Saturday, August 22, 2020

The Subconscious Intrusion

Burton Fitchue

Watching TV and playing computer games appear to be harmless activities for a child to engage in, but in reality they are among the most dangerous. At a young age, children's brains are like sponges; they absorb everything in their world. This trait makes children an obvious target for the media to manipulate and exploit. Violence is not necessarily forced on children, but it sets a standard for what they see as normal and tolerable in our society. The average child watches roughly twenty-eight hours of TV a week, and over half of all children in the United States have a TV in their room. Considering that censors are permitting an extensive amount of violent content to be aired, as evidenced by the record number of violent acts shown every hour, it is alarming to think that children are watching more hours of TV than the amount of time spent in school.

Although violence has always been prevalent in society, it is a growing problem. It is certainly true that violence in youth is multifactorial; poverty, child abuse, and family psychopathology can all lead a child down a path of violent behavior. Longitudinal, cross-sectional, and experimental studies have all confirmed a strong link between media violence, including TV, movies, and computer games, and aggressive behavior in children. Violence in social media and video games is dangerous because it is seen as just a game in the eyes of children; because constant exposure to violence causes desensitization; and because aggressive behavior is promoted, then imitated.

Children have shown that they can absorb much more information than one gives them credit for (Chenes 41).
A multi year old youngster taken to the motion pictures by a parent will get three out...

Friday, August 21, 2020

Bloodlines Chapter Thirteen

MY CELL PHONE RANG at the break of day the following morning. I was at that point up, being a morning person, however Jill turned over in bed and put her pad over her head. “Make it stop,” she moaned. I replied and discovered Eddie on the opposite stopping point. “I'm downstairs,” he said. “Ready to rehearse some self-preservation before it gets too hot.” “You will need to do it without me,” I said. I had an inclination Eddie was taking his guarantee to Clarence about preparing us genuinely. I felt no such commitment. “I have a huge amount of schoolwork to do. That, and I'm certain Ms. Terwilliger's going to cause me to do an espresso run today.” “Well, at that point send Jill down,” said Eddie. I looked over to the case of covers on her bed. “That may be simpler said than done.” Shockingly, she figured out how to awaken herself enough to brush her teeth, take anti-inflammatory medicine for a cerebral pain, and toss on some exercise garments. She said goodbye to me, and I vowed to beware of them later. Not long from that point forward, Ms. Terwilliger called with her espresso request, and I set myself up for one more day of attempting to fit in my own work with hers. I rolled over to Spencer's and didn't see Trey until I was standing directly before him. “Ms. Terwilliger's?” he asked, highlighting the caramel sauce cappuccino. “Huh?” I turned upward. Trey was my clerk. “You work here?” He gestured. “Gotta make going through cash somehow.” I gave him some money, noticing that he'd charged me marked down. “Don't misinterpret this, yet you don't look so great,” I let him know. He watched drained and exhausted around the edges. Closer examination demonstrated wounds and cuts too. “Yeah, well, I had sort of a harsh day yesterday.” I faltered. That was a main remark, yet there was nobody in line behind me. “What happened?” I asked, realizing it was normal. Trey glowered.
“That butt face Greg Slade unleashed ruin in football tryouts yesterday. That is to say, the outcomes aren't up yet, however it's quite clear he will get quarterback. He resembled a machine, simply furrowing folks over.” He expanded his left hand, which had some swathe wrapped fingers. “He stepped on my hand too.” I recoiled, recollecting Slade's wild physicality in PE. The governmental issues of secondary school football and who was quarterback weren't that critical to me. Valid, I felt frustrated about Trey, however it was the source behind the tattoos that captivated me. Keith's admonitions about not raising a ruckus rang back to me, yet I couldn't stop myself. “I think about the tattoos,” I said. “Julia and Kristin educated me concerning them. Furthermore, I get now why you were dubious of mine - yet it's not what you think. Really.” “That's not what I've heard. The vast majority believe you're trying to say that since you would prefer not to tell where you got it.” I was somewhat shocked by that. I was almost certain Julia and Kristin had trusted me. Is it safe to say that they were really spreading around the inverse? “I had no idea.” He shrugged, a little grin all the rage. “Don't stress. I trust you. There's something sort of gullibly enchanting about you. You don't appear the cheating type.” “Hey,” I chided. “I'm not naive.” “It was a compliment.” “How long have these tattoos been around?” I asked, concluding it was ideal to move in. “I heard since last year.” He gave me my espresso, thinking. “Yeah, yet it was the finish of a year ago. School year, I mean.” “And they originate from a set called Nevermore?” “As far as I know.” Trey peered toward me dubiously. “Why?” “Just curious,” I said pleasantly. A few school kids dressed like rich homeless people got in line behind me and respected us eagerly.
“Can we get some assistance here?” Trey gave them a hardened grin and afterward feigned exacerbation at me as I moved away. “See you around, Melbourne.” I went to Amberwood and conveyed Ms. Terwilliger's espresso. I wasn't in the mind-set to remain chained to her throughout the day, so I inquired as to whether I could go somewhere else on the off chance that I kept my mobile phone convenient. She concurred. The library had an excessive amount of action and - incidentally - clamor for me today. I needed the isolation of my room. As I was slicing over the yard to get the bus, I recognized some natural figures behind a group of trees. I altered course and discovered Jill and Eddie getting down to business in a little clearing. Micah sat with folded legs on the ground, observing energetically. He waved at me as I drew closer. “I didn't understand your sibling was a kung-fu master,” he commented. “It's not kung fu,” said Eddie abruptly, never taking his eyes off Jill. “Same difference,” said Micah. “It's still pretty badass.” Eddie bluffed, similar to he was going to strike next to Jill. She reacted decently fast with a square, however not exactly quick enough to coordinate him. Had he been not kidding, he would have hit her. In any case, he appeared to be satisfied with her reaction time. “Good. That would avoid some portion of a hit, however you'd in any case feel it. Best is in the event that you can dodge and avoid inside and out, however that takes somewhat more work.” Jill gestured faithfully. “When would we be able to take a shot at that?” Eddie respected her with satisfaction. That articulation mellowed after a couple of seconds of study. “Not today. A lot of sun.” Jill began to dissent and afterward halted herself. She had that exhausted from-the-light look again and was perspiring vigorously. She looked up at the sky for a second, as if imploring it to give us some overcast spread.
It stayed lethargic, so she gestured at Eddie. “All right. Yet, we're doing this tomorrow simultaneously? Or then again prior possibly. Or on the other hand possibly today around evening time! Might we be able to do both? Practice today around evening time when the sun's going down and afterward again toward the beginning of the day? Would you mind?” Eddie smiled, delighted at her energy. “Whatever you want.” Grinning back, Jill plunked down close to me, getting into however much shade as could reasonably be expected. Eddie respected me hopefully. “What?” I inquired. “Aren't you expected to figure out how to toss a punch?” I jeered. “No. When might I ever need to do that?” Jill bumped me. “Do it, Sydney!” Hesitantly, I permitted Eddie to give me a snappy exercise on throwing a right hook without harming my deliver the procedure. I scarcely focused and felt like I was for the most part giving diversion to the others. When Eddie got done with me, Micah asked, “Hey, would you mind giving me some ninja moves too?” “They have nothing to do with ninjas,” fought Eddie, as yet grinning. “Come on up.” Micah jumped to his feet, and Eddie strolled him through some simple advances. More than anything, it appeared as though Eddie was evaluating Micah and his capacities. Inevitably, Eddie became agreeable and let Micah practice some hostile moves to dispose of an aggressor. “Hey,” fought Jill when Eddie handled a kick on Micah. Micah disregarded it in a person sort of way. “No reasonable. You wouldn't hit me when we were practicing.” Eddie was found napping enough that Micah really got a hit in. Eddie gave him a look of hesitant regard and afterward said to Jill, “That was different.” “Because I'm a girl?” she requested. “You never kept down with Rose.” “Who's Rose?” asked Micah. “Another friend,” clarified Eddie.
To Jill, he stated: “And Rose has had years more experience than you.” “She's had more than Micah as well. You were backing off of me.” Eddie flushed and kept his eyes on Micah. “Was not,” he said. “Were too,” she murmured. As the young men fought again, she said discreetly to me, “How am I ever going to learn if he's anxious about breaking me?” I watched the folks, investigating what I was aware of Eddie up until now. “I believe it's more confounded than that. I think he additionally just trusts you shouldn't need to face the challenge - that if he's doing a sufficient activity, you shouldn't need to guard yourself.” “He's working admirably. You ought to have seen him at the attack.” Her face got that spooky look it did at whatever point the assault that had driven her into stowing away was referenced. “But I despite everything need to learn.” She brought down her voice significantly more. “I truly need to figure out how to utilize my enchantment to battle as well, not that I'll get a lot of training in this desert.” I shivered, reviewing her showcase from the prior night. “There'll be time,” I said ambiguously. I stood up, saying I needed to go complete some work. Micah inquired as to whether they needed to eat. Eddie said yes right away. Jill sought me for help. “It's simply lunch,” said Eddie genuinely. I realized he despite everything thought Micah was innocuous. I didn't have the foggiest idea, yet subsequent to perceiving how captivated Jill was with Lee, I figured Micah would need to make some really forceful moves to go anyplace. “I'm sure it's fine,” I said. Jill looked diminished, and the gathering took off. I went through the day polishing off that hopeless book for Ms. Terwilliger. I despite everything thought replicating the ancient spells and ceremonies verbatim was an exercise in futility.
The main point I could see for it was that in the event that she could possibly do need to reference them for her examination, she would have a simple PC document to check and not hazard harm to the old book. It was evening when I completed that and my other schoolwork. Jill still wasn't back, and I chose to utilize the chance to keep an eye on something that had been pestering me. Prior in the day, Jill had referenced Eddie protecting her in the assault. I'd felt from the earliest starting point that there was something odd about that underlying assault, somethin

