Diffstat (limited to 'mod_selinux.conf')
-rw-r--r--mod_selinux.conf92
1 files changed, 92 insertions, 0 deletions
diff --git a/mod_selinux.conf b/mod_selinux.conf
new file mode 100644
index 0000000..a1402a5
--- /dev/null
+++ b/mod_selinux.conf
@@ -0,0 +1,92 @@
+#
+# mod_selinux.conf
+# ----------------
+# Apache/SELinux plus configuration
+
+LoadModule selinux_module modules/mod_selinux.so
+
+selinuxServerDomain *:s0
+
+#
+# Example for the mapfile based configuration
+# -------------------------------------------
+#
+# <Directory "/var/www/html">
+# #
+# # HTTP Basic Authentication
+# #
+# AuthType Basic
+# AuthName "Secret Zone"
+# AuthUserFile /var/www/htpasswd
+# Require valid-user
+#
+# #
+# # SELinux domain/range mapping
+# #
+# SetEnvIf Remote_Addr "192.168.1.[0-9]+$" SELINUX_DOMAIN=*:s0:c1
+# SetEnvIf Remote_Addr "192.168.2.[0-9]+$" SELINUX_DOMAIN=*:s0:c2
+# selinuxDomainMap /var/www/mod_selinux.map
+# selinuxDomainEnv SELINUX_DOMAIN
+# selinuxDomainVal anon_webapp_t:SystemLow
+#
+# </Directory>
+
+#
+# Use Case: Virtual Host based separation
+# ---------------------------------------
+#
+# NameVirtualHost *:80
+#
+# <VirtualHost *:80>
+# DocumentRoot /var/www/html
+# ServerName dog.example.com
+# selinuxDomainVal *:s0:c1
+# </VirtualHost>
+#
+# <VirtualHost *:80>
+# DocumentRoot /var/www/html
+# ServerName cat.example.com
+# selinuxDomainVal *:s0:c2
+# </VirtualHost>
+
+#
+# Use Case: Authentication integration with RDBMS
+# -----------------------------------------------
+#
+# LoadModule dbd_module modules/mod_dbd.so
+# LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#
+# DBDriver pgsql
+# DBDParams "dbname=web user=apache"
+# # NOTE: Don't forget to install apr-util-pgsql package
+# # to connect PostgreSQL via mod_dbd.
+#
+# <Directory "/var/www/html">
+# # Digest authentication
+# # ---------------------
+# # AuthType Digest
+# # AuthName "Secret Zone"
+# # AuthDigestProvider dbd ... (4)
+# # AuthDBDUserRealmQuery \ ... (5)
+# # "SELECT md5(uname || ':' || $2 || ':' || upass), udomain, \
+# # %s=%s as dummy FROM uaccount WHERE uname = $1"
+#
+# # SELinux context mapping
+# # -----------------------
+# selinuxDomainEnv AUTHENTICATE_UDOMAIN ... (6)
+# selinuxDomainVal anon_webapp_t:SystemLow
+# </Directory>
+#
+# We assume the PostgreSQL works on local machine, and it allows
+# the apache user to connect the web database without passwords.
+# In addition, uaccount table should be defined as follows:
+#
+# CREATE TABLE uaccount (
+# uname TEXT PRIMARY KEY,
+# upass TEXT NOT NULL,
+# udomain TEXT
+# );
+# INSERT INTO uaccount VALUES ('foo', 'xxx', 'user_webapp_t:s0:c0');
+# INSERT INTO uaccount VALUES ('var', 'yyy', 'staff_webapp_t:s0:c1');
+# INSERT INTO uaccount VALUES ('baz', 'zzz', 'anon_webapp_t:s0:c2');
+#
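Review bot: The RDBMS example stores passwords in clear text: the `INSERT INTO uaccount` rows keep upass as a plain value and the AuthDBDUserRealmQuery computes md5(uname || ':' || $2 || ':' || upass) at lookup time, so anyone who can read the table holds reusable credentials. With mod_authn_dbd the digest is normally precomputed in the htdigest form md5(user:realm:password) and stored in place of the plaintext, which reduces the query to `SELECT upass, udomain FROM uaccount WHERE uname = $1` and leaves the udomain mapping unchanged. The markers `... (4)`, `... (5)` and `... (6)` after AuthDigestProvider, AuthDBDUserRealmQuery and selinuxDomainEnv point at footnotes that appear nowhere in this file; either add the notes or drop the markers. In the mapfile example the category is chosen from Remote_Addr, which is the TCP peer, so a comment such as `# NOTE: Remote_Addr is the TCP peer; behind a reverse proxy all requests carry the proxy address` would keep readers from relying on it for per-client separation.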