Virtual http hosting and selinux

Dominick Grift domg472 at gmail.com
Fri Dec 4 14:57:35 UTC 2009


On Fri, Dec 04, 2009 at 06:45:39AM -0800, David Highley wrote:
> "Dominick Grift wrote:"
> > On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
> > > A common virtual web hosting set up would be a web root directory
> > > location with the following sub directories:
> > > ftp
> > > logs
> > > pages
> > > pages/cgi-bin
> > >
> > > Under ftp you would have all that is needed for a chroot ftp sandbox.
> > > Since each virtual host would be a different user and or company how
> > > does one change sebool httpd_unified to off and get it all to work with
> > > selinux?
> > 
> > Well PHP needs httpd_unified but if you use CGI like perl or c or bash or
> > whatever then basically you would set httpd_enable_cgi and
> > httpd_builtin_scripting booleans. Then label the locations with a proper type.
> 
> I'm not sure the statement that PHP needs httpd_unified on is correct in
> Fedora 12. I just finished doing some testing of Mythtv with this
> setting turned off. I tested all TV recording, weather, and streaming
> video available through the web interface and it all seems to be working
> now. Granted there is a lot more to full backend Mythtv setup but it was
> looking pretty good. Dan has put in two policy updates which should be
> out pretty soon.
> 
> I'm not done, but I also ran a quick test of squirrelmail with dovecot
> for off site email access and that appears to be working. Squirrelmail
> is all PHP.

Do your php scripts run with the httpd_sys_script_t or with the httpd_t type?
> 
> > 
> > for example:
> > 
> > # ftp:
> > /srv/ftproot(/.*)? public_content_rw_t
> > setsebool -P allow_ftpd_anon_write on (allow ftpd to write to /srv/ftproot)
> > setsebool -P allow_httpd_anon_write on (allow httpd to write to /srv/ftproot) (for php/httpd unified)
> > setsebool -P allow_httpd_sys_script_anon_write on (allow httpd system cgi scripts to write to /srv/ftproot) (other cgi)
> > 
> > # logs
> > /srv/www/logs(/.*)? httpd_sys_content_ra_t
> > 
> > # static content
> > /srv/www/html(/.*)? httpd_sys_content_t
> > 
> > # cgi
> > /srv/www/cgi-bin(/.*)? httpd_sys_script_exec_t
> > 
> > The above is just an example. It may or may not be what you would want.
> > 
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > 
> 
> 
> -- 
> 
> Regards,
> 
> David Highley
> Highley Recommended, Inc.       Phone: (206) 669-0081
> 2927 SW 339th Street            WEB: http://www.highley-recommended.com
> Federal Way, WA 98023-7732
> 
More information about the fedora-selinux-list mailing list
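
The labeling scheme from the quoted example, mapped onto the per-host layout in the original question (ftp, logs, pages, pages/cgi-bin), as an added example that is not part of the thread. The function name and the sample root `/srv/vhosts/example.com` are assumptions; the script only prints the commands, it does not run them.

```shell
#!/bin/sh
# Dry run: prints the labeling commands for one virtual host, runs nothing.
# Layout (ftp, logs, pages, pages/cgi-bin) and types are from the thread;
# the function name and the sample root below are made up for this example.

vhost_fcontext_cmds() {
    root=${1%/}
    # semanage fcontext takes a regular expression, so accept only a plain
    # absolute path and refuse anything that could widen the match.
    case $root in
        /*) ;;
        *) echo "error: root must be an absolute path" >&2; return 1 ;;
    esac
    case $root in
        *[!A-Za-z0-9/._-]*|*/../*|*/..)
            echo "error: unsupported characters in root" >&2; return 1 ;;
    esac
    # Escape dots so "example.com" does not also match "exampleXcom".
    re=$(printf '%s' "$root" | sed 's/\./\\./g')

    # The most specific path (cgi-bin) is emitted last.
    for pair in \
        "ftp:public_content_rw_t" \
        "logs:httpd_sys_content_ra_t" \
        "pages:httpd_sys_content_t" \
        "pages/cgi-bin:httpd_sys_script_exec_t"
    do
        sub=${pair%%:*}
        type=${pair##*:}
        printf "semanage fcontext -a -t %s '%s/%s(/.*)?'\n" "$type" "$re" "$sub"
    done
    printf "restorecon -R -v '%s'\n" "$root"
}

# Constructed sample virtual host root.
vhost_fcontext_cmds /srv/vhosts/example.com
```

The booleans discussed in the thread (httpd_enable_cgi, the anon_write settings) are system-wide and are set separately from these per-host labels.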