Saturday, June 6, 2020

SAT Chinese Subject Test

Ni hao Magooshers! Mr. B here. In the past few years, Chinese (Mandarin) has become one of the most popular languages for American students to learn in high school. China is certainly an exciting country, something I got to discover for myself in the summer of 2013. If you’re a high school student studying Chinese, I sincerely hope that you get to put your Chinese skills to use in a study abroad or work opportunity.

In China, you, too, can eat Sichuan hot pot. It’s face-meltingly delicious!

Chinese is a tough language, for sure, but if you know your stuff, you need to flaunt it. It’s time to take the SAT Chinese Subject Test! In this article I’ll go over the SAT Chinese Subject Test, making sure that you know everything about this important test before you sit down to take it. If you get to the end of the article and still have questions, make sure to check out the official College Board website to learn more!

Should I take it?

Even if you’ve taken Chinese all throughout high school, it’s not likely that you’re fluent. The College Board understands this. That’s why the test is geared to students who have taken 2-4 years of Chinese in high school. It’s still going to be tough, but it’s not an impossible undertaking. Also, it’s worth mentioning that one of the hardest parts of Chinese for Americans is speaking Chinese. Fortunately for you, there is no part of the test where you have to speak. Yet there is a listening section. We’ll get to that in a second. So, in summary, if you’ve been taking Chinese for a few years, and done well in class, the SAT Chinese Subject Test is a good idea.

What’s on the test?

As already mentioned, ‘all the Chinese’ is not on the test. But you still need to know your stuff. Let’s take a look at what you’ll encounter on this 60-minute, 75-question test.

Listening Comprehension (Weighted 33%): Yep, you need to bring your CD player. Expect to listen to two different narratives. One will ask you to participate by choosing responses that continue the conversation. The second narrative will have questions in English asking you about what was said.

Usage (Weighted 33%): It’s time to complete some sentences! Fortunately for you, there are four ways for you (someone still learning Chinese) to answer: traditional Chinese, simplified Chinese, Pinyin, and the phonetic alphabet. The College Board has provided these options to cater to both native Chinese speakers and those (like you) who might have learned the written language in a variety of ways.

Reading Comprehension (Weighted 33%): Expect passages presented in both traditional and simplified Chinese, along with questions in English. A great deal of these questions are ‘you know it or you don’t’ type questions, though expect one or two inference questions for each passage you encounter.

When should I take it?

Basically, you have two options. Feel confident in your skills and want the results to be used in college admissions decisions? If so, take the test early on in your senior year of high school. Yet if your goal is to get into a higher level Chinese class in college, take the test at the end of your senior year. This way your Chinese skills will be at their peak.

Final Thoughts

Though there is a lot to know for the SAT Chinese Subject Test, the test itself is rather straightforward. Even so, get out there and take a few practice tests between now and test day. And don’t forget to enjoy yourself. It is summer, after all. 🙂

Wednesday, May 6, 2020

The Power Of Good And Evil in Flannery O'Connor's A Good...

