Add a TOC to aid navigation and convert to markdown. Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> --- src/apache_support.md | 79 ++++++++++++++++++------------------------- 1 file changed, 33 insertions(+), 46 deletions(-) diff --git a/src/apache_support.md b/src/apache_support.md index 8e8df1c..5c012cf 100644 --- a/src/apache_support.md +++ b/src/apache_support.md @@ -1,5 +1,8 @@ # Apache SELinux Support +- [*mod_selinux* Overview](#mod_selinux-overview) +- [Bounds Overview](#bounds-overview) + Apache web servers are supported by SELinux using the Apache policy modules from the Reference Policy (*httpd* modules), however there is no specific Apache object manger. There is though an SELinux-aware shared 
@@ -25,31 +28,20 @@ configuration details is available from: The objective of these Apache add-on services is to achieve a fully SELinux-aware web stack (although not there yet). For example, currently -the LAPP<a href="#fnap1" class="footnote-ref" id="fnaph1"><strong><sup>1</sup></strong></a> -(Linux, Apache, PostgreSQL, PHP / Perl / Python) stack has the following support: - -<table> -<tbody> -<tr> -<td>L</td> -<td>Linux has SELinux support.</td> -</tr> -<tr> -<td>A</td> -<td>Apache has partial SELinux support using the 'Apache SELinux Plus' module.</td> -</tr> -<tr> -<td>P</td> -<td>PostgreSQL has SELinux support using the PostgreSQL <em>sepgsql</em> extension .</td> -</tr> -<tr> -<td>P</td> -<td>PHP / Perl / Python are not currently SELinux-aware, however PHP and Python do have support for libselinux functions in packages: PHP - with the <em>php-pecl-selinux</em> package, Python - with the <em>libselinux-python</em> package.</td> -</tr> -</tbody> -</table> - -The [A secure web application platform powered by SELinux](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf) +the LAPP[^fn_as_1] (Linux, Apache, PostgreSQL, PHP / Perl / Python) +stack has the following support: + +**L** - Linux has SELinux support. + +**A** - Apache has partial SELinux support using the 'Apache SELinux Plus' module. + +**P** - PostgreSQL has SELinux support using the PostgreSQL *sepgsql* extension. + +**P** - PHP / Perl / Python are not currently SELinux-aware, however PHP +and Python do have support for libselinux functions in packages: PHP - with +the *php-pecl-selinux* package, Python - with the *libselinux-python* package. + +The "[A secure web application platform powered by SELinux](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf)" document gives a good overview of the LAPP architecture. ## *mod_selinux* Overview 
@@ -59,22 +51,20 @@ What the *mod_selinux* module achieves is to allow a web application context based on policy rather than that of the web server process itself, for example: -1. A user sends an HTTP request to Apache that requires the services of - a web application (Apache may or may not apply HTTP authentication). -2. Apache receives the request and launches the web application - instance to perform the task: -- Without *mod_selinux* enabled the web applications security context - is identical to the Apache web server process, it is therefore not - possible to restrict it privileges. - -- With *mod_selinux* enabled, the web application is launched with - the security context defined in the *mod_selinux.conf* file - (*selinuxDomainVal <security_context>* entry). It is also - possible to restrict its privileges as described in the - [Bounds Overview](#bounds-overview) section. - -3. The web application exits, handing control back to the web server - that replies with the HTTP response. +1. A user sends an HTTP request to Apache that requires the services of + a web application (Apache may or may not apply HTTP authentication). +2. Apache receives the request and launches the web application + instance to perform the task: + - Without *mod_selinux* enabled the web applications security context + is identical to the Apache web server process, it is therefore not + possible to restrict it privileges. + - With *mod_selinux* enabled, the web application is launched with + the security context defined in the *mod_selinux.conf* file + (*selinuxDomainVal \<security_context\>* entry). It is also + possible to restrict its privileges as described in the + [Bounds Overview](#bounds-overview) section. +3. The web application exits, handing control back to the web server + that replies with the HTTP response. ## Bounds Overview 
@@ -120,11 +110,8 @@ operation will be denied and an *SELINUX_ERR* entry will be added to the audit log stating *op=security_compute_av reason=bounds* with the context strings and the denied class and permissions. -<section class="footnotes"> -<ol> -<li id="fnap1"><p>This is similar to the LAMP (Linux, Apache, MySQL, PHP/Perl/Python) stack, however MySQL is not SELinux-aware.<a href="#fnaph1" class="footnote-back">↩</a></p></li> -</ol> -</section> +[^fn_as_1]: This is similar to the LAMP (Linux, Apache, MySQL, PHP/Perl/Python) +stack, however MySQL is not SELinux-aware. <!-- %CUTHERE% --> -- 2.26.2
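Review bot: In the first hunk (`@@ -1,5 +1,8 @@`), the new TOC link `[*mod_selinux* Overview](#mod_selinux-overview)` relies on the renderer stripping the emphasis markers from the heading `## *mod_selinux* Overview` when it generates the anchor id; pandoc does this, but other markdown engines may emit a different id, so verify the link resolves in the build that consumes this file. While the file is being converted, the visible typo "object manger" in the unchanged context could be corrected to "object manager" in the same change.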
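Review bot: In the second hunk (`@@ -25,31 +28,20 @@`), the retained URL `http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf` points at Google Code, which has been shut down, so the link is likely dead; confirm it still resolves or replace it with an archived copy. The conversion of the two-column HTML table into `**L** - ...` paragraphs reads fine, but a markdown table would preserve the letter/description structure the original table expressed; the removed stray space in "extension ." is a welcome drive-by fix.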
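Review bot: In the third hunk (`@@ -59,22 +51,20 @@`), the rewritten list lines still carry two grammatical slips from the original: "the web applications security context" should read "the web application's security context" and "restrict it privileges" should read "restrict its privileges"; since these lines are replaced anyway, fix them here. The two-space indentation of the nested `- Without` / `- With` items under step 2 is the right fix for the broken nesting, and escaping `\<security_context\>` correctly stops the angle brackets being parsed as an HTML tag.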
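Review bot: In the fourth hunk (`@@ -120,11 +110,8 @@`), the footnote definition `[^fn_as_1]:` wraps onto a second line (`stack, however MySQL is not SELinux-aware.`) that is not indented; pandoc accepts this as a lazy continuation, but indenting the continuation line by four spaces makes the footnote body unambiguous for renderers that do not. The definition id matches the `[^fn_as_1]` reference added in the second hunk, so the footnote will link correctly.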