- log notice giving SELinux context at startup if enabled

- drop SSLv2 and restrict default cipher suite in default SSL configuration
This commit is contained in:
jorton 2005-11-03 16:27:11 +00:00
parent 2a6347c8db
commit 9d36ace72f
3 changed files with 73 additions and 9 deletions


@ -0,0 +1,52 @@
If SElinux is enabled, log the context on startup.
--- httpd-2.0.54/server/core.c.selinux
+++ httpd-2.0.54/server/core.c
@@ -50,6 +50,8 @@
#include "mod_proxy.h"
#include "ap_listen.h"
+#include <selinux/selinux.h>
+
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
@@ -4337,6 +4339,26 @@
}
#endif
+ {
+ static int already_warned = 0;
+ int is_enabled = is_selinux_enabled() > 0;
+
+ if (is_enabled) {
+ security_context_t con;
+
+ if (getcon(&con) == 0) {
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+
+ already_warned = 1;
+
+ freecon(con);
+ }
+ }
+ }
+
return OK;
}
--- httpd-2.0.54/configure.in.selinux
+++ httpd-2.0.54/configure.in
@@ -294,6 +294,8 @@
timegm \
)
+AC_SEARCH_LIBS(is_selinux_enabled, selinux)
+
dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff,
[AC_TRY_COMPILE([#include <sys/types.h>
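Review bot: In the core.c hunk of the added patch, `already_warned` is assigned after the log call but never read, so it cannot suppress the notice on a later pass through this block; either make it the guard, `if (is_enabled && !already_warned) {`, or drop the static. The `getcon()` failure branch is silent, so a denied or failed context lookup leaves nothing in the error log; an `else` branch logging at `APLOG_WARNING` via the same `ap_log_error` call would make that visible. The `#include <selinux/selinux.h>` line and the configure.in `AC_SEARCH_LIBS` check are unconditional, so the patched tree no longer builds where libselinux headers are absent; the spec's new libselinux-devel BuildRequires covers the distro build, but nothing guards the include itself. The function containing this block begins before the hunk.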


@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.0.54
Release: 14
Release: 15
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@ -75,6 +75,7 @@ Patch89: httpd-2.0.49-headerssl.patch
Patch90: httpd-2.0.49-workerstack.patch
Patch91: httpd-2.0.46-testhook.patch
Patch92: httpd-2.0.46-dumpcerts.patch
Patch93: httpd-2.0.54-selinux.patch
# Security fixes
Patch110: httpd-2.0.52-CAN-2005-1268.patch
Patch111: httpd-2.0.52-CAN-2005-2088.patch
@ -85,7 +86,7 @@ Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-root
BuildRequires: db4-devel, expat-devel, findutils, perl, pkgconfig, xmlto >= 0.0.11
BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0,
BuildRequires: zlib-devel
BuildRequires: zlib-devel, libselinux-devel
Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find
Obsoletes: httpd-suexec
Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv
@ -192,6 +193,7 @@ Security (TLS) protocols.
%patch90 -p1 -b .workerstack
%patch91 -p1 -b .testhook
%patch92 -p1 -b .dumpcerts
%patch93 -p1 -b .selinux
%patch41 -p1 -b .sslreneg
@ -565,6 +567,11 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/httpd/build/libtool
%changelog
* Thu Nov 3 2005 Joe Orton <jorton@redhat.com> 2.0.54-15
- log notice giving SELinux context at startup if enabled
- drop SSLv2 and restrict default cipher suite in default
SSL configuration
* Thu Oct 20 2005 Joe Orton <jorton@redhat.com> 2.0.54-14
- mod_ssl: add security fix for SSLVerifyClient (CVE-2005-2700)
- add security fix for byterange filter DoS (CVE-2005-2728)


@ -99,16 +99,21 @@ LogLevel warn
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
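Review bot: The new `SSLCipherSuite` string still carries `+LOW`, and `!EXPORT` removes only the export-grade group, so low-strength 56-bit ciphers stay negotiable; in OpenSSL cipher-list syntax `+` only moves matching ciphers to the end of the preference list, whereas `!` deletes them outright. If "restrict default cipher suite" is meant to stop weak negotiation, `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM` does that while keeping the rest of the list unchanged. A wording point in the new comment above `SSLProtocol`: "List the enable protocol levels" reads better as "List the enabled protocol levels".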