1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
#
# mod_selinux.conf
# ----------------
# Apache/SELinux plus configuration
LoadModule selinux_module modules/mod_selinux.so
selinuxServerDomain *:s0
#
# Example for the mapfile based configuration
# -------------------------------------------
#
# <Directory "/var/www/html">
# #
# # HTTP Basic Authentication
# #
# AuthType Basic
# AuthName "Secret Zone"
# AuthUserFile /var/www/htpasswd
# Require valid-user
#
# #
# # SELinux domain/range mapping
# #
# SetEnvIf Remote_Addr "192.168.1.[0-9]+$" SELINUX_DOMAIN=*:s0:c1
# SetEnvIf Remote_Addr "192.168.2.[0-9]+$" SELINUX_DOMAIN=*:s0:c2
# selinuxDomainMap /var/www/mod_selinux.map
# selinuxDomainEnv SELINUX_DOMAIN
# selinuxDomainVal anon_webapp_t:SystemLow
#
# </Directory>
#
# Use Case: Virtual Host based separation
# ---------------------------------------
#
# NameVirtualHost *:80
#
# <VirtualHost *:80>
# DocumentRoot /var/www/html
# ServerName dog.example.com
# selinuxDomainVal *:s0:c1
# </VirtualHost>
#
# <VirtualHost *:80>
# DocumentRoot /var/www/html
# ServerName cat.example.com
# selinuxDomainVal *:s0:c2
# </VirtualHost>
#
# Use Case: Authentication integration with RDBMS
# -----------------------------------------------
#
# LoadModule dbd_module modules/mod_dbd.so
# LoadModule authn_dbd_module modules/mod_authn_dbd.so
#
# DBDriver pgsql
# DBDParams "dbname=web user=apache"
# # NOTE: Don't forget to install apr-util-pgsql package
# # to connect PostgreSQL via mod_dbd.
#
# <Directory "/var/www/html">
# # Digest authentication
# # ---------------------
# # AuthType Digest
# # AuthName "Secret Zone"
# # AuthDigestProvider dbd ... (4)
# # AuthDBDUserRealmQuery \ ... (5)
# # "SELECT md5(uname || ':' || $2 || ':' || upass), udomain, \
# # %s=%s as dummy FROM uaccount WHERE uname = $1"
#
# # SELinux context mapping
# # -----------------------
# selinuxDomainEnv AUTHENTICATE_UDOMAIN ... (6)
# selinuxDomainVal anon_webapp_t:SystemLow
# </Directory>
#
# We assume the PostgreSQL works on local machine, and it allows
# the apache user to connect the web database without passwords.
# In addition, uaccount table should be defined as follows:
#
# CREATE TABLE uaccount (
# uname TEXT PRIMARY KEY,
# upass TEXT NOT NULL,
# udomain TEXT
# );
# INSERT INTO uaccount VALUES ('foo', 'xxx', 'user_webapp_t:s0:c0');
# INSERT INTO uaccount VALUES ('var', 'yyy', 'staff_webapp_t:s0:c1');
# INSERT INTO uaccount VALUES ('baz', 'zzz', 'anon_webapp_t:s0:c2');
#
|
