Use SELinux to protect your Apache

Source: Internet
Author: User

Your web server may well come under attack, but SELinux can be used to make sure your website does not suffer real harm when it does.

You can use SELinux types to define exactly what a service may do and where it may do it. By default, the httpd_sys_content_t type is assigned to /var/www, which tells SELinux that the httpd process may work in this directory. If attackers compromise the Apache web server and try to write data somewhere else, for example to /tmp, SELinux on Red Hat, Fedora, CentOS and similar distributions denies it by default. You do need to know what you are working with, though: if you configure Apache to serve content from a /data directory, SELinux will block that by default as well.

Many Linux administrators disable SELinux because these defaults can complicate things. Disabling SELinux does make it easier to get your server serving, but it also increases the security risk.

Set SELinux management for Apache

Setting up SELinux management for a service such as Apache is not difficult. The problem is that there is no simple graphical tool that lets you do it quickly. Still, it takes only three commands to configure.

To set the file type on the directory you want the service to access, you must first determine which SELinux type to use. To do this, run ls -ldZ on the directory the service uses by default.

For Apache, that is ls -ldZ /var/www. Here the -Z option prints the additional security attributes of the file, and the type component of that context (the part ending in _t) is the most important one. It shows the type the directory currently has, which for Apache is httpd_sys_content_t. This is also the type you need to set on the new document root.

Two commands can set the type on your content: chcon makes a temporary change, which is lost after a restart, and semanage fcontext makes a permanent change.

The semanage command looks complicated, but it is actually very simple: you only need to supply the type and the target directory you want to use. In the following example, those are the only two parameters you need to change.

semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"

After setting the default file type with semanage, use the restorecon command to make sure it is applied. In the preceding example, where the type of the /web directory is changed so that Apache can serve files from it, run the following command to apply the change:

restorecon -R -v /web

At this point, Apache will be able to serve files from the new, non-default document root.

Manage boolean values for SELinux

Another aspect of SELinux you need to manage is its Booleans. These are binary values that switch a particular feature on or off, and many services have them. Use the getsebool -a command to list the existing Booleans; it usually produces a long list of settings you can apply.

To find all the Booleans for the service you want to configure, pipe the output of getsebool -a through grep. For example, getsebool -a | grep http finds every Boolean whose name contains http. Even without a full understanding of every Boolean, you can usually tell from its name what it does.

Use getsebool -a to find out which SELinux Booleans can be used to modify the service's behavior:

[root@bia Desktop]# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off

Once you know which Boolean you want to change, apply it with setsebool -P. If you want Apache to use NFS, for example, run setsebool -P httpd_use_nfs on. For a complete list of all available Booleans, consult the httpd_selinux man page, which explains the Apache-specific file labels and Booleans.
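The two procedures above, reading the type off ls -ldZ output and relabeling a new document root, and then inspecting getsebool output before touching a Boolean, are easy to get subtly wrong (the fcontext regex must be quoted, and a Boolean name has to match exactly what getsebool prints). The script below is an added example, not part of the original article, and it works on constructed sample output so it runs on any system without SELinux tools installed; the semanage and restorecon commands are only printed, never executed. The sample ls -ldZ and getsebool lines and the /web directory are assumptions chosen to match the article.

```shell
#!/bin/sh
# Added example (not from the original article). Operates on constructed
# sample output so it runs without SELinux; real commands are only printed.

# Constructed sample: a `ls -ldZ /var/www` line as printed by newer coreutils
# (older releases omit link count, size and date; the parser copes with both).
SAMPLE_LS_Z='drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 6 Mar  1 12:00 /var/www'

# Constructed sample: a subset of `getsebool -a | grep httpd` output.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_use_nfs --> off
httpd_unified --> on'

# selinux_type: extract the type (the component ending in _t) from an ls -Z
# line. The context is the field of the form user:role_r:type:level, so it is
# located by shape rather than by position.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# label_commands: print the two commands that give a new document root the
# same type as /var/www. The regex is quoted so the shell cannot glob it,
# and a trailing slash on the directory is stripped so the pattern is clean.
label_commands() {
    dir=${1%/}
    ctx_type=${2:-httpd_sys_content_t}
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$ctx_type" "$dir"
    printf 'restorecon -R -v %s\n' "$dir"
}

# bool_state: look up one Boolean by exact name in getsebool output.
# Prints on, off, or unknown (a misspelled name such as http_use_nfs is
# reported as unknown instead of silently matching nothing).
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" '
        $1 == b && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# enabled_bools: list the Booleans that are currently on, i.e. the extra
# permissions httpd already has beyond the default confined policy.
enabled_bools() {
    printf '%s\n' "$1" | awk '$3 == "on" { print $1 }'
}

# Demonstration on the constructed samples.
echo "Type on /var/www: $(selinux_type "$SAMPLE_LS_Z")"
echo "Commands to relabel /web:"
label_commands /web
echo "httpd_use_nfs is: $(bool_state httpd_use_nfs "$SAMPLE_GETSEBOOL")"
echo "Booleans currently on:"
enabled_bools "$SAMPLE_GETSEBOOL"
```

On a real host, replace the two SAMPLE_ variables with the actual command output (for example SAMPLE_LS_Z=$(ls -ldZ /var/www)) and review the printed semanage and restorecon lines before running them; checking enabled_bools first shows which Booleans are already widening the policy, which is worth knowing before switching on another one.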

Original article: http://www.searchsv.com.cn/showcontent_53067.htm
