Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

13.4. Configuration examples

The following examples provide real-world demonstrations of how SELinux complements the Apache HTTP Server and how full function of the Apache HTTP Server can be maintained.

13.4.1. Running a static site

To create a static website, label the .html files for that website with the httpd_sys_content_t type. By default, the Apache HTTP Server cannot write to files that are labeled with the httpd_sys_content_t type. The following example creates a new directory to store files for a read-only website:
  1. Use the mkdir utility as root to create a top-level directory: 
    ~]# mkdir /mywebsite
  2. As root, create a /mywebsite/index.html file. Copy and paste the following content into /mywebsite/index.html: 
    <html>
<h2>index.html from /mywebsite/</h2>
</html>
  3. To allow the Apache HTTP Server read only access to /mywebsite/, as well as files and subdirectories under it, label the directory with the httpd_sys_content_t type. Enter the following command as root to add the label change to file-context configuration: 
    ~]# semanage fcontext -a -t httpd_sys_content_t "/mywebsite(/.*)?"
  4. Use the restorecon utility as root to make the label changes: 
    ~]# restorecon -R -v /mywebsite
restorecon reset /mywebsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /mywebsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
  5. For this example, edit the /etc/httpd/conf/httpd.conf file as root. Comment out the existing DocumentRoot option. Add a DocumentRoot "/mywebsite" option. After editing, these options should look as follows: 
    #DocumentRoot "/var/www/html"
DocumentRoot "/mywebsite"
  6. Enter the following command as root to see the status of the Apache HTTP Server. If the server is stopped, start it: 
    ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: inactive (dead)

    ~]# systemctl start httpd.service
    If the server is running, restart the service by executing the following command as root (this also applies any changes made to httpd.conf): 
    ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Wed 2014-02-05 13:16:46 CET; 2s ago

    ~]# systemctl restart httpd.service
  7. Use a web browser to navigate to http://localhost/index.html. The following is displayed: 
    index.html from /mywebsite/

13.4.2. Sharing NFS and CIFS volumes

By default, NFS mounts on the client side are labeled with a default context defined by policy for NFS volumes. In common policies, this default context uses the nfs_t type. Also, by default, Samba shares mounted on the client side are labeled with a default context defined by policy. In common policies, this default context uses the cifs_t type.
Depending on policy configuration, services may not be able to read files labeled with the nfs_t or cifs_t types. This may prevent file systems labeled with these types from being mounted and then read or exported by other services. Booleans can be enabled or disabled to control which services are allowed to access the nfs_t and cifs_t types.
Enable the httpd_use_nfs Boolean to allow httpd to access and share NFS volumes (labeled with the nfs_t type): 
~]# setsebool -P httpd_use_nfs on
Enable the httpd_use_cifs Boolean to allow httpd to access and share CIFS volumes (labeled with the cifs_t type): 
~]# setsebool -P httpd_use_cifs on

Note

Do not use the -P option if you do not want setsebool changes to persist across reboots.