The Power Of Good And Evil in Flannery O'Connor's A Good Man is Hard to Find

Good and bad. Right and wrong. Guilty and Innocent. These are just a few of the many themes that surround everyone's life. Everyone has their own opinion about certain issues, and they depend on their values, judgment, and beliefs to see them through their difficulties. Flannery O'Connor was quoted as saying, "I see from the standpoint of Christian orthodoxy. This means the meaning of life is centered in our Redemption by Christ and that what I see in the world I see in relation to that" (Contemporary Authors 402). These themes are present in O'Connor's story A Good Man is Hard to Find. The story is about a grandmother, a good woman who goes on ... Her writing is about the existential struggle with the principle of destruction traditionally called the Devil (Contemporary Authors 403).

The day of the trip Grandma is the first packed and ready to go. She does not want to leave the cat because, as she says, he would miss her too much (O'Connor 907). This comment would suggest that the grandmother thinks highly of herself and believes she is the most important person in the family. While everyone else is in comfortable travel clothes, Grandma is dressed formally. She had on a navy blue straw sailor hat with a bunch of white violets on the brim and a navy dress with a small white dot in the print (O'Connor 907). Both incidents are prime examples that show the grandmother's behavior.

We see that the grandmother is selfish and uncaring. She claims that she is a good person, yet she criticizes everyone and always wants to get her way. She hides the cat and lies about it to her son; she did not consider how anyone would feel about her bringing the cat. Yet, on the other hand, she is very concerned with social opinion. She is dressed nicely; her excuse is that in case of an accident anyone seeing her dead on the highway would know that she was a lady (O'Connor 907). This shows that the grandmother was very concerned with people's opinion. She acted proper, had strong virtues, values; a good woman in her view. But she was a self-centered person who judged others harshly, so that she would look good.

Poetry Appreciation Of Earle Birney's David

Earle Birney's ballad, David, is a very emotional piece of literature. The poem is narrative, as told through the eyes of Bob, David's friend. The theme that follows throughout this poem is the onset of maturity and all the barriers that must be overcome as one moves through this period in their lives. Bob and David live a carefree life filled with adventures in the mountains until a tragedy strikes their very existence. Bob must make the most difficult decision of whether to end his friend's misery. He loses his innocence or, as Bob says, the last of my youth through this experience. Bob makes the decision to do what his friend wants by pushing him over the cliff instead of doing what he first thought was right in trying to save his friend by going for help. The environment, character development and imagery play a key role in setting the cynical tone. The choice of descriptive words in this poem makes it easier for the reader to understand and accept the decisions that are made and which capture the reader's emotions on different levels.

David, written by Earle Birney, displays two distinct and different characters. The two characters are David and Bobbie. They are both avid climbers who love their jobs in the mountains. They seek the thrill of new adventures and challenges. Though, both characters are very unique. David is older and wiser. He is more mature and patient. He teaches new things to Bob and has the skills to survive in the mountains. It is David who saves Bob from falling and in doing so, slips and falls himself. Even then he accepts his fate by stating that he had not checked his footing well enough. David's attitude toward mercy killing is, he feels that when an animal or human is suffering because of an injury or illness it should be taken out of its misery. Bob does not feel that this is right in the beginning when he finds a robin and wants to tame it. David quickly took the robin and killed it because it could never fly. Later Bob has to make the same decision concerning his friend when he is lying on the ledge asking to be rolled over the side of the mountain. In the end, Bob realizes that it is right to end the suffering, which is shown when he pushes his friend off the cliff to put an end to his pain. Bob is less experienced and younger than David. He is innocent though he learns many valuable lessons throughout the poem. Bob is crucial to the story for he represents the theme, which is of his loss of innocence. He learns to make difficult decisions and to live with them through their shared experiences.

Setting in Earle Birney's poem, David, is important in creating the mood and displaying the theme. It shows the true characters by showing them in an environment which they love. David is patient and wise which is shown in the ways storm in the mountains. Both characters loved nature and the mountains which they climbed. They learned many lessons from their experiences and the environment, for example, patience in waiting out the storm and letting the ice melt. The setting is described in great detail and it aids in foreshadowing the end with the description of the talon which David named the finger. David dies in the environment which he loved.

Imagery and foreshadowing are evident in this poem and help reflect the theme. When David and Bob come across an injured robin, Bob wishes to keep it but David kills it for he wanted to put it out of its misery.
David displays compassion by committing this act and it foreshadows the decision that Bob will soon have to face. Also, when they find a goat's skull it foreshadows danger and perhaps a fatal fall. Even though they are skilled climbers, even a goat can fall to its death on the dangerous mountains.

Earle Birney's David contains a rich collection of important values, choices and qualities that exist in everyone's life. It is a story about life and death, of sacrifice and love. The strong friendship between David and Bob is demonstrated throughout the poem. The willingness to live with the consequences of one's decisions and the changes that happen because of these decisions. The shared love for nature and the mountains, its beauty and its dangers each contribute to the choices everyone has to make at different times in their lives. The strength, endurance, challenges, risks and obstacles that everyone encounters in our lives are represented in this poem. David brings out the best in everyone and challenges each of us to examine our place and our decisions in this world in a new way.

Sunday, April 19, 2020

This Study Guide Is A Suggestion On Which Areas To Focus On For The Es

This study guide is a suggestion on which areas to focus on for the midterm; ask your TA if you have questions or need clarification!
Terms that are *ed are those which require knowing the definition of the term only, unless otherwise noted.
Items not listed on the study guide will NOT be covered on the exam.

