The mod_selinux Apache module has access to more information than just the username (in the case of authenticated users). It can also read environment variables (which are set in the Apache web configuration through SetEnvIf directives), allowing a very flexible approach to SELinux context handling within the application.
In this recipe, we will use this to change the context of request handlers based on the remote IP address of the client.
Alongside web users, we can also use source address information to decide on the context. This is done by completing the following steps:
First, we define the TARGETDOMAIN environment variable based on the remote IP address in the web server configuration (httpd.conf):

    # ^ and $ anchor both ends, so only addresses in 10.0.x.x / 10.1.x.x match
    SetEnvIf Remote_Addr "^10\.0\.[0-9]+\.[0-9]+$" TARGETDOMAIN=user_webapp_t:s0
    SetEnvIf Remote_Addr "^10\.1\.[0-9]+\.[0-9]+$" TARGETDOMAIN=anon_webapp_t:s0
    # Fallback when neither rule above has set TARGETDOMAIN
    SetEnvIf TARGETDOMAIN ^$ TARGETDOMAIN=*:s0
Then, in the same web server configuration...
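The following Python model of the three SetEnvIf rules from the first step is an added example, not code from the original text or from mod_selinux. It checks which TARGETDOMAIN a client address ends up with, comparing address patterns anchored only at the end with `$` against patterns anchored at both ends; the function names and sample addresses are assumptions made for the illustration.

```python
import re

# The recipe's rules modelled as (attribute, regex, variable, value).
# END_ONLY anchors each address pattern with "$" alone; ANCHORED adds "^".
END_ONLY = [
    ("Remote_Addr", r"10\.0\.[0-9]+\.[0-9]+$", "TARGETDOMAIN", "user_webapp_t:s0"),
    ("Remote_Addr", r"10\.1\.[0-9]+\.[0-9]+$", "TARGETDOMAIN", "anon_webapp_t:s0"),
    ("TARGETDOMAIN", r"^$", "TARGETDOMAIN", "*:s0"),
]
ANCHORED = [(a, p if p.startswith("^") else "^" + p, v, val)
            for a, p, v, val in END_ONLY]


def target_domain(remote_addr, rules):
    """Apply the rules in order, as SetEnvIf does, and return TARGETDOMAIN."""
    env = {"Remote_Addr": remote_addr}
    for attribute, pattern, var, value in rules:
        # An unset attribute is matched as the empty string, which is
        # what lets "^$" act as the fallback rule.
        if re.search(pattern, env.get(attribute, "")):
            env[var] = value
    return env["TARGETDOMAIN"]


# Constructed sample addresses, not taken from the page.
SAMPLES = ["10.0.4.7", "10.1.9.20", "192.0.2.15", "110.0.4.7", "210.1.9.20"]


def compare(samples=SAMPLES):
    """Return (address, end-only result, anchored result) for each sample."""
    return [(ip, target_domain(ip, END_ONLY), target_domain(ip, ANCHORED))
            for ip in samples]


if __name__ == "__main__":
    for ip, loose, strict in compare():
        flag = "" if loose == strict else "  <-- differs"
        print(f"{ip:12} end-only={loose:18} anchored={strict:18}{flag}")
```

Addresses whose two results differ are ones that a pattern without the leading `^` would place in a domain meant for a different network.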