Changeset 17
Timestamp:
02/22/09 23:38:55 (5 years ago)
Author:
mdious
Message:
  • minor content addition.
File:
1 edited

  • community/trunk/Managing_Confined_Services/en-US/Apache_HTTP_Server.xml

    r16 r17  
    281281                </para> 
    282282                <para> 
    283                         Use the <command>semanage fcontext</command> command to make label changes that survive a relabel and the <command>restorecon</command> command. This command adds changes to file-context configuration. Then, run the <command>restorecon</command> command, which reads file-context configuration, to make the label change. The following example demonstrates creating a new directory and an <filename>index.html</filename> file for use by <systemitem class="daemon">httpd</systemitem>, and persistently changing the label of that directory and file to allow <systemitem class="daemon">httpd</systemitem> access to them: 
     283                        Use the <command>semanage fcontext</command> command to make label changes that survive a relabel and the <command>restorecon</command> command. This command adds changes to file-context configuration. Then, run the <command>restorecon</command> command, which reads file-context configuration, to apply the label change. The following example demonstrates creating a new directory and an <filename>index.html</filename> file for use by <systemitem class="daemon">httpd</systemitem>, and persistently changing the label of that directory and file to allow <systemitem class="daemon">httpd</systemitem> access to them: 
    284284                </para> 
    285285                <orderedlist> 
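Review bot: "to apply the label change" is the right fix, but the sentence it sits in still reads ambiguously: "make label changes that survive a relabel and the <command>restorecon</command> command" can be parsed as restorecon being something the changes must survive, when the paragraph goes on to say restorecon is the command that applies them. Suggest "label changes that persist across a relabel, including one run by <command>restorecon</command>", and consider stating once here that <command>semanage fcontext</command> requires root, since step 4 and step 5 of the later section say so for each command individually.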
     
    308308                        <listitem> 
    309309                                <para> 
    310                                         Run <command>restorecon -R -v /my/</command> as the root user to make the label changes (<command>restorecon</command> reads file-context configuration, which was modified by the <command>semanage</command> command in step 2): 
     310                                        Run <command>restorecon -R -v /my/</command> as the root user to apply the label changes (<command>restorecon</command> reads file-context configuration, which was modified by the <command>semanage</command> command in step 2): 
    311311                                </para> 
    312312                                 
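Review bot: the parenthetical hard-codes "in step 2" as a plain-text cross-reference to another <listitem> in the same <orderedlist>; if an item is inserted or reordered the number silently goes stale. Suggest an <xref> to an id on that list item, or rewording to "which was modified by the preceding <command>semanage fcontext</command> command" so the sentence does not depend on list position. The wording change itself ("apply" for "make") matches the edit in the earlier paragraph and is consistent.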
     
    536536                        <title>Sharing files between services</title> 
    537537                        <para> 
    538                                 ... 
    539                         </para> 
     538                                Type Enforcement helps prevent processes from accessing files intended for use by another process. For example, by default, Samba can not read files labeled with the <computeroutput>httpd_sys_content_t</computeroutput>, which are intended for use by the Apache HTTP Server. Files can be shared between the Apache HTTP Server, FTP, rsync, and Samba, if the desired files are labeled with the <computeroutput>public_content_t</computeroutput> or <computeroutput>public_content_rw_t</computeroutput> type. 
     539                        </para> 
     540                        <para> 
     541                                The following example creates a directory and files, and allows that directory and files to be shared (read only) through the Apache HTTP Server, FTP, rsync, and Samba: 
     542                        </para> 
     543                        <orderedlist> 
     544                                <listitem> 
     545                                        <para> 
     546                                                Run <command>mkdir /shares</command> as the root user to create a new top-level directory to share files between multiple services. 
     547                                        </para> 
     548                                </listitem> 
     549                                <listitem> 
     550                                        <para> 
     551                                                Files and directories that do not match a pattern in file-context configuration may be labeled with the <computeroutput>default_t</computeroutput> type. This type is inaccessible to confined services: 
     552                                        </para> 
     553<screen> 
     554$ ls -dZ /shares 
     555drwxr-xr-x  root root unconfined_u:object_r:default_t:s0 /shares 
     556</screen> 
     557                                </listitem> 
     558                                <listitem> 
     559                                        <para> 
     560                                                As the root user, create a <filename>/shares/index.html</filename> file. Copy and paste the following content into <filename>/shares/index.html</filename>: 
     561                                        </para> 
     562<screen> 
     563&lt;html&gt; 
     564&lt;body&gt; 
     565&lt;p&gt;Hello&lt;/p&gt; 
     566&lt;/body&gt; 
     567&lt;/html&gt; 
     568</screen> 
     569                                </listitem> 
     570                                <listitem> 
     571                                        <para> 
     572                                                Labeling <filename>/shares/</filename> with the <computeroutput>public_content_t</computeroutput> type allows read-only access by the Apache HTTP Server, FTP, rsync, and Samba. Run the following command as the root user to add the label change to file-context configuration: 
     573                                        </para> 
     574<screen> 
     575semanage fcontext -a -t public_content_t "/shares(/.*)?" 
     576</screen> 
     577                                </listitem> 
     578                                <listitem> 
     579                                        <para> 
     580                                                Run <command>restorecon -R -v /shares/</command> as the root user to apply the label changes: 
     581                                        </para> 
     582<screen> 
     583# restorecon -R -v /shares/ 
     584restorecon reset /shares context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0 
     585restorecon reset /shares/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0 
     586</screen> 
     587                                </listitem> 
     588                        </orderedlist> 
    540589                </section> 
    541590 
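Review bot: the opening paragraph introduces <computeroutput>public_content_rw_t</computeroutput> alongside <computeroutput>public_content_t</computeroutput> but the example that follows is read-only and never says how the two differ or what else is needed before a service can write; a reader is left with the impression that relabeling alone grants shared write access. Either drop the rw type from this read-only section or add one sentence stating that it is for the write case and that additional per-service configuration is required (with a cross-reference to wherever that is documented). Two smaller points in the same hunk: "Samba can not read files labeled with the <computeroutput>httpd_sys_content_t</computeroutput>, which are" is missing the word "type" after the tag ("labeled with the ... type, which are") and "can not" should be "cannot"; and the <screen> in step 4 shows <command>semanage fcontext -a -t public_content_t "/shares(/.*)?"</command> without the "#" prompt that the step 5 <screen> uses, so the two root-only commands look different for no reason.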