In the previous chapter, we manipulated the /etc/rc.d/init.d/httpd init script to use runcon in order for the web server to run with a limited clearance. But with the help of mod_selinux, this can be made configurable.
In order to start Apache with limited security clearance, follow the given steps:
1. Edit the Apache web server configuration file (httpd.conf) and add in the following code:

    <IfModule mod_selinux.c>
      selinuxServerDomain *:s0-s0:c0.c10
    </IfModule>

2. Undo the changes made to the service script in the previous chapter.

3. Restart the web server and confirm that it is running with the s0-s0:c0.c10 clearance by issuing the following commands:

    ~# /etc/rc.d/init.d/httpd restart
    ~# ps -efZ | grep httpd
    system_u:system_r:httpd_t:s0-s0:c0.c10 root   2838    1 0 13:14 ? 00:00:00 /usr/sbin/httpd
    system_u:system_r:httpd_t:s0-s0:c0.c10 apache 2840 2838 0 13:14 ? 00:00:00 /usr/sbin/httpd
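
The manual check in the last step can be scripted so that a process left outside the configured range is flagged instead of being overlooked in the ps listing. The following is an added example, not code from the book or from mod_selinux; the function names check_httpd_range and sample_ps_output are hypothetical, and the sample process lines are constructed.

```shell
#!/bin/sh
# Added example (not from the book): check the MLS range of every httpd process.
# Input : `ps -efZ` lines on stdin (LABEL UID PID PPID C STIME TTY TIME CMD ...)
# Arg 1 : expected range, i.e. the one set with selinuxServerDomain
# Status: 0 = all httpd processes match, 1 = mismatch found, 2 = no httpd seen
check_httpd_range() {
    awk -v want="$1" '
        # Field 9 is the command itself, so "grep httpd" and the header are skipped.
        $9 == "httpd" || $9 ~ /\/httpd$/ {
            seen++
            # A context is user:role:type[:range]; the range may contain colons,
            # so take everything after the third colon rather than field 4.
            n = split($1, p, ":")
            range = (n >= 4) ? substr($1, length(p[1] p[2] p[3]) + 4) : ""
            if (range != want) {
                bad++
                printf "MISMATCH pid=%s uid=%s type=%s range=%s\n", \
                       $3, $2, p[3], (range == "" ? "(none)" : range)
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: two processes in the expected range, one constructed
# stray worker with a wider range, and the grep process itself.
sample_ps_output() {
    cat <<'EOF'
LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:httpd_t:s0-s0:c0.c10 root 2838 1 0 13:14 ? 00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0-s0:c0.c10 apache 2840 2838 0 13:14 ? 00:00:00 /usr/sbin/httpd
system_u:system_r:httpd_t:s0-s0:c0.c1023 apache 2841 2838 0 13:14 ? 00:00:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2901 2700 0 13:15 pts/0 00:00:00 grep httpd
EOF
}

# Demonstration on the constructed sample; reports pid 2841 and status 1.
sample_ps_output | check_httpd_range 's0-s0:c0.c10'
echo "check_httpd_range exit status: $?"
# On a live system: ps -efZ | check_httpd_range 's0-s0:c0.c10'
```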