Create Private Directory
Here we will make things a little more difficult: we are going to create our new directory outside the Apache default document root, which means we will need to handle the SELinux policy manually. We will get into the details of how to do that soon, but first let's create our new private directory.
$ mkdir /private
$ echo "<h1>Hello Private</h1>" > /private/index.html
Set file permissions.
$ chown root:root -R /private
$ chmod 755 /private
$ chmod 644 /private/index.html
Ok, here is where things get a little more complicated. Let's first have a look at the SELinux file context of the default document root.
$ ll -Zd /var/www/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/
$ ll -Zd /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
$ ll -Z /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
Ok, now we know how things should look. Let's see how things currently look in our new directory.
$ ll -Zd /private/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /private/
The first thing you should always try is restoring the default SELinux file contexts. Let's do that.
$ restorecon -RFv /private/
$ ll -Zd /private/
drwxr-xr-x. root root system_u:object_r:default_t:s0 /private/
$ ll -Z /private/index.html
-rw-r--r--. root root system_u:object_r:default_t:s0 /private/index.html
The type is still default_t, so the last part that is missing is a file context rule for /private. We can add one with semanage (policycoreutils-python package).
$ semanage fcontext -a -t httpd_sys_content_t '/private(/.*)?'
And to verify.
$ semanage fcontext -l | grep /private
/private(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
Now we only need to run restorecon on our new private directory.
$ restorecon -RFv /private
restorecon reset /private context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /private/index.html context system_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
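A way to audit the labels afterwards, as an added example that is not part of the original post: it reads `ls -Z` lines, keeps the paths covered by the '/private(/.*)?' rule, and reports any whose type is not httpd_sys_content_t. The function names and the sample listing are constructed for illustration, and paths containing spaces are not handled.

```sh
#!/bin/sh
# Added example: audit `ls -Z` output against the fcontext rule from the page.
RULE='/private(/.*)?'          # rule added with semanage fcontext above
WANT='httpd_sys_content_t'     # type Apache is allowed to read

# Print "type path" for one `ls -Z` line. The context is the field shaped
# user:role:type:level and the path is the last field.
label_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4 && c[3] ~ /_t$/) { print c[3], $NF; exit }
    }'
}

# Succeed when the path is covered by the rule. File context regexes are
# anchored at both ends, so /private2/... is NOT covered by this rule.
covered() {
    printf '%s\n' "$1" | grep -Eq "^(${RULE})\$"
}

# Read `ls -Z` lines on stdin; print "path type" for covered paths with the wrong type.
mislabeled() {
    while IFS= read -r line; do
        set -- $(label_of "$line")
        [ $# -eq 2 ] || continue
        covered "$2" || continue
        [ "$1" = "$WANT" ] || printf '%s %s\n' "$2" "$1"
    done
}

# Constructed sample listing. moved.html stands for a file brought in with mv,
# which keeps the label it had in its old location until restorecon is run.
SAMPLE='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /private/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /private/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /private/moved.html
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /private2/other.html'

printf '%s\n' "$SAMPLE" | mislabeled
```

On a live system, feed it real listings instead of the sample, for example `ls -Z /private | mislabeled`; any path it prints needs another `restorecon -RFv /private`.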
Configure Private Directory
Now let's begin by making our new private directory publicly accessible and testing it.
$ vi /etc/httpd/conf/httpd.conf
...
Alias /private/ "/private/"
<Directory "/private">
Order deny,allow
Deny from all
Allow from all
</Directory>
...
Restart Apache and test our new private directory. If things are not working, go back and fix them.
Now we are going to add user authentication, but before that you might want to install the Apache manual.
$ yum install httpd-manual
Here we will configure basic authentication backed by a file containing our user credentials.
LoadModule authn_file_module modules/mod_authn_file.so
<Directory "/private">
AuthType Basic
AuthName "Restricted Resource"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from all
</Directory>
To create the user credential (-c creates the file, -m stores the password as an MD5 hash):
$ htpasswd -cm /etc/httpd/.htpasswd bob
New password: <redhat>
Re-type new password: <redhat>
Adding password for user bob
And now finally restart and test your new private directory.