Monday, June 11, 2007

Setting Up SELinux httpd with tomcat and SVN modules

I have an IBM x342 server running CentOS 5. On this machine SELinux runs in "enforcing" mode with the "targeted" policy type, and I use it to manage the security around the httpd process. Apache httpd 2.2 is the entry point for all SVN (Subversion), Tomcat and static page requests.


Here are my configurations for httpd + svn (over SSL):

1) SVN repository: /var/svn/repository.

2) Changed the user/group ownership of the repository directory to "apache" (which is the user/group that owns the 'httpd' daemon)

3) Changed the security context of the svn repository as follows:
$ chcon -v -R -h -t public_content_rw_t /var/svn/repository/
$ ls -Z /var/svn/repository/
drwxr-xr-x apache apache system_u:object_r:public_content_rw_t:DefaultCategory conf
-- DefaultCategory is just an alias I gave to the s0 category.

4) Configured mod_ssl as follows:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


5) Configured dav_svn.conf as follows:
LoadModule dav_svn_module /usr/lib/httpd/modules/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/httpd/modules/mod_authz_svn.so
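# BASIC htpasswd authentication over SSL
# (the <Location> path below is a placeholder; use the URL path you serve the repository from)
<Location /svn>
DAV svn
SVNPath /var/svn/repository
SSLRequireSSL
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /etc/svn-auth-file
Require valid-user
</Location>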

I found SELinux to be a very interesting technology. I would strongly advise you to read the SELinux docs from Red Hat before you jump into configuring security contexts, policies and categories. You should also enable the "setroubleshootd" service: together with the X SELinux Troubleshooter, it is a *must* for debugging AVC denial errors.
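To illustrate the AVC debugging mentioned above, here is an added example (not part of the original post) that groups httpd_t denials from audit log text by target type and object class, which shows which files still carry a label httpd may not use. The sample log lines are constructed, and the function names parse_avc and summarize are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1181574000.101:41): avc:  denied  { write } for  pid=2301 comm="httpd" name="db" dev=sda3 ino=98310 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1181574000.105:42): avc:  denied  { add_name } for  pid=2301 comm="httpd" name="txn-current-lock" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1181574000.105:42): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1181574002.300:43): avc:  denied  { read } for  pid=2301 comm="httpd" name="svn-auth-file" dev=sda3 ino=65544 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1181574005.010:44): avc:  denied  { read } for  pid=3120 comm="smbd" name="x" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    src = fields.get("scontext", "").split(":")
    tgt = fields.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3 or "tclass" not in fields:
        return None  # malformed or truncated record
    # A context is user:role:type[:level]; the type is the third field.
    fields.update(perms=m.group(1).split(), stype=src[2], ttype=tgt[2])
    return fields

def summarize(log_text, source_type="httpd_t"):
    """Group denials for one source domain by (target type, object class)."""
    summary = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["stype"] != source_type:
            continue
        entry = summary[(rec["ttype"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        if "name" in rec:
            entry["names"].add(rec["name"])
    return dict(summary)

if __name__ == "__main__":
    for (ttype, tclass), e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"httpd_t -> {ttype}:{tclass} {sorted(e['perms'])} on {sorted(e['names'])}")
```

In the constructed sample, the repository directory still carries var_t rather than public_content_rw_t, so the write and add_name denials group under that type.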


I will add further information on how to configure httpd with the tomcat module (mod_jk) later on.