Chapters 1 & 2 material

psychoactive drug* - having effects on thoughts, emotions or behavior

the four pharmacological revolutions
1. Vaccines - Pasteur, Jenner, and Koch - convince the public that medicine is very powerful in benefiting people
2. Antibiotics - curing or preventing diseases, penicillin
3. Psychopharmacology - the study of the behavioral effects of drugs, on mind, emotions, and perceptions such as schizophrenia
4. Oral contraceptive - drugs used by healthy people to gain chemical control over their own bodies

the four types of drug-induced toxicity
1. Acute - short term effects of a single dose
2. Chronic - long term effects of repeated use
3. Behavioral - resulting from the behavioral effects of a drug
4. Physiological - physical effects on body

DAWN - what it is and what it measures, the limitations of DAWN as a reporting system, and the top three drugs on the DAWN lists - total deaths from illicit drugs compared with those from alcohol alone and cigarettes alone
Drug Abuse Warning Network - collects data on drug related crises from hospital emergency rooms around the country **ASK**
DAWN does not correct for frequency of use
DAWN TOP 3
1. Alcohol-in-combination
2. Cocaine
3. Heroin/Morphine
Alcohol deaths = 100,000
Cigarette deaths = 400,000
Illicit deaths = 15,000

relationships between crime and drug use - what are they
1. Drug causes crime
2. Drug use might cause criminal behavior when the person is under the influence
3. Crimes carried out for the purpose of obtaining $ to purchase illicit drugs
4. Illicit drug use is a crime

Article 38 - be able to recognize the main examples given in each category of the drug problem as given by this author (specifically within the crime, economy, health, international politics, morality and civil liberties sections)
what is the author's position on legalization of drugs?
do not need to know the specific numbers given for costs of drugs

Chapters 5 & 6 material

the life-cycle of a neurotransmitter, how chemical signaling occurs
how drugs work in this chemical signaling process (e.g. cocaine prevents reuptake of dopamine), also section on p.125 on possible mechanisms of drug actions
limbic/mesolimbic systems and their roles in reward, pleasure center
know the major neurotransmitters and their general actions in the CNS
dose-response curve/relationship*
potency*
routes of administration - know what they are, how they deliver drug to the CNS, their relative characteristics

Article 10 - need to know the various ways dopamine affects neurotransmitter actions (in specific, such as how cocaine works in achieving a high and influencing dependence)
be able to recognize the article's main points about addiction (the role of genes, the role of environment, role of dopamine, role of other factors)
do not need to know the specific #s (for drug usage rates) given in article

Chapters 8 & 9 material

barbiturates*, benzodiazepines*, phenothiazines/antipsychotics*
uses of these three above groups clinically and recreationally
the different levels of psychological and physical dependence of the three groups
know the principles of dependence, withdrawal, and CNS actions in terms of dose and type (short v. long acting and quick v. gradual time of onset) for barbiturates and benzodiazepines
methaqualone section
date rape drug section
inhalants - know the general types and the health effects associated with use, reasons for using
mechanism of action of the antipsychotics (i.e. blocking receptors for the neurotransmitters)

Chapters 10 & 11 material

metabolism - do not need to know specifics, but know role of liver and the rate of alcohol elimination
the specific effects of varying BAC on behaviors (e.g. Table 10.2)
know how to calculate BAC if given amount of drinks, what type of drink, and how long drinking, if then given info from chart of BAC and amount of drinks associated with that BAC for a given weight/gender (e.g. - if a 200 lb male consumes 10 cans of beer in 4 hours, what is BAC (given the chart section of: 1 beer, .019; 2 beers, .037; 4 beers, .070; 6 beers, .110; 8 beers, .150; 10 beers,

Sunday, March 15, 2020

How to Write a Letter of Continued Interest

The college admissions process can be cruel, especially to those students who find themselves in limbo because they've been deferred or waitlisted. This frustrating status tells you that the school thought you were a strong enough applicant to admit, but you weren't among the first round of top-choice candidates. As a result, you're left waiting to find out what your future might hold. On the plus side, you haven't been rejected, and you can often take action to improve your chances of getting off the waitlist and eventually being admitted.

What to Include in a Letter of Continued Interest

Assuming the college does not explicitly state that you shouldn't write, your first step when you find that you've been deferred or waitlisted should be to write a letter of continued interest. The tips below can help guide you as you craft your letter.

- Address your letter to the admissions officer assigned to you, or the Director of Admissions. In most cases, you'll be writing to the person who sent you the waitlist or deferral letter. An opening such as "To Whom it May Concern" is impersonal and will make your message seem generic and cold.
- Restate your interest in attending the college, and give a couple of specific reasons why you want to attend. Is there a program that excites you? Did you visit the campus and feel the college was a good match? Does the college line up with your professional and personal goals in a specific way?
- If the college is your first choice school, don't be shy about telling this to the admissions committee. When colleges give offers of admission, they want students to accept those offers. A strong yield makes the school look good and helps the admissions staff meet their enrollment goals efficiently.
- Let the college know if you have new and significant information to add to your application. Since you originally applied, did you get new and better SAT/ACT scores? Did you win any meaningful awards or honors? Has your GPA gone up? Don't include trivial information, but don't hesitate to highlight new accomplishments.
- Thank the admissions folks for taking the time to review your application materials.
- Make sure you include current contact information so that the college can reach you. Waitlist activity can occur in the summer, so make sure the college can contact you even if you are traveling.

To see what an effective letter might look like, here are a couple of sample letters of continued interest. Notice that they are not long. You don't want to impose too much on the time of the admissions staff.

What to Not Include in a Letter of Continued Interest

There are various things you shouldn't include in a letter of continued interest. These include:

- Anger or Frustration: You may feel both of these things, but keep your letter positive. Show that you are mature enough to handle disappointment with a level head.
- Presumption: If you write as if you are assuming you'll get off the waitlist, you are likely to come off as arrogant.
- Desperation: You won't be improving your chances if you tell the college that you have no other options, or that you'll die if you don't get in. Highlight your continued interest, not your unenviable position on the waitlist.

General Guidelines for a Letter of Continued Interest

- Make sure the college accepts letters of continued interest. If your waitlist or deferral letter states that you should send no further materials, you should respect the college's wish and show that you know how to follow directions.
- Send the letter as soon as you learn that you have been deferred or waitlisted. Your promptness helps show your eagerness to attend (demonstrated interest is essential!), and some schools start admitting students from their waitlists soon after creating lists.
- Keep the letter to a single page. It shouldn't ever take more space than that to state your continued interest, and you should be respectful of the busy schedules of the admissions staff.
- A physical letter isn't always the best option. Read the admissions website to see if the college tends to ask for materials electronically or physically. An old-school paper letter looks nice and is easy to slip into an applicant's physical file, but if a college is handling all application materials electronically, someone will have the inconvenience of scanning your paper letter to include it in your file.
- Attend to grammar, style, and presentation. If your letter of continued interest looks like it was dashed off in two minutes and written by a third-grader, you'll be hurting your chances, not helping them.

