- log notice giving SELinux context at startup if enabled
- drop SSLv2 and restrict default cipher suite in default SSL configuration
This commit is contained in:
parent
2a6347c8db
commit
9d36ace72f
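--- a/httpd-2.0.54-selinux.patch
+++ b/httpd-2.0.54-selinux.patch
@@ -0,0 +1,52 @@
+
+If SElinux is enabled, log the context on startup.
+
+--- httpd-2.0.54/server/core.c.selinux
++++ httpd-2.0.54/server/core.c
+@@ -50,6 +50,8 @@
+#include "mod_proxy.h"
+#include "ap_listen.h"
+
++#include <selinux/selinux.h>
++
+/* LimitRequestBody handling */
+#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+@@ -4337,6 +4339,26 @@
+}
+#endif
+
++ {
++ static int already_warned = 0;
++ int is_enabled = is_selinux_enabled() > 0;
++
++ if (is_enabled) {
++ security_context_t con;
++
++ if (getcon(&con) == 0) {
++
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "SELinux policy enabled; "
++ "httpd running as context %s", con);
++
++ already_warned = 1;
++
++ freecon(con);
++ }
++ }
++ }
++
+return OK;
+}
+
+--- httpd-2.0.54/configure.in.selinux
++++ httpd-2.0.54/configure.in
+@@ -294,6 +294,8 @@
+timegm \
+)
+
++AC_SEARCH_LIBS(is_selinux_enabled, selinux)
++
+dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
+AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff,
+[AC_TRY_COMPILE([#include <sys/types.h>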
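Review bot: `already_warned` in the core.c hunk is assigned but never read, so the once-only guard its name implies is missing and the SELinux notice is emitted on every pass through this block (presumably every startup and restart); either test it before logging, `if (!already_warned && getcon(&con) == 0) {`, or drop the variable. The header is also pulled in unconditionally with `#include <selinux/selinux.h>` while configure.in only does `AC_SEARCH_LIBS(is_selinux_enabled, selinux)`, so a build without the libselinux headers fails at compile time instead of falling back; pairing it with `AC_CHECK_HEADERS([selinux/selinux.h])` and wrapping the include and the block in `#ifdef HAVE_SELINUX_SELINUX_H` would keep the feature optional. A failing `getcon()` is skipped silently; a debug-level `ap_log_error` there would explain a missing context line when it is expected in the log. The enclosing function starts outside the hunk; only its `return OK;` and closing brace are visible.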
11
httpd.spec
11
httpd.spec
@ -7,7 +7,7 @@
|
||||
Summary: Apache HTTP Server
|
||||
Name: httpd
|
||||
Version: 2.0.54
|
||||
Release: 14
|
||||
Release: 15
|
||||
URL: http://httpd.apache.org/
|
||||
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
|
||||
Source1: index.html
|
||||
@ -75,6 +75,7 @@ Patch89: httpd-2.0.49-headerssl.patch
|
||||
Patch90: httpd-2.0.49-workerstack.patch
|
||||
Patch91: httpd-2.0.46-testhook.patch
|
||||
Patch92: httpd-2.0.46-dumpcerts.patch
|
||||
Patch93: httpd-2.0.54-selinux.patch
|
||||
# Security fixes
|
||||
Patch110: httpd-2.0.52-CAN-2005-1268.patch
|
||||
Patch111: httpd-2.0.52-CAN-2005-2088.patch
|
||||
@ -85,7 +86,7 @@ Group: System Environment/Daemons
|
||||
BuildRoot: %{_tmppath}/%{name}-root
|
||||
BuildRequires: db4-devel, expat-devel, findutils, perl, pkgconfig, xmlto >= 0.0.11
|
||||
BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0,
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: zlib-devel, libselinux-devel
|
||||
Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find
|
||||
Obsoletes: httpd-suexec
|
||||
Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv
|
||||
@ -192,6 +193,7 @@ Security (TLS) protocols.
|
||||
%patch90 -p1 -b .workerstack
|
||||
%patch91 -p1 -b .testhook
|
||||
%patch92 -p1 -b .dumpcerts
|
||||
%patch93 -p1 -b .selinux
|
||||
|
||||
%patch41 -p1 -b .sslreneg
|
||||
|
||||
@ -565,6 +567,11 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_libdir}/httpd/build/libtool
|
||||
|
||||
%changelog
|
||||
* Thu Nov 3 2005 Joe Orton <jorton@redhat.com> 2.0.54-15
|
||||
- log notice giving SELinux context at startup if enabled
|
||||
- drop SSLv2 and restrict default cipher suite in default
|
||||
SSL configuration
|
||||
|
||||
* Thu Oct 20 2005 Joe Orton <jorton@redhat.com> 2.0.54-14
|
||||
- mod_ssl: add security fix for SSLVerifyClient (CVE-2005-2700)
|
||||
- add security fix for byterange filter DoS (CVE-2005-2728)
|
||||
|
19
ssl.conf
19
ssl.conf
@ -99,16 +99,21 @@ LogLevel warn
|
||||
# Enable/Disable SSL for this virtual host.
|
||||
SSLEngine on
|
||||
|
||||
# SSL Protocol support:
|
||||
# List the enable protocol levels with which clients will be able to
|
||||
# connect. Disable SSLv2 access by default:
|
||||
SSLProtocol all -SSLv2
|
||||
|
||||
# SSL Cipher Suite:
|
||||
# List the ciphers that the client is permitted to negotiate.
|
||||
# See the mod_ssl documentation for a complete list.
|
||||
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
|
||||
# List the ciphers that the client is permitted to negotiate.
|
||||
# See the mod_ssl documentation for a complete list.
|
||||
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
|
||||
|
||||
# Server Certificate:
|
||||
# Point SSLCertificateFile at a PEM encoded certificate. If
|
||||
# the certificate is encrypted, then you will be prompted for a
|
||||
# pass phrase. Note that a kill -HUP will prompt again. A new
|
||||
# certificate can be generated using the genkey(1) command.
|
||||
# Point SSLCertificateFile at a PEM encoded certificate. If
|
||||
# the certificate is encrypted, then you will be prompted for a
|
||||
# pass phrase. Note that a kill -HUP will prompt again. A new
|
||||
# certificate can be generated using the genkey(1) command.
|
||||
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
|
||||
|
||||
# Server Private Key:
|
||||
|
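Review bot: The new `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW` still leaves LOW-strength ciphers negotiable, since `+LOW` only moves them to the end of the preference list rather than removing them, so the "restrict" in the commit message covers export and SSLv2 suites only. If LOW is meant to be excluded the line should read `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM`; otherwise a comment stating that LOW remains accepted for compatibility would save the next reader the same question. The new protocol comment has a typo and should read `# List the enabled protocol levels with which clients will be able to`. The certificate and cipher comment lines that appear twice look identical here, so those changes are presumably whitespace-only.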