Apache is configured by placing directives in plain text configuration files. The main configuration file is usually httpd.conf. When you compile Apache, you can indicate the location of this file. Directives can be placed in any of these configuration files to alter the way Apache behaves. When you make changes to the main configuration files, you need to start or restart Apache so the changes are recognized.
Virtual host directives control whether requests that contain trailing pathname information following an actual filename or that refer to a nonexistent file in an existing directory are accepted or rejected. For Apache documentation on virtual host directives, refer to http://httpd.apache.org/docs-2.2/mod/core.html#virtualhost.
The ChangeHat-specific configuration keyword is AADefaultHatName. It is used similarly to AAHatName, for example, AADefaultHatName My_Funky_Default_Hat.
The configuration option is actually based on a server directive, which enables you to use the keyword outside of other options, setting it for the default server. Virtual hosts are considered internally within Apache to be separate “servers,” so you can set a default hat name for the default server as well as one for each virtual host, if desired.
When a request comes in, the following steps reflect the sequence in which mod_apparmor attempts to apply hats.

1. A location or directory hat as specified by the AAHatName keyword
2. A hat named by the entire URI path
3. A default server hat as specified by the AADefaultHatName keyword
4. DEFAULT_URI (if none of those exist, it goes back to the “parent” Apache hat)
Location and directory directives specify hat names in the program's configuration file, so that the program switches into the hat that governs its security for that location or directory. For Apache, you can find documentation about the location and directory directives at http://httpd.apache.org/docs-2.2/sections.html.
The location directive example below specifies that, for a given location, mod_apparmor should use a specific hat:

    <Location /foo/>
        AAHatName MY_HAT_NAME
    </Location>

This tries to use MY_HAT_NAME for any URI beginning with /foo/ (/foo/, /foo/bar, /foo/cgi/path/blah_blah/blah, etc.).
The directory directive works similarly to the location directive, except it refers to a path in the file system as in the following example:

    # Note lack of trailing slash on the directory path
    <Directory "/srv/www/www.immunix.com/docs">
        AAHatName immunix.com
    </Directory>
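As an added illustration of the hat-selection order above and of the Location directive (example code written for this page, not part of mod_apparmor or this documentation), the following Python works out which hat a request URI would land in by trying each candidate, in the documented order, against the hats actually declared in a profile. It assumes a simplified prefix match for <Location> sections (the last matching section wins, following Apache's merge order) and uses a constructed profile and configuration embedded inline.

```python
import re

# Constructed AppArmor profile fragment; only the '^name {' hat headers matter here.
PROFILE = """
/usr/sbin/httpd2-prefork {
  ^phpsysinfo {
    /srv/www/htdocs/phpsysinfo/** r,
  }
  ^/status {
  }
  ^DEFAULT_URI {
  }
}
"""

# Constructed Apache configuration: a server-wide default plus two Location hats.
APACHE_CONF = """
AADefaultHatName My_Funky_Default_Hat
<Location "/phpsysinfo">
    AAHatName phpsysinfo
</Location>
<Location /foo/>
    AAHatName MY_HAT_NAME
</Location>
"""

def profile_hats(text):
    """Hat names declared as '^name {' (quotes optional) in the profile text."""
    return set(re.findall(r'^\s*\^"?([^"\s{]+)"?\s*\{', text, re.M))

def location_hats(conf):
    """(Location prefix, AAHatName) pairs in configuration order."""
    pat = re.compile(r'<Location\s+"?([^">\s]+)"?>\s*AAHatName\s+(\S+)\s*</Location>')
    return pat.findall(conf)

def default_hat(conf):
    m = re.search(r"^\s*AADefaultHatName\s+(\S+)", conf, re.M)
    return m.group(1) if m else None

def resolve_hat(uri, conf, profile):
    """Return (chosen hat, candidates tried) in the documented order: Location hat,
    hat named by the full URI, AADefaultHatName, DEFAULT_URI. A None hat means no
    candidate is declared, so mod_apparmor stays in the parent Apache hat."""
    candidates = []
    for loc, hat in location_hats(conf):  # later matching sections override earlier ones
        if uri == loc or uri.startswith(loc.rstrip("/") + "/"):  # assumed prefix match
            candidates = [hat]
    candidates += [uri] + ([default_hat(conf)] if default_hat(conf) else []) + ["DEFAULT_URI"]
    declared = profile_hats(profile)
    return next((c for c in candidates if c in declared), None), candidates
```

A request for /foo/bar falls all the way through to DEFAULT_URI here, because neither MY_HAT_NAME nor My_Funky_Default_Hat is declared in the profile; that is the kind of mismatch the audit log rejections described later reveal.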
Example: The program phpsysinfo is used below to illustrate a location directive. The tarball can be downloaded from http://phpsysinfo.sourceforge.com.
1. After downloading the tarball, install it into /srv/www/htdocs/phpsysinfo.

2. Create /etc/apache2/conf.d/phpsysinfo.conf and add the following text to it:

       <Location "/phpsysinfo">
           AAHatName phpsysinfo
       </Location>

3. The following hat should then work for phpsysinfo:

       /usr/sbin/httpd2-prefork {
         ...
         ^phpsysinfo {
           #include <abstractions/bash>
           #include <abstractions/nameservice>
           /bin/basename ixr,
           /bin/bash ixr,
           /bin/df ixr,
           /bin/grep ixr,
           /bin/mount Ux,
           /bin/sed ixr,
           /dev/bus/usb/ r,
           /dev/bus/usb/** r,
           /dev/null w,
           /dev/tty rw,
           /dev/urandom r,
           /etc/SuSE-release r,
           /etc/ld.so.cache r,
           /etc/lsb-release r,
           /etc/lsb-release.d/ r,
           /lib/ld-2.6.1.so ixr,
           /proc/** r,
           /sbin/lspci ixr,
           /srv/www/htdocs/phpsysinfo/** r,
           /sys/bus/pci/** r,
           /sys/bus/scsi/devices/ r,
           /sys/devices/** r,
           /usr/bin/cut ixr,
           /usr/bin/getopt ixr,
           /usr/bin/head ixr,
           /usr/bin/lsb_release ixr,
           /usr/bin/lsscsi ixr,
           /usr/bin/tr ixr,
           /usr/bin/who ixr,
           /usr/lib/lib*so* mr,
           /usr/lib/locale/** r,
           /usr/sbin/lsusb ixr,
           /usr/share/locale/** r,
           /usr/share/pci.ids r,
           /usr/share/usb.ids r,
           /var/log/apache2/access_log w,
           /var/run/utmp kr,
         }
       }

4. Reload Novell AppArmor profiles by entering rcapparmor restart at a terminal window as root.

5. Restart Apache by entering rcapache2 restart at a terminal window as root.

6. Enter http://hostname/phpsysinfo/ into a browser to receive the system information that phpsysinfo delivers.

7. Locate configuration errors by going to /var/log/audit/audit.log or running dmesg and looking for any rejections in the output.