#
# mod_selinux.conf
# ----------------
# Apache/SELinux plus configuration
LoadModule selinux_module modules/mod_selinux.so
selinuxServerDomain *:s0
#
# Example for the mapfile based configuration
# -------------------------------------------
#
# <Directory "/var/www/html">
# #
# # HTTP Basic Authentication
# #
# AuthType Basic
# AuthName "Secret Zone"
# AuthUserFile /var/www/htpasswd
# Require valid-user
#
# #
# # SELinux domain/range mapping
# #
# SetEnvIf Remote_Addr "192.168.1.[0-9]+$" SELINUX_DOMAIN=*:s0:c1
# SetEnvIf Remote_Addr "192.168.2.[0-9]+$" SELINUX_DOMAIN=*:s0:c2
# selinuxDomainMap /var/www/mod_selinux.map
# selinuxDomainEnv SELINUX_DOMAIN
# selinuxDomainVal anon_webapp_t:SystemLow
#
# </Directory>
#
# Use Case: Virtual Host based separation
# ---------------------------------------
#
# NameVirtualHost *:80
#
# <VirtualHost *:80>
# DocumentRoot /var/www/html
# ServerName dog.example.com
# selinuxDomainVal *:s0:c1
# </VirtualHost>
#
# <VirtualHost *:80>
# DocumentRoot /var/www/html
# ServerName cat.example.com
# selinuxDomainVal *:s0:c2
# </VirtualHost>
#
# Use Case: Authentication integration with RDBMS
# -----------------------------------------------
#
# LoadModule dbd_module modules/mod_dbd.so
# LoadModule authn_dbd_module modules/mod_authn_dbd.so
#
# DBDriver pgsql
# DBDParams "dbname=web user=apache"
# # NOTE: Don't forget to install apr-util-pgsql package
# # to connect to PostgreSQL via mod_dbd.
#
# <Directory "/var/www/html">
# # Digest authentication
# # ---------------------
# # AuthType Digest
# # AuthName "Secret Zone"
# # AuthDigestProvider dbd ... (4)
# # AuthDBDUserRealmQuery \ ... (5)
# # "SELECT md5(uname || ':' || $2 || ':' || upass), udomain, \
# # %s=%s as dummy FROM uaccount WHERE uname = $1"
#
# # SELinux context mapping
# # -----------------------
# selinuxDomainEnv AUTHENTICATE_UDOMAIN ... (6)
# selinuxDomainVal anon_webapp_t:SystemLow
# </Directory>
#
# We assume that PostgreSQL runs on the local machine, and that it allows
# the apache user to connect to the web database without a password.
# In addition, the uaccount table should be defined as follows:
#
# CREATE TABLE uaccount (
# uname TEXT PRIMARY KEY,
# upass TEXT NOT NULL,
# udomain TEXT
# );
# INSERT INTO uaccount VALUES ('foo', 'xxx', 'user_webapp_t:s0:c0');
# INSERT INTO uaccount VALUES ('var', 'yyy', 'staff_webapp_t:s0:c1');
# INSERT INTO uaccount VALUES ('baz', 'zzz', 'anon_webapp_t:s0:c2');
#