, you'll need to
base the choice on the description instead.
</p>
<table class="ntable">
<tr>
  <td class="infohead"><b>Setting in httpd.conf</b></td>
  <td class="infohead"><b>Description</b></td>
  <td class="infohead"><b>Default Location</b></td>
  <td class="infohead"><b>File Context(s)</b></td>
</tr>
<tr>
  <td class="tableinfo">DocumentRoot</td>
  <td class="tableinfo">Location where web content is stored (html pages and such)</td>
  <td class="tableinfo">/srv/localhost/www</td>
  <td class="tableinfo">system_u:object_r:httpd_sys_content_t</td>
</tr>
<tr>
  <td class="tableinfo">Document</td>
  <td class="tableinfo">Location where CGI scripts are stored</td>
  <td class="tableinfo">/srv/localhost/cgi-bin</td>
  <td class="tableinfo">system_u:object_r:httpd_sys_script_exec_t</td>
</tr>
<tr>
  <td class="tableinfo">Directory</td>
  <td class="tableinfo">User home directory location where user-provided content is stored</td>
  <td class="tableinfo">/home/*/public_html</td>
  <td class="tableinfo">system_u:object_r:httpd_user_content_t</td>
</tr>
<tr>
  <td class="tableinfo">Directory</td>
  <td class="tableinfo">User home directory location where user-provided CGI scripts are stored</td>
  <td class="tableinfo">/home/*/public_html/cgi-bin</td>
  <td class="tableinfo">system_u:object_r:httpd_user_script_exec_t</td>
</tr>
</table>
<p>
If you use different locations, use the following commands to update the file
contexts accordingly:
</p>
<a name="doc_chap2_pre1"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.1: Updating file contexts</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">( Example for a different PORTDIR location, say /var/repo/portage; the
  "(/.*)?" suffix makes the rule cover the directory and everything below it )</span>
~# <span class="code-input">semanage fcontext -a -t portage_ebuild_t "/var/repo/portage(/.*)?"</span>
~# <span class="code-input">restorecon -R /var/repo/portage</span>
</pre></td></tr>
</table>
<p>
Don't forget that Portage uses subdirectories with different labels (think
distfiles or the repositories for the live ebuilds) so take care when
relabeling locations!
</p>
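<p>
The table above pairs each web location with the type it must carry; what goes wrong in
practice is that content copied into those locations keeps the label it had before
(<span class="code" dir="ltr">user_home_t</span>, <span class="code" dir="ltr">var_t</span>) and the webserver is denied. The
following Python script is an added example, not part of this documentation: it checks
<span class="code" dir="ltr">ls -Z</span>-style output against file-context rules that reproduce the four default
locations from the table plus one hypothetical custom DocumentRoot
(<span class="path" dir="ltr">/var/www/intranet</span>), reports every mislabeled path, and emits the
<span class="code" dir="ltr">semanage fcontext</span> and <span class="code" dir="ltr">restorecon</span> commands that would fix them. The sample
label lines are constructed, not captured from a real system.
</p>

```python
"""Audit web content labels against file-context rules and emit the commands
that would correct them.

Added example, not part of the Gentoo documentation. The rules reproduce
the four default locations from the table above plus one hypothetical
custom DocumentRoot; the `ls -Z`-style lines are constructed, not captured
from a real system.
"""
import re

# (regex, type, shipped-with-policy). Entries are ordered as in a
# file_contexts spec: when several entries match a path, the LAST one wins,
# which is also how SELinux resolves overlapping specifications.
FILE_CONTEXT_RULES = [
    (r"/srv/localhost/www(/.*)?", "httpd_sys_content_t", True),
    (r"/srv/localhost/cgi-bin(/.*)?", "httpd_sys_script_exec_t", True),
    (r"/home/[^/]+/public_html(/.*)?", "httpd_user_content_t", True),
    (r"/home/[^/]+/public_html/cgi-bin(/.*)?", "httpd_user_script_exec_t", True),
    # Hypothetical extra DocumentRoot that the shipped policy does not know.
    (r"/var/www/intranet(/.*)?", "httpd_sys_content_t", False),
]

# Constructed input in the shape of `ls -Z` output with absolute paths:
# security context, whitespace, path.
SAMPLE_LS_Z = """\
system_u:object_r:httpd_sys_content_t:s0 /srv/localhost/www/index.html
unconfined_u:object_r:user_home_t:s0 /srv/localhost/www/upload.php
system_u:object_r:httpd_sys_script_exec_t:s0 /srv/localhost/cgi-bin/form.cgi
unconfined_u:object_r:user_home_t:s0 /home/alice/public_html/index.html
unconfined_u:object_r:httpd_user_content_t:s0 /home/alice/public_html/cgi-bin/hello.cgi
system_u:object_r:var_t:s0 /var/www/intranet/index.html
"""


def context_type(context):
    """Third field of 'user:role:type[:level]'."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("malformed security context: %r" % context)
    return fields[2]


def winning_rule(path, rules=FILE_CONTEXT_RULES):
    """Rule that decides the label of `path` (last match wins), or None."""
    winner = None
    for rule in rules:
        if re.fullmatch(rule[0], path):
            winner = rule
    return winner


def expected_type(path, rules=FILE_CONTEXT_RULES):
    """Type the path should carry, or None when no rule covers it."""
    rule = winning_rule(path, rules)
    return None if rule is None else rule[1]


def parse_ls_z(text):
    """Yield (path, context) from context-then-path lines; skip blanks."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            context, path = line.split(None, 1)
            yield path, context


def audit(text, rules=FILE_CONTEXT_RULES):
    """Return [(path, actual_type, expected_type)] for mislabeled paths.
    Paths no rule covers are not reported: the policy has no opinion on them."""
    findings = []
    for path, context in parse_ls_z(text):
        want = expected_type(path, rules)
        have = context_type(context)
        if want is not None and have != want:
            findings.append((path, have, want))
    return findings


def fix_commands(findings, rules=FILE_CONTEXT_RULES):
    """Commands that correct the findings. A rule the shipped policy lacks
    must be registered with `semanage fcontext` first; restorecon then
    applies whatever the (now complete) rule set says."""
    commands = []
    for path, _have, _want in findings:
        pattern, setype, shipped = winning_rule(path, rules)
        if not shipped:
            cmd = 'semanage fcontext -a -t %s "%s"' % (setype, pattern)
            if cmd not in commands:
                commands.append(cmd)
        commands.append("restorecon -v %s" % path)
    return commands


if __name__ == "__main__":
    found = audit(SAMPLE_LS_Z)
    for path, have, want in found:
        print("%s is %s, expected %s" % (path, have, want))
    print("\n".join(fix_commands(found)))
```

<p>
Note the <span class="path" dir="ltr">public_html/cgi-bin</span> case: both the content rule and the
script rule match, and because the more specific rule comes last it wins, so a CGI script
still labeled <span class="code" dir="ltr">httpd_user_content_t</span> is reported. For the custom DocumentRoot
the script emits the <span class="code" dir="ltr">semanage fcontext</span> registration before the
<span class="code" dir="ltr">restorecon</span>; without that registration a relabel would simply reapply the
default (wrong) context.
</p>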
<p class="secthead"><a name="doc_chap2_sect2">Sharing Files</a></p>
<p>
The SELinux policy (as part of the <span class="code" dir="ltr">miscfiles</span> module) supports two
additional types: <span class="code" dir="ltr">public_content_t</span> and <span class="code" dir="ltr">public_content_rw_t</span>. These
are used for what are called <span class="emphasis">anonymous files</span>, which are readable by all
file-serving services. If all services only need to read from them,
<span class="code" dir="ltr">public_content_t</span> is used. If at least one service needs to write to them,
use <span class="code" dir="ltr">public_content_rw_t</span> and toggle the right SELinux boolean for the
domain that needs write access (<span class="code" dir="ltr">allow_DOMAIN_anon_write</span>).
</p>
<p>
For instance, if you have files that are shared by Apache, NFS, Samba, ... you
label these <span class="code" dir="ltr">public_content_t</span> (read-only) or <span class="code" dir="ltr">public_content_rw_t</span>
(read-write for some) and then toggle the appropriate booleans:
</p>
<a name="doc_chap2_pre2"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.2: Enable write access for the httpd_sys_script_t domain to the public_content_rw_t type</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">setsebool -P allow_httpd_sys_script_anon_write on</span>
</pre></td></tr>
</table>
<p class="secthead"><a name="doc_chap2_sect3">Booleans</a></p>
<p>
The <span class="code" dir="ltr">apache</span> module has several booleans which manipulate the allowed
permissions within your installation. The table below gives an overview of the
booleans, but also mentions which USE flags you <span class="emphasis">could</span> associate with it.
Note that the booleans are <span class="emphasis">not</span> linked to USE flags. However, if you have
set a particular USE flag for the webserver environment, then you might want to
toggle these booleans as well.
</p>
<table class="ntable">
<tr>
  <td class="infohead"><b>Boolean</b></td>
  <td class="infohead"><b>Description</b></td>
  <td class="infohead"><b>Gentoo USE flag suggestion</b></td>
</tr>
<tr>
  <td class="tableinfo">allow_httpd_anon_write</td>
  <td class="tableinfo">
    Allow the webserver to modify public files (labeled
    <span class="code" dir="ltr">public_content_rw_t</span>)
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">allow_httpd_sys_script_anon_write</td>
  <td class="tableinfo">
    Allow the system scripts to modify public files
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">allow_httpd_user_script_anon_write</td>
  <td class="tableinfo">
    Allow the user scripts to modify public files
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">allow_httpd_mod_auth_pam</td>
  <td class="tableinfo">
    Allow the webserver to use the auth_pam module
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_builtin_scripting</td>
  <td class="tableinfo">
    Needed when your webservers use internal scripting languages like PHP
    (languages that are read and interpreted by the webserver directly rather than
    called through separate processes like with CGI)
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_can_network_connect</td>
  <td class="tableinfo">
    Allow the webserver scripts and modules to connect to the network
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_can_network_connect_db</td>
  <td class="tableinfo">
    Allow the webserver scripts and modules to connect to databases over the
    network
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_can_network_relay</td>
  <td class="tableinfo">
    Allow webservers to act as a relay
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_can_sendmail</td>
  <td class="tableinfo">
    Allow webservers to send e-mails
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_dbus_avahi</td>
  <td class="tableinfo">
    Allow webservers to communicate with avahi service via dbus
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_enable_cgi</td>
  <td class="tableinfo">
    Allow webservers to call CGI scripts (labeled <span class="code" dir="ltr">httpd_sys_script_exec_t</span>
    or <span class="code" dir="ltr">httpd_user_script_exec_t</span>)
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_enable_ftp_server</td>
  <td class="tableinfo">
    Allow webservers to act as an FTP server by listening on the FTP ports
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_enable_homedirs</td>
  <td class="tableinfo">
    Allow webservers to read home directories (<span class="code" dir="ltr">user_home_t</span>). Not to be
    mistaken with <span class="code" dir="ltr">httpd_user_content_t</span>, which resides in the users' home
    directory but is labeled, well, <span class="code" dir="ltr">httpd_user_content_t</span> ;-)
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_ssi_exec</td>
  <td class="tableinfo">
    Allow webservers to run SSI executables in the same domain as the CGI
    scripts
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_tty_comm</td>
  <td class="tableinfo">
    Allow webservers to communicate with the terminal. This is needed when you
    have to enter a passphrase for a certificate at the terminal.
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_unified</td>
  <td class="tableinfo">
    When enabled, the various webserver content types (all types with the
    <span class="code" dir="ltr">httpdcontent</span> attribute) are no longer differentiated, but are all
    considered readable, writeable and executable by the webserver.
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_use_cifs</td>
  <td class="tableinfo">
    Allow webservers to access CIFS file systems
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_use_gpg</td>
  <td class="tableinfo">
    Allow webservers to run gpg
  </td>
  <td class="tableinfo"></td>
</tr>
<tr>
  <td class="tableinfo">httpd_use_nfs</td>
  <td class="tableinfo">
    Allow webservers to access NFS file systems
  </td>
  <td class="tableinfo"></td>
</tr>
</table>
<p>
If you want to toggle booleans, you can do so through <span class="code" dir="ltr">setsebool</span>:
</p>
<a name="doc_chap2_pre3"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.3: Enabling the httpd_enable_homedirs boolean</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
<span class="code-comment">( With the -P flag, the boolean state is persisted across reboots )</span>
~# <span class="code-input">setsebool -P httpd_enable_homedirs on</span>
</pre></td></tr>
</table>
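<p>
Because every boolean in the table above widens what the webserver domains may do, the
useful check is not "which booleans exist" but "which are on without a reason". The
following Python script is an added example, not part of this documentation: it parses
<span class="code" dir="ltr">getsebool -a</span> output, compares it with a set of booleans the deployment
actually needs, and produces the persistent <span class="code" dir="ltr">setsebool -P</span> calls that
switch off the unneeded ones and switch on the missing ones. The boolean descriptions are
condensed from the table; the <span class="code" dir="ltr">getsebool</span> output and the
<span class="code" dir="ltr">SITE_NEEDS</span> set are constructed for a hypothetical PHP site that serves
CGI and talks to a database over the network.
</p>

```python
"""Review apache-module booleans from `getsebool -a` against what a site needs.

Added example, not part of the Gentoo documentation. The boolean
descriptions are condensed from the table above; the getsebool output and
the SITE_NEEDS set are constructed for a hypothetical PHP site that serves
CGI and reaches a database over the network.
"""

# A subset of the booleans listed above, with what each grants when on.
APACHE_BOOLEANS = {
    "allow_httpd_anon_write": "webserver may write public_content_rw_t files",
    "allow_httpd_sys_script_anon_write": "system scripts may write public_content_rw_t files",
    "allow_httpd_user_script_anon_write": "user scripts may write public_content_rw_t files",
    "httpd_builtin_scripting": "in-process scripting languages such as PHP",
    "httpd_can_network_connect": "scripts and modules may connect anywhere on the network",
    "httpd_can_network_connect_db": "scripts and modules may reach databases over the network",
    "httpd_can_network_relay": "webserver may act as a relay",
    "httpd_can_sendmail": "webserver may send e-mail",
    "httpd_enable_cgi": "webserver may execute CGI scripts",
    "httpd_enable_homedirs": "webserver may read user_home_t content",
    "httpd_ssi_exec": "SSI executables run in the CGI script domain",
    "httpd_unified": "every httpdcontent type becomes read/write/exec for the webserver",
    "httpd_use_cifs": "webserver may access CIFS file systems",
    "httpd_use_nfs": "webserver may access NFS file systems",
}

# Constructed `getsebool -a` output (only apache-related lines shown).
SAMPLE_GETSEBOOL = """\
allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_unified --> on
httpd_use_nfs --> off
"""

# Hypothetical: what this deployment actually requires.
SITE_NEEDS = {"httpd_builtin_scripting", "httpd_enable_cgi",
              "httpd_can_network_connect_db"}


def parse_getsebool(text):
    """Map boolean name -> True/False from 'name --> on|off' lines."""
    state = {}
    for line in text.splitlines():
        if "-->" not in line:
            continue
        name, _, value = line.partition("-->")
        state[name.strip()] = value.strip() == "on"
    return state


def review(state, needs, known=APACHE_BOOLEANS):
    """Classify known booleans: enabled without a stated need ('disable'),
    needed but off ('enable'), and needs the system does not expose ('unknown')."""
    disable = sorted(n for n, on in state.items()
                     if on and n in known and n not in needs)
    enable = sorted(n for n in needs if n in state and not state[n])
    unknown = sorted(n for n in needs if n not in state)
    return {"disable": disable, "enable": enable, "unknown": unknown}


def setsebool_commands(result):
    """Persistent (-P) setsebool invocations implementing the review."""
    return (["setsebool -P %s off" % n for n in result["disable"]] +
            ["setsebool -P %s on" % n for n in result["enable"]])


def explain(result, known=APACHE_BOOLEANS):
    """Human-readable lines for the 'disable' findings."""
    return ["%s is on but not needed: %s" % (n, known[n])
            for n in result["disable"]]


if __name__ == "__main__":
    outcome = review(parse_getsebool(SAMPLE_GETSEBOOL), SITE_NEEDS)
    print("\n".join(explain(outcome)))
    print("\n".join(setsebool_commands(outcome)))
```

<p>
On the constructed input the review turns <span class="code" dir="ltr">httpd_can_network_connect</span> off
and <span class="code" dir="ltr">httpd_can_network_connect_db</span> on, which narrows the webserver from
"the network" to "databases over the network" as the table describes them, and it flags
<span class="code" dir="ltr">httpd_unified</span>, whose effect is to erase the read/write/execute distinctions
the content types in chapter 1 exist to provide.
</p>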
<p class="secthead"><a name="doc_chap2_sect4">Ports</a></p>
<p>
If you need to run the webserver on a non-default port, you can either mark this
port as an HTTP port (<span class="code" dir="ltr">http_port_t</span>) or create the appropriate rule to allow
it to bind to the specified port.
</p>
<p>
To mark a particular port (say 81) as an HTTP port, use <span class="code" dir="ltr">semanage</span>:
</p>
<a name="doc_chap2_pre4"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.4: Labeling port 81 as http_port_t</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
~# <span class="code-input">semanage port -a -t http_port_t -p tcp 81</span>
</pre></td></tr>
</table>
<p>
If you need to allow the webserver to bind on a port but are not allowed to
modify that port's type, you'll need to create a policy that allows the
<span class="code" dir="ltr">httpd_t</span> domain to bind to the particular port. For instance, to allow it
to bind on the SMTP port:
</p>
<a name="doc_chap2_pre5"></a><table class="ntable" width="100%" cellspacing="0" cellpadding="0" border="0">
<tr><td bgcolor="#7a5ada"><p class="codetitle">Code Listing2.5: Allow rules to allow httpd_t to bind on SMTP ports</p></td></tr>
<tr><td bgcolor="#eeeeff" align="left" dir="ltr"><pre>
allow httpd_t smtp_port_t:tcp_socket name_bind;
</pre></td></tr>
</table>
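<p>
Which of the two options applies depends on what <span class="code" dir="ltr">semanage port -l</span>
currently says about the port. The following Python script is an added example, not part of
this documentation: it parses that listing (including port ranges), tells whether
<span class="code" dir="ltr">httpd_t</span> can already bind, and otherwise emits either the
<span class="code" dir="ltr">semanage port -a</span> command for an unlabeled port or the allow rule for a port
owned by another type. The listing below is constructed and shortened.
</p>

```python
"""Decide how to let httpd_t bind a non-default port, following the two
options given above: label the port http_port_t, or add an allow rule when
the port already belongs to another type.

Added example, not part of the Gentoo documentation; the `semanage port -l`
output below is constructed and shortened.
"""

SAMPLE_SEMANAGE_PORT = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
smtp_port_t                    tcp      25, 465, 587
vnc_port_t                     tcp      5900-5999
"""


def parse_port_list(text):
    """Return [(type, proto, low, high)] from `semanage port -l` lines;
    single ports become (n, n), ranges 'a-b' become (a, b)."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].endswith("_t"):
            continue  # header, blank, or unexpected line
        setype, proto, ports = parts
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")
            entries.append((setype, proto, int(lo), int(hi or lo)))
    return entries


def port_type(port, proto, entries):
    """Type that currently owns (proto, port), or None if unlabeled."""
    for setype, eproto, lo, hi in entries:
        if eproto == proto and lo <= port <= hi:
            return setype
    return None


def plan_port(port, proto, entries, domain="httpd_t"):
    """(action, text): 'already' when the port is http_port_t; 'assign' with
    the semanage command when the port is unlabeled; 'policy' with the allow
    rule when the port is owned by a type that must not be changed."""
    owner = port_type(port, proto, entries)
    if owner == "http_port_t":
        return ("already", "")
    if owner is None:
        return ("assign", "semanage port -a -t http_port_t -p %s %d" % (proto, port))
    return ("policy", "allow %s %s:%s_socket name_bind;" % (domain, owner, proto))


if __name__ == "__main__":
    table = parse_port_list(SAMPLE_SEMANAGE_PORT)
    for p in (81, 25, 443):
        print(p, plan_port(p, "tcp", table))
```

<p>
The allow rule the script produces for port 25 is exactly Code Listing 2.5; it grants
<span class="code" dir="ltr">httpd_t</span> a bind on <span class="code" dir="ltr">smtp_port_t</span> without touching the port's
type, so the mail daemon's own permissions on that port are unaffected.
</p>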
<br><p class="copyright">
    The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
    Attribution / Share Alike</a> license.
  </p>
<!--
  <rdf:RDF xmlns="http://web.resource.org/cc/"
      xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
     <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
     <permits rdf:resource="http://web.resource.org/cc/Distribution" />
     <requires rdf:resource="http://web.resource.org/cc/Notice" />
     <requires rdf:resource="http://web.resource.org/cc/Attribution" />
     <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
     <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
  </License>
  </rdf:RDF>
--><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Updated June 2, 2011</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Within SELinux, the apache module is responsible for defining the
web server related domains and privileges. It is not tied to Apache, despite
its name.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  <a href="mailto:sven.vermeulen@siphos.be" class="altlink"><b>Sven Vermeulen</b></a>
<br><i>Author</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2011 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>