From 9d36ace72fac74fe4ec03cfa1de3f9a0078406a5 Mon Sep 17 00:00:00 2001
From: jorton
Date: Nov 03 2005 16:27:11 +0000
Subject: - log notice giving SELinux context at startup if enabled - drop SSLv2 and restrict default cipher suite in default SSL configuration
---
diff --git a/httpd-2.0.54-selinux.patch b/httpd-2.0.54-selinux.patch
new file mode 100644
index 0000000..f864c3a
--- /dev/null
+++ b/httpd-2.0.54-selinux.patch
@@ -0,0 +1,52 @@
+
+If SElinux is enabled, log the context on startup.
+
+--- httpd-2.0.54/server/core.c.selinux
++++ httpd-2.0.54/server/core.c
+@@ -50,6 +50,8 @@
+ #include "mod_proxy.h"
+ #include "ap_listen.h"
+
++#include
++
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+ #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+@@ -4337,6 +4339,26 @@
+ }
+ #endif
+
++ {
++ static int already_warned = 0;
++ int is_enabled = is_selinux_enabled() > 0;
++
++ if (is_enabled) {
++ security_context_t con;
++
++ if (getcon(&con) == 0) {
++
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "SELinux policy enabled; "
++ "httpd running as context %s", con);
++
++ already_warned = 1;
++
++ freecon(con);
++ }
++ }
++ }
++
+ return OK;
+ }
+
+--- httpd-2.0.54/configure.in.selinux
++++ httpd-2.0.54/configure.in
+@@ -294,6 +294,8 @@
+ timegm \
+ )
+
++AC_SEARCH_LIBS(is_selinux_enabled, selinux)
++
+ dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
+ AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff,
+ [AC_TRY_COMPILE([#include
diff --git a/httpd.spec b/httpd.spec
index f2868be..fd83389 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,7 +7,7 @@ Summary: Apache HTTP Server
 Name: httpd
 Version: 2.0.54
-Release: 14
+Release: 15
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
 Source1: index.html
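Review bot: `already_warned` in the core.c hunk is assigned but never read, so it has no effect; if the intent is to emit the notice only once should this hook run more than once, test it before logging, `if (is_enabled && !already_warned) {`, otherwise drop the variable. The `getcon()` failure path is silent, which is acceptable for a notice, but a debug-level log there would make a missing or unexpected context diagnosable. The header name on the new `#include` line is stripped in this rendering so it cannot be checked, and the configure.in change uses `AC_SEARCH_LIBS` without defining a `HAVE_` guard, so core.c calls `is_selinux_enabled()`/`getcon()` unconditionally and a build without libselinux fails at build time rather than compiling the block out — consistent with the new hard BuildRequires, but worth stating in the patch header. The enclosing function (which ends at `return OK;`) starts outside the hunk.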
@@ -75,6 +75,7 @@ Patch89: httpd-2.0.49-headerssl.patch
 Patch90: httpd-2.0.49-workerstack.patch
 Patch91: httpd-2.0.46-testhook.patch
 Patch92: httpd-2.0.46-dumpcerts.patch
+Patch93: httpd-2.0.54-selinux.patch
 # Security fixes
 Patch110: httpd-2.0.52-CAN-2005-1268.patch
 Patch111: httpd-2.0.52-CAN-2005-2088.patch
@@ -85,7 +86,7 @@ Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-root
 BuildRequires: db4-devel, expat-devel, findutils, perl, pkgconfig, xmlto >= 0.0.11
 BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0,
-BuildRequires: zlib-devel
+BuildRequires: zlib-devel, libselinux-devel
 Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find
 Obsoletes: httpd-suexec
 Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv
@@ -192,6 +193,7 @@ Security (TLS) protocols.
 %patch90 -p1 -b .workerstack
 %patch91 -p1 -b .testhook
 %patch92 -p1 -b .dumpcerts
+%patch93 -p1 -b .selinux
 %patch41 -p1 -b .sslreneg
@@ -565,6 +567,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/httpd/build/libtool
 %changelog
+* Thu Nov 3 2005 Joe Orton 2.0.54-15
+- log notice giving SELinux context at startup if enabled
+- drop SSLv2 and restrict default cipher suite in default
+ SSL configuration
+
 * Thu Oct 20 2005 Joe Orton 2.0.54-14
 - mod_ssl: add security fix for SSLVerifyClient (CVE-2005-2700)
 - add security fix for byterange filter DoS (CVE-2005-2728)
diff --git a/ssl.conf b/ssl.conf
index f489c66..738ae3b 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -99,16 +99,21 @@ LogLevel warn
 # Enable/Disable SSL for this virtual host.
 SSLEngine on
+# SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect. Disable SSLv2 access by default:
+SSLProtocol all -SSLv2
+
 # SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 # Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate. If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A new
-# certificate can be generated using the genkey(1) command.
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A new
+# certificate can be generated using the genkey(1) command.
 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 # Server Private Key:
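Review bot: The new `SSLCipherSuite` line still ends with `+LOW`, so low-strength ciphers remain negotiable even though SSLv2 and export suites are now excluded; if the goal stated in the changelog is to restrict the default suite, dropping that term, `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM`, would match it more closely. The `RC4+RSA` term placed before `+HIGH` may be there for client interoperability; a short comment saying so would stop a later maintainer from removing it or misreading the preference order. The added comment reads "List the enable protocol levels" and should read "List the enabled protocol levels". The `SSLProtocol all -SSLv2` line itself is the right default and should stay.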