Selinux
Blueprints
First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
Blueprints
First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
Note Before using this information and the product it supports, read the information in “Notices” on page 17.
First Edition (August 2009) © Copyright IBM Corporation 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Introduction . . . . . . . . . . . . . v First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server . . . . . . . . . . . . . 1
Scope, requirements, and support Security-Enhanced Linux overview Access control: MAC and DAC SELinux basics. . . . . . SELinux and Apache . . . . Installing and running HTTPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1 1 2 5 5 HTTPD and context types . . . . . . . . . 5 HTTPD and SELinux Booleans . . . . . . . 8 Configuring HTTPD security using SELinux . . . . 9 Securing Apache (static content only) . . . . . 9 Hardening CGI scripts with SELinux . . . . . 12
Appendix. Related information and downloads . . . . . . . . . . . . . 15 Notices . . . . . . . . . . . . . . 17
Trademarks . . . . . . . . . . . . . . 18
© Copyright IBM Corp. 2009
iii
iv
Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
Introduction
This blueprint provides a brief introduction to basic Security-Enhanced Linux (SELinux) commands and concepts, including Boolean variables. In addition, the paper shows you how to increase the security of the Apache Web server with SELinux by using these concepts. Key tools and technologies discussed in this demonstration include security-enhanced Linux (SELinux), mandatory access control (MAC), getenforce, sestatus, getsebool, and setsebool.
Intended audience
This blueprint is intended
First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
Blueprints
First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
Note Before using this information and the product it supports, read the information in “Notices” on page 17.
First Edition (August 2009) © Copyright IBM Corporation 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Introduction . . . . . . . . . . . . . v First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server . . . . . . . . . . . . . 1
Scope, requirements, and support Security-Enhanced Linux overview Access control: MAC and DAC SELinux basics. . . . . . SELinux and Apache . . . . Installing and running HTTPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1 1 2 5 5 HTTPD and context types . . . . . . . . . 5 HTTPD and SELinux Booleans . . . . . . . 8 Configuring HTTPD security using SELinux . . . . 9 Securing Apache (static content only) . . . . . 9 Hardening CGI scripts with SELinux . . . . . 12
Appendix. Related information and downloads . . . . . . . . . . . . . 15 Notices . . . . . . . . . . . . . . 17
Trademarks . . . . . . . . . . . . . . 18
© Copyright IBM Corp. 2009
iii
iv
Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
Introduction
This blueprint provides a brief introduction to basic Security-Enhanced Linux (SELinux) commands and concepts, including Boolean variables. In addition, the paper shows you how to increase the security of the Apache Web server with SELinux by using these concepts. Key tools and technologies discussed in this demonstration include security-enhanced Linux (SELinux), mandatory access control (MAC), getenforce, sestatus, getsebool, and setsebool.
Intended audience
This blueprint is intended