One of Apache's strengths is that it can differentiate sites based on the name used to connect to the server, rather than just the IP address, port, and URL. This is called virtual host support and is a very popular approach to multitenant website and web application hosting.
For instance, a web server running on a single IP address can still host the sites of multiple customers, say www.companyX.com and www.companyY.com. With mod_selinux, we can change the context (the security clearance) of the web server request handlers based on the associated virtual host.

The following approach distinguishes virtual host confinement through mod_selinux:
1. Decide on the contexts for the individual tenants. In the previous chapter, we used s0:c100 for company X and s0:c101 for company Y.
2. In each virtual host, set the right clearance. For instance, for company X set the clearance as follows:
<VirtualHost *:443> ServerName www.companyX.com selinuxDomainVal...
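The isolation only holds if every tenant's virtual host actually carries its own selinuxDomainVal directive and no two tenants share an MCS category, which is easy to get wrong once there are more than a handful of vhosts. The following script is an added example, not code from the book or from mod_selinux: it reads an httpd configuration, extracts the ServerName and selinuxDomainVal of each VirtualHost block, and reports vhosts that lack the directive or reuse a category. It assumes the directive syntax shown above (selinuxDomainVal followed by a context or range such as s0:c100) and the usual MCS range notation (c0.c3 for a run, c1,c3 for a set); the sample configuration embedded in it is constructed for the example, with a third tenant deliberately missing the directive.

```python
"""Audit an httpd.conf for per-tenant mod_selinux clearances.

Added example; not part of the book or of mod_selinux. Reports every
VirtualHost that has no selinuxDomainVal directive and every pair of
VirtualHosts whose clearances share an MCS category.
"""
import re

# Constructed sample configuration (not from the page). companyZ is the
# misconfigured tenant: it never sets a clearance of its own.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName www.companyX.com
    selinuxDomainVal s0:c100
</VirtualHost>
<VirtualHost *:443>
    ServerName www.companyY.com
    selinuxDomainVal s0:c101
</VirtualHost>
<VirtualHost *:443>
    ServerName www.companyZ.com
</VirtualHost>
"""

# One match per <VirtualHost ...> ... </VirtualHost> block, body captured.
VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)

# MCS categories: a single category (c100) or a run (c0.c3).
CAT_RE = re.compile(r"\bc(\d+)(?:\.c(\d+))?")


def parse_vhosts(config):
    """Return a list of (server_name, domain_val); domain_val is None if unset."""
    vhosts = []
    for body in VHOST_RE.findall(config):
        name, domain_val = None, None
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            key = parts[0].lower()
            if key == "servername":
                name = parts[1]
            elif key == "selinuxdomainval":
                domain_val = parts[1]
        vhosts.append((name, domain_val))
    return vhosts


def categories(domain_val):
    """Expand the MCS categories named in a clearance, e.g. 's0:c0.c3' -> {0,1,2,3}."""
    cats = set()
    for lo, hi in CAT_RE.findall(domain_val):
        lo = int(lo)
        hi = int(hi) if hi else lo
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def audit(config):
    """Return a list of human-readable problems; an empty list means the tenants are separated."""
    problems = []
    owner = {}  # category number -> first ServerName that claimed it
    for name, domain_val in parse_vhosts(config):
        if domain_val is None:
            # Assumption: without the directive the handler simply inherits the
            # default handler context, so this tenant is not separated at all.
            problems.append(f"{name}: no selinuxDomainVal, handler inherits the default context")
            continue
        cats = categories(domain_val)
        if not cats:
            problems.append(f"{name}: {domain_val} carries no MCS category, tenant is not isolated")
            continue
        for cat in sorted(cats):
            if cat in owner:
                problems.append(f"{name}: category c{cat} already used by {owner[cat]}")
            else:
                owner[cat] = name
    return problems


if __name__ == "__main__":
    for problem in audit(SAMPLE_CONFIG):
        print(problem)
```

Run it against the real configuration (for example by replacing SAMPLE_CONFIG with the contents of httpd.conf and every included vhost file) after each tenant is added; a clean run means every vhost has a clearance and no category is shared, which is the property the per-tenant s0:cNNN scheme relies on.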