Installing and Configuring Apache Toolkit for Serviceguard for Linux

Access to the newly created directory or file is denied to Apache because Apache's default security
policy does not allow access to files with the security context set above, user_home_t.
To make these new directories and files accessible to Apache processes, change the security
context of the directory /home/www/site1 to Apache's default security context using the chcon
utility, as shown below.
The following example shows the steps to change the context for the Document Root. Use a similar
method to set the context of other Apache directories or files.
1. Determine the default security context of the Document Root, /var/www/html as follows:
#ls -aZ /var/www/html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
2. Change the security context of /home/www/site1 and its subdirectories and files to the
default security context determined above, using the chcon utility as follows:
#chcon -R system_u:object_r:httpd_sys_content_t /home/www/site1
You must set the right security context for all directories and files accessed by the Apache
processes.
When you copy Apache files from the default location to any other shared location, you must
use cp -c to preserve the security context. In this case, you need not change the security
context for the files, because these files inherit the security context from the source.
Note: You must set the appropriate security contexts for a package to be up and running. You must
set the right SELinux contexts to bring up the package successfully. View the SELinux audit
log, /var/log/messages, and ensure that there are no avc denial messages. These denial
messages are sometimes triggered by changes in the application. To fix these messages, you may
have to change the security policy apache.te, located at its default location.
For more information on security related topics while setting up the package, see the Red Hat
documentation website.
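One way to carry out the log check described in the note above, as an added example that is not part of the original guide: the shell function below summarises avc denial messages raised for httpd in a syslog-style file, grouped by permission, target type, class and object name. The sample log lines, the host name node1 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the syslog form of kernel AVC messages
# (not taken from a real system).
sample_log() {
cat <<'EOF'
Jan 10 10:01:02 node1 kernel: audit(1200000000.101:41): avc:  denied  { getattr } for  pid=2465 comm="httpd" name="index.html" dev=dm-0 ino=284133 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jan 10 10:01:05 node1 kernel: audit(1200000003.202:42): avc:  denied  { getattr } for  pid=2466 comm="httpd" name="index.html" dev=dm-0 ino=284133 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Jan 10 10:01:09 node1 kernel: audit(1200000007.303:43): avc:  denied  { search } for  pid=2465 comm="httpd" name="site1" dev=dm-0 ino=284100 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
Jan 10 10:02:00 node1 kernel: audit(1200000058.404:44): avc:  denied  { read } for  pid=3001 comm="smbd" name="notes.txt" dev=dm-0 ino=300001 scontext=user_u:system_r:smbd_t tcontext=user_u:object_r:user_home_t tclass=file
Jan 10 10:02:10 node1 httpd: server started
EOF
}

# httpd_avc_denials LOGFILE [COMM]
# Prints "count permission target_type class name" for each distinct denial.
httpd_avc_denials() {
    awk -v comm="${2:-httpd}" '
        /avc:/ && /denied/ {
            perm = ""; name = "-"; ttype = ""; tclass = ""; proc = ""
            # Permission set sits between the braces, e.g. { read write }
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
            }
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (!eq) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                gsub(/"/, "", v)
                if (k == "comm") proc = v
                else if (k == "name" || k == "path") name = v
                else if (k == "tclass") tclass = v
                else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
            }
            # Keep only denials raised for the requested process name
            if (proc == comm) seen[perm " " ttype " " tclass " " name]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$1" | sort
}

# Demo on the constructed sample; on a node, pass /var/log/messages instead.
log=$(mktemp)
sample_log > "$log"
httpd_avc_denials "$log"
rm -f "$log"
```

A target type of user_home_t in the output identifies objects that still need the chcon step shown earlier.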
AppArmor
Novell AppArmor is an access control system that enables you to specify, per program, which files
the program may read, write, and execute. AppArmor achieves mandatory access control by
assigning a profile per application, that is, a security policy that completely defines what system
resources an application can access, and with what privileges. Novell AppArmor is an integral part
of SLES10.
AppArmor profiles are human-readable text files that mediate access to files and directories as well
as determine what POSIX capabilities an application is allowed to have. Profiles are traditionally
stored in files in /etc/apparmor.d/ under filenames with the convention of replacing the / in
pathnames with . (except for the root /) so profiles are easier to manage (for example, the
/usr/sbin/httpd2-prefork profile would be named usr.sbin.httpd2-prefork). For more
information on using profiles, see the Novell documentation site.
An AppArmor profile for Apache is shipped with SLES. By default, the AppArmor profile for Apache
has permissions for accessing only the default file locations of Apache. If any change is made, such
as moving the DocumentRoot or ServerRoot of Apache from the local location to a non-default location, then
the Apache AppArmor profile needs to be updated with permissions for accessing these new directories
and all of the files in them.
For example:
To place the ServerRoot directory on a shared file system /shared/apache_1, copy all the files
from /etc/apache2/* to /shared/apache_1.