A Final Word

Will your letter of continued interest improve your chances of getting in? It might. At the same time, you should be realistic. In most cases, the odds of getting off a waitlist are not in your favor. But when a college does turn to the waitlist, or when the school looks at the general applicant pool in the case of deferral, demonstrated interest matters. Your letter of continued interest is no magic admission bullet, but it certainly can play a positive role in the process.

Thursday, February 27, 2020

Product Launch Plan Essay Example | Topics and Well Written Essays - 750 words

Nonetheless, the target consumers are middle class groups, who are highly involved in the media-saturated world attributable to things like advertisements, the internet and mobile phones.

Company SWOTT analysis

Strengths

The company is located in Italy, which is a country associated with a tradition of pioneering production of wine. In fact, this is a tradition that would enable the company to have a good reputation, and the customers will have confidence in its products (Marini & Tepponen, 2012). The company will be situated in a country that has favorable climate conditions, given that Italy is a country that covers an area with different types of climatic zones; in this case, this will provide an ideal location for increased productivity of grapes used for making wine. In 2011, trends of wine sales were attributed to the establishment of modern concepts, which contrast with the conservative French culture (Marini & Tepponen, 2012). In fact, France has a wine market that is highly competitive due to the introduction of flavored wines.

Weaknesses

Structures of Italian vineyards lack a specific strategy, given that the sector is highly concentrated with small wineries that are owned by families, and this has a negative impact on production (Marini & Tepponen, 2012). The company is likely to face challenges due to unfamiliarity with French culture and customs; in fact, this may have a negative impact on the effort to venture into the market (Marini & Tepponen, 2012).

Opportunities

In France, there are potential customers who have developed tastes and preferences for wine; in fact, they are able to rank these products based on value over volume, leading to willingness to pay high prices per unit (Marini & Tepponen, 2012). There are opportunities derived through wine intelligence in the French market, whereby models are being developed to facilitate market growth and the ascendancy of wine; thus, the consumers will develop ways of distinguishing between various categories of wine (Marini & Tepponen, 2012). On the other hand, the company can focus on establishing a single brand with consistency in quality and taste, and it will be associated with Italy.

Threats

The French market has been surpassed by other markets such as Australia and Britain; thereby a decision to venture into this market poses a threat of reduced profitability compared to other markets (Marini & Tepponen, 2012). There are other threats emanating from a decrease in the number of wine drinkers; in fact, this is a tradition that has been introduced in the market, despite high per capita among consumers in the market.

The competition

There are increased chances that Italy will lose its position as leader in the wine market due to stiff competition from other countries such as Australia, America, Chile and South Africa. However, Italy has attained a competitive advantage based on marketing strategies, whereby products are promoted through captivating images (Fernandez-Cruz, 2003). Nonetheless, this competition has led to a decrease in sales of wine in Italy; in fact, analysis in 2010 indicates that the country lost its leading position to South Africa, which attained twenty percent market share. Therefore, this

Tuesday, February 11, 2020

What Is Marriage For Essay Example | Topics and Well Written Essays - 1000 words

Marriage is a changeable conception, and it is right to accept the modern changes that concern homosexual couples. Society, like a constant variable, is trying to refute same-sex marriage using different prohibitions, but it is impossible to stop the development of the world only by refuting the existence of one or another situation. It is obvious that when opponents of gay marriage are defending their point of view, they, after a ritual condemnation of homosexuality and claims that gay marriage somehow inexplicably "threatens society" and "undermines marriage", will certainly end up with the unfortunate consequences of same-sex marriage: if we allow gay marriage then people will want to legalize polygamy and marriage with pets. But arguing this position it is possible to say that same-sex marriage never results from polygamy and, in fact, we can say that if same-sex marriage is good because it allows more people to get the benefits and advantages of family life, then polygamy is undesirable because it deprives some people of the benefits and advantages.

Let us explain the changing meaning of marriage from 1850-1950. What was marriage in those times? First of all, marriage was a kind of contract that helped to share money between families. According to Graff, "the engagement feast was the moment that the two families finished negotiations and finally signed, witnessed, and notarized the marriage contract" (Graff, 2004). In those times marriage was not seen by society as a union of two loving people. Marriage for love was the privilege of extremely poor people who had no property, and some of them did not even have two different sets of clothes. People also used marriage as a way to share labor. Giving several examples, we can say that a fisher needed a fishwife, a butcher needed a butcher wife, and so on. We can see that during the longest period of time marriage was a deal. This point of view and this view of the concept of marriage were common for

Friday, January 31, 2020

Increase in energy Essay Example for Free

Introduction

Resistance is the opposition a component has to the flow of current, and it is measured in Ohms. Resistance occurs because, as the electrons move along the wire, they collide with the metal atoms. These collisions make the atoms vibrate more, which makes the metal hotter; they also slow down the flow of electrons, causing resistance. Resistance is a measure of how hard it is for the electrons to move through the wire. There are four factors that affect resistance in a wire. They are:

1. Temperature: If the wire is heated up, the atoms in the wire will start to vibrate because of their increase in energy. This causes more collisions between the electrons and the atoms, as the atoms are moving into the way of the electrons. This increase in collisions means that the resistance of the wire will also increase.
2. Material: The type of material will affect the amount of free electrons which are able to flow through the wire. If the material has very few atoms then there will be a high number of electrons, causing a lower resistance because the electrons would have fewer collisions, making it easier for the current to flow. But if there were few free electrons there would be more atoms packed closely together, making it more difficult for the electrons to pass.
3. Wire length: If the wire is longer, then the resistance will be higher because the electrons will have a longer distance to travel and so more collisions will occur. Because of this the length increase should be proportional to the resistance increase.
4. Cross-sectional area of the wire: If the wire's width is increased the resistance will decrease. This is because of the increase in the space for the electrons to travel through. Because of this increased space between the atoms there should be fewer collisions, and more current will flow.

Resistance can be calculated using this formula: R = V/I.

Resistance can be useful in filament lamps and toasters, because if there was no resistance then the wire would not get hot and there would be no light and no toast. But on the other hand, in very big power lines you do not want to waste any electricity in heating up the power lines. That is why in the National Grid they use very wide wires, so that there are fewer collisions between the electrons and the metal atoms. That is also why the electricity is transmitted at high voltage and low current. This causes less resistance and less power is lost.

