Re: Virtual http hosting and selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



"Dominick Grift wrote:"
> 
> 
> --===============1080715742==
> Content-Type: multipart/signed; micalg=pgp-sha1;
> 	protocol="application/pgp-signature"; boundary="llIrKcgUOe3dCx0c"
> Content-Disposition: inline
> 
> 
> --llIrKcgUOe3dCx0c
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> Content-Transfer-Encoding: quoted-printable
> 
> On Fri, Dec 04, 2009 at 06:45:39AM -0800, David Highley wrote:
> > "Dominick Grift wrote:"
> > >=20
> > >=20
> > > --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D0256136332=3D=3D
> > > Content-Type: multipart/signed; micalg=3Dpgp-sha1;
> > > 	protocol=3D"application/pgp-signature"; boundary=3D"Fig2xvG2VGoz8o/s"
> > > Content-Disposition: inline
> > >=20
> > >=20
> > > --Fig2xvG2VGoz8o/s
> > > Content-Type: text/plain; charset=3Dus-ascii
> > > Content-Disposition: inline
> > > Content-Transfer-Encoding: quoted-printable
> > >=20
> > > On Thu, Dec 03, 2009 at 08:35:56PM -0800, David Highley wrote:
> > > > A common virtual web hosting set up would be a web root directory
> > > > location with the following sub directories:
> > > > ftp
> > > > logs
> > > > pages
> > > > pages/cgi-bin
> > > >=3D20
> > > > Under ftp you would have all that is needed for a chroot ftp sandbox.
> > > > Since each virtual host would be a different user and or company how
> > > > does one change sebool httpd_unified to off and get it all to work wi=
> th
> > > > selinux?
> > >=20
> > > Well PHP needs httpd_unified but if you use CGI like perl or c or bash =
> or w=3D
> > > hatever then basically you would set httpd_enable_cgi and httpd_builtin=
> _scr=3D
> > > ipting booleans. Then label the locations with a proper type.
> >=20
> > I'm not sure the statement that PHP needs httpd_unified on is correct in
> > Fedora 12. I just finished doing some testing of Mythtv with this
> > setting turned off. I tested all TV recording, weather, and streaming
> > video available through the web interace and it all seems to be working
> > now. Granted there is a lot more to full backend Mythtv setup but it was
> > looking pretty good. Dan has put in two policy updates which should be
> > out pretty soon.
> >=20
> > I'm not done, but I also ran a quick test of squirrelmail with dovecot
> > for off site email access and that appears to be working. Squirrelmail
> > is all PHP.
> 
> Do your php scripts run with the httpd_sys_script_t or with the httpd_t typ=
> e?

I have not had to change any labels for the PHP files. When I look at
squirrelmail, ls -Z /usr/share/squirrelmail/class. I see:
system_u:object_r:usr_t:s0

For all files. I do have httpd_builtin_scripting turned on and
httpd_can_network_connect is on.

For Mythtv I need to change /usr/share/mythtvweb/mythweb.pl to
httpd_sys_script_exec_t and also /usr/share/mythtv/mythweather/scripts.
Last it needed /usr/mythweb/data to be httpd_sys_content_t and the
recording library storage area if you want to be able to stream video or
play with other video players.

> >=20
> > >=20
> > > for example:
> > >=20
> > > # ftp:
> > > /srv/ftproot(/.*)? public_content_rw_t
> > > setsebool -P allow_ftpd_anon_write on (allow ftpd to write to /srv/ftpr=
> oot
> > > setsebool -P allow_httpd_anon_write on (allow httpd to write to /srv/ft=
> proo=3D
> > > t) (for php/httpd unified)
> > > setsebool -P allow_httpd_sys_script_anon_write on (allow httpd system c=
> gi s=3D
> > > cripts to write to /srv/ftproot (other cgi)
> > >=20
> > > # logs
> > > /srv/www/logs(/.*)? httpd_sys_content_ra_t=3D20
> > >=20
> > > # static content
> > > /srv/www/html(/.*)? httpd_sys_content_t
> > >=20
> > > # cgi
> > > /srv/www/cgi-bin(/.*)? httpd_sys_script_exec_t
> > >=20
> > > The above is just an example. It may or may not be what you would want.
> > >=20
> > > >=3D20
> > > > --
> > > > fedora-selinux-list mailing list
> > > > fedora-selinux-list@xxxxxxxxxx
> > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > >=20
> > > --Fig2xvG2VGoz8o/s
> > > Content-Type: application/pgp-signature
> > > Content-Disposition: inline
> > >=20
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.10 (GNU/Linux)
> > >=20
> > > iEYEARECAAYFAksY2X4ACgkQMlxVo39jgT84SgCffFYU9S9JDB05qOuelRkKZgxR
> > > PO8AoKssSIRvpVYEuZXCZOYZUXd9SZ0r
> > > =3DnF/1
> > > -----END PGP SIGNATURE-----
> > >=20
> > > --Fig2xvG2VGoz8o/s--
> > >=20
> > >=20
> > > --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D0256136332=3D=3D
> > > Content-Type: text/plain; charset=3D"us-ascii"
> > > MIME-Version: 1.0
> > > Content-Transfer-Encoding: 7bit
> > > Content-Disposition: inline
> > >=20
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > --=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D0256136332=3D=3D--
> > >=20
> >=20
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> --llIrKcgUOe3dCx0c
> Content-Type: application/pgp-signature
> Content-Disposition: inline
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iEYEARECAAYFAksZI14ACgkQMlxVo39jgT9eaACgyrpSQQw1T+mq+YBpylkmK46G
> sTcAoJk0a7npKP8NHG5/ZkKzhXUp40WV
> =5+Ix
> -----END PGP SIGNATURE-----
> 
> --llIrKcgUOe3dCx0c--
> 
> 
> --===============1080715742==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> --===============1080715742==--
> 

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux