Virtual http hosting and selinux

Dominick Grift domg472 at gmail.com
Fri Dec 4 09:42:23 UTC 2009


On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
> A common virtual web hosting set up would be a web root directory
> location with the following sub directories:
> ftp
> logs
> pages
> pages/cgi-bin
> 
> Under ftp you would have all that is needed for a chroot ftp sandbox.
> Since each virtual host would be a different user and or company how
> does one change sebool httpd_unified to off and get it all to work with
> selinux?

Well, PHP needs httpd_unified, but if you use CGI like Perl or C or bash or whatever, then basically you would set the httpd_enable_cgi and httpd_builtin_scripting booleans. Then label the locations with a proper type.

For example:

# ftp:
/srv/ftproot(/.*)? public_content_rw_t
setsebool -P allow_ftpd_anon_write on (allow ftpd to write to /srv/ftproot)
setsebool -P allow_httpd_anon_write on (allow httpd to write to /srv/ftproot) (for php/httpd unified)
setsebool -P allow_httpd_sys_script_anon_write on (allow httpd system cgi scripts to write to /srv/ftproot) (other cgi)

# logs
/srv/www/logs(/.*)? httpd_sys_content_ra_t

# static content
/srv/www/html(/.*)? httpd_sys_content_t

# cgi
/srv/www/cgi-bin(/.*)? httpd_sys_script_exec_t

The above is just an example. It may or may not be what you would want.

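The labeling scheme from the reply above, turned into a reviewable script. This is an added example, not code from the thread: it prints the semanage/setsebool commands that would persist those specs (a dry run, nothing is executed), and resolves which type a given path would receive from the spec list the way matchpathcon does (most specific regex wins). The /srv/www/html/uploads spec with httpd_sys_rw_content_t is a constructed addition to show the nested-spec rule; the other paths and types are the reply's own.

```shell
#!/bin/sh
# Added example (not from the original thread). Spec list in file_contexts
# form, "<regex> <type>", one per line. The uploads line is constructed to
# demonstrate how a more specific spec overrides its parent directory's type.
VHOST_SPECS='/srv/ftproot(/.*)? public_content_rw_t
/srv/www/logs(/.*)? httpd_sys_content_ra_t
/srv/www/html(/.*)? httpd_sys_content_t
/srv/www/html/uploads(/.*)? httpd_sys_rw_content_t
/srv/www/cgi-bin(/.*)? httpd_sys_script_exec_t'

# Print the commands that would persist the labels and booleans. Nothing is
# run here, so the plan can be reviewed before applying it as root.
vhost_plan() {
  printf '%s\n' "$VHOST_SPECS" | while read -r regex type; do
    printf 'semanage fcontext -a -t %s "%s"\n' "$type" "$regex"
  done
  # Booleans named in the reply: CGI + built-in scripting, plus anonymous
  # writes to the ftp root for ftpd, httpd and httpd system CGI scripts.
  printf 'setsebool -P %s on\n' httpd_enable_cgi httpd_builtin_scripting \
    allow_ftpd_anon_write allow_httpd_anon_write \
    allow_httpd_sys_script_anon_write
  printf 'restorecon -Rv /srv/ftproot /srv/www\n'
}

# Resolve the type a path would get from VHOST_SPECS: every spec whose regex
# matches the whole path is a candidate, and the longest (most specific)
# regex wins, mirroring matchpathcon's ordering. Falls back to the
# constructed marker "default_t" when no spec matches.
vhost_type_of() {
  printf '%s\n' "$VHOST_SPECS" | while read -r regex type; do
    if printf '%s\n' "$1" | grep -Eq "^${regex}\$"; then
      printf '%s %s\n' "${#regex}" "$type"
    fi
  done | sort -rn | { read -r _ t; printf '%s\n' "${t:-default_t}"; }
}
```

Run `vhost_plan` to see the commands, and `vhost_type_of /srv/www/html/uploads/a.png` to check which spec a path falls under before restorecon touches anything.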