[01/18] apache_support: Convert to markdown

Message ID 20200825083743.6508-2-richard_c_haines@btinternet.com (mailing list archive)
State Accepted
Series SELinux Notebook: Convert batch 1 to markdown

Commit Message

Richard Haines Aug. 25, 2020, 8:37 a.m. UTC
Add a TOC to aid navigation and convert to markdown.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/apache_support.md | 79 ++++++++++++++++++-------------------------
 1 file changed, 33 insertions(+), 46 deletions(-)

Patch

diff --git a/src/apache_support.md b/src/apache_support.md
index 8e8df1c..5c012cf 100644
--- a/src/apache_support.md
+++ b/src/apache_support.md
@@ -1,5 +1,8 @@ 
 # Apache SELinux Support
 
+- [*mod_selinux* Overview](#mod_selinux-overview)
+- [Bounds Overview](#bounds-overview)
+
 Apache web servers are supported by SELinux using the Apache policy
 modules from the Reference Policy (*httpd* modules), however there is no
 specific Apache object manger. There is though an SELinux-aware shared
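Review bot: The unchanged intro directly under the new TOC still reads "no specific Apache object manger"; since this conversion touches the top of the file, correct it to "object manager" here or in a follow-up. The two TOC links depend on the renderer turning `## *mod_selinux* Overview` into `#mod_selinux-overview` (emphasis markers dropped, underscore kept), so check both links in the rendered output.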
@@ -25,31 +28,20 @@  configuration details is available from:
 
 The objective of these Apache add-on services is to achieve a fully
 SELinux-aware web stack (although not there yet). For example, currently
-the LAPP<a href="#fnap1" class="footnote-ref" id="fnaph1"><strong><sup>1</sup></strong></a>
-(Linux, Apache, PostgreSQL, PHP / Perl / Python) stack has the following support:
-
-<table>
-<tbody>
-<tr>
-<td>L</td>
-<td>Linux has SELinux support.</td>
-</tr>
-<tr>
-<td>A</td>
-<td>Apache has partial SELinux support using the 'Apache SELinux Plus' module.</td>
-</tr>
-<tr>
-<td>P</td>
-<td>PostgreSQL has SELinux support using the PostgreSQL <em>sepgsql</em> extension .</td>
-</tr>
-<tr>
-<td>P</td>
-<td>PHP / Perl / Python are not currently SELinux-aware, however PHP and Python do have support for libselinux functions in packages: PHP - with the <em>php-pecl-selinux</em> package, Python - with the <em>libselinux-python</em> package.</td>
-</tr>
-</tbody>
-</table>
-
-The [A secure web application platform powered by SELinux](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf)
+the LAPP[^fn_as_1] (Linux, Apache, PostgreSQL, PHP / Perl / Python)
+stack has the following support:
+
+**L** - Linux has SELinux support.
+
+**A** - Apache has partial SELinux support using the 'Apache SELinux Plus' module.
+
+**P** - PostgreSQL has SELinux support using the PostgreSQL *sepgsql* extension.
+
+**P** - PHP / Perl / Python are not currently SELinux-aware, however PHP
+and Python do have support for libselinux functions in packages: PHP - with
+the *php-pecl-selinux* package, Python - with the *libselinux-python* package.
+
+The "[A secure web application platform powered by SELinux](http://sepgsql.googlecode.com/files/LCA20090120-lapp-selinux.pdf)"
 document gives a good overview of the LAPP architecture.
 
 ## *mod_selinux* Overview
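Review bot: The link in the added line starting `The "[A secure web application platform powered by SELinux](` is carried over as a plain-http `sepgsql.googlecode.com` URL; confirm it still resolves and point it at a current copy if it does not. The four **L** / **A** / **P** / **P** entries are now separate paragraphs; a bullet list (`- **L** - ...`) would keep them grouped the way the old table did.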
@@ -59,22 +51,20 @@  What the *mod_selinux* module achieves is to allow a web application
 context based on policy rather than that of the web server process
 itself, for example:
 
-1.  A user sends an HTTP request to Apache that requires the services of
-    a web application (Apache may or may not apply HTTP authentication).
-2.  Apache receives the request and launches the web application
-    instance to perform the task:
--   Without *mod_selinux* enabled the web applications security context
-    is identical to the Apache web server process, it is therefore not
-    possible to restrict it privileges.
-
--   With *mod_selinux* enabled, the web application is launched with
-    the security context defined in the *mod_selinux.conf* file
-    (*selinuxDomainVal &lt;security_context&gt;* entry). It is also
-    possible to restrict its privileges as described in the
-    [Bounds Overview](#bounds-overview) section.
-
-3.  The web application exits, handing control back to the web server
-    that replies with the HTTP response.
+1. A user sends an HTTP request to Apache that requires the services of
+   a web application (Apache may or may not apply HTTP authentication).
+2. Apache receives the request and launches the web application
+   instance to perform the task:
+   - Without *mod_selinux* enabled the web applications security context
+     is identical to the Apache web server process, it is therefore not
+     possible to restrict it privileges.
+   - With *mod_selinux* enabled, the web application is launched with
+     the security context defined in the *mod_selinux.conf* file
+     (*selinuxDomainVal \<security_context\>* entry). It is also
+     possible to restrict its privileges as described in the
+     [Bounds Overview](#bounds-overview) section.
+3. The web application exits, handing control back to the web server
+   that replies with the HTTP response.
 
 ## Bounds Overview
 
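Review bot: The re-indented first sub-bullet under step 2 carries two grammar slips over from the old text on its added lines: "the web applications security context" should be "the web application's security context", and "restrict it privileges" should be "restrict its privileges". These lines are being rewritten anyway, so fix them in this patch. Also check that `*selinuxDomainVal \<security_context\>*` renders with literal angle brackets inside the emphasis.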
@@ -120,11 +110,8 @@  operation will be denied and an *SELINUX_ERR* entry will be added to
 the audit log stating *op=security_compute_av reason=bounds* with
 the context strings and the denied class and permissions.
 
-<section class="footnotes">
-<ol>
-<li id="fnap1"><p>This is similar to the LAMP (Linux, Apache, MySQL, PHP/Perl/Python) stack, however MySQL is not SELinux-aware.<a href="#fnaph1" class="footnote-back">↩</a></p></li>
-</ol>
-</section>
+[^fn_as_1]: This is similar to the LAMP (Linux, Apache, MySQL, PHP/Perl/Python)
+stack, however MySQL is not SELinux-aware.
 
 <!-- %CUTHERE% -->
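Review bot: The continuation line of the new footnote definition ("stack, however MySQL is not SELinux-aware.") starts at column 0; indent it by four spaces so that renderers which do not accept lazy continuation still treat it as part of `[^fn_as_1]`. Footnotes of this form are an extension rather than core Markdown, so the commit message should name the renderer this conversion targets.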