Aim

In this experiment I am going to be investigating what effect changing the cross-sectional area has on the resistance of a wire. Input variables are the things which can be changed in an experiment. In my experiment the input variable is going to be the cross-sectional area of the wire; this will be varied from thicker to thinner. Output variables are things which are predetermined by the input variables. In my experiment the output variables are amperes and volts, and these measurements will be used to calculate resistance. My circuit will include a power supply, wires, an ammeter, a voltmeter, and the subject wire. To make this experiment a fair test I am going to keep the voltage at 3 volts, and keep the length of wire at 20 cm. I am not going to change the wires, ammeter and voltmeter. I am also not going to change any of the other factors, only the cross-sectional area of the subject wire.

Prediction

I predict that if the cross-sectional area of the wire decreases then the resistance will increase in proportion to the cross-sectional area. I think this because of my prior scientific knowledge, which shows that the wider the wire, the more electrons will be able to flow through it and the fewer collisions there will be. But in a thinner wire there is less space for the electrons to move, and therefore more collisions. My tables and graphs should support my prediction.

Apparatus list:

- Power supply - used to supply an electrical current and voltage.
- An ammeter - used to measure current in amps, connected in series.
- A voltmeter - used to measure voltage, connected in parallel.
- Two different thicknesses of Nichrome wire - used to experiment on.
- Two different thicknesses of Constantan wire - used to experiment on.
- Meter ruler - used to keep the wire to 20 cm long.
- 2 crocodile clips - used to connect the subject wire to the circuit.
- Connecting wires - to connect all the components.

Safety

I have decided to take some safety precautions by keeping the voltage at 3 volts because 4 is dangerous, and by being careful when connecting the wires and while handling the live subject wire. I also wore goggles and used heat proof mats to prevent the live wire from burning the table.

Method

1. Firstly I am going to connect the voltmeter to the power supply.
2. Connect up all the wires.
3. Connect the ammeter.
4. Use crocodile clips to connect the subject wire.
5. Turn the power supply on to 3 volts.
6. The circuit should look like my diagram in the aim.
7. Write down the readings on the ammeter and voltmeter.
8. Repeat for all the thicknesses of wire.
9. After all the wires have been done, create a table and calculate the resistance of each wire.
10. Lastly, repeat all steps 2 times for reliable results.
11. Find the averages for the results you have collected.

Preliminary Work

I have decided to use 20 cm of wire as it seemed a sensible length. I also determined to use 3 volts, because 4 volts melted the wire, and 3 seemed a reasonable, safer alternative. I experimented on which of the two materials to use (Nichrome or Constantan). I compared results on two different thicknesses, SWG 32 and SWG 26, and recorded this information in three tables and three graphs.

Thursday, January 23, 2020

Religion In Schools Today :: essays research papers

The American Religious Experience

In America today we all have choices to make in regards to our religious beliefs. Many young children are brought up today confused about religion and the significance it plays in their lives. There are many sanctions and rules now on what can and can't be taught or displayed to people on public property, but it wasn't always like this. In this paper I will be discussing the American religious experience in regards to the impact religion has in the public schools.

Since 1776 the United States has grown from a nation of relatively few religious differences to one of countless religious groups. This expanding pluralism challenges the public schools to deal creatively and sensitively with students professing many religions and none. The following questions and answers concern religious holidays and public education, a subject often marked by confusion and conflict. Teachers and school officials, as well as parents and students, should approach this discussion as an opportunity to work cooperatively for the sake of good education rather than at cross purposes. School districts developing guidelines about religious holidays will want to base their policies in the shared commitment of respect for individual religious beliefs expressed in the constitutional guarantee of religious liberty. This means that public schools may neither promote nor inhibit religious belief or nonbelief. Drafters of such guidelines also will want to take account of the role of religion in history and culture. Awareness of legal issues is essential in considering religion and public education, but the law does not supply answers to every question. Within the current legal framework, schools (their boards, administrators, teachers, parents, and students) must make many practical decisions regarding religious holidays. This work can be done only by showing sensitivity to the needs of every student and willingness to steer a course between the avoidance of all references to religion on the one hand and the promotion of religion on the other.

You are probably asking yourself what the courts' decision is in all of this. The Supreme Court has ruled that public schools may not sponsor religious practices (Engel v. Vitale, 1962; Abington v. Schempp, 1963) but may teach about religion. While having made no definitive ruling on religious holidays in the schools, the Supreme Court let stand a lower federal court decision stating that recognition of holidays may be constitutional if the purpose is to provide secular instruction about religious traditions rather than to promote the particular religion involved (Florey v.

Wednesday, January 15, 2020

Selinux

Blueprints
First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server

Note: Before using this information and the product it supports, read the information in "Notices" on page 17.

First Edition (August 2009)
© Copyright IBM Corporation 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Introduction
First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
Scope, requirements, and support
Security-Enhanced Linux overview
Access control: MAC and DAC
SELinux basics
SELinux and Apache
Installing and running HTTPD
HTTPD and context types
HTTPD and SELinux Booleans
Configuring HTTPD security using SELinux
Securing Apache (static content only)
Hardening CGI scripts with SELinux
Appendix. Related information and downloads
Notices
Trademarks

Introduction

This blueprint provides a brief introduction to basic Security-Enhanced Linux (SELinux) commands and concepts, including Boolean variables. In addition, the paper shows you how to increase the security of the Apache Web server with SELinux by using these concepts. Key tools and technologies discussed in this demonstration include Security-Enhanced Linux (SELinux), mandatory access control (MAC), getenforce, sestatus, getsebool, and setsebool.
Intended audience

This blueprint is intended for Linux system or network administrators who want to learn more about securing their systems with SELinux. You should be familiar with installing and configuring Linux distributions, networks, and the Apache Web server.

Scope and purpose

This paper provides a basic overview of SELinux, SELinux Boolean variables, and hardening Apache on Red Hat Enterprise Linux (RHEL) 5.3. For more information about configuring RHEL 5.3, see the documentation supplied with your installation media or the distribution Web site. For more information about SELinux, see "Related information and downloads," on page 15.

Software requirements

This blueprint is written and tested using Red Hat Enterprise Linux (RHEL) 5.3.

Hardware requirements

The information contained in this blueprint is tested on different models of IBM System x and System p hardware. For a list of hardware supported by RHEL 5.3, see the documentation supplied with your Linux distribution.

Author names

Robert Sisk

Other contributors

Monza Lui
Kersten Richter
Robb Romans

IBM Services

Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system. Community innovation integrates leading-edge technologies and best practices into Linux. IBM® is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community. IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs. For more information about IBM and Linux, go to ibm.com/linux (https://www.ibm.com/linux)

IBM Support

Questions and comments regarding this documentation can be posted on the developerWorks Security Blueprint Community Forum: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1271

The IBM developerWorks® discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and programming techniques with other developerWorks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerWorks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered.

Typographic conventions

The following typographic conventions are used in this Blueprint:

Bold: Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects.
Italics: Identifies parameters whose actual names or values are to be supplied by the user.
Monospace: Identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type.

First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server

Scope, requirements, and support

This blueprint applies to System x® running Linux and PowerLinux. You can learn more about the systems to which this information applies.

Systems to which this information applies: System x running Linux and PowerLinux

Security-Enhanced Linux overview

Security-Enhanced Linux (SELinux) is a component of the Linux operating system developed primarily by the United States National Security Agency.
SELinux provides a method for creation and enforcement of mandatory access control (MAC) policies. These policies confine users and processes to the minimal amount of privilege required to perform assigned tasks. For more information about the history of SELinux, see http://en.wikipedia.org/wiki/Selinux.

Since its release to the open source community in December 2000, the SELinux project has gained improvements such as predefined Boolean variables that make it easier to use. This paper helps you understand how to use these variables to configure SELinux policies on your system and to secure the Apache httpd daemon.

Access control: MAC and DAC

Access level is important to computer system security. To compromise a system, attackers try to gain any possible level of access and then try to escalate that level until they are able to obtain restricted data or make unapproved system modifications. Because each user has some level of system access, every user account on your system increases the potential for abuse. System security has historically relied on trusting users not to abuse their access, but this trust has proven to be problematic. Today, server consolidation leads to more users per system. Outsourcing of Systems Management gives legitimate access, often at the system administrator level, to unknown users. Because server consolidation and outsourcing can be financially advantageous, what can you do to prevent abuse on Linux systems? To begin to answer that question, let's take a look at discretionary access control (DAC) and mandatory access control (MAC) and their differences.

Discretionary access control (DAC), commonly known as file permissions, is the predominant access control mechanism in traditional UNIX and Linux systems. You may recognize the drwxr-xr-x or the ugo abbreviations for owner, group, and other permissions seen in a directory listing. In DAC, generally the resource owner (a user) controls who has access to a resource. For convenience, some users commonly set dangerous DAC file permissions that allow every user on the system to read, write, and execute many files that they own. In addition, a process started by a user can modify or delete any file to which the user has access. Processes that elevate their privileges high enough could therefore modify or delete system files. These instances are some of the disadvantages of DAC.

In contrast to DAC, mandatory access control (MAC) regulates user and process access to resources based upon an organizational (higher-level) security policy. This policy is a collection of rules that specify what types of access are allowed on a system. System policy is related to MAC in the same way that firewall rules are related to firewalls.

SELinux is a Linux kernel implementation of a flexible MAC mechanism called type enforcement. In type enforcement, a type identifier is assigned to every user and object. An object can be a file or a process. To access an object, a user must be authorized for that object type. These authorizations are defined in a SELinux policy. Let's work through some examples and you will develop a better understanding of MAC and how it relates to SELinux.

SELinux basics

It is a good practice not to use the root user unless necessary. However, for demonstrating how to use SELinux, the root user is used in the examples in this blueprint. Some of the commands shown require root privileges to run them; for example, running getenforce and editing the /etc/selinux/config file.

Run modes

You can enable or disable SELinux policy enforcement on a Red Hat Enterprise Linux system during or after operating system installation. When disabled, SELinux has no effect on the system. When enabled, SELinux runs in one of two modes:

- Enforcing: SELinux is enabled and SELinux policy is enforced
- Permissive: SELinux is enabled but it only logs warnings instead of enforcing the policy

When prompted during operating system installation, if you choose to enable SELinux, it is installed with a default security policy and set to run in the enforcing mode.

Confirm the status of SELinux on your system. As in many UNIX or Linux operating systems, there is more than one way to perform a task. To check the current mode, run one of the following commands: getenforce, sestatus, or cat /etc/selinux/config.

- The getenforce command returns the current SELinux run mode, or Disabled if SELinux is not enabled. In the following example, getenforce shows that SELinux is enabled and enforcing the current SELinux policy:

    $ getenforce
    Enforcing

  If your system is displaying Permissive or Disabled and you want to follow along with the instructions, change the /etc/selinux/config file to run in Enforcing mode before continuing with the demonstration. Remember that if you are in Disabled mode, you should change first to Permissive and then to Enforcing.

- The sestatus command returns the current run mode, along with information about the SELinux policy if SELinux is enabled.
  In the following example, sestatus shows that SELinux is enabled and enforcing the current SELinux policy:

    $ sestatus
    SELinux status:           enabled
    SELinuxfs mount:          /selinux
    Current mode:             enforcing
    Mode from config file:    enforcing
    Policy version:           21
    Policy from config file:  targeted

- The /etc/selinux/config file configures SELinux and controls the mode as well as the active policy. Changes to the /etc/selinux/config file become effective only after you reboot the system. In the following example, the file shows that the mode is set to enforcing and the current policy type is targeted.

    $ cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    # targeted - Only targeted network daemons are protected.
    # strict - Full SELinux protection.
    SELINUXTYPE=targeted

To enable SELinux, set the value of the SELINUX parameter in the /etc/selinux/config file to either enforcing or permissive. If you enable SELinux in the config file, you must reboot your system to start SELinux.

We recommend that you set SELINUX=permissive if the file system has never been labeled, has not been labeled recently, or you are not sure when it was last labeled. File system labeling is the process of assigning a label containing security-relevant information to each file. In SELinux, a file label is composed of the user, role, and type, such as system_u:object_r:httpd_sys_content_t. Permissive mode ensures that SELinux does not interfere with the boot sequence if a command in the sequence occurs before the file system relabel is completed.
Once the system is up and running, you can change the SELinux mode to enforcing.

If you want to change the mode of SELinux on a running system, use the setenforce command. Entering setenforce enforcing changes the mode to enforcing and setenforce permissive changes the mode to permissive. To disable SELinux, edit the /etc/selinux/config file as described previously and reboot. You cannot disable or enable SELinux on a running system from the command line; you can only switch between enforcing and permissive when SELinux is enabled.

