-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | mod_selinux.conf | 92 | ||||
-rw-r--r-- | mod_selinux.spec | 170 |
3 files changed, 266 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1e65467
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,4 @@
+SRCDIR := $(shell pwd)
+NAME := $(shell basename $(SRCDIR))
+include ../common/Makefile
+
diff --git a/mod_selinux.conf b/mod_selinux.conf
new file mode 100644
index 0000000..a1402a5
--- /dev/null
+++ b/mod_selinux.conf
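Review bot: Both `$(shell …)` calls at the top of the new Makefile fork a process for values GNU make already has, and the unquoted `$(SRCDIR)` handed to `basename` word-splits on a checkout path containing whitespace; `SRCDIR := $(CURDIR)` and `NAME := $(notdir $(CURDIR))` yield the same value without a shell (the two forms can differ only when the working directory was entered through a symlink, since `pwd` reports the logical path). `../common/Makefile` is included unconditionally and is not part of this commit, so a checkout of this directory alone fails at parse time; a one-line comment such as `# shared rules live in the sibling common/ directory of the packaging tree` above the include would tell the next reader where it is expected to come from.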
@@ -0,0 +1,92 @@
+#
+# mod_selinux.conf
+# ----------------
+# Apache/SELinux plus configuration
+
+LoadModule selinux_module modules/mod_selinux.so
+
+selinuxServerDomain *:s0
+
+#
+# Example for the mapfile based configuration
+# -------------------------------------------
+#
+# <Directory "/var/www/html">
+# #
+# # HTTP Basic Authentication
+# #
+# AuthType Basic
+# AuthName "Secret Zone"
+# AuthUserFile /var/www/htpasswd
+# Require valid-user
+#
+# #
+# # SELinux domain/range mapping
+# #
+# SetEnvIf Remote_Addr "192.168.1.[0-9]+$" SELINUX_DOMAIN=*:s0:c1
+# SetEnvIf Remote_Addr "192.168.2.[0-9]+$" SELINUX_DOMAIN=*:s0:c2
+# selinuxDomainMap /var/www/mod_selinux.map
+# selinuxDomainEnv SELINUX_DOMAIN
+# selinuxDomainVal anon_webapp_t:SystemLow
+#
+# </Directory>
+
+#
+# Use Case: Virtual Host based separation
+# ---------------------------------------
+#
+# NameVirtualHost *:80
+#
+# <VirtualHost *:80>
+# DocumentRoot /var/www/html
+# ServerName dog.example.com
+# selinuxDomainVal *:s0:c1
+# </VirtualHost>
+#
+# <VirtualHost *:80>
+# DocumentRoot /var/www/html
+# ServerName cat.example.com
+# selinuxDomainVal *:s0:c2
+# </VirtualHost>
+
+#
+# Use Case: Authentication integration with RDBMS
+# -----------------------------------------------
+#
+# LoadModule dbd_module modules/mod_dbd.so
+# LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#
+# DBDriver pgsql
+# DBDParams "dbname=web user=apache"
+# # NOTE: Don't forget to install apr-util-pgsql package
+# # to connect PostgreSQL via mod_dbd.
+#
+# <Directory "/var/www/html">
+# # Digest authentication
+# # ---------------------
+# # AuthType Digest
+# # AuthName "Secret Zone"
+# # AuthDigestProvider dbd ... (4)
+# # AuthDBDUserRealmQuery \ ... (5)
+# # "SELECT md5(uname || ':' || $2 || ':' || upass), udomain, \
+# # %s=%s as dummy FROM uaccount WHERE uname = $1"
+#
+# # SELinux context mapping
+# # -----------------------
+# selinuxDomainEnv AUTHENTICATE_UDOMAIN ... (6)
+# selinuxDomainVal anon_webapp_t:SystemLow
+# </Directory>
+#
+# We assume the PostgreSQL works on local machine, and it allows
+# the apache user to connect the web database without passwords.
+# In addition, uaccount table should be defined as follows:
+#
+# CREATE TABLE uaccount (
+# uname TEXT PRIMARY KEY,
+# upass TEXT NOT NULL,
+# udomain TEXT
+# );
+# INSERT INTO uaccount VALUES ('foo', 'xxx', 'user_webapp_t:s0:c0');
+# INSERT INTO uaccount VALUES ('var', 'yyy', 'staff_webapp_t:s0:c1');
+# INSERT INTO uaccount VALUES ('baz', 'zzz', 'anon_webapp_t:s0:c2');
+#
diff --git a/mod_selinux.spec b/mod_selinux.spec
new file mode 100644
index 0000000..4505e37
--- /dev/null
+++ b/mod_selinux.spec
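Review bot: The `SetEnvIf Remote_Addr "192.168.1.[0-9]+$"` examples in the mapfile section are regular expressions, not address masks: there is no leading `^` and the dots are unescaped, so the pattern matches a substring of the address rather than the whole value, and it is the kind of line that gets copied into a live config unchanged. Writing them as `SetEnvIf Remote_Addr "^192\.168\.1\.[0-9]+$" SELINUX_DOMAIN=*:s0:c1` (and the same for the `c2` line) keeps the example honest. Since this value picks the SELinux category the request runs under, a comment next to the example such as `# Remote_Addr is the TCP peer; behind a reverse proxy it is the proxy, not the client` would save a deployment from mapping every request to one category.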
@@ -0,0 +1,170 @@
+%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
+%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)}}
+# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
+%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
+%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
+
+%define selinux_policy_types targeted mls
+
+Name: mod_selinux
+Version: 2.2.2454
+Release: 5%{?dist}
+Summary: Apache/SELinux plus module
+Group: System Environment/Daemons
+License: ASL 2.0
+URL: http://code.google.com/p/sepgsql/
+Source0: http://sepgsql.googlecode.com/files/%{name}-%{version}.tgz
+Source1: %{name}.conf
+BuildRequires: httpd-devel >= 2.2.0 libselinux-devel checkpolicy >= 2.0.19 policycoreutils selinux-policy-devel
+Requires: kernel >= 2.6.28 httpd >= 2.2.0 policycoreutils selinux-policy
+Requires: httpd-mmn = %{_httpd_mmn}
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+%description
+The Apache/SELinux plus is an extra module (mod_selinux.so) which enables
+to launch contents-handler (it means both of references to static contents
+and invocations of web applications) with individual and restrictive
+privileges set, based on http authentication.
+The mod_selinux.so generates a one-time worker thread for each request,
+and it assigns the worker restrictive domain based on the authentication
+prior to launching contents handlers.
+It means we can apply valid access controls on web-applications, and
+makes assurance operating system can prevent violated accesses, even if
+web application contains security bugs or vulnerabilities.
+
+%prep
+%setup -q
+
+%build
+# mod_selinux.so
+%{__make} %{?_smp_mflags} APXS=%{_httpd_apxs}
+
+# mod_selinux.pp
+for policy in %{selinux_policy_types}
+do
+ %{__make} NAME=${policy} -f %{?policy_devel_root}%{_datadir}/selinux/devel/Makefile
+ mv %{name}.pp %{name}.pp.${policy}
+done
+
+%install
+rm -rf %{buildroot}
+%{__install} -d %{buildroot}%{_libdir}/httpd/modules
+%{__install} -d %{buildroot}%{_datadir}/selinux
+
+%{__make} install DESTDIR=%{buildroot}
+
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+# httpd 2.4.x config
+sed -n /^LoadModule/p %{SOURCE1} > 10-mod_selinux.conf
+sed /^LoadModule/d %{SOURCE1} > mod_selinux.conf
+touch -r %{SOURCE1} *.conf
+install -Dp 10-mod_selinux.conf %{buildroot}%{_httpd_modconfdir}/10-mod_selinux.conf
+install -Dp mod_selinux.conf %{buildroot}%{_httpd_confdir}/mod_selinux.conf
+%else
+# httpd 2.2.x
+install -Dp -m 644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_selinux.conf
+%endif
+
+for policy in %{selinux_policy_types}
+do
+ %{__install} -d %{buildroot}%{_datadir}/selinux/${policy}
+ %{__install} -p -m 644 %{name}.pp.${policy} \
+ %{buildroot}%{_datadir}/selinux/${policy}/%{name}.pp
+done
+
+%clean
+rm -rf %{buildroot}
+
+%post
+/sbin/fixfiles -R %{name} restore || :
+
+for policy in %{selinux_policy_types}
+do
+ %{_sbindir}/semodule -s ${policy} \
+ -i %{_datadir}/selinux/${policy}/%{name}.pp 2>/dev/null || :
+done
+
+%postun
+# unload policy, if rpm -e
+if [ $1 -eq 0 ]; then
+ for policy in %{selinux_policy_types}
+ do
+ %{_sbindir}/semodule -s ${policy} -r %{name} 2>/dev/null || :
+ done
+fi
+
+%files
+%defattr(-,root,root,-)
+%doc LICENSE README
+%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
+%config(noreplace) %{_httpd_modconfdir}/*.conf
+%endif
+%config(noreplace) %{_httpd_confdir}/*.conf
+%{_libdir}/httpd/modules/%{name}.so
+%{_datadir}/selinux/*/%{name}.pp
+
+%changelog
+* Tue May 1 2012 Joe Orton <jorton@redhat.com> - 2.2.2454-5
+- packaging fixes (#803075)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.2454-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.2454-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Dec 4 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.2454-2
+- rebuild for the base policy of F-13
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.2015-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jun 11 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.2015-1
+- update: add support to use translated format in MLS-range
+
+* Wed May 27 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1938-1
+- bugfix: it may returns OK, instead of HTTP_INTERNAL_SERVER_ERROR,
+ when the contents handler crashed.
+
+* Fri May 22 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1930-1
+- rework: libselinux was dropped from explicit dependencies due to
+ http://fedoraproject.org/wiki/Packaging/Guidelines#Explicit_Requires
+
+* Tue May 19 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1904-1
+- bugfix: update Makefile to allow to build for 64bit architecture
+
+* Mon May 18 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1903-1
+- rework: add selinux_merge_conf()
+- rework: remove mod_authn_sepgsql, instead of documentation
+ to use mod_authn_dbd with pgsql driver.
+
+* Fri May 15 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1898-1
+- rework: mod_authn_sepgsql cleanups
+- update: README updates.
+
+* Wed May 13 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1884-1
+- rework: add mod_authn_sepgsql module
+- rework: directives were reorganized
+- rework: simultaneous usage with keep-alive
+
+* Fri Apr 17 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1817-1
+- bugfix: add kernel >= 2.6.28 because of typebounds feature
+
+* Thu Apr 16 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1803-1
+- rework: reverted to multi-threading design
+- bugfix: security policy didn't allow prosess:{setcurrent}
+
+* Wed Apr 15 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1800-1
+- rework: worker was redesigned to use a process, instead of thread,
+ on process_connection hook.
+- rework: "selinuxAllowCaches" and "selinuxAllowKeepAlive" were added.
+- rework: README was revised
+
+* Tue Apr 14 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1795-1
+- bugfix: install script didn't work correctly.
+- update: add some of inline source comments.
+- update: specfile improvement.
+
+* Sun Apr 12 2009 KaiGai Kohei <kaigai@ak.jp.nec.com> - 2.2.1792-1
+- Initial build |
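Review bot: In the httpd 2.4.x branch of `%install`, `install -Dp 10-mod_selinux.conf …` and `install -Dp mod_selinux.conf …` omit the mode that the 2.2.x branch passes, and GNU install defaults to 0755, so both config files under `conf.modules.d` and `conf.d` are shipped with the executable bit set; make them `install -Dp -m 644 10-mod_selinux.conf %{buildroot}%{_httpd_modconfdir}/10-mod_selinux.conf` and `install -Dp -m 644 mod_selinux.conf %{buildroot}%{_httpd_confdir}/mod_selinux.conf`. In `%post`, `/sbin/fixfiles -R %{name} restore` runs before the `semodule -s … -i` loop, so the relabel of the package's files happens against the file-context specs in force before the module is loaded; if the policy module carries file-context entries they would not take effect until the next relabel, and moving the fixfiles line below the `done` of the loop avoids that. The `%files` section hard-codes `%{_libdir}/httpd/modules/%{name}.so` although `_httpd_moddir` is defined at the top of the file for exactly that path, and a comment above the `2>/dev/null || :` on the semodule calls saying why a failed policy load is deliberately non-fatal would help the next packager.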