13.4.3. Sharing files between services

Type Enforcement helps prevent processes from accessing files intended for use by another process. For example, by default, Samba cannot read files labeled with the httpd_sys_content_t type, which are intended for use by the Apache HTTP Server. Files can be shared between the Apache HTTP Server, FTP, rsync, and Samba, if the required files are labeled with the public_content_t or public_content_rw_t type.
The following example creates a directory and files, and allows that directory and files to be shared (read only) through the Apache HTTP Server, FTP, rsync, and Samba:
  1. Use the mkdir utility as root to create a new top-level directory to share files between multiple services: 
    ~]# mkdir /shares
  2. Files and directories that do not match a pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services: 
    ~]$ ls -dZ /shares
drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /shares
  3. As root, create a /shares/index.html file. Copy and paste the following content into /shares/index.html: 
    <html>
<body>
<p>Hello</p>
</body>
</html>
  4. Labeling /shares/ with the public_content_t type allows read-only access by the Apache HTTP Server, FTP, rsync, and Samba. Enter the following command as root to add the label change to file-context configuration: 
    ~]# semanage fcontext -a -t public_content_t "/shares(/.*)?"
  5. Use the restorecon utility as root to apply the label changes: 
    ~]# restorecon -R -v /shares/
restorecon reset /shares context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /shares/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
To share /shares/ through Samba:
  1. Confirm the samba, samba-common, and samba-client packages are installed (version numbers may differ): 
    ~]$ rpm -q samba samba-common samba-client
samba-3.4.0-0.41.el6.3.i686
samba-common-3.4.0-0.41.el6.3.i686
samba-client-3.4.0-0.41.el6.3.i686
    If any of these packages are not installed, install them by running the following command as root: 
    ~]# yum install package-name
  2. Edit the /etc/samba/smb.conf file as root. Add the following entry to the bottom of this file to share the /shares/ directory through Samba: 
    [shares]
comment = Documents for Apache HTTP Server, FTP, rsync, and Samba
path = /shares
public = yes
writable = no
  3. A Samba account is required to mount a Samba file system. Enter the following command as root to create a Samba account, where username is an existing Linux user. For example, smbpasswd -a testuser creates a Samba account for the Linux testuser user: 
    ~]# smbpasswd -a testuser
New SMB password: Enter a password
Retype new SMB password: Enter the same password again
Added user testuser.
    If you run the above command, specifying a user name of an account that does not exist on the system, it causes a Cannot locate Unix account for 'username'! error.
  4. Start the Samba service: 
    ~]# systemctl start smb.service
  5. Enter the following command to list the available shares, where username is the Samba account added in step 3. When prompted for a password, enter the password assigned to the Samba account in step 3 (version numbers may differ): 
    ~]$ smbclient -U username -L localhost
Enter username's password:
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Sharename       Type      Comment
---------       ----      -------
shares          Disk      Documents for Apache HTTP Server, FTP, rsync, and Samba
IPC$            IPC       IPC Service (Samba Server Version 3.4.0-0.41.el6)
username        Disk      Home Directories
Domain=[HOSTNAME] OS=[Unix] Server=[Samba 3.4.0-0.41.el6]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
  6. User the mkdir utility to create a new directory. This directory will be used to mount the shares Samba share: 
    ~]# mkdir /test/
  7. Enter the following command as root to mount the shares Samba share to /test/, replacing username with the user name from step 3: 
    ~]# mount //localhost/shares /test/ -o user=username
    Enter the password for username, which was configured in step 3.
  8. View the content of the file, which is being shared through Samba: 
    ~]$ cat /test/index.html
<html>
<body>
<p>Hello</p>
</body>
</html>
To share /shares/ through the Apache HTTP Server:
  1. Confirm the httpd package is installed (version number may differ): 
    ~]$ rpm -q httpd
httpd-2.2.11-6.i386
    If this package is not installed, use the yum utility as root to install it: 
    ~]# yum install httpd
  2. Change into the /var/www/html/ directory. Enter the following command as root to create a link (named shares) to the /shares/ directory: 
    html]# ln -s /shares/ shares
  3. Start the Apache HTTP Server: 
    ~]# systemctl start httpd.service
  4. Use a web browser to navigate to http://localhost/shares. The /shares/index.html file is displayed.
By default, the Apache HTTP Server reads an index.html file if it exists. If /shares/ did not have index.html, and instead had file1, file2, and file3, a directory listing would occur when accessing http://localhost/shares:
  1. Remove the index.html file: 
    ~]# rm -i /shares/index.html
  2. Use the touch utility as root to create three files in /shares/: 
    ~]# touch /shares/file{1,2,3}
~]# ls -Z /shares/
-rw-r--r--  root root system_u:object_r:public_content_t:s0 file1
-rw-r--r--  root root unconfined_u:object_r:public_content_t:s0 file2
-rw-r--r--  root root unconfined_u:object_r:public_content_t:s0 file3
  3. Enter the following command as root to see the status of the Apache HTTP Server: 
    ~]# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: inactive (dead)
    If the server is stopped, start it: 
    ~]# systemctl start httpd.service
  4. Use a web browser to navigate to http://localhost/shares. A directory listing is displayed:

13.4.4. Changing port numbers

Depending on policy configuration, services may only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy may result in the service failing to start. Use the semanage utility as the root user to list the ports SELinux allows httpd to listen on: 
~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
By default, SELinux allows httpd to listen on TCP ports 80, 443, 488, 8008, 8009, or 8443. If /etc/httpd/conf/httpd.conf is configured so that httpd listens on any port not listed for http_port_t, httpd fails to start.
To configure httpd to run on a port other than TCP ports 80, 443, 488, 8008, 8009, or 8443:
  1. Edit the /etc/httpd/conf/httpd.conf file as root so the Listen option lists a port that is not configured in SELinux policy for httpd. The following example configures httpd to listen on the 10.0.0.1 IP address, and on TCP port 12345: 
    # Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 10.0.0.1:12345
  2. Enter the following command as the root user to add the port to SELinux policy configuration: 
    ~]# semanage port -a -t http_port_t -p tcp 12345
  3. Confirm that the port is added: 
    ~]# semanage port -l | grep -w http_port_t
http_port_t                    tcp      12345, 80, 443, 488, 8008, 8009, 8443
If you no longer run httpd on port 12345, use the semanage utility as root to remove the port from policy configuration: 
~]# semanage port -d -t http_port_t -p tcp 12345