Monday, September 30, 2019

Crime and Order Maintenance in Celtic and Roman Britain

Marc McFadden, HU0022914, Diploma in Criminal Psychology

"The punishment of present day offenders has elements of the Celtic and Roman approaches."

When we look at how law and punishment are upheld in Britain today, we can go back thousands of years into our history and find similarities with Celtic and Roman times.

In Celtic society there were different levels of kinship within the community, the lowest being a person who had infringed the law. Infractions would result in fines. As there were no prisons or police force during this time, the responsibility to punish an offender rested with the kin and extended family. If the offender was of modest status, a guarantor would be put in place to ensure the fine was paid; this corresponds to bail in today's punishment system. If the offender was unable to pay the fine, the guarantor was entitled to seize property from the offender. Someone of lower class who could neither obtain a guarantor nor pay the fine would suffer a loss of civil rights, of the right to practise a profession, or possibly exclusion from religious rites. In modern society a prison sentence removes these same rights. The threat of isolation and loss of status was an important tool in keeping people within the law.

Points of comparison:

* Celts were stripped of civil rights and of the right to practise a profession, were unable to leave tribal territory, and lost status within the community. Today we have electronic tagging to keep a person within a confined space, and sometimes people are given a community sentence, which helps them redeem themselves.
* People in Roman times were tried before a Governor for crimes, much as before a judge today.
* They were given prison sentences to deter them from reoffending by instilling fear in them; this happens today with both fines and jail sentences.
* People were condemned to work in the mines. In modern times this could be seen as a harsher form of community service.
Britain was invaded by Rome in AD 43, and on gaining control and power Rome was initially content to use the Celts' peacekeeping arrangements. The surrounding free states and the British countryside kept their own laws, provided they did not conflict with the laws of Rome. Julius Agricola became Governor, and chief justice for both civil and criminal matters. He gained the advantage over the Britons by using terror to stop crime. He travelled the province holding assize courts as well as sitting in the capital, hearing both Britons and Roman citizens, the latter able to be tried in Rome should they wish. This is similar to our court system today. The biggest change compared with the Celtic way of punishment is that Roman Britain had capital punishment, which only the Governor could impose, as well as condemnation to the mines. By now there were men serving as police, jailers and executioners. Their methods were viewed as brutal, ranging from flogging, imprisonment and slavery in the mines to death by crucifixion, but they existed for one reason: to instil such fear that people would not offend and, if they did, the repercussions would deter them from doing so a second time. Agricola successfully maintained order for the seven years he held the post. Up until the 3rd century Britain had two different law codes, native and Roman. However, by AD 410 a Germanic invasion of Gaul had weakened the usurper Constantine III's hold on power, and the remaining Roman administrators were expelled from Britain. The Britons seized control of the province and wrote to the Emperor Honorius asking for legal authority for their actions, seeking independence from the Emperor. In conclusion, although there have been many changes to our justice system over time, many of the key elements remain from both Celtic and Roman Britain.

Sunday, September 29, 2019

The Battle of Vicksburg

The object of contention in the Vicksburg campaign was the Mississippi River, which bore the same relation to the seceding Southern States that the Hudson bore to the rebellious Thirteen Colonies in the Revolutionary War; it divided them into two parts (Ballard(1) 3-5). If the Union forces could get control of this river they would split the Confederacy in two, and stop the passage of supplies and men to the Confederate armies in the east from Arkansas, Louisiana, and Texas (Ballard(1) 72). This was a purely military consideration, but there was also a political and commercial consideration. The Mississippi was the great highway of trade between the Northwestern States and the outside world; so long as any part of it was controlled by Confederate batteries the highway was closed (Ballard(1) 8). The Confederates in the first year of the war controlled the middle portion of the river by the forts at Columbus, New Madrid and Island No. 10, Fort Pillow and Fort Randolph (Ballard(1) 18). Columbus was evacuated a short while after the fall of Forts Henry and Donelson (Ballard(1) 27). General Pope, with the help of Foote's fleet, captured New Madrid and Island No. 10 in April, 1862. The victory at Shiloh (April 6 and 7, 1862) advanced the Union line southward to the Memphis and Charleston Railway; Fort Pillow was abandoned by the Confederates on the 4th of June, and Fort Randolph the next day (Ballard(1) 42-43). At this time the Federals and the Confederates both had fleets on the river. Foote's fleet, now commanded by Commodore Davis, Foote being still disabled by the wound he received at Donelson, pushed on down the river as one Confederate post after another was evacuated or taken. On May 10, 1862, the Confederate flotilla had attacked the Union fleet at Fort Pillow and been defeated (Shea and Winschel 10). On June 7 the Union squadron attacked the Confederate fleet at Memphis, destroying three of its vessels, damaging others, and driving the fleet southward.

The Mayor of Memphis immediately surrendered the town to Davis. The river was now open southward as far as Vicksburg (Shea and Winschel 11-12). On the 25th of April, 1862, Farragut's fleet had arrived at New Orleans and taken possession of that city; in May the fleet moved up the river and took Baton Rouge and Natchez, and, with the assistance of a small detachment of land troops, tried to take Vicksburg, but failed (Shea and Winschel 35-37). The Confederate authorities, now appreciating the importance and the peril of Vicksburg, had it strongly garrisoned and provided with batteries to command the river. By direction of the authorities at Washington, Farragut, with his fleet of ships and gunboats, and General Williams, with a small force of artillery and infantry, made another unsuccessful effort against Vicksburg toward the end of June, 1862 (Ballard(2) 16-17). Vicksburg was now the only point of the river held by the Confederates, but in August General Breckinridge garrisoned Port Hudson, two hundred miles below Vicksburg, and began setting up heavy batteries there to command the river. Thenceforward this point, also, was occupied by the Confederates until after the fall of Vicksburg. The Confederates also regained control of the river as far northward as Helena, Arkansas (Ballard(2) 45-47). Such was the situation along the Mississippi in September, 1862. Halleck, having captured Corinth and dispersed his army, had gone to Washington to assume the office of General-in-Chief, leaving Grant "in command of all troops in the vicinity of Memphis and Corinth and as far back as Columbus, Ky" (Ropes 35). Buell and Bragg were in their race for Kentucky, and Grant's forces had been drawn upon to reinforce Buell's; Grant now had only about 42,000 men. With these he was required by Halleck to guard the railway from Memphis to Decatur, two hundred miles, and keep open communication with Buell.

This constrained him to a passive defensive attitude for the time (Ballard(2) 186-87). The Confederate troops in Mississippi composed two independent commands, each about 16,000 strong: one force under Van Dorn, the other under Sterling Price. On the 2nd of September Price received word from Bragg that Rosecrans, whose "Army of the Mississippi" formed the left of Grant's line, was about to march to Tennessee in order to join Buell. Bragg asked Price to prevent this movement. Accordingly, Price asked Van Dorn to join forces with him to attack Rosecrans. Van Dorn agreed to join him, but replied that he should not be able to assemble his scattered forces before the 12th of the month. Fearing that this would not be early enough to catch Rosecrans, Price moved out without waiting for Van Dorn. On the 14th he occupied Iuka. About the 18th Price and Van Dorn arranged to join their forces at Rienzi for an advance against Corinth (Shea and Hess 303-113). Meantime Grant had been watching the movements of Price and Van Dorn, and had resolved to attack Price at Iuka before he and Van Dorn could unite their forces. To this end he assembled Rosecrans's command and Ord's division at Corinth, and started them toward Iuka. Rosecrans took the roads by way of Rienzi and Jacinto, and was to approach Iuka from the south. Ord marched by way of the railway, and was to attack at the same time from the north and west. The combined attack was to drive Price against the Tennessee River. As usually happens with marches of concentration, this one miscarried. The upshot was that Rosecrans approached by one road only from the south, and attacked the Confederates without Ord. Darkness ended the combat, and during the night Price slipped out by the other road [the Fulton road] to the south (Ballard(1) 75-77). Rosecrans and Ord returned to Corinth. Van Dorn and Price met at Ripley on the 28th of September, and Van Dorn took command of their combined force by virtue of his rank.

Van Dorn marched the united force by way of Pocahontas and Chewalla, and formed line of battle to the northwest of Rosecrans's position, near the intrenchments at Corinth, on the morning of October the 3rd. The Confederates attacked, and by sunset had driven the Federals into the redoubts at the edge of the town. The next morning Van Dorn renewed the assault. The combat was ferocious; but by noon it was over, and the Confederates were retreating from the field. Rosecrans made no pursuit until the next day. Van Dorn made good his retreat to Holly Springs. Rosecrans and Hurlbut pursued to Ripley and were then recalled by Grant to Corinth and Bolivar. General Pemberton was now sent to Mississippi to take command of all the Confederate forces in the State; Rosecrans was called from Grant's army to relieve Buell of the command of the Army of the Ohio. Grant was promised by Halleck a "large body of new levies," and he purposed taking the offensive without delay (Reed 88). Meantime McClernand was in Washington working out a secret scheme with the President and the Secretary of War, by which he was to raise a volunteer army in Indiana, Illinois, and Iowa, and lead it down the Mississippi to capture Vicksburg. No intimation of this project was given to General Grant, but Halleck, of course, was informed of it. The result was that when Grant first wrote to Halleck (October 26) asking leave to move against Vicksburg, he received no reply to his letter. Then followed several contradictory and vague dispatches from Halleck, which kept Grant for some time guessing what he was expected to do. At last, however, it was arranged that Grant should move with the main army from Grand Junction to Holly Springs, and be joined by Sherman with the troops from Memphis, on the Tallahatchie River. A force from Helena was to move across the Mississippi and threaten the Confederate rear at Grenada (Reed 92-95).

At this time Van Dorn commanded the Confederate forces about Holly Springs, some 24,000 men, formed in two divisions under Price and Lovell. Vicksburg was garrisoned by 6,000 Confederates, and Port Hudson by 5,500. Pemberton had his headquarters at Jackson. By the 5th of November Grant had reached Oxford with the main body, and Sherman was at College Hill, a few miles northwest of that place. The force from Helena had carried out its part of the plan and had returned to Helena. Van Dorn had fallen back before Grant's advance to Grenada. Up to this time Grant had advanced with no very definite plan, except to attack the enemy if he overtook him. But Van Dorn, by Pemberton's order, had kept falling back. As Grant's line of communication was now more than 200 miles long, a single-track railway back to Columbus, Kentucky, Grant established a secondary base at Holly Springs. After considerable correspondence with Halleck, and the discussion of several plans with Sherman for the capture of Vicksburg, it was finally arranged, with Halleck's approval, that Sherman should return to Memphis with one division. There he was to pick up all the newly arrived troops, and, with the troops under Steele from Helena, he was to organize an expedition to move by transports, under escort of Porter's fleet of gunboats, to Vicksburg, while Grant marched his army along the left bank of the Yazoo against the same objective. Sherman was back at Memphis by the 12th of December, and set out for Vicksburg on the 20th (Reed 104-106). But events occurred which prevented Grant from carrying out his part of the plan. As a consequence of raids Grant was forced to place his army on short rations, fall back to the Memphis and Charleston Railway, and open communications with Memphis. No supplies were to be had in the country; it had been stripped. Sherman, in the meanwhile, had gone down the Mississippi. He had a force of 32,000 men and sixty guns, which he organized into four divisions.

His division commanders were M. L. Smith, A. J. Smith, G. W. Morgan, and Fred Steele. The expedition reached Milliken's Bend, twenty-five miles above Vicksburg, before daylight on Christmas day (Simon and Grant 98-100). Vicksburg stood 250 feet above the waters of the Mississippi, and from there a line of cliffs, known as Chickasaw Bluffs, ran northward twelve miles to Haynes's Bluff on the Yazoo River. The space between the base of the bluffs and the rivers was a wooded swamp cut up by bayous and creeks (Ropes 71). Pemberton had learned of Sherman's expedition, and had hurried reinforcements to Vicksburg, so that 12,000 Confederates were now intrenched upon the bluffs, awaiting Sherman's attack. This expedition was also to have received the cooperation of an expedition under Banks from New Orleans. Banks, however, got no farther than Baton Rouge. Sherman landed his troops on the 26th of December at Johnson's plantation, and his columns, on the 27th and 28th, meandered across the swamps and bayous toward the foot of the bluffs. Only one of the columns had a bridge train. On the 29th Sherman assaulted the Confederate position, but was unable to carry it. He remained in position two or three days, vainly trying to find some way by which to dislodge the Confederates. On the 2nd of January he reembarked his men, and, without opposition, returned to the mouth of the Yazoo. Here he was met by McClernand, with an order assigning that general to command the expedition. The order was dated about the 17th of December (Ropes 74-76). Thus ended in failure the project of a combined movement against Vicksburg by land and water.

Works Cited

Ballard, Michael B. (1) Vicksburg: The Campaign That Opened the Mississippi. University of North Carolina Press, 2004.
Ballard, Michael B. (2) Civil War Mississippi: A Guide. University Press of Mississippi, 2000.
Shea, William L. and Hess, Earl J. Pea Ridge: Civil War Campaign in the West. University of North Carolina Press, 1992.
Shea, William L. and Winschel, Terrence J. Vicksburg Is the Key: The Struggle for the Mississippi River. University of Nebraska Press, 2003.
Simon, John Y. and Grant, Ulysses S. The Papers of Ulysses S. Grant: April 1 – July 6, 1863, Vol. 8. Southern Illinois University Press, 1979.
Reed, Samuel R. The Vicksburg Campaign, and the Battles about Chattanooga under the Command of General U. S. Grant in 1862-63; a Historical Review. Cincinnati: R. Clarke, 1882.
Ropes, John Codman. The Army in the Civil War. Charles Scribner's Sons, 1881.

Saturday, September 28, 2019

The Importance of Rossi's Work to Understanding the City Essay

The development of a city in relation to these manmade features is what makes up the city's nature and morphology, and from this reference Rossi is able to define urbanism. The city's nature can be examined through its massive structures, engineering works, and structures that are characteristic of their own history. Failure to connect these two reveals the complex reality that has to be addressed for the future of the city. History is very important for the city's development; its favourable character and the good moments of life are essential to city life. The manmade features are works of art, while the city is viewed as a human achievement, and these achievements make the biggest contribution to the overall individuality of the city. Rossi believes that only the historian can give the complete picture of a city, because historians are the only ones wholly concerned with defining the urban manmade features and their gradual development in different eras. History contributes to urban science, which makes it very important. This statement is related to the theory of permanence. The city is a manmade object; we will always feel the past in it, and this gives meaning to the state of being permanent. This permanence can be felt in nature's existence and in the direction in which the city is headed. Rossi defines urban manmade features as the main elements because they have provided for the cultural and morphological evolution of the city. A good example is the amphitheatre at Nîmes, which was converted into a fortress and then became a small functioning town of around two thousand inhabitants; outside the wall, the city grew with the shape of the amphitheatre as its main element. A city is a collection of the memory of those who belong to it, and, as with memory, it has to be associated with places and objects. It is a point where memories are collected.

Locus and citizenry

Friday, September 27, 2019

The Difference between Two Socialist Countries: China and North Korea Essay

This is different from the capitalist system of economy, where goods and services are manufactured to generate and accumulate profit rather than for their value and usage. Both countries advocate that the means of production be owned by the people, either through government agencies or directly. Socialism also holds that income and wealth should be shared equally among the people. A socialist economy provides collective ownership, either through a worker cooperative, through a state-controlled agency, or by the society as a whole; it discourages private ownership. Goods and services are manufactured for their usefulness, with the objective of eliminating the need for a demand-based market in which goods are sold at a profit (Lee, Hy-Sang, et al. pg 77). A significant part of the Chinese economy is still government controlled; however, the number of government programs has been reduced significantly. For example, universal health care is being discontinued. China's foreign policy continues to be pro-socialist, but in essence it has become a free market economy; it is no longer a purely socialist economy. North Korea is the world's most totalitarian state and a prominent socialist economy. Just like Cuba, North Korea has an economy that is almost entirely controlled by the state, and there is no stock exchange either. Around the mid-1970s, North Korea was more productive and better educated than China (going by international trade per capita). However, the country has had the unpleasant misfortune of being the only developed and educated society in the history of man to have faced mass famine, and in peacetime at that. Interestingly, North Korea's problem has not been resolved.
If the tightly controlled socialist economy of the country had been a success, the country would probably not have deteriorated to this level. Mao had declared in October 1949, the People's

Thursday, September 26, 2019

Desktop Computing Assignment Example

It also helps the smooth running of software like 3ds Max and Maya, which are used extensively for animation and modelling. Jean Jones needs to upgrade her OS from Windows XP Service Pack 2 to Windows XP x64. Many might suggest Vista as a good alternative; however, past records show that Vista slows the Max viewport speed by a huge amount. The primary reason is that Windows XP takes less memory to run, whereas Vista takes up a lot more. The second parameter is whether to choose a 32-bit or a 64-bit OS. The 64-bit edition of Windows XP is recommended to Jean Jones because it lets her use more than 4 GB of RAM; a 32-bit edition cannot address more than 4 GB in total, and in practice exposes only around 3 GB of it to applications. The basic components to look for when buying a PC for processing-intensive work are the processor, motherboard, RAM, graphics card and hard disk. For any PC to be fast, it should have a balanced combination of all these components. In an unbalanced combination, where one or more components are slower than the rest, the slower components act as bottlenecks in the system, and the overall processing speed is determined by the slowest component. Hence, when identifying the configuration, it is imperative that all components are matched, high-performance parts. High-performance components are higher priced, and hence they increase the overall cost of the PC. Given that there can be no compromise on performance, a high-end PC can be made relatively inexpensive by cutting down on peripheral costs. For example, by using a low-end case, speakers and data output devices such as a DVD combo drive, the overall price can be kept within a relatively lower budget. A processor is the 'brain' of the PC, and, other components being equal, a PC with a faster processor will perform faster. A quad-core, 64-bit processor, coupled with a suitably fast motherboard and 4 GB of 800 MHz RAM, will have sufficient computing speed to execute the heaviest design applications seamlessly.
(Ciao Shopping Intelligence, 2007A) While quad-core processors give enormous processing speed, they are also highly expensive. Commercially available computers generally tend to have

Wednesday, September 25, 2019

MICRO AND MACRO ECONOMICS Case Study Example

Since this will create a disequilibrium, market forces will push prices downward until the equilibrium price is reached. The equilibrium price is the price at which quantity demanded equals quantity supplied. If the price of baseball bats is below equilibrium, there will be excess demand for baseball bats in the market, and the quantity demanded will be higher than the quantity supplied. This again leads to disequilibrium, and hence market forces will force prices to adjust to reach equilibrium; in this case, prices will increase until the equilibrium price is reached. Changes in the price of a product do not cause a shift in the demand or supply curve; they cause movement along the demand or supply curve (Investopedia). Since the supply curve slopes upwards, an increase in price will increase the supply of BMW cars, whereas a decrease in price will decrease the supply of BMW cars. This is in accordance with the law of supply, which states that as the price of a product increases, the quantity supplied of that product also increases, and vice versa. I am assuming that demand for shoes is relatively elastic, with a price elasticity of demand greater than 1. If price elasticity of demand is greater than 1, a reduction in price may lead to an increase in revenue, and vice versa (other things remaining constant). Andy, on the other hand, assumes that shoes have a low price elasticity of demand, less than 1. If the price elasticity of demand is less than 1, an increase in price results in an increase in revenue, and vice versa (other things remaining constant). Economic growth depends on the amount of capital invested, the labour employed and the productivity of workers (Berkeley). A higher savings rate does have a profound effect on an economy. Savings are needed to provide financing for investment in a

Tuesday, September 24, 2019

Communication Study 4-5 Essay Example

In this case, a researcher might want to get information on a given topic by examining it. At the same time, s/he is undertaking a feasibility test of how a more extensive study should be conducted. Thirdly, the exploratory aspect of research develops methods that are likely to be employed in subsequent studies. Research that aims at such a purpose is referred to as exploratory research. The second purpose of research is description: descriptive research. It involves employing scientific observation in the description of situations and events. Scientific observations are deliberate and careful. Explanation, the third purpose of research, answers the "why" questions. It explains the causes of varied phenomena; the researcher at this point seeks to give accounts of a phenomenon. The chapter elaborates on how a researcher should design a research project. Firstly, s/he should define the purpose: is it explanatory, exploratory or descriptive? Secondly, one should specify what each concept to be studied means, and select a research method. In addition, the researcher should determine the means through which the results will be measured. Still on the design, whom or what to study should be determined. The other aspects of research design include the collection, processing and analysis of data and the reporting of findings. The next chapter delves into the gradual process of research from the idea to the actual study. Before any research study is undertaken, the researcher begins with only an idea. Three stages define the research process: conceptualization, operationalization and measurement. Conceptualization is a mental process whereby concepts (mental notions) become more precise and specific. Concepts are summed up by experiences and observations that are somehow related.
At this stage, the researcher specifies what they mean with

Monday, September 23, 2019

The Importance of Branding in the Constantly Changing Market Essay

The study encompasses the role of branding, a brief overview of the products and services offered by the company, the target audience of the company and the importance of branding for the organization. Branding has played an important role in organizational success for decades. Branding is the process through which an organization differentiates its products and services from those of competitors while shaping customers' perception of the brand. The ability to create awareness of the brand has resulted in significant increases in sales. In earlier years, an organization's offerings to customers were taken merely as products. Through branding, organizations have given their products meaning and a reason for existence. With the passage of time, branding has become more of a promise of quality and reputation. The concept of branding encompasses everything about an organization that helps customers in the market form a positive perception of the company and of the products it offers. In today's constantly changing competitive environment, organizations are at war with one another to attract customers to purchase their products over others. Organizations have acknowledged the importance of branding in promoting recognition of the products and services they offer. If an organization focuses entirely on being a quality provider, this reflects that the organization encourages repeat business. Quite frankly, customers are busy earning their living, and so they tend to stick to brands that are familiar to them. This means that if a customer recognizes and remembers a brand used in earlier days or months, he or she will most likely choose that product or service again.
The most important thing about branding is that it helps an organization stand out from the crowd: branding helps an organization differentiate the products and services it offers. By thinking outside the box, organizations have found significant opportunities to attract customers in the market, while ensuring that customers never forget the products and services, primarily because their desires and needs have been fully met. On the other hand, branding has helped organizations market their businesses more efficiently. Through effective marketing, the opportunity to attract potential customers increases significantly, as they will already know about the brand and the benefits its products and services can offer. This clearly reflects that branding can motivate customers and potential customers to purchase the products and services offered without considering other products and services in the market.

Sunday, September 22, 2019

An Inconvenient Truth Essay Example

The author of the paper notes that the video "An Inconvenient Truth" shows how the world's temperature has skyrocketed in the last decade, with 2005 being the hottest year. The dramatic rise in temperature in several places in the world has caused numerous devastating environmental disasters and catastrophes. Places all over the world have dried up, such as Patagonia and Mt. Kilimanjaro. Storms have become worse and worse. The Arctic's ice and snow have melted significantly, causing a rise in sea level. When the height of the seawater increases, a great number of lives will be affected. States such as Florida and major cities such as Shanghai in China, Kolkata in India and Manhattan in New York will be submerged. The community of scientists has collectively given its judgment on global warming, and it believes that we are the main cause of it. Through his presentation, Al Gore persuades us that if immediate action is taken by citizens globally, we might all still have a chance of saving the Earth from global warming, and of saving ourselves. The trailer of this documentary film definitely concerns me regarding the future of the Earth and the future of its people.

Saturday, September 21, 2019

Restaurant Management Essay Example

Staff development is vital for restaurants to run smoothly. A restaurant is composed of two sectors: the Front of House (FOH) and the Back of House (BOH). The front of the house is what is visible to the customers' eyes; customers cannot see the back of the house. The back of the house is where cooks prepare the food and where the dishwasher is located. Manager Brian Aycock explained that if a manager develops his staff, the restaurant runs smoothly: the store will profit, and the employees and the guests will be satisfied (Aycock). If the staff are not getting along, a lot of tension will grow inside the restaurant and co-workers will not work with one another as a team. In return the customers will not be happy and the profit will not be as desirable. When customers are not happy with their visit to the restaurant, they will spread the word to all their friends. Each staff member of the restaurant should have good, clean hygiene

Friday, September 20, 2019

Ion Drive Propulsion: An Overview

Ion Drive Propulsion: An Overview
TANG, YOUHENG

Ion drive propulsion (IDP), also called the ion engine, is a technology that involves gas ionization and can be used instead of standard chemical propulsion. The gas xenon, which is like neon or helium but heavier, is given an electrical charge (ionized); the ionized gas can then be electrically accelerated to a speed of about 30 km/s by the electric field force. When xenon ions are emitted at such high speed as exhaust from a spaceship, the spacecraft is pushed in the opposite direction. The ion engine was first demonstrated by Ernst Stuhlinger, the German-born NASA scientist. Then at NASA Lewis Research Center (now called Glenn Research Center), from 1957 to the early 1960s, IDP was developed in practical form by Harold R. Kaufman. Moreover, ion drive propulsion was first demonstrated in space in the "Space Electric Rocket Test (SERT)" I and II by NASA Lewis Research Center. SERT-1, the first test, was launched on July 20, 1964, and successfully proved that the technology operated in space as predicted. The second test, SERT-II, launched on February 3, 1970, verified thousands of running hours of operation of two mercury ion drives, though IDP was seldom used before the late 1990s. "Electric propulsion works by using electrical energy to accelerate a propellant to much higher velocities than is possible using chemical reactions. The most common propellant used in ion engines is xenon. Early ion engines used mercury and cesium, but they proved hard to work with. At room temperature, mercury is liquid and cesium is solid; they both must be heated to turn them into gases. Also, as mercury or cesium exhaust cooled, many of their atoms would condense on the exterior of the spacecraft, contaminating solar cells and instruments. Eventually researchers turned to xenon as a cleaner, simpler fuel for ion engines." (De Felice, 1999)

For its operation, IDP uses an electric field to accelerate charged atoms or molecules to a high velocity. Ion thrusters generally use a cathode to generate a stream of electrons, which form an electric circuit with a positively charged ring, the anode. A small magnetic field is used to aid this process (electrons spiral around the magnetic field lines, increasing the chance of electron-atom collisions). The ionized gas drifts towards an extraction grid system and is accelerated out of the thruster, producing thrust. A neutraliser similar to the cathode is used to generate free electrons and balance the overall space charge of the outgoing beam so that the spacecraft does not charge itself up. NASA's Deep Space 1 probe tested a new type of ion thruster. The following description of DS-1's ion thrusters is from the official DS-1 Website: "Its ion propulsion system (IPS) utilizes a hollow cathode to produce electrons, used to ionize xenon. The Xe+ is electrostatically accelerated through a potential of up to 1280 V and emitted from the 30-cm thruster through a molybdenum grid. A separate electron beam is emitted to produce a neutral plasma beam. The power-processing unit (PPU) of the IPS can accept as much as 2.5 kW, corresponding to a peak thruster operating power of 2.3 kW and a thrust of 92 mN. Throttling is achieved by balancing thruster and Xe feed system parameters at lower power levels, and at the lowest thruster power, 500 W, the thrust is 20 mN. The specific impulse decreases from 3100 s at high power to 1900 s at the minimum throttle level." (De Felice, 1999)

Mostly, IDP is used in aerospace applications. Here are a few simple examples. Deep Space 1 is a spacecraft of the NASA New Millennium Program dedicated to testing a payload of advanced, high-risk technologies; it is also the first spacecraft that used ion drive propulsion as its main propulsion. Hayabusa, an unmanned spacecraft developed by the Japan Aerospace Exploration Agency (JAXA) to return a sample of material from the small near-Earth asteroid 25143 Itokawa to Earth for further analysis, used xenon ion engines. Dawn, a space probe launched by NASA on September 27, 2007, to study the two most massive objects of the asteroid belt, the protoplanet Vesta and the dwarf planet Ceres, is the first NASA exploratory mission to use ion propulsion to enter orbits.

There are three advantages of ion drive propulsion which can probably explain why IDP is being used. First, it uses much less propellant than chemical rocketry or, from another perspective, it gets much more mileage out of a given quantity of propellant. Second, it may promise better reliability and simplicity than chemical rocketry. Third, it could use 100% lunar- or asteroid-derived propellant. Under the circumstances for which ion propulsion is appropriate, IDP can push a spacecraft up to about ten times as fast as chemical propulsion. To sum up, the ion propulsion system's efficient use of electrical power and fuel enables modern spacecraft to travel farther, and it is cheaper than any other propulsion technology currently available. Ion drive propulsion is currently used for main propulsion on deep space probes and for station keeping on communication satellites. Ion thrusters expel ions to create thrust and can provide higher spacecraft top speeds than any other rocket currently available. In addition, the top speed of ion drive propulsion is startling. By the principle of relativity, a physical situation can be analyzed from any reference frame as long as it moves with some constant speed relative to a known inertial frame.
As a function of the proper time $\tau$ experienced on the rocket, let the acceleration of the rocket be $a(\tau)$. In special relativity there is a quantity that adds the way velocity does in Newtonian mechanics, called the rapidity of the rocket. With units in which $c = 1$, the rapidity $\theta$ is

$$\theta(\tau) = \int_0^{\tau} a(\tau')\,d\tau'$$

and the velocity is then $v(\tau) = \tanh\theta(\tau)$. If $a = g$, $v(\tau) = \tanh(g\tau)$. So if one year has passed on the rocket, its speed as seen from Earth will be $\tanh(1.05) \approx 0.78$, which means 78% of the speed of light. Since $\tanh\theta \to 1$ as $\tau \to \infty$, the velocity of the rocket never reaches light speed. A more important limiting factor is the fuel. Fusion is not a way around this: because of $E = mc^2$, only a limited amount of energy can be obtained from a given mass of fuel. If a fraction $f$ of the rocket's original mass $m$ is fuel and all of it is burned, the momentum of the rocket afterward is $\gamma m(1-f)\beta$. Conservation of energy and momentum give

$$m = \gamma m(1-f) + E_{\text{fuel}}, \qquad 0 = \gamma m\beta(1-f) + p_{\text{fuel}},$$

so

$$\beta = -\frac{p_{\text{fuel}}}{m - E_{\text{fuel}}}.$$

The minus sign shows that the fuel and the rocket go in opposite directions. To maximize $\beta$, make $|p_{\text{fuel}}|$ as large as possible for a fixed $E_{\text{fuel}}$, so assume the exhaust is massless with $\beta_{\text{fuel}} = 1$, that is, $p_{\text{fuel}} = -E_{\text{fuel}}$. Then

$$\beta = \frac{1 - (1-f)^2}{1 + (1-f)^2}.$$

To sum up, even if the fuel is 50% of the rocket's original mass, the rocket only reaches $3/5$ of the speed of light. Research in the area of ion propulsion is pushing the envelope of propulsion technology. To achieve higher power levels and speeds and longer durations, advances are being made. As new power sources become available, higher-power thrusters will be developed that provide greater speed and more thrust. Nowadays, PPU and PMS technologies are being developed that will allow NASA to build lighter and more compact systems while increasing reliability. These technologies will allow humankind to explore the farthest reaches of our solar system, and eventually what lies beyond it.
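The step from the two conservation equations to the closed form for $\beta$, carried through here with the essay's own symbols as an added derivation that is not part of the original text. Write $e = E_{\text{fuel}}/m$ and use the massless-exhaust assumption $p_{\text{fuel}} = -E_{\text{fuel}}$, so the two conservation equations become

$$\gamma(1-f) = 1 - e, \qquad \gamma\beta(1-f) = e .$$

Squaring and subtracting, with $\gamma^2(1-\beta^2) = 1$,

$$(1-f)^2 = (1-e)^2 - e^2 = 1 - 2e \quad\Rightarrow\quad e = \frac{1-(1-f)^2}{2},$$

and dividing the second equation by the first,

$$\beta = \frac{e}{1-e} = \frac{1-(1-f)^2}{1+(1-f)^2}.$$

Check with $f = 1/2$: $e = 3/8$, $\beta = 3/5$, $\gamma = 5/4$, and $\gamma(1-f) = 5/8 = 1 - e$ as required.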
Works Cited

NASA: "New Millennium Program", http://nmp.jpl.nasa.gov/ds1/tech/ionpropfaq.html
Lucian Dorneanu: "How Does Ion Drive Propulsion Work?", May 10th, 2007, 21:06 GMT, http://news.softpedia.com/news/How-Does-Ion-Drive-Propulsion-Work-54439.shtml
Permanent.com: "Electric Propulsion for Inter-Orbital Vehicles", http://www.permanent.com/space-transportation-electric.html
Dennis Ward: "Electric (Ion) Propulsion", http://eo.ucar.edu/staff/dward/sao/fit/electric.htm

Thursday, September 19, 2019

Marshall McLuhan's Understanding Media Essay

Marshall McLuhan's Understanding Media

In his groundbreaking work, Understanding Media, Marshall McLuhan posits that technologies in the "electric age" rendered it impossible for the individual to remain "aloof" anymore. Over the course of the late 19th to early 20th centuries, while an increasing presence of electric machines in daily life irrefutably signaled our nation's arrival into the electric age, society's "central nervous system [was] technologically extended to involve [each individual] in the whole of mankind," McLuhan states (20). Previously disconnected, isolated individuals and groups suddenly became compressed, involved in each others' lives, and unified into a network. As opposed to the preceding mechanical age, this was an age that sought "wholeness", an aspiration that McLuhan refers to as a "natural adjunct of electric technology" (21). McLuhan believes that great progress was made in the electric age; that wholeness was sought and worked towards eagerly. However, at the turn of the century, three individuals, the philosopher, historian, and writer Henry Adams, the author Henry James, and the escape artist Harry Houdini, seemed to believe society was falling short of the goals that McLuhan claims it held. To these artists, the dreams of making everything seem attainable and everyone reachable were unrealistic; complete global unification, involvement, and wholeness served as a foil for disintegrating interpersonal relations. These American artists saw technology not so much as a device that brings individuals together, but rather as a means of escaping each other, individual social lives, as well as the constraints of the natural world. The Autobiography of Henry Adams, first printed privately in 19... ... not yield wholeness, grant individual freedom, and give Americans the infinite mobility they dream of. On the contrary, technology may cause separation, destruction, and confinement.

The question of whether future technologies will unite individuals peacefully or destroy civilizations ruthlessly is just as relevant, if not in fact more pressing today, at the turn of the 21st century, with a global presence of weapons of mass destruction haunting America, than it was at the turn of the 20th century. Based on his law of acceleration and increased danger, Adams might be surprised that America withstood two world wars and even entered the 21st century. But since we have, there is reason to hope that individuals and fellow nations may continue to defy Adams' fears; that we may continue to "jump" headfirst into the future, and in doing so, eventually make progress.

Wednesday, September 18, 2019

Analysis of The Abstract Wild by Jack Turner

Analysis of The Abstract Wild by Jack Turner

Jack Turner's The Abstract Wild is a complex argument that discusses many issues and ultimately defends the wild in all of its forms. He opens the book with a narrative story about a time when he explored the Maze in Utah and stumbled across ancient pictographs. Turner tells this story to describe what a truly wild and unmediated experience is. The ideas of the aura, magic, and wildness that places contain are introduced in this story. Turner had a spiritual connection with the pictographs because of the power, beauty, and awe that they created within him upon their first mysterious contact. Turner ruined this unmediated experience by taking photographs of the pictographs and talking about them to several people. His second visit to the pictographs was extremely different: he had removed the wild connection between the ancient mural and himself by publicizing and talking about them. This is Turner's main point within the first chapter. He believes that when we take a wild place and photograph it, talk about it, advertise it, make maps of it, and place it in a national park, we ruin the magic, the aura, and the wildness of that place. Nature magazines, photographs, and films all contribute to the removal of our wild experience with nature. It is the difference between visiting the Grand Canyon after you have seen it on TV and read about it in magazines, or never having heard of the place and stumbling across it on your own during a hike. Unfortunately, almost every wild experience between nature and the public has been ruined by the media. Through Turner's story he begins to explain the idea of the wild, its importance, and the necessity of human interaction with the wild.

The second chapter contains two major ideas. The first is Turner's defense and explanation of the appropriateness of anger. Turner thinks that society wrongly taught people to repress and fear their emotions. Turner finds primal emotions to be necessary to our survival, as well as the survival of the wild. He explains that anger occurs when we defend something we love or something we feel is sacred. He reminds us to cherish our anger and use it to fuel rebellion. Turner criticizes the cowardice of modern environmentalists in the following passage: "The courage and resistance shown by the Navajos at Big Mountain, by Polish workers, by blacks in South Africa, and, most extraordinarily, by Chinese students in Tiananmen Square makes much of the environmental protest in America seem shallow and ineffective in

Tuesday, September 17, 2019

Is Weed As Bad As They Say? Essay

Is Weed As Bad As They Say?

Illegal drug use is a major problem in the world today. Millions of dollars are spent every year to prevent the distribution of drugs. All drugs are smuggled into the United States concealed in false compartments, fuel tanks, seats, and tires of private and commercial vehicles, pickup trucks, vans, mobile homes, and horse trailers (Pierson, 12-8-01). Large shipments are usually smuggled in tractor-trailer trucks in false compartments and in bulk shipments, such as agricultural products. The government has created ways to cut down on drugs. Yet the drug crisis is greater today than ever. Marijuana is one of the most widely used illegal drugs. Over the past thirty years the government has condemned marijuana. So in this paper, I will be describing the pros and some cons of the use of marijuana. Marijuana use should be legalized because of the beneficial uses that our economy can gain from weed.

Marijuana, also spelled marihuana, comes from the Indian hemp plant, Cannabis sativa (Gwinn, pg. 764). It is a crude, tobacco-like substance produced by drying the leaves and flowering tops of the cannabis plant. It is put into pipes or formed into joints, similar to a cigarette, for smoking. Recently, it has appeared in cigars called blunts. The drug is a mild hallucinogen, meaning that it distorts sensory perceptions. Marijuana has a wide variety of street names, including pot, tea, grass and weed (Dudley, pg. 21). Marijuana can also be added to foods such as brownies and beverages.

The intoxicating part of the plant is mostly in its strong-smelling, sticky, golden resin. The hemp flowers, especially those of the female plant, give off the strong smell. Many users describe two phases of marijuana effects: initial stimulation, giddiness, and euphoria, followed by sedation and pleasant tranquility. Mood changes can often accompany altered perceptions of time and space and of one's bodily dimensions (Gwinn, pg. 765). The hemp plant can be found growing as a weed or as a cultivated plant in people's homes. Marijuana can survive in almost any soil and climate, and the more potent varieties grow in dry, hot, wasteland-type environments (Pierson, 12-8-01).

Marijuana varies in potency, depending on where and how... ...

Although it is true that there have been no proven studies that marijuana is indeed a life-threatening drug (O'Brien, pg. 70), it has been proven that marijuana is a safe, versatile, and inexpensive medicine (Nahas, pg. 58-59). And what makes it even better is that it has been proven that marijuana is less toxic and dangerous than most of the prescription drugs given to you by the doctors you trust (Nahas, pg. 111).

Marijuana is a useful and misunderstood substance. If more studies are done, it can be a helpful assistance to the economy (Skidmore, 12-7-01). Marijuana was legal for many years and we didn't have a big drug problem like today. Marijuana laws, the threat of jail and fines, will not stop drug use. All they do is make it harder to help people (Skidmore, 12-7-01). As for me, I respect the right of people to control their own bodies. I believe we should legalize weed, help those who need it, and let the police spend their time protecting us from real crime. I also believe our society should have a more open mind on the hemp plant and really see the upside uses of marijuana.

Monday, September 16, 2019

An Inconvenient Truth Summary 3 – Essay – Deng1993

Director Davis Guggenheim eloquently weaves the science of global warming with Mr. Gore's personal history and lifelong commitment to reversing the effects of global climate change. A longtime advocate for the environment, Gore presents a wide array of facts and information in a thoughtful and compelling way. "Al Gore strips his presentations of politics, laying out the facts for the audience to draw their own conclusions in a charming, funny and engaging style, and by the end has everyone on the edge of their seats, gripped by his haunting message," said Guggenheim. An Inconvenient Truth is not a story of despair but rather a rallying cry to protect the one earth we all share. "It is now clear that we face a deepening global climate crisis that requires us to act boldly, quickly, and wisely," said Gore. Written by Plantation Productions

The host was the vice president of the USA in the Clinton administration. He has been interested in climate change issues since grade school and has continued to take interest in this subject as a politician. In this documentary, he highlights some very important points regarding global warming in his discussion. We will take a look at some of these. Some very important effects include illustrations of the impact of global warming. He does this by first pointing out the relationship between the amount of carbon in the atmosphere and the corresponding temperature over a 650,000-year period. For example, he showed some pictures of the ice melting on the big mountain in Africa called Kilimanjaro. He also talked about the increase of the ocean temperature that led to many hurricanes and tornadoes. To clarify, Florida in the US got a very bad hurricane in September 2004, called Ivan. Then he focused on the sea levels, which are rising because of the amount of ice melting in the Arctic Sea and ice shelves, by 1.5 million km² during the last forty years. For instance, ice caps melt as the temperature of the water rises, and this can destroy the ice species. Finally, he also mentioned that many people have died in different parts of the world because of high temperatures and heat waves. For example, the temperature in India rose and about 1400 people died in 2003. The extinction rate of many species is increasing and more than 30 diseases have appeared. To sum up, Al Gore says that although the situation regarding global warming appears dire, he speaks fervently, looking forward to the future with hope. His presentation concludes with parting nuggets of practical advice as to how man can play a role in curbing climate change. Posted by J

Al Gore, the one who was going to be the next president of the United States of America, has dedicated his life to letting people around the world be aware of the problem which threatens life on the earth. In the next lines I'm going to outline a brief summary of his movie "An Inconvenient Truth". Global warming is the catastrophe which threatens life on earth. Al Gore explained how the atmosphere works: sun rays come from the sun every day, then some of the rays stay inside the earth with the help of the ozone layer to keep it warm. The crazy increase of the carbon dioxide ratio has made the layer thicker, so more rays are trapped than we normally need. As a result, a lot of temperature change can be seen around the world, such as heat waves. Another problem global warming is causing is that the ice is melting, which is a very serious danger. The level of the sea, constructions and the weather itself can all be affected if the ice or permafrost starts to melt down because of the increasing heat. At the end of his discussion, Al Gore confirmed that most of the scientists around the world agree that we are the main reason for global warming. What will the future generation think of their parents if this problem gets more and more serious? Posted by Khalid

Sunday, September 15, 2019

Selinux

Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server

Note: Before using this information and the product it supports, read the information in "Notices".

First Edition (August 2009)
© Copyright IBM Corporation 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents
Introduction
First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
  Scope, requirements, and support
  Security-Enhanced Linux overview
  Access control: MAC and DAC
  SELinux basics
  SELinux and Apache
    Installing and running HTTPD
    HTTPD and context types
    HTTPD and SELinux Booleans
  Configuring HTTPD security using SELinux
    Securing Apache (static content only)
    Hardening CGI scripts with SELinux
Appendix. Related information and downloads
Notices
  Trademarks

Introduction
This blueprint provides a brief introduction to basic Security-Enhanced Linux (SELinux) commands and concepts, including Boolean variables. In addition, the paper shows you how to increase the security of the Apache Web server with SELinux by using these concepts. Key tools and technologies discussed in this demonstration include Security-Enhanced Linux (SELinux), mandatory access control (MAC), getenforce, sestatus, getsebool, and setsebool.
Intended audience
This blueprint is intended for Linux system or network administrators who want to learn more about securing their systems with SELinux. You should be familiar with installing and configuring Linux distributions, networks, and the Apache Web server.

Scope and purpose
This paper provides a basic overview of SELinux, SELinux Boolean variables, and hardening Apache on Red Hat Enterprise Linux (RHEL) 5.3. For more information about configuring RHEL 5.3, see the documentation supplied with your installation media or the distribution Web site. For more information about SELinux, see "Related information and downloads".

Software requirements
This blueprint is written and tested using Red Hat Enterprise Linux (RHEL) 5.3.

Hardware requirements
The information contained in this blueprint is tested on different models of IBM System x and System p hardware. For a list of hardware supported by RHEL 5.3, see the documentation supplied with your Linux distribution.

Author names
Robert Sisk

Other contributors
Monza Lui, Kersten Richter, Robb Romans

IBM Services
Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system. Community innovation integrates leading-edge technologies and best practices into Linux. IBM is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community. IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs. For more information about IBM and Linux, go to ibm.com/linux (https://www.ibm.com/linux).

IBM Support
Questions and comments regarding this documentation can be posted on the developerWorks Security Blueprint Community Forum: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1271
The IBM developerWorks discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and programming techniques with other developerWorks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerWorks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered.

Typographic conventions
The following typographic conventions are used in this Blueprint:
Bold: Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects.
Italics: Identifies parameters whose actual names or values are to be supplied by the user.
Monospace: Identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type.

First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server

Scope, requirements, and support
This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.
Systems to which this information applies: System x running Linux and PowerLinux

Security-Enhanced Linux overview
Security-Enhanced Linux (SELinux) is a component of the Linux operating system developed primarily by the United States National Security Agency.
SELinux provides a method for creation and enforcement of mandatory access control (MAC) policies. These policies confine users and processes to the minimal amount of privilege req uired to perform assigned tasks. For more information about the history of SELinux, see http://en. wikipedia. org/wiki/Selinux.Since its release to the open source community in December 2000, the SELinux project has gained improvements such as predefined Boolean variables that make it easier to use. This paper helps you understand how to use these variables to configure SELinux policies on your system and to secure the Apache httpd daemon. Related reference: â€Å"Scope, requirements, and support† This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. Access control: MAC and DAC Access level is important to computer system security.To compromise a system, attackers try to gain any possible level of access and then try to escalate that level until they are able to obtain restricted data or make unapproved system modifications. Because each user has some level of system access, every user account on your system increases the potential for abuse. System security has historically relied on trusting users not to abuse their access, but this trust has proven to be problematic. Today, server consolidation leads to more users per system. Outsourcing of Systems Management gives legitimate access, often at the system administrator level, to unknown users.Because server consolidation and outsourcing can be financially advantageous, what can you do to prevent abuse on Linux systems? To begin to answer that question, let's take a look at discretionary access control (DAC) and mandatory access control (MAC) and their differences. Discretionary access control (DAC), commonly known as file permissions, is the predominant access control mechanism in traditional UNIX and Linux systems. 
You may recognize the drwxr-xr-x or the ugo abbreviations for owner, group, and other permissions seen in a directory listing. In DAC, generally the resource owner (a user) controls who has access to a resour ce.For convenience, some users commonly set dangerous DAC file permissions that allow every user on the system to read, write, and execute many files that they own. In addition, a process started by a user can modify or delete any file to which the user has access. Processes that elevate their privileges high enough could therefore modify or delete system files. These instances are some of the disadvantages of DAC.  © Copyright IBM Corp. 2009 1 In contrast to DAC, mandatory access control (MAC) regulates user and process access to resources based upon an organizational (higher-level) security policy.This policy is a collection of rules that specify what types of access are allowed on a system. System policy is related to MAC in the same way that firewall rules are related to firewalls. SELinux is a Linux kernel implementation of a flexible MAC mechanism called type enforcement. In type enforcement, a type identifier is assigned to every user and object. An object can be a file or a process. To access an object, a user must be authorized for that object type. These authorizations are defined in a SELinux policy. Let's work through some examples and you will develop a better understanding of MAC and how it relates to SELinux.Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. SELinux basics It is a good practice not to use the root user unless necessary. However for demonstrating how to use SELinux, the root user is used in the examples in this blueprint. Some of the commands shown require root privileges to run them; for example, running getenforce and editing the /etc/selinux/config file. 
Run modes

You can enable or disable SELinux policy enforcement on a Red Hat Enterprise Linux system during or after operating system installation. When disabled, SELinux has no effect on the system. When enabled, SELinux runs in one of two modes:

- Enforcing: SELinux is enabled and the SELinux policy is enforced.
- Permissive: SELinux is enabled, but it only logs warnings (the denials it would have enforced) instead of enforcing the policy.

If you choose to enable SELinux when prompted during operating system installation, it is installed with a default security policy and set to run in enforcing mode.

Confirm the status of SELinux on your system. As with many UNIX or Linux tasks, there is more than one way to do this. To check the current mode, run one of the following commands: getenforce, sestatus, or cat /etc/selinux/config.

- The getenforce command returns the current SELinux run mode, or Disabled if SELinux is not enabled. In the following example, getenforce shows that SELinux is enabled and enforcing the current SELinux policy:

    [root@localhost ~]$ getenforce
    Enforcing

  If your system displays Permissive or Disabled and you want to follow along with the instructions, change the /etc/selinux/config file to run in enforcing mode before continuing with the demonstration. Remember that if you are in Disabled mode, you should change first to permissive and then to enforcing: files created while SELinux was disabled carry no labels, and the file system must be relabeled (create the file /.autorelabel before rebooting to trigger a relabel at boot) before enforcing mode can work correctly.

- The sestatus command returns the current run mode, along with information about the SELinux policy if SELinux is enabled. In the following example, sestatus shows that SELinux is enabled and enforcing the current SELinux policy:

    [root@localhost ~]$ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted

- The /etc/selinux/config file configures SELinux and controls the mode as well as the active policy. Changes to /etc/selinux/config become effective only after you reboot the system. In the following example, the file shows that the mode is set to enforcing and the current policy type is targeted:

    [root@localhost ~]$ cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

To enable SELinux, set the value of the SELINUX parameter in /etc/selinux/config to either enforcing or permissive, then reboot the system to start SELinux. We recommend that you set SELINUX=permissive if the file system has never been labeled, has not been labeled recently, or you are not sure when it was last labeled. File system labeling is the process of assigning a label containing security-relevant information to each file. In SELinux a file label is composed of the user, role, and type, such as system_u:object_r:httpd_sys_content_t. Permissive mode ensures that SELinux does not interfere with the boot sequence if a command in the sequence runs before the file system relabel is completed. Once the system is up and running, you can change the SELinux mode to enforcing.

To change the mode of SELinux on a running system, use the setenforce command: setenforce enforcing changes the mode to enforcing, and setenforce permissive changes the mode to permissive. To disable SELinux, edit /etc/selinux/config as described previously and reboot. You cannot disable or enable SELinux on a running system from the command line; you can only switch between enforcing and permissive while SELinux is enabled.

Change the mode of SELinux to permissive by entering the following command:

    [root@localhost ~]$ setenforce permissive

Recheck the output from getenforce, sestatus, and cat /etc/selinux/config.

- getenforce returns Permissive, confirming the mode change:

    [root@localhost ~]$ getenforce
    Permissive

- sestatus also returns a current mode of permissive:

    [root@localhost ~]$ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted

- cat /etc/selinux/config, however, is unchanged:

    [root@localhost ~]$ cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

After changing the mode to permissive, both getenforce and sestatus report the correct permissive mode. However, look carefully at the sestatus output: the Mode from config file value is still enforcing. This is consistent with the cat /etc/selinux/config output because the config file was not changed, and it means that a change made with setenforce does not carry over to the next boot. If you reboot, SELinux returns to the run mode configured in /etc/selinux/config, which here is enforcing. The reverse also holds: a system whose config file says permissive will come back permissive after every reboot, regardless of what setenforce was run last, so always check both values when you audit a server.

Change the running mode back to enforcing by entering the following command:

    [root@localhost ~]$ setenforce enforcing

The following output confirms the mode change:

    [root@localhost ~]$ getenforce
    Enforcing

Security contexts

The concept of type enforcement and the SELinux type identifier were discussed in the Overview. Let's explore these concepts in more detail.

The SELinux implementation of MAC employs a type enforcement mechanism that requires every subject and object to be assigned a type identifier. The terms subject and object are defined in the Bell-La Padula multilevel security model (see http://en.wikipedia.org/wiki/Bell-La_Padula_model for more information). Think of the subject as a user or a process and the object as a file or a process. Typically, a subject accesses an object; for example, a user modifies a file. When SELinux runs in enforcing mode, a subject cannot access an object unless the type identifier assigned to the subject is authorized to access the object's type. The default policy is to deny all access not specifically allowed. Authorization is determined by rules defined in the SELinux policy. An example of a rule granting access may be as simple as:

    allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };

In this rule, the subject (the http daemon, assigned the type identifier httpd_t) is given the permissions ioctl, read, getattr, and lock for any file object assigned the type identifier httpd_sys_content_t. In simple terms, the http daemon is allowed to read a file that is assigned the type httpd_sys_content_t. Note what the rule does not grant: write, append, or execute. Because everything not allowed is denied, httpd_t cannot modify such a file even if its DAC permissions are world-writable. This is a basic example of an allow rule. There are many kinds of allow rules, some of them very complex, and there are many type identifiers for use with subjects and objects. For more information about rule definitions, see SELinux by Example in the "Related information and downloads" section on page 15.

SELinux adds type enforcement to standard Linux distributions. To access an object, the user must have both the appropriate file permissions (DAC) and the correct SELinux access. An SELinux security context contains three parts: the user, the role, and the type identifier. Running the ls command with the -Z switch displays the typical file information as well as the security context for each item in the directory. In the following example, the security context for the index.html file is composed of user_u as the user, object_r as the role, and httpd_sys_content_t as the type identifier:

    [root@localhost html]$ ls -Z index.html
    -rw-r--r--  web_admin web_admin user_u:object_r:httpd_sys_content_t index.html

SELinux and Apache

Installing and running HTTPD

Now that you have a general understanding of the SELinux security context, you can secure an Apache Web server using SELinux. To follow along, you must have Apache installed on your system.
You can install Apache on Red Hat Enterprise Linux by entering the following command:

    [root@localhost html]$ yum install httpd

Next, start the Apache http daemon by entering service httpd start:

    [root@localhost html]$ service httpd start
    Starting httpd:

HTTPD and context types

Red Hat Enterprise Linux 5.3, at the time of this writing, uses selinux-policy-2.4.6-203.el5. This policy defines the security context type for the http daemon process as httpd_t. Because SELinux is running in enforcing mode, entering ps axZ | grep httpd produces the following output:

    [root@localhost html]$ ps axZ | grep httpd
    root:system_r:httpd_t            2555 ?        Ss     0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2593 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2594 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2595 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2596 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2597 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2598 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2599 ?        S      0:00 /usr/sbin/httpd
    root:system_r:httpd_t            2600 ?        S      0:00 /usr/sbin/httpd

The Z option to ps shows the security context of the httpd processes as root:system_r:httpd_t, confirming that httpd is running with the type httpd_t.

The selinux-policy-2.4.6-203.el5 policy also defines several file security context types for use with the http daemon. For a listing, see the httpd_selinux man page. The httpd_sys_content_t context type is used for files and subdirectories containing content that should be accessible to the http daemon and all httpd scripts.

Entering ls -Z displays the security context for items in the default http directory (/var/www/):

    [root@localhost ~]$ ls -Z /var/www/ | grep html
    drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t html

The /var/www/html directory is the default location for all Web server content (set by DocumentRoot /var/www/html in the /etc/httpd/conf/httpd.conf configuration file). This directory is assigned the type httpd_sys_content_t as part of its security context, which allows the http daemon to access its contents. A new file or subdirectory inherits the security context of the directory in which it is created; therefore a file created in the html subdirectory inherits the httpd_sys_content_t type.

In the following example, the root user creates the index.html file in the /root directory. The file inherits the root:object_r:user_home_t context, which is the expected security context for root's home directory in RHEL 5.3:

    [root@localhost ~]$ touch /root/index.html
    [root@localhost ~]$ ls -Z /root/index.html
    -rw-r--r--  root root root:object_r:user_home_t        /root/index.html

If the root user copies the newly created index.html file to the /var/www/html/ directory, the copy inherits the security context (httpd_sys_content_t) of the html subdirectory, because cp creates a new file there:

    [root@localhost ~]$ cp /root/index.html /var/www/html
    [root@localhost ~]$ ls -Z /var/www/html/index.html
    -rw-r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/index.html

If you move the index.html file instead of copying it, no new file is created in the html subdirectory: mv keeps the existing inode and its label, so index.html retains the user_home_t type:

    [root@localhost ~]$ mv -f /root/index.html /var/www/html
    [root@localhost ~]$ ls -Z /var/www/html/index.html
    -rw-r--r--  root root user_u:object_r:user_home_t      /var/www/html/index.html

When a Web browser or a download agent such as wget requests the moved index.html file, which still carries the user_home_t context, the request is denied because SELinux is running in enforcing mode:

    [root@localhost ~]# wget localhost/index.html
    --21:10:00--  http://localhost/index.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    21:10:00 ERROR 403: Forbidden.

SELinux generates error messages in both /var/log/messages and /var/log/httpd/error_log. The following message in /var/log/httpd/error_log is not very helpful because it only tells you that access is being denied:

    [Wed May 20 12:47:57 2009] [error] [client 172.16.1.100] (13) Permission denied: access to /index.html denied

The following error message in /var/log/messages is more helpful because it tells you why SELinux is preventing access to /var/www/html/index.html: the file is potentially mislabeled. Furthermore, it provides a command that you can use to produce a detailed summary of the issue:

    May 20 12:22:48 localhost setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a

Entering sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a, as suggested in the message, returns the following detailed report:

    [root@localhost ~]$ sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a
    Summary:

    SELinux is preventing the httpd from using potentially mislabeled files
    (/var/www/html/index.html).

    Detailed Description:

    SELinux has denied httpd access to potentially mislabeled file(s)
    (/var/www/html/index.html). This means that SELinux will not allow httpd to
    use these files. It is common for users to edit files in their home directory
    or tmp directories and then move (mv) them to system directories. The problem
    is that the files end up with the wrong file context which confined
    applications are not allowed to access.

    Allowing Access:

    If you want httpd to access this files, you need to relabel them using
    restorecon -v '/var/www/html/index.html'. You might want to relabel the
    entire directory using restorecon -R -v '/var/www/html'.

    Additional Information:

    Source Context                root:system_r:httpd_t
    Target Context                root:object_r:user_home_t
    Target Objects                /var/www/html/index.html [ file ]
    Source                        httpd
    Source Path                   /usr/sbin/httpd
    Port
    Host                          localhost.localdomain
    Source RPM Packages           httpd-2.2.3-22.el5
    Target RPM Packages
    Policy RPM                    selinux-policy-2.4.6-203.el5
    Selinux Enabled               True
    Policy Type                   targeted
    MLS Enabled                   True
    Enforcing Mode                Enforcing
    Plugin Name                   home_tmp_bad_labels
    Host Name                     localhost.localdomain
    Platform                      Linux localhost.localdomain 2.6.18-128.1.10.el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
    Alert Count                   24
    First Seen                    Fri May 15 13:36:32 2009
    Last Seen                     Wed May 20 12:47:56 2009
    Local ID                      9e568d42-4b20-471c-9214-b98020c4d97a
    Line Numbers

    Raw Audit Messages

    host=localhost.localdomain type=AVC msg=audit(1242838076.937:1141): avc: denied { getattr } for pid=3197 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3827354 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file

    host=localhost.localdomain type=SYSCALL msg=audit(1242838076.937:1141): arch=40000003 syscall=196 success=no exit=-13 a0=8eaa788 a1=bfc8d49c a2=419ff4 a3=2008171 items=0 ppid=3273 pid=3197 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

Although called a summary, this output is a very detailed report that provides the commands needed to resolve the issue. The decisive line is the AVC record: the source context httpd_t was denied getattr on a file whose target context type is user_home_t, and the targeted policy contains no allow rule from httpd_t to user_home_t. As shown below, entering restorecon -v '/var/www/html/index.html', as suggested, not only resolves the problem but also reports the change it made to the file's security context:

    [root@localhost ~]$ restorecon -v '/var/www/html/index.html'
    /sbin/restorecon reset /var/www/html/index.html context root:object_r:user_home_t:s0->root:object_r:httpd_sys_content_t:s0

The restorecon -v command changed the security context of /var/www/html/index.html from root:object_r:user_home_t to root:object_r:httpd_sys_content_t, the default label that the policy's file context specification records for that path. With this security context, the http daemon can now access /var/www/html/index.html. Use a Web browser or wget to make another request for the index.html file; this time the request is permitted:

    [root@localhost ~]# wget localhost/index.html
    --21:09:21--  http://localhost/index.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 0 [text/html]
    Saving to: 'index.html'

    [ <=>                                    ] 0           --.-K/s   in 0s

    21:09:21 (0.00 B/s) - 'index.html' saved [0/0]
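The sealert report above does the triage for one denial at a time. The following shell script is an added example and is not part of the IBM blueprint: it reads raw AVC records (lines from /var/log/audit/audit.log, or the Raw Audit Messages section of a sealert report) and, for every denial whose source domain is httpd_t, prints the permission, object class, target type and object, together with the fix the report would suggest. Its rules are the ones this blueprint states, generalized a little: a non-httpd type on an object under /var/www is a mislabel and gets restorecon; a denial on httpd_sys_script_exec_t means CGI is switched off by the httpd_enable_cgi Boolean (the case the Booleans section walks through); a name_connect denial maps to the httpd_can_network_connect and httpd_can_network_connect_db Booleans from the page's Boolean list. Anything else is marked REVIEW rather than guessed at. The sample input is constructed: the first two records are the two denials shown on this page, the third (a connect to a mysqld_port_t port) is invented to exercise the network rule, and the fourth is a SYSCALL record that must be ignored.

```shell
#!/bin/sh
# Added example (not from the IBM blueprint): first-pass triage of AVC denials
# for the httpd_t domain. Reads audit records on stdin (audit.log lines or the
# "Raw Audit Messages" of a sealert report) and prints one line per denial:
#   VERDICT  perm class target_type object  =>  suggested fix
# Verdicts follow what sealert told the blueprint's author; anything the rules
# do not cover is marked REVIEW instead of guessed.

# Constructed sample: records 1 and 2 are the denials shown on this page,
# record 3 is invented to exercise the network-connect rule, record 4 is a
# SYSCALL record that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1242838076.937:1141): avc: denied { getattr } for pid=3197 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3827354 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1243540116.963:248): avc: denied { getattr } for pid=2595 comm="httpd" path="/var/www/cgi-bin" dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir
type=AVC msg=audit(1243540200.100:301): avc: denied { name_connect } for pid=2596 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1242838076.937:1141): arch=40000003 syscall=196 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0'

# ctx_type CONTEXT: the type field of user:role:type[:level], for example
# ctx_type root:object_r:user_home_t:s0 -> user_home_t
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# triage_avc < records
triage_avc() {
    awk '
    /type=AVC/ && /scontext=[^ ]*:httpd_t(:| )/ {
        perm = ""; tclass = ""; ttype = ""; path = "(none)"; dest = ""
        # "{ getattr }" -> "getattr" (several permissions stay space separated)
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "tclass") tclass = kv[2]
            if (kv[1] == "dest") dest = kv[2]
            if (kv[1] == "path") { path = kv[2]; gsub(/"/, "", path) }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        where = path
        if (dest != "") where = "port " dest
        if (ttype == "httpd_sys_script_exec_t") {
            # CGI directory or script: access is gated by httpd_enable_cgi
            verdict = "BOOLEAN"; fix = "setsebool -P httpd_enable_cgi=1"
        } else if (perm == "name_connect") {
            verdict = "BOOLEAN"
            if (ttype ~ /^(mysqld|postgresql)_port_t$/) fix = "setsebool -P httpd_can_network_connect_db=1"
            else fix = "setsebool -P httpd_can_network_connect=1"
        } else if (ttype !~ /^httpd_/ && path ~ /^\/var\/www\//) {
            # web content carrying a foreign label (mv from a home dir): relabel
            verdict = "MISLABEL"; fix = "restorecon -v " path
        } else {
            verdict = "REVIEW"; fix = "sealert -l <id> / audit2why"
        }
        printf "%-8s %s %s %s %s  =>  %s\n", verdict, perm, tclass, ttype, where, fix
    }'
}

# Real use: sh triage_avc.sh /var/log/audit/audit.log
# With no arguments the constructed sample above is triaged instead.
if [ $# -gt 0 ]; then
    cat "$@" | triage_avc
else
    printf '%s\n' "$SAMPLE_AVC" | triage_avc
fi
```

On the sample this prints MISLABEL for index.html with the same restorecon command sealert gave, BOOLEAN for the cgi-bin directory, and BOOLEAN with httpd_can_network_connect_db for the database connect. Treat the output as a worklist, not as commands to run blindly: a MISLABEL under /var/www is usually an operator mistake, but a BOOLEAN verdict on a server that was deliberately locked down may be the intrusion attempt that sealert warns about, and the right action is then to leave the Boolean off.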
HTTPD and SELinux Booleans

SELinux has a set of built-in switches named Booleans, or conditional policies, that you can use to turn specific SELinux features on or off. Entering getsebool -a | grep http lists the 23 Booleans related to the http daemon, a subset of the 234 Booleans defined in the selinux-policy-2.4.6-203.el5 policy. These 23 Booleans let you customize the SELinux policy for the http daemon at runtime without modifying, compiling, or loading a new policy. You customize the level of http security by setting the relevant Boolean values or toggling them between on and off.

    [root@localhost ~]$ getsebool -a | grep http
    allow_httpd_anon_write --> off
    allow_httpd_bugzilla_script_anon_write --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_nagios_script_anon_write --> off
    allow_httpd_prewikka_script_anon_write --> off
    allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> on
    httpd_disable_trans --> off
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> on
    httpd_rotatelogs_disable_trans --> off
    httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
    httpd_tty_comm --> on
    httpd_unified --> on
    httpd_use_cifs --> off
    httpd_use_nfs --> off

SELinux provides three command-line tools for working with Booleans: getsebool, setsebool, and togglesebool.

The getsebool -a command returns the current state of all the SELinux Booleans defined by the policy. You can also use the command without the -a option to return the settings for one or more specific Booleans named on the command line:

    [root@localhost ~]$ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on

Use setsebool to set the current state of one or more Booleans by specifying the Boolean and its value. Acceptable values to enable a Boolean are 1, true, and on; acceptable values to disable a Boolean are 0, false, and off. Use the -P option to make the change persistent: setsebool -P writes the new value into the policy store so that it survives reboots. Without -P, the change remains in effect only until you change it again or the system is rebooted.

Use setsebool to change the httpd_enable_cgi Boolean to off:

    [root@localhost ~]$ setsebool httpd_enable_cgi 0

Confirm the status change of the httpd_enable_cgi Boolean:

    [root@localhost ~]$ getsebool httpd_enable_cgi
    httpd_enable_cgi --> off

The togglesebool tool flips the current value of one or more Booleans. This tool has no option that writes the change to the policy store, so changes remain in effect only until changed again or until the system is rebooted. Use togglesebool to switch the httpd_enable_cgi Boolean back on:

    [root@localhost ~]$ togglesebool httpd_enable_cgi
    httpd_enable_cgi: active

Confirm the status change of the httpd_enable_cgi Boolean:

    [root@localhost ~]$ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on
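Reading a getsebool listing by eye and deciding which of the 23 switches to turn off is the step that gets skipped on the second server. The following script is an added example, not part of the IBM blueprint: it takes the output of getsebool -a | grep httpd on standard input plus the list of features the site actually uses, and prints the one setsebool -P command that turns off every mapped Boolean that is on but not needed, plus a WARN line for any needed feature whose Boolean is currently off. The short feature names (cgi, php, homedirs, sendmail, tty, unified, network, db, nfs, cifs) are this script's own shorthand, mapped to Booleans taken from the list above; the sample input is constructed from the RHEL 5.3 defaults shown on this page.

```shell
#!/bin/sh
# Added example (not from the IBM blueprint): derive the httpd hardening
# command from the live Boolean state instead of reading the list by eye.
#   getsebool -a | grep httpd | harden_plan "cgi db"
# prints one "setsebool -P name=0 ..." that turns off every mapped Boolean the
# site does not need, and a WARN line for a needed feature that is off.
# Feature names are this script's own shorthand; Booleans are from the page.

FEATURE_MAP='cgi httpd_enable_cgi
php httpd_builtin_scripting
homedirs httpd_enable_homedirs
sendmail httpd_can_sendmail
tty httpd_tty_comm
unified httpd_unified
network httpd_can_network_connect
db httpd_can_network_connect_db
nfs httpd_use_nfs
cifs httpd_use_cifs'

# Constructed sample: the RHEL 5.3 defaults listed on this page.
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off'

# harden_plan "needed features" < getsebool output
harden_plan() {
    awk -v needed="$1" -v map="$FEATURE_MAP" '
    BEGIN {
        n = split(map, line, "\n")
        for (i = 1; i <= n; i++) { split(line[i], f, " "); feature[f[2]] = f[1] }
        m = split(needed, want_list, " ")
        for (i = 1; i <= m; i++) want[want_list[i]] = 1
    }
    # getsebool prints "name --> on|off"; only Booleans in the map are judged
    $2 == "-->" && ($1 in feature) {
        feat = feature[$1]
        if ($3 == "on" && !(feat in want)) off = off " " $1 "=0"
        if ($3 == "off" && (feat in want)) warn = warn "WARN " $1 " is off but " feat " is needed\n"
    }
    END {
        if (off != "") print "setsebool -P" off
        else print "nothing to turn off"
        printf "%s", warn
    }'
}

# Static-only site (no features needed) against the constructed sample:
printf '%s\n' "$SAMPLE_GETSEBOOL" | harden_plan ""
```

With no features requested the script emits setsebool -P for exactly the six default-on Booleans (httpd_builtin_scripting, httpd_can_sendmail, httpd_enable_cgi, httpd_enable_homedirs, httpd_tty_comm, httpd_unified), which is the static-content configuration. Passing "cgi db" keeps httpd_enable_cgi on and warns that httpd_can_network_connect_db is off, so a needed feature is not silently lost. Run it after every policy update: new Booleans that default to on show up only once they are added to the map, which is deliberate, since an unknown switch deserves a read of the man page rather than an automatic decision.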
Configuring HTTPD security using SELinux Related reference: â€Å"Scope, requirements, and support† on page 1 This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies. Securing Apache (static content only) The default Red Hat Enterprise Linux 5. 3 installation with SELinux running in enforcing mode provides a basic level of Web server security. You can increase that security level with a little effort.Because security is related to the function of the system, let's start with a Web server that only serves static content from the /var/www/html directory. 1. Ensure that SELinux is enabled and running in enforcing mode: [[email  protected] ~]$ sestatus SELinux status: SELinuxfs mount: Current mode: Mode from config file: Policy version: Policy from config file: enabled /selinux enforcing enforcing 21 2. Confirm that httpd is running as type httpd_t: [[email  protected] html]$ /bin/ps axZ root:system_r:httpd_t 2555 ? root:system_r:httpd_t 2593 ? root:system_r:httpd_t 2594 ? root:system_r:httpd_t 2595 ? root:system_r:httpd_t 2596 ? root:system_r:httpd_t 2597 ? root:system_r:httpd_t 2598 ? root:system_r:httpd_t 2599 ? root:system_r:httpd_t 2600 ? grep http Ss 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd S 0:00 httpd 3. 
Confirm that the /var/www/html directory is assigned the httpd_sys_content_t con text type: [[email  protected] ~]$ ls -Z /var/www/ drwxr-xr-x root root root:object_r:httpd_sys_script_exec_t cgi-bin drwxr-xr-x root root root:object_r:httpd_sys_content_t error drwxr-xr-x root root root:object_r:httpd_sys_content_t html First Steps with Security-Enhanced Linux (SELinux) 9 drwxr-xr-x drwxr-xr-x drwxr-xr-x root root root:object_r:httpd_sys_content_t icons root root root:object_r:httpd_sys_content_t manual webalizer root root:object_r:httpd_sys_content_t usage 4.Confirm that the content to be served is assigned the httpd_sys_content_t context type. For example: [[email  protected] ~]$ ls -Z /var/www/html/index. html -rw-r–r– root root root:object_r:httpd_sys_content_t /var/www/html/index. html Use a Web browser or wget to make a request to the httpd daemon for the index. html file and you should see that permission is granted. To increase the level of protection provided by SELinux, disable any httpd-related features that you do not want by turning off their corresponding Boolean. By default, the following six Boolean are set to on. If you do not need these features, turn them off by setting their Boolean variables to off. [email  protected] ~]# getsebool -a|grep http|grep â€Å"–> on† httpd_builtin_scripting –> on httpd_can_sendmail –> on httpd_enable_cgi –> on httpd_enable_homedirs –> on httpd_tty_comm –> on httpd_unified –> on httpd_can_sendmail If the Web server does not use Sendmail, turn this Boolean to off. This action prevents unauthorized users from sending e-mail spam from this system. httpd_enable_homedirs When this Boolean is set to on, it allows httpd to read content from subdirectories located under user home directories. If the Web server is not configured to serve content from user home directories, set this Boolean to off. 
httpd_tty_comm By default, httpd is allowed to access the controlling terminal.This action is necessary in certain situations where httpd must prompt the user for a password. If the Web server does not require this feature, set the Boolean to off. httpd_unified This Boolean affects the transition of the http daemon to security domains defined in SELinux policy. Enabling this Boolean creates a single security domain for all http-labeled content. For more information, see SELinux by Example listed under the â€Å"Related information and downloads,† on page 15 section. httpd_enable_cgi If your content does not use the Common Gateway Interface (CGI) protocol, set this Boolean to off. If you are unsure about using CGI in the Web server, try setting it to off and examine the log entries in the /var/log/messages file.The following example shows an error message from /var/log/messages resulting from SELinux blocking httpd execution of a CGI script: May 28 15:48:37 localhost setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l 0fdf4649-60df -47b5-bfd5-a72772207adc Entering sealert -l 0fdf4649-60df-47b5-bfd5-a72772207adc produces the following output: Summary: SELinux is preventing the http daemon from executing cgi scripts. Detailed Description: SELinux has denied the http daemon from executing a cgi script. httpd can be setup in a locked down mode where cgi scripts are not allowed to be executed. 
If the httpd server has been setup to not execute cgi scripts, this could signal a intrusion attempt.Allowing Access: If you want httpd to be able to run cgi scripts, you need to turn on the httpd_enable_cgi Boolean: â€Å"setsebool -P httpd_enable_cgi=1†³ 10 Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server The following command will allow this access: setsebool -P httpd_enable_cgi=1 Additional Information: Source Context root:system_r:httpd_t Target Context root:object_r:httpd_sys_script_exec_t Target Objects /var/www/cgi-bin [ dir ] Source httpd Source Path httpd Port Hos t localhost. localdomain Source RPM Packages httpd-2. 2. 3-22. el5 Target RPM Packages httpd-2. 2. 3-22. el5 Policy RPM selinux-policy-2. 4. 6-203. l5 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name httpd_enable_cgi Host Name localhost. localdomain Platform Linux localhost. localdomain 2. 6. 18-128. 1. 10. el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686 Alert Count 1 First Seen Thu May 28 15:48:36 2009 Last Seen Thu May 28 15:48:36 2009 Local ID 0fdf4649-60df-47b5-bfd5-a72772207adc Line Numbers Raw Audit Messages host=localhost. localdomain type=AVC msg=audit(1243540116. 963:248): avc: denied { getattr } for pid=2595 comm=†httpd† path=†/var/www/cgi-bin† dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir host=localhost. localdomain type=SYSCALL msg=audit(1243540116. 
63:248): arch=40000003 syscall=196 success=no exit=-13 a0=8bd0a88 a1=bfc790bc a2=4 d0ff4 a3=2008171 items=0 ppid=2555 pid=2595 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=†httpd† exe=†httpd† subj=root:system_r:httpd_t:s0 key=(null) At the end of the previous output, listed under the Raw Audit Messages are these lines: â€Å"scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir† This output shows you that httpd attempted to access a subdirectory with the httpd_sys_script_exec_t context type. This type is the context type of /var/www/cgi-bin, the directory where httpd looks for CGI scripts. The httpd daemon, with a httpd_t context type, was unable to access this subdirectory because the httpd_enable_cgi variable is set to off.With this configuration, SELinux does not allow a user or process of type httpd_t to access a directory, file, or process of type httpd_sys_script_exec_t. Therefore, the http daemon was denied access to the CGI script located in /var/www/cgi-bin. If you find similar messages in your log file, set the httpd_enable_cgi Boolean to on. httpd_builtin_scripting If you did not configure Apache to load scripting modules by changing the /etc/httpd/conf/ httpd. conf configuration file, set this Boolean to off. If you are unsure, turn httpd_builtin_scripting to off and check the /var/log/messages file for any httpd-related SELinux warnings. See the description of httpd_enable_cgi for an example. PHP and other scripting modules run with the same level of access as the http daemon.Therefore, turning httpd_builtin_scripting to off reduces the amount of access available if the Web server is compromised. To turn off all six of these Booleans and write the values to the policy file by using the setsebool -P command follow these steps: 1. 
Enter the setsebool -P command:

# setsebool -P httpd_can_sendmail=0 httpd_enable_homedirs=0 httpd_tty_comm=0 httpd_unified=0 httpd_enable_cgi=0 httpd_builtin_scripting=0

2. Check all the Boolean settings related to httpd by entering getsebool -a | grep httpd. The following output shows that all Booleans are set to off, including the six previously described variables, which default to on:

$ getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_disable_trans --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_nfs --> off

3. Use a Web browser or wget to make another request to the httpd daemon for the index.html file; it should succeed. Rebooting your machine does not change this configuration, because setsebool -P writes the values to the persistent policy store.

This completes the basic SELinux settings for hardening a Web server with static content. Next, look at hardening scripts accessed by the http daemon.

Related reference:
"Scope, requirements, and support" on page 1
This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.

Hardening CGI scripts with SELinux

In the previous section, you used SELinux Booleans to disable scripting because the Web server used only static content.
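The static-content steps above fix a Boolean baseline and verify it with getsebool, and the CGI steps that follow require a script with the right interpreter path, mode and file context before httpd_enable_cgi is switched on. The script below is an added example, not part of the blueprint, that turns both into repeatable checks: baseline_drift compares a getsebool -a | grep httpd listing against the six Booleans this page turns off and fix_command prints the one setsebool -P command that restores them; check_cgi_script runs the shebang, mode and context checks for a single script. The getsebool listing embedded in it is constructed (two Booleans deliberately left on); on a host with the SELinux tools the httpd_booleans helper reads the live values instead, and the context check can be skipped by passing an empty expected type where ls -Z reports none.

```shell
#!/bin/sh
# Added example (not from the blueprint): re-check the httpd Boolean baseline
# from the static-content section and pre-check a CGI script before enabling
# httpd_enable_cgi. Assumptions: getsebool and ls -Z behave as on RHEL 5 when
# present; without them the constructed snapshot is used, so the script also
# runs on a non-SELinux build box.

# The six Booleans this blueprint switches off for a static-content server.
BASELINE_OFF="httpd_can_sendmail httpd_enable_homedirs httpd_tty_comm httpd_unified httpd_enable_cgi httpd_builtin_scripting"

# Constructed `getsebool -a | grep httpd` snapshot with two Booleans left on.
SAMPLE_SNAPSHOT='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_tty_comm --> off
httpd_unified --> off'

# Live listing when getsebool exists, otherwise the constructed snapshot.
httpd_booleans() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool -a | grep httpd
    else
        printf '%s\n' "$SAMPLE_SNAPSHOT"
    fi
}

# Read a listing on stdin; print "name state" for every baseline Boolean that
# is not off (state "missing" if the policy does not define it at all).
baseline_drift() {
    snapshot=$(cat)
    for b in $BASELINE_OFF; do
        state=$(printf '%s\n' "$snapshot" | awk -v b="$b" '$1 == b { print $3 }')
        [ "$state" = off ] || printf '%s %s\n' "$b" "${state:-missing}"
    done
}

# Turn "name state" drift lines on stdin into the single persistent fix,
# in the form the hardening steps use (setsebool -P name=0 ...).
fix_command() {
    args=$(awk '$2 == "on" { printf " %s=0", $1 }')
    if [ -n "$args" ]; then
        echo "setsebool -P$args"
    fi
}

# Pre-flight for one CGI script (steps 3, 5 and 6 of the CGI section): the #!
# interpreter exists and is executable, the mode is r-xr-xr-x with no
# group/world write bit, and the SELinux type is the expected one (default
# httpd_sys_script_exec_t; pass "" as the second argument to skip the context
# check on an unlabeled box). Returns the number of failed checks.
check_cgi_script() {
    script=$1
    want=${2-httpd_sys_script_exec_t}
    fails=0
    interp=$(sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p' "$script")
    if [ -n "$interp" ] && [ -x "$interp" ]; then
        echo "ok   interpreter $interp"
    else
        echo "FAIL interpreter '${interp:-none}' missing or not executable"
        fails=$((fails + 1))
    fi
    perms=$(ls -ld "$script" | cut -c1-10)
    case "$perms" in
        ???x??x??x) echo "ok   mode $perms" ;;
        *) echo "FAIL mode $perms (expected r-xr-xr-x; chmod 555)"; fails=$((fails + 1)) ;;
    esac
    case "$perms" in
        ?????w*|????????w*) echo "FAIL writable by group or others"; fails=$((fails + 1)) ;;
        *) echo "ok   not group/world writable" ;;
    esac
    if [ -n "$want" ]; then
        ctx=$(ls -Z "$script" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }')
        case "$ctx" in
            "") echo "FAIL no SELinux context reported for $script"; fails=$((fails + 1)) ;;
            *":$want"*) echo "ok   context $ctx" ;;
            *) echo "FAIL context $ctx (expected $want)"; fails=$((fails + 1)) ;;
        esac
    else
        echo "skip context check"
    fi
    return $fails
}

# Demo on whatever listing is available; on a hardened host this prints nothing.
httpd_booleans | baseline_drift | fix_command
```

Typical use after the CGI section: run the drift check to confirm only httpd_enable_cgi has been turned back on, then check_cgi_script /var/www/cgi-bin/tryit.cgi before pointing a browser at it; a non-zero return is the list of things still to fix, and a FAIL on the context line usually means the script was moved in with mv rather than copied and needs restorecon.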
Beginning with that configuration, you can enable CGI scripting and use SELinux to secure the scripts.

1. Confirm that your Web server is configured as described in the section "Securing Apache (static content only)" on page 9.

2. Red Hat Enterprise Linux provides a CGI script that you can use for testing: /usr/lib/perl5/5.8.8/CGI/eg/tryit.cgi. Copy this script to the /var/www/cgi-bin/ directory:

$ cp /usr/lib/perl5/5.8.8/CGI/eg/tryit.cgi /var/www/cgi-bin/

3. Make sure that the first line of the tryit.cgi script contains the correct path to the perl binary. The which perl output below shows that the path should be changed to #!/usr/bin/perl:

# which perl
/usr/bin/perl
# head -1 /var/www/cgi-bin/tryit.cgi
#!/usr/local/bin/perl

4. Confirm that /var/www/cgi-bin is assigned the httpd_sys_script_exec_t context type:

$ ls -Z /var/www/ | grep cgi-bin
drwxr-xr-x root root root:object_r:httpd_sys_script_exec_t cgi-bin

5. Allow and confirm read and execute permission for the tryit.cgi script for all users:

# chmod 555 /var/www/cgi-bin/tryit.cgi
# ls -Z
-r-xr-xr-x root root root:object_r:httpd_sys_script_exec_t tryit.cgi

6. Confirm that /var/www/cgi-bin/tryit.cgi is assigned the httpd_sys_script_exec_t context type. A file created by cp takes the default type of its destination directory, which is why the copied script is labeled correctly; a file moved into the directory with mv keeps its old label and must be relabeled with restorecon.

$ ls -Z /var/www/cgi-bin/tryit.cgi
-r-xr-xr-x root root root:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/tryit.cgi

7. Enable CGI scripting in SELinux and confirm that it is enabled. Without -P the change lasts only until the next reboot; add -P, as in the earlier steps, if it is meant to be permanent:

$ setsebool httpd_enable_cgi=1
$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on

8. Open a Web browser and type the Web server address into the location bar, including /cgi-bin/tryit.cgi in the URL, for example http://192.168.1.100/cgi-bin/tryit.cgi. The tryit.cgi script should return output similar to Figure 1.

Figure 1: A Simple Example

9. Provide test answers to the form fields and click Submit Query. The tryit.cgi script should return output similar to Figure 2.

Figure 2: A Simple Example with results

Appendix. Related information and downloads

Related information

- Wikipedia: Security-Enhanced Linux, http://en.wikipedia.org/wiki/Selinux
- Bell-La Padula model, http://en.wikipedia.org/wiki/Bell-La_Padula_model
- NSA Security-Enhanced Linux, http://www.nsa.gov/research/selinux/index.shtml
- Managing Red Hat Enterprise Linux 5 presentation, http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
- developerWorks Security Blueprint Community Forum, http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1271
- Red Hat Enterprise Linux 4: Red Hat SELinux Guide, http://www.linuxtopia.org/online_books/redhat_selinux_guide/rhlcommon-section-0055.html
- F. Mayer, K. MacMillan, D. Caplan, "SELinux By Example: Using Security Enhanced Linux", Prentice Hall, 2007

© Copyright IBM Corp. 2009

Notices

This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Dept. LRAS/Bldg. 903
11501 Burnet Road
Austin, TX 78758-3400
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® and ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.html

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Java and all Java-based trademarks and logos are registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Printed in USA