Change the mode of SELinux to permissive by entering the following command:

    $ setenforce permissive

Recheck the output from getenforce, sestatus, and cat /etc/selinux/config.

- The getenforce command returns Permissive, confirming the mode change:

    $ getenforce
    Permissive

- The sestatus command also returns a Permissive mode value:

    $ sestatus
    SELinux status:           enabled
    SELinuxfs mount:          /selinux
    Current mode:             permissive
    Mode from config file:    enforcing
    Policy version:           21
    Policy from config file:  targeted

- After changing the mode to permissive, both the getenforce and sestatus commands return the correct permissive mode. However, look carefully at the output from the sestatus command:

    $ cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    # targeted - Only targeted network daemons are protected.
    # strict - Full SELinux protection.
    SELINUXTYPE=targeted

  The Mode from config file parameter is enforcing.
  This setting is consistent with the cat /etc/selinux/config output because the config file was not changed. This status implies that the changes made by the setenforce command do not carry over to the next boot. If you reboot, SELinux returns to the run state configured in /etc/selinux/config, which is enforcing mode.

Change the running mode back to enforcing by entering the following command:

    $ setenforce enforcing

The following output confirms the mode change:

    $ getenforce
    Enforcing

Security contexts

The concept of type enforcement and the SELinux type identifier were discussed in the Overview. Let's explore these concepts in more detail.

The SELinux implementation of MAC employs a type enforcement mechanism that requires every subject and object to be assigned a type identifier. The terms subject and object are defined in the Bell-La Padula multilevel security model (see http://en.wikipedia.org/wiki/Bell-La_Padula_model for more information). Think of the subject as a user or a process and the object as a file or a process. Typically, a subject accesses an object; for example, a user modifies a file. When SELinux runs in enforcing mode, a subject cannot access an object unless the type identifier assigned to the subject is authorized to access the object. The default policy is to deny all access not specifically allowed.

Authorization is determined by rules defined in the SELinux policy. An example of a rule granting access may be as simple as:

    allow httpd_t httpd_sys_content_t : file {ioctl read getattr lock};

In this rule, the subject http daemon, assigned the type identifier of httpd_t, is given the permissions ioctl, read, getattr, and lock for any file object assigned the type identifier httpd_sys_content_t.
In simple terms, the http daemon is allowed to read a file that is assigned the type identifier httpd_sys_content_t. This is a basic example of an allow rule type. There are many types of allow rules and some are very complex. There are also many type identifiers for use with subjects and objects. For more information about rule definitions, see SELinux by Example in the "Related information and downloads" section.

SELinux adds type enforcement to standard Linux distributions. To access an object, the user must have both the appropriate file permissions (DAC) and the correct SELinux access. An SELinux security context contains three parts: the user, the role, and the type identifier. Running the ls command with the -Z switch displays the typical file information as well as the security context for each item in the subdirectory. In the following example, the security context for the index.html file is composed of user_u as the user, object_r as the role, and httpd_sys_content_t as the type identifier:

    $ ls -Z index.html
    -rw-r--r-- web_admin web_admin user_u:object_r:httpd_sys_content_t index.html

SELinux and Apache

Installing and running HTTPD

Now that you have a general understanding of the SELinux security context, you can secure an Apache Web server using SELinux. To follow along, you must have Apache installed on your system.
You can install Apache on Red Hat Linux by entering the following command:

    $ yum install httpd

Next, start the Apache http daemon by entering service httpd start, as follows:

    $ service httpd start
    Starting httpd:

HTTPD and context types

Red Hat Enterprise Linux 5.3, at the time of this writing, uses selinux-policy-2.4.6-203.el5. This policy defines the security context for the http daemon object as httpd_t. Because SELinux is running in enforcing mode, entering /bin/ps axZ | grep httpd produces the following output:

    $ ps axZ | grep http
    root:system_r:httpd_t 2555 ? Ss 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2593 ? S 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2594 ? S 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2595 ? S 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2596 ? S 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2597 ? S 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2598 ? S 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2599 ? S 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2600 ? S 0:00 /usr/sbin/httpd

The Z option to ps shows the security context for the httpd processes as root:system_r:httpd_t, confirming that httpd is running as the security type httpd_t.

The selinux-policy-2.4.6-203.el5 policy also defines several file security context types to be used with the http daemon. For a listing, see the man page for httpd_selinux. The httpd_sys_content_t context type is used for files and subdirectories containing content to be accessible by the http daemon and all httpd scripts.
Entering ls -Z displays the security context for items in the default http directory (/var/www/), as follows:

    $ ls -Z /var/www/ | grep html
    drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html

The /var/www/html directory is the default location for all Web server content (defined by the variable setting of DocumentRoot /var/www/html in the /etc/httpd/conf/httpd.conf http configuration file). This directory is assigned the type httpd_sys_content_t as part of its security context, which allows the http daemon to access its contents. Any file or subdirectory inherits the security context of the directory in which it is created; therefore a file created in the html subdirectory inherits the httpd_sys_content_t type.

In the following example, the root user creates the index.html file in the /root directory. The index.html file inherits the root:object_r:user_home_t security context, which is the expected security context for root in RHEL 5.3.

    $ touch /root/index.html
    $ ls -Z /root/index.html
    -rw-r--r-- root root root:object_r:user_home_t /root/index.html

If the root user copies the newly created index.html file to the /var/www/html/ directory, the file inherits the security context (httpd_sys_content_t) of the html subdirectory because a new copy of the file is created in the html subdirectory:

    $ cp /root/index.html /var/www/html
    $ ls -Z /var/www/html/index.html
    -rw-r--r-- root root user_u:object_r:httpd_sys_content_t /var/www/html/index.html

If you move the index.html file instead of copying it, a new file is not created in the html subdirectory and index.html retains the user_home_t type:

    $ mv -f /root/index.html /var/www/html
    $ ls -Z /var/www/html/index.html
    -rw-r--r-- root root user_u:object_r:user_home_t /var/www/html/index.html

When a Web browser or network download agent like wget makes a request to the http daemon for the moved index.html file, with user_home_t context, the browser is denied access because SELinux is running in enforcing mode.

    # wget localhost/index.html
    --21:10:00-- http://localhost/index.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    21:10:00 ERROR 403: Forbidden.

SELinux generates error messages in both /var/log/messages and /var/log/httpd/error_log. The following message in /var/log/httpd/error_log is not very helpful because it tells you only that access is being denied:

    [Wed May 20 12:47:57 2