diff options
Diffstat (limited to 'mod_selinux.conf')
-rw-r--r-- | mod_selinux.conf | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/mod_selinux.conf b/mod_selinux.conf new file mode 100644 index 0000000..a1402a5 --- /dev/null +++ b/mod_selinux.conf @@ -0,0 +1,92 @@ +# +# mod_selinux.conf +# ---------------- +# Apache/SELinux plus configuration + +LoadModule selinux_module modules/mod_selinux.so + +selinuxServerDomain *:s0 + +# +# Example for the mapfile based configuration +# ------------------------------------------- +# +# <Directory "/var/www/html"> +# # +# # HTTP Basic Authentication +# # +# AuthType Basic +# AuthName "Secret Zone" +# AuthUserFile /var/www/htpasswd +# Require valid-user +# +# # +# # SELinux domain/range mapping +# # +# SetEnvIf Remote_Addr "192.168.1.[0-9]+$" SELINUX_DOMAIN=*:s0:c1 +# SetEnvIf Remote_Addr "192.168.2.[0-9]+$" SELINUX_DOMAIN=*:s0:c2 +# selinuxDomainMap /var/www/mod_selinux.map +# selinuxDomainEnv SELINUX_DOMAIN +# selinuxDomainVal anon_webapp_t:SystemLow +# +# </Directory> + +# +# Use Case: Virtual Host based separation +# --------------------------------------- +# +# NameVirtualHost *:80 +# +# <VirtualHost *:80> +# DocumentRoot /var/www/html +# ServerName dog.example.com +# selinuxDomainVal *:s0:c1 +# </VirtualHost> +# +# <VirtualHost *:80> +# DocumentRoot /var/www/html +# ServerName cat.example.com +# selinuxDomainVal *:s0:c2 +# </VirtualHost> + +# +# Use Case: Authentication integration with RDBMS +# ----------------------------------------------- +# +# LoadModule dbd_module modules/mod_dbd.so +# LoadModule authn_dbd_module modules/mod_authn_dbd.so +# +# DBDriver pgsql +# DBDParams "dbname=web user=apache" +# # NOTE: Don't forget to install apr-util-pgsql package +# # to connect PostgreSQL via mod_dbd. +# +# <Directory "/var/www/html"> +# # Digest authentication +# # --------------------- +# # AuthType Digest +# # AuthName "Secret Zone" +# # AuthDigestProvider dbd ... (4) +# # AuthDBDUserRealmQuery \ ... (5) +# # "SELECT md5(uname || ':' || $2 || ':' || upass), udomain, \ +# # %s=%s as dummy FROM uaccount WHERE uname = $1" +# +# # SELinux context mapping +# # ----------------------- +# selinuxDomainEnv AUTHENTICATE_UDOMAIN ... (6) +# selinuxDomainVal anon_webapp_t:SystemLow +# </Directory> +# +# We assume the PostgreSQL works on local machine, and it allows +# the apache user to connect the web database without passwords. +# In addition, uaccount table should be defined as follows: +# +# CREATE TABLE uaccount ( +# uname TEXT PRIMARY KEY, +# upass TEXT NOT NULL, +# udomain TEXT +# ); +# INSERT INTO uaccount VALUES ('foo', 'xxx', 'user_webapp_t:s0:c0'); +# INSERT INTO uaccount VALUES ('var', 'yyy', 'staff_webapp_t:s0:c1'); +# INSERT INTO uaccount VALUES ('baz', 'zzz', 'anon_webapp_t:s0:c2'); +# |