Tag Archives: apache

SELinux && Ganglia / Multicast && Apache && RRDs

SELinuxWhile setting up test server with Ganglia triad (gmetad, gmond, gweb over Apache) I had only 2 SELinux alerts to solve. First one regarding to denial of /var/lib/ganglia/rrd access by httpd process (while accessing ganglia-web interface):

In order to resolve that I just added SELinux contexts to rrdtool binary and /var/lib/ganglia/rrds dir:

The last SELinux alert was regarding to Apache trying to access port 8652 by socket connection (on ganglia-web I saw error like “fsockopen 8652 access denied”):

So I had to create local policy for this particular occasion as there is no ganglia modules for SELinux (maybe I should create one…?). Firstly let’s check that there’s no even one module:

So let’s create this policy:

After this everything should work like a charm. To confirm that We have this new policy working:

Apache SSL cipher / protocol hardening

While preparing to the RHCE exam I rechecked my standard SSL configurations and came to conclusion, that I should probably update my SSLCipherSuite value. I also updated SSLProtocol and switched SSLHonorCipherOrder in the way that the server’s preference of SSLCipherSuite is used instead of the browser’s:

As You can see I also disabled SSLv3 in the SSLProtocol. Why? Because even IE8 on Windows XP uses TLSv1 :) You could also enter +TLSv1.1 or even +TLSv1.2 when using appropriate version of OpenSSL.

Read more at http://httpd.apache.org/docs/trunk/mod/mod_ssl.html

After applying changes make sure that new config will pass SSL tests https://www.ssllabs.com/ssltest/index.html