Category: LINUX

2006-02-26 11:50:33


My Fedora Core 3 Webserver Setup
1. Download and burn disk one of Fedora Core 3.

2. During the install, select Custom, then Minimal install. In the firewall configuration, check only the services you need. Check "System clock uses UTC".

3. Turn off IPv6 by adding "alias net-pf-10 off" and "alias ipv6 off" to /etc/modprobe.conf (for example with nano /etc/modprobe.conf), then reboot.

4. Set up yum. (See Yum Setup.)

5. Run yum --exclude=php-snmp install "php*" (quote the glob so the shell does not expand it), then install mysql-server, elinks, lynx, bind*, dovecot, vsftpd, spamassassin, sendmail-cf, perl-Crypt-SSLeay, openssl, openssl-perl, openssl-devel, gcc, gcc-c++.

6. Using lynx, install webmin from and add its port to the firewall.

7. Using lynx, install clamav from

8. Turn off these services: cups, isdn, netfs, nfslock, portmap, pcmcia, rhnsd (unless you have a Red Hat account), rpc*, and smartd (if running SCSI).

9. Turn on these services: clamd, dovecot, httpd, mysqld, named, and spamassassin.

10. Run a yum update and reboot.

11. Set up mysql and httpd in SELinux. (See httpd/mysql/SELinux Setup.)

12. Set up procmail, spamassassin and clamav. (See Clean Email.)

13. Edit /etc/ssh/sshd_config: uncomment the PermitRootLogin and MaxAuthTries lines and set them to "PermitRootLogin no" and "MaxAuthTries 2".

14. Edit /etc/log.d/conf/logwatch.conf, replacing "root" with a real email address.

15. That's all for now - more to come.
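
The sshd_config edit in step 13 is easy to get wrong by hand, because the FC3 file ships the directives commented out ("#PermitRootLogin yes") and sshd honours only the first active occurrence of a keyword. The helper below is an added example, not part of the original post: it uncomments or replaces whichever form is present (dropping later duplicates), appends the directive if it is absent, and reads back the effective value. It assumes the file has no "Match" blocks, since a directive inside one would be rewritten as well.

```shell
#!/bin/sh
# Added helper (not from the original post): idempotent sshd_config edits.
# Assumes no "Match" blocks in the file.

# sshd_set_option FILE KEY VALUE
sshd_set_option() {
    cfg=$1 key=$2 val=$3
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { done = 0; re = "^[ \t]*#?[ \t]*" key "([ \t]|$)" }
        # First active or commented occurrence becomes the new directive;
        # later duplicates are dropped so sshd cannot pick an older value.
        tolower($0) ~ tolower(re) {
            if (!done) { print key " " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
    # cat-over-file keeps the mode and owner of sshd_config intact.
}

# sshd_get_option FILE KEY: effective value (sshd uses the first match)
sshd_get_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd FILE: the two settings from step 13
harden_sshd() {
    sshd_set_option "$1" PermitRootLogin no
    sshd_set_option "$1" MaxAuthTries 2
}

# Usage on a real box: harden_sshd /etc/ssh/sshd_config && sshd -t
# (sshd -t only checks the config; restart sshd afterwards.)
```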
Yum Setup
Yum can do far more than what I cover here. I may or may not cover the rest later.

Run:

rpm --import /usr/share/rhn/RPM-GPG-KEY-fedora
yum update
httpd/mysql/SELinux Setup
Give Apache permission to user directories if needed. If you are running your site from /var/html, skip to MySQL:
chcon -R -h -t httpd_sys_content_t /home/www/site1
ls -Z /home/www/site1/


It should show something like:
drwxr-xr-x username username user_u:object_r:httpd_sys_content_t

MySQL:
yum install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy/domains/program/


Edit or replace your mysqld.te file with the one below. It adds the "# connect to mysql" section, which lets httpd_t search the socket directory, write to the socket file and connect to mysqld_t over the unix socket. Also make sure you run "make load" from the /etc/selinux/targeted/src/policy directory.

#DESC Mysqld - Database server
#
# Author: Russell Coker
# X-Debian-Packages: mysql-server
#

#################################
#
# Rules for the mysqld_t domain.
#
# mysqld_exec_t is the type of the mysqld executable.
#
daemon_domain(mysqld)

type mysqld_port_t, port_type;
allow mysqld_t mysqld_port_t:tcp_socket name_bind;

allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;

etcdir_domain(mysqld)
typealias mysqld_etc_t alias etc_mysqld_t;
type mysqld_db_t, file_type, sysadmfile;

log_domain(mysqld)

# for temporary tables
tmp_domain(mysqld)

allow mysqld_t usr_t:file { getattr read };

allow mysqld_t self:fifo_file { read write };
allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
allow initrc_t mysqld_t:unix_stream_socket { connectto };
allow initrc_t mysqld_var_run_t:sock_file write;

allow initrc_t mysqld_log_t:file { write append setattr ioctl };

allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
allow mysqld_t self:process getsched;

allow mysqld_t proc_t:file { getattr read };


# connect to mysql
ifdef(`mysqld.te', `
allow httpd_t mysqld_var_run_t:dir { search };
allow httpd_t mysqld_var_run_t:sock_file { write };
can_unix_connect(httpd_t, mysqld_t)
')

# Allow access to the mysqld databases
create_dir_file(mysqld_t, mysqld_db_t)
allow mysqld_t var_lib_t:dir { getattr search };

can_network(mysqld_t)
can_ypbind(mysqld_t)

# read config files
r_dir_file(initrc_t, mysqld_etc_t)
allow mysqld_t { etc_t etc_runtime_t }:{ file lnk_file } { read getattr };

allow mysqld_t etc_t:dir search;

allow mysqld_t sysctl_kernel_t:dir search;
allow mysqld_t sysctl_kernel_t:file read;

can_unix_connect(sysadm_t, mysqld_t)

# for /root/.my.cnf - should not be needed
allow mysqld_t sysadm_home_dir_t:dir search;
allow mysqld_t sysadm_home_t:file { read getattr };

ifdef(`logrotate.te', `
r_dir_file(logrotate_t, mysqld_etc_t)
allow logrotate_t mysqld_db_t:dir search;
allow logrotate_t mysqld_var_run_t:dir search;
allow logrotate_t mysqld_var_run_t:sock_file write;
can_unix_connect(logrotate_t, mysqld_t)
')

ifdef(`user_db_connect', `
allow userdomain mysqld_var_run_t:dir search;
allow userdomain mysqld_var_run_t:sock_file write;
')

ifdef(`daemontools.te', `
domain_auto_trans( svc_run_t, mysqld_exec_t, mysqld_t)
allow svc_start_t mysqld_t:process signal;
svc_ipc_domain(mysqld_t)
')dnl end ifdef daemontools

ifdef(`distro_redhat', `
allow initrc_t mysqld_db_t:dir create_dir_perms;

# because Fedora has the sock_file in the database directory
file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
')


Then do:
cp mysqld.te /etc/selinux/targeted/src/policy
cd /etc/selinux/targeted/src/policy
make load
rpm -q -l mysql-server | /sbin/restorecon -R -f -
/sbin/service mysqld restart


_________________________________________
This FC3 fix was pieced together with info from:

Clean Email
1. Get clamassassin from

2. tar -xvzf it and go into the directory.

3. "./configure --enable-clamdscan --enable-subject-rewrite=[VIRUS]"

4. "make install"

5. In webmin >> spamassassin >> Miscellaneous Options, set "Can SpamAssassin do DNS lookups?" to yes.

6. Set up procmail. (After looking at this I wondered how out of date it is. Does procmail still drop the "F" from "From:"? It works, but I will look into it.)

#MAILDIR=$HOME/mail
#DEFAULT=$HOME/mail/Inbox
#LOGFILE=$HOME/mail/proc.log
# SpamAssassin sample procmailrc
#
# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn't bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
#
# The lock file ensures that only 1 spamassassin invocation happens
# at 1 time, to keep the load down.
#
:0fw: spamassassin.lock
* < 256000
| spamassassin

:0fw
| /usr/local/bin/clamassassin

:0:
* ^X-Virus-Status: Yes
$HOME/mail/SPAM

# Mails with a score of 8 or higher are almost certainly spam.
# Let's put these spams where they belong.
# I LOVE THIS RULE!
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*
/dev/null

:0:
* ^X-Spam-Level: \*\*\*\*
$HOME/mail/SPAM

# Work around procmail bug: any output on stderr will cause the "F" in "From"
# to be dropped. This will re-add it.
:0
* ^^rom[ ]
{
LOG="*** Dropped F off From_ header! Fixing up. "

:0 fhw
| sed -e '1s/^/F/'
}
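
The recipe above is easy to misread in two places: procmail tests the conditions against the header block only, and the eight-star rule has to come before the four-star one, because "^X-Spam-Level: \*\*\*\*" also matches an eight-star header. The script below is an added example, not part of the original post: it emulates the delivery decisions of that procmailrc on a message file whose headers have already been stamped by spamassassin and clamassassin, plus the size gate and the dropped-"F" repair.

```shell
#!/bin/sh
# Added emulation (not from the original post) of the procmailrc's delivery
# decisions. Input: a plain message file, headers stamped upstream.

# headers FILE: the header block only (everything before the first blank line)
headers() { awk 'NF == 0 { exit } { print }' "$1"; }

# sa_would_run FILE: the "* < 256000" condition that gates the spamassassin pipe
sa_would_run() { [ "$(wc -c < "$1")" -lt 256000 ]; }

# route_mail FILE: print the mailbox procmail would deliver to
route_mail() {
    h=$(headers "$1")
    if printf '%s\n' "$h" | grep -q '^X-Virus-Status: Yes'; then
        echo '$HOME/mail/SPAM'          # clamassassin flagged a virus
    elif printf '%s\n' "$h" | grep -q '^X-Spam-Level: \*\*\*\*\*\*\*\*'; then
        echo /dev/null                  # score >= 8: discarded
    elif printf '%s\n' "$h" | grep -q '^X-Spam-Level: \*\*\*\*'; then
        echo '$HOME/mail/SPAM'          # score 4..7: spam folder
    else
        echo DEFAULT                    # falls through to $DEFAULT
    fi
}

# fix_from_line FILE: the "^^rom[ ]" workaround, re-adding the dropped "F"
fix_from_line() { awk 'NR == 1 && /^rom / { $0 = "F" $0 } { print }' "$1"; }
```

A header-looking line in the body (a quoted spam report, say) never triggers a rule, which is why headers() stops at the first blank line.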