Changeset 34


Timestamp:
03/03/09 22:45:39 (5 years ago)
Author:
mdious
Message:
  • minor fixes.
Location:
community/trunk/Managing_Confined_Services/en-US
Files:
3 edited

  • community/trunk/Managing_Confined_Services/en-US/Apache_HTTP_Server.xml

    r32 r34  
    1616        </para> 
    1717        <para> 
    18                 In Fedora 11, the <package>httpd</package> package provides the Apache HTTP Server. Run the <command>rpm -q httpd</command> command to see if <package>httpd</package> is installed. If it is installed, the output is similar to the following (version number may differ): 
     18                In Fedora 11, the <package>httpd</package> package provides the Apache HTTP Server. Run <command>rpm -q httpd</command> to see if the <package>httpd</package> package is installed. If it is not installed and you want to use the Apache HTTP Server, run the following command as the root user to install it: 
    1919        </para> 
    2020         
    2121<screen> 
    22 $ rpm -q httpd 
    23 httpd-2.2.11-6.i386 
    24 </screen> 
    25         <para> 
    26                 If you want to use the Apache HTTP Server and the <package>httpd</package> package is not installed, run the following command as the Linux root user to install it: 
    27         </para> 
    28          
    29 <screen> 
    3022yum install httpd 
    3123</screen> 
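Review bot: dropping the `<screen>` with `$ rpm -q httpd` and `httpd-2.2.11-6.i386` (old lines 22-23) leaves the new sentence "Run rpm -q httpd to see if the httpd package is installed" with no example of what a positive result looks like, while the FTP.xml change in this same changeset adds exactly that command-plus-output pattern for vsftpd. Pick one pattern for both chapters: either keep the sample output here or drop it there as well.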
     
    3325                <title>The Apache HTTP Server and SELinux</title> 
    3426                <para> 
    35                         When SELinux is enabled, the Apache HTTP Server (<systemitem class="daemon">httpd</systemitem>) runs confined by default. Confined services run in their own domains, and are separated from other confined services. The following example demonstrates the <systemitem class="daemon">httpd</systemitem> process running in its own domain, and assumes the <package>httpd</package> package is installed: 
     27                        When SELinux is enabled, the Apache HTTP Server (<systemitem class="daemon">httpd</systemitem>) runs confined by default. Confined processes run in their own domains, and are separated from other confined processes. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited. The following example demonstrates the <systemitem class="daemon">httpd</systemitem> process running in its own domain. This example assumes the <package>httpd</package> package is installed: 
    3628                </para> 
    3729                <orderedlist> 
    3830                        <listitem> 
    3931                                <para> 
    40                                         Run the <command>getenforce</command> command to confirm SELinux is running in enforcing mode: 
     32                                        Run <command>getenforce</command> to confirm SELinux is running in enforcing mode: 
    4133                                </para> 
    4234                                 
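Review bot: the added sentence "If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited." is repeated word for word from Targeted_Policy.xml line 29, visible further down in this changeset. An xref to the Confined processes section would avoid two copies that can drift apart. The change from "Confined services" to "Confined processes" is the right correction, since it is the process domain that is confined.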
     
    5143                        <listitem> 
    5244                                <para> 
    53                                         Run the <command>service httpd start</command> command as the Linux root user to start <systemitem class="daemon">httpd</systemitem>: 
     45                                        Run <command>service httpd start</command> as the root user to start <systemitem class="daemon">httpd</systemitem>: 
    5446                                </para> 
    5547                                 
     
    6153                        <listitem> 
    6254                                <para> 
    63                                         Run the <command>ps -eZ | grep httpd</command> command to view the <systemitem class="daemon">httpd</systemitem> processes: 
     55                                        Run <command>ps -eZ | grep httpd</command> to view the <systemitem class="daemon">httpd</systemitem> processes: 
    6456                                </para> 
    6557                                 
     
    7769</screen> 
    7870                                <para> 
    79                                         The SELinux context associated with <systemitem class="daemon">httpd</systemitem> is <computeroutput>unconfined_u:system_r:httpd_t:s0</computeroutput>. The second last part of the context, <computeroutput>httpd_t</computeroutput>, is the type. A type defines a domain for processes and a type for files. In this case, the <systemitem class="daemon">httpd</systemitem> processes are running in the <computeroutput>httpd_t</computeroutput> domain. 
     71                                        The SELinux context associated with the <systemitem class="daemon">httpd</systemitem> processes is <computeroutput>unconfined_u:system_r:httpd_t:s0</computeroutput>. The second last part of the context, <computeroutput>httpd_t</computeroutput>, is the type. A type defines a domain for processes and a type for files. In this case, the <systemitem class="daemon">httpd</systemitem> processes are running in the <computeroutput>httpd_t</computeroutput> domain. 
    8072                                </para> 
    8173                        </listitem> 
    8274                </orderedlist> 
    8375                <para> 
    84                         SELinux policy defines how processes running in confined domains, for example, <computeroutput>httpd_t</computeroutput>, interact with files, other processes, and the system in general. Files must be labeled correctly to allow <systemitem class="daemon">httpd</systemitem> access to them. For example, <systemitem class="daemon">httpd</systemitem> can read files labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type, but can not write to them, even if Linux permissions allow write access. Booleans must be turned on to allow certain behavior, such as allowing scripts network access, allowing <systemitem class="daemon">httpd</systemitem> access to NFS and CIFS file systems, and <systemitem class="daemon">httpd</systemitem> being allowed to execute Common Gateway Interface (CGI) scripts. 
    85                 </para> 
    86                 <para> 
    87                         When <filename>/etc/httpd/conf/httpd.conf</filename> is configured so <systemitem class="daemon">httpd</systemitem> listens on a port other than TCP ports 80, 443, 488, 8008, 8009, or 8443, the <command>semanage port</command> command must be used to add the new port number to SELinux policy configuration. The following example demonstrates configuring <systemitem class="daemon">httpd</systemitem> to listen on a port that is not defined in SELinux policy, and <systemitem class="daemon">httpd</systemitem> failing to start as a consequence. This example assumes the <package>httpd</package> package is installed: 
     76                        SELinux policy defines how processes running in confined domains, such as <computeroutput>httpd_t</computeroutput>, interact with files, other processes, and the system in general. Files must be labeled correctly to allow <systemitem class="daemon">httpd</systemitem> access to them. For example, <systemitem class="daemon">httpd</systemitem> can read files labeled with the <computeroutput>httpd_sys_content_t</computeroutput> type, but can not write to them, even if Linux permissions allow write access. Booleans must be turned on to allow certain behavior, such as allowing scripts network access, allowing <systemitem class="daemon">httpd</systemitem> access to NFS and CIFS file systems, and <systemitem class="daemon">httpd</systemitem> being allowed to execute Common Gateway Interface (CGI) scripts. 
     77                </para> 
     78                <para> 
     79                        When <filename>/etc/httpd/conf/httpd.conf</filename> is configured so <systemitem class="daemon">httpd</systemitem> listens on a port other than TCP ports 80, 443, 488, 8008, 8009, or 8443, the <command>semanage port</command> command must be used to add the new port number to SELinux policy configuration. The following example demonstrates configuring <systemitem class="daemon">httpd</systemitem> to listen on a port that is not defined in SELinux policy configuration for <systemitem class="daemon">httpd</systemitem>, and, as a consequence, <systemitem class="daemon">httpd</systemitem> failing to start. This example assumes the <package>httpd</package> package is installed: 
    8880                </para> 
    8981                <orderedlist> 
    9082                        <listitem> 
    9183                                <para> 
    92                                         Run the <command>service httpd status</command> command to confirm <systemitem class="daemon">httpd</systemitem> is not running: 
     84                                        Run <command>service httpd status</command> to confirm <systemitem class="daemon">httpd</systemitem> is not running: 
    9385                                </para> 
    9486                                 
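Review bot: old lines 84-87 and new lines 76-79 differ mostly in indentation; the actual wording changes are "for example" to "such as" and the reworded last sentence, so most of this hunk is whitespace churn that hides the edit. While the paragraph is being touched, "can not write to them" should be "cannot". The rewritten clause "a port that is not defined in SELinux policy configuration for httpd, and, as a consequence, httpd failing to start" is heavier than the original; "a port that is not defined in SELinux policy for httpd, so httpd fails to start" says the same thing.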
     
    9890</screen> 
    9991                                <para> 
    100                                         If the output differs, run the <command>service httpd stop</command> command as the Linux root user to stop the process: 
     92                                        If the output differs, run <command>service httpd stop</command> as the root user to stop the process: 
    10193                                </para> 
    10294                                 
     
    108100                        <listitem> 
    109101                                <para> 
    110                                         Run <command>semanage port -l | grep -w http_port_t</command> as the Linux root user to view the ports SELinux allows <systemitem class="daemon">httpd</systemitem> to listen on: 
     102                                        Run <command>semanage port -l | grep -w http_port_t</command> as the root user to view the ports SELinux allows <systemitem class="daemon">httpd</systemitem> to listen on: 
    111103                                </para> 
    112104                                 
     
    118110                        <listitem> 
    119111                                <para> 
    120                                         Edit <filename>/etc/httpd/conf/httpd.conf</filename> as the Linux root user so the <option>Listen</option> option lists a port that is not configured in SELinux policy for <systemitem class="daemon">httpd</systemitem>: 
     112                                        Edit <filename>/etc/httpd/conf/httpd.conf</filename> as the root user. Configure the <option>Listen</option> option so it lists a port that is not configured in SELinux policy configuration for <systemitem class="daemon">httpd</systemitem>. In this example, <systemitem class="daemon">httpd</systemitem> is configured to listen on port 12345: 
    121113                                </para> 
    122114                                 
     
    126118# 
    127119#Listen 12.34.56.78:80 
    128 Listen 12345 
    129 </screen> 
    130                         </listitem> 
    131                         <listitem> 
    132                                 <para> 
    133                                         Run the <command>service httpd start</command> command as the Linux root user to start <systemitem class="daemon">httpd</systemitem>: 
     120Listen 127.0.0.1:12345 
     121</screen> 
     122                        </listitem> 
     123                        <listitem> 
     124                                <para> 
     125                                        Run the <command>service httpd start</command> command as the root user to start <systemitem class="daemon">httpd</systemitem>: 
    134126                                </para> 
    135127                                 
    136128<screen> 
    137129# service httpd start 
    138 Starting httpd: (13)Permission denied: make_sock: could not bind to address [::]:12345 
    139 (13)Permission denied: make_sock: could not bind to address 0.0.0.0:12345 
     130Starting httpd: (13)Permission denied: make_sock: could not bind to address 127.0.0.1:12345 
    140131no listening sockets available, shutting down 
    141 Unable to open logs 
    142                                                             [FAILED] 
     132Unable to open logs                                        [FAILED] 
    143133</screen> 
    144134                        </listitem> 
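Review bot: switching from `Listen 12345` to `Listen 127.0.0.1:12345` correctly changes the failure output to a single `make_sock` error for 127.0.0.1:12345 instead of the `[::]:12345` and `0.0.0.0:12345` pair, and binding the demonstration port to loopback is the right choice, since a port deliberately left out of policy should not be reachable beyond the host. Two follow-ups: the paragraph at new line 112 says only "listen on port 12345", so it should mention 127.0.0.1 to match the Listen line, and any later step that refers to this port needs checking so it uses the same address and port. Collapsing `[FAILED]` onto the "Unable to open logs" line (new line 132) is fine; that is how the init script output appears on a terminal.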
  • community/trunk/Managing_Confined_Services/en-US/FTP.xml

    r33 r34  
    2323        </para> 
    2424        <para> 
    25                 In Fedora 11, the <package>vsftpd</package> package provides the Very Secure FTP daemon. If you want an FTP server, and the <package>vsftpd</package> package is not installed, run the following command as the root user to install it: 
     25                In Fedora 11, the <package>vsftpd</package> package provides the Very Secure FTP daemon. Run <command>rpm -q vsftpd</command> to see if <package>vsftpd</package> is installed. If it is installed, the output is similar to the following (version number may differ): 
     26        </para> 
     27<screen> 
     28$ rpm -q vsftpd 
     29</screen> 
     30        <para> 
     31                If you want an FTP server and the <package>vsftpd</package> package is not installed, run the following command as the root user to install it: 
    2632        </para> 
    2733         
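Review bot: the new `<screen>` (new lines 27-29) shows only the command `$ rpm -q vsftpd` and no output line, yet the sentence before it promises "the output is similar to the following (version number may differ)". Add the package version line under the command, as the Apache chapter had with `httpd-2.2.11-6.i386` (which this same changeset removes), so the promise in the text is kept.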
  • community/trunk/Managing_Confined_Services/en-US/Targeted_Policy.xml

    r26 r34  
    2727                <title>Confined processes</title> 
    2828                <para> 
    29                         Almost every service that listens on a network is confined in Fedora 10. Also, most processes that run as the Linux root user and perform tasks for users, such as the <application>passwd</application> application, are confined. When a process is confined, it runs in its own domain, such as the <systemitem class="daemon">httpd</systemitem> process running in the <computeroutput>httpd_t</computeroutput> domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker&#39;s access to resources and the possible damage they can do is limited. 
     29                        Almost every service that listens on a network is confined in Fedora 10. Also, most processes that run as the root user and perform tasks for users, such as the <application>passwd</application> application, are confined. When a process is confined, it runs in its own domain, such as the <systemitem class="daemon">httpd</systemitem> process running in the <computeroutput>httpd_t</computeroutput> domain. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker&#39;s access to resources and the possible damage they can do is limited. 
    3030                </para> 
    3131                <para> 
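Review bot: new line 29 still says "confined in Fedora 10" while the Apache and FTP chapters edited in this same changeset say Fedora 11; the release should be updated here too or the chapters disagree about which release the guide describes. The "Linux root user" to "root user" change is consistent with the rest of the changeset.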
     
    5353                        <listitem> 
    5454                                <para> 
    55                                         As the Linux root user, run the <command>touch /var/www/html/testfile</command> command to create a file. 
     55                                        As the root user, run the <command>touch /var/www/html/testfile</command> command to create a file. 
    5656                                </para> 
    5757                        </listitem> 
     
    7373                        <listitem> 
    7474                                <para> 
    75                                         As the Linux root user, run the <command>service httpd start</command> command to start the <systemitem class="daemon">httpd</systemitem> process. The output is as follows if <systemitem class="daemon">httpd</systemitem> starts successfully: 
     75                                        As the root user, run the <command>service httpd start</command> command to start the <systemitem class="daemon">httpd</systemitem> process. The output is as follows if <systemitem class="daemon">httpd</systemitem> starts successfully: 
    7676                                </para> 
    7777                                 
     
    9999                        <listitem> 
    100100                                <para> 
    101                                         The <command>chcon</command> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <command>semanage</command> command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba: 
     101                                        The <command>chcon</command> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <command>semanage</command> command, which is discussed later. As the root user, run the following command to change the type to a type used by Samba: 
    102102                                </para> 
    103103                                <para> 
     
    125125                        <listitem> 
    126126                                <para> 
    127                                         As the Linux root user, run the <command>rm -i /var/www/html/testfile</command> command to remove <filename>testfile</filename>. 
    128                                 </para> 
    129                         </listitem> 
    130                         <listitem> 
    131                                 <para> 
    132                                         If you do not require <systemitem class="daemon">httpd</systemitem> to be running, as the Linux root user, run the <command>service httpd stop</command> command to stop <systemitem class="daemon">httpd</systemitem>: 
     127                                        As the root user, run the <command>rm -i /var/www/html/testfile</command> command to remove <filename>testfile</filename>. 
     128                                </para> 
     129                        </listitem> 
     130                        <listitem> 
     131                                <para> 
     132                                        If you do not require <systemitem class="daemon">httpd</systemitem> to be running, as the root user, run the <command>service httpd stop</command> command to stop <systemitem class="daemon">httpd</systemitem>: 
    133133                                </para> 
    134134                                 
     
    196196                        <listitem> 
    197197                                <para> 
    198                                         As the Linux root user, run the <command>touch /var/www/html/test2file</command> command to create a file. 
     198                                        As the root user, run the <command>touch /var/www/html/test2file</command> command to create a file. 
    199199                                </para> 
    200200                        </listitem> 
     
    216216                        <listitem> 
    217217                                <para> 
    218                                         The <command>chcon</command> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <command>semanage</command> command, which is discussed later. As the Linux root user, run the following command to change the type to a type used by Samba: 
     218                                        The <command>chcon</command> command relabels files; however, such label changes do not survive when the file system is relabeled. For permanent changes that survive a file system relabel, use the <command>semanage</command> command, which is discussed later. As the root user, run the following command to change the type to a type used by Samba: 
    219219                                </para> 
    220220                                <para> 
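Review bot: new line 218 repeats the chcon/semanage paragraph from line 101 verbatim, including "which is discussed later", so a reader of the second example is told twice that semanage is coming. If both examples need the reminder, a shorter second mention or an xref to the first avoids the duplicate.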
     
    237237</screen> 
    238238                                <para> 
    239                                         If the output differs, run the <command>service httpd stop</command> command as the Linux root user to stop the <systemitem class="daemon">httpd</systemitem> process: 
     239                                        If the output differs, run the <command>service httpd stop</command> command as the root user to stop the <systemitem class="daemon">httpd</systemitem> process: 
    240240                                </para> 
    241241                                 
     
    246246                        <listitem> 
    247247                                <para> 
    248                                         To make the <systemitem class="daemon">httpd</systemitem> process run unconfined, run the following command as the Linux root user to change the type of <filename>/usr/sbin/httpd</filename>, to a type that does not transition to a confined domain: 
     248                                        To make the <systemitem class="daemon">httpd</systemitem> process run unconfined, run the following command as the root user to change the type of <filename>/usr/sbin/httpd</filename>, to a type that does not transition to a confined domain: 
    249249                                </para> 
    250250                                <para> 
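Review bot: the comma in "change the type of /usr/sbin/httpd, to a type that does not transition to a confined domain" separates the verb from its object and should be dropped. Since this step deliberately makes httpd run unconfined, it would help to say here that the later `restorecon -v /usr/sbin/httpd` step (line 310) reverses it, so a reader working through the example does not leave the daemon unconfined.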
     
    262262                        <listitem> 
    263263                                <para> 
    264                                         As the Linux root user, run the <command>service httpd start</command> command to start the <systemitem class="daemon">httpd</systemitem> process. The output is as follows if <systemitem class="daemon">httpd</systemitem> starts successfully: 
     264                                        As the root user, run the <command>service httpd start</command> command to start the <systemitem class="daemon">httpd</systemitem> process. The output is as follows if <systemitem class="daemon">httpd</systemitem> starts successfully: 
    265265                                </para> 
    266266                                 
     
    308308                        <listitem> 
    309309                                <para> 
    310                                         The <command>restorecon</command> command restores the default SELinux context for files. As the Linux root user, run the <command>restorecon -v /usr/sbin/httpd</command> command to restore the default SELinux context for <filename>/usr/sbin/httpd</filename>: 
     310                                        The <command>restorecon</command> command restores the default SELinux context for files. As the root user, run the <command>restorecon -v /usr/sbin/httpd</command> command to restore the default SELinux context for <filename>/usr/sbin/httpd</filename>: 
    311311                                </para> 
    312312                                 
     
    324324                        <listitem> 
    325325                                <para> 
    326                                         As the Linux root user, run the <command>/sbin/service httpd restart</command> command to restart <systemitem class="daemon">httpd</systemitem>. After restarting, run the <command>ps -eZ | grep httpd</command> to confirm that <systemitem class="daemon">httpd</systemitem> is running in the confined <computeroutput>httpd_t</computeroutput> domain: 
     326                                        As the root user, run the <command>/sbin/service httpd restart</command> command to restart <systemitem class="daemon">httpd</systemitem>. After restarting, run the <command>ps -eZ | grep httpd</command> to confirm that <systemitem class="daemon">httpd</systemitem> is running in the confined <computeroutput>httpd_t</computeroutput> domain: 
    327327                                </para> 
    328328                                 
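Review bot: "run the `ps -eZ | grep httpd` to confirm" is missing the word "command" after the closing `</command>` tag; the pattern used everywhere else in this file is "run the <command>...</command> command". This is also the only step that spells the init script as `/sbin/service httpd restart` while the other steps use `service httpd ...`; one form should be used throughout.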
     
    344344                        <listitem> 
    345345                                <para> 
    346                                         As the Linux root user, run the <command>rm -i /var/www/html/test2file</command> command to remove <filename>test2file</filename>. 
    347                                 </para> 
    348                         </listitem> 
    349                         <listitem> 
    350                                 <para> 
    351                                         If you do not require <systemitem class="daemon">httpd</systemitem> to be running, as the Linux root user, run the <command>service httpd stop</command> command to stop <systemitem class="daemon">httpd</systemitem>: 
     346                                        As the root user, run the <command>rm -i /var/www/html/test2file</command> command to remove <filename>test2file</filename>. 
     347                                </para> 
     348                        </listitem> 
     349                        <listitem> 
     350                                <para> 
     351                                        If you do not require <systemitem class="daemon">httpd</systemitem> to be running, as the root user, run the <command>service httpd stop</command> command to stop <systemitem class="daemon">httpd</systemitem>: 
    352352                                </para> 
    353353                                 