The best way to achieve this level of separation is to not use type transitions but category / MCS transitions. This acts a little like the sVirt implementation in the libvirt KVM stuff.
OK, the first thing you're going to need to do is download a httpd module called mod_selinux. It's been floating around in the Fedora repos for quite some time, but has never really made it into the EL6 systems unfortunately.
In any case, you can rebuild the package from Fedora sources. I did this on a Fedora machine but you can just download the same package from a mirror. I used F16 as a base as it runs httpd-2.2.
```
yumdownloader --source mod_selinux --releasever=16
...
mod_selinux-2.2.2454-3.fc15.src.rpm | 23 kB 00:00
```
Then when downloaded, rebuild on your EL6 box.
```
rpmbuild --rebuild mod_selinux-2.2.2454-3.fc15.src.rpm
...
Wrote: /home/build/rpmbuild/RPMS/x86_64/mod_selinux-2.2.2454-3.el6.x86_64.rpm
```
Finally install the module.
```
rpm -i /home/build/rpmbuild/RPMS/x86_64/mod_selinux-2.2.2454-3.el6.x86_64.rpm
```
The RPM installs a module for httpd which you'll need and also a policy for httpd which is also necessary for this to run. The file for this module is installed in /etc/httpd/conf.d/mod_selinux.conf.
The first stage in this process is to increase the number of categories that the main httpd process runs as, so that it can produce child threads that span the correct range. In the file change:
```
selinuxServerDomain *:s0
```
To
```
selinuxServerDomain *:s0-s0:c0.c1023
```
Now, you must assign each virtual host in apache a category. This is done by adding a line such as in the example below called selinuxDomainVal.
```
<VirtualHost *:80>
DocumentRoot /var/www/vhosts/host1
ServerName host1.virtual
selinuxDomainVal *:s0:c0
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/vhosts/host2
ServerName host2.virtual
selinuxDomainVal *:s0:c1
</VirtualHost>
```
Next, in the document root for each host, relabel their document roots to the same category as the ones labelled in the httpd config.
```
chcon -R -l s0:c0 /var/www/vhosts/host1
chcon -R -l s0:c1 /var/www/vhosts/host2
```
If you want to make the labelling get honoured if you do a system relabel, you'd better update the local policy too!
```
semanage fcontext -a -t httpd_sys_content_t -r s0-s0:c0 '/var/www/vhosts/host1(/.*)?'
semanage fcontext -a -t httpd_sys_content_t -r s0-s0:c1 '/var/www/vhosts/host2(/.*)?'
```
And that's it! It's impossible to leave your document root and go exploring in others now.
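The procedure above has two places where a category can silently go wrong: a `selinuxDomainVal` that reuses a category already given to another vhost (the two document roots become readable to each other again), and a category that lies outside the range set in `selinuxServerDomain`. The following script is an added example, not code from the answer or from the mod_selinux project. It parses configs written in exactly the syntax shown above (the `*:LEVEL` form of both directives), reports those two mistakes plus a vhost with no category at all, and generates the `chcon` and `semanage fcontext` commands from the vhost config so the file labels cannot drift from the process labels. The server-domain line and the three-vhost config are constructed sample input; the third host deliberately repeats `c1` so the check has something to report.

```python
"""Added example (not part of the original answer or of mod_selinux): parse
the two config edits described above, check the MCS category plan for
mistakes, and emit the matching relabel commands. Assumes the exact directive
syntax shown in the answer; both sample configs below are constructed."""
import re

# Constructed: selinuxServerDomain after the answer's edit.
MOD_SELINUX_CONF = "selinuxServerDomain *:s0-s0:c0.c1023\n"
# Constructed: the answer's two vhosts plus a third that reuses c1 on purpose.
VHOST_CONF = """
<VirtualHost *:80>
DocumentRoot /var/www/vhosts/host1
ServerName host1.virtual
selinuxDomainVal *:s0:c0
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/vhosts/host2
ServerName host2.virtual
selinuxDomainVal *:s0:c1
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/vhosts/host3
ServerName host3.virtual
selinuxDomainVal *:s0:c1
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$", re.M)

def level_of(value):
    """'*:LEVEL' ('*' = keep the current user:role:type) -> 'LEVEL'."""
    if not value.startswith("*:"):
        raise ValueError("expected '*:<level>', got %r" % value)
    return value[2:]

def category_set(level):
    """Categories of 's0:c1', 's0-s0:c0.c1023', 's0:c2,c4.c6' or 's0' as ints."""
    parts = level.split("-")[-1].split(":", 1)   # high end of a range wins
    cats = set()
    if len(parts) == 2:
        for item in parts[1].split(","):
            m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item.strip())
            if not m:
                raise ValueError("bad category spec %r" % item)
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            cats.update(range(lo, hi + 1))
    return cats

def parse_server_domain(conf):
    return re.search(r"^\s*selinuxServerDomain\s+(\S+)", conf, re.M).group(1)

def parse_vhosts(conf):
    """One dict per <VirtualHost> block that carries selinuxDomainVal."""
    hosts = []
    for body in VHOST_RE.findall(conf):
        d = dict(DIRECTIVE_RE.findall(body))
        if "selinuxDomainVal" in d:
            hosts.append({"name": d.get("ServerName", "?"),
                          "docroot": d["DocumentRoot"],
                          "level": level_of(d["selinuxDomainVal"])})
    return hosts

def check_isolation(server_conf, vhost_conf):
    """Return (problems, hosts): no category (vhost runs as plain s0), category
    outside the server domain's range, or category shared by two vhosts."""
    allowed = category_set(level_of(parse_server_domain(server_conf)))
    hosts = parse_vhosts(vhost_conf)
    problems, owner = [], {}
    for h in hosts:
        cats = category_set(h["level"])
        if not cats:
            problems.append("%s: no MCS category assigned" % h["name"])
            continue
        missing = sorted(cats - allowed)
        if missing:
            problems.append("%s: categories %s outside selinuxServerDomain"
                            % (h["name"], missing))
        for c in sorted(cats):
            if c in owner:
                problems.append("%s: category c%d already used by %s"
                                % (h["name"], c, owner[c]))
            else:
                owner[c] = h["name"]
    return problems, hosts

def relabel_commands(hosts):
    """chcon (now) and semanage fcontext (survives a relabel), per vhost."""
    cmds = []
    for h in hosts:
        lvl = h["level"]
        cmds.append("chcon -R -l %s %s" % (lvl, h["docroot"]))
        rng = lvl if "-" in lvl else "%s-%s" % (lvl.split(":", 1)[0], lvl)
        cmds.append("semanage fcontext -a -t httpd_sys_content_t -r %s '%s(/.*)?'"
                    % (rng, h["docroot"]))
    return cmds

if __name__ == "__main__":
    problems, hosts = check_isolation(MOD_SELINUX_CONF, VHOST_CONF)
    print("\n".join(["PROBLEM: " + p for p in problems] + relabel_commands(hosts)))
```

Run it against your real `/etc/httpd/conf.d/mod_selinux.conf` and vhost files by replacing the two constructed strings. Leaving `selinuxServerDomain` at its default `*:s0` is the case worth remembering: the parent then holds no categories, so every vhost is flagged as outside the range, which is the config-level symptom of forgetting the first edit.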
Best Answer
Well, I reached out to RedHat support and this was the answer I got.
He had me do the same steps, except for in the first semanage command, he had me do "/modevasive(/.*)?" instead of just "/modevasive". I haven't got an explanation why, but that solved the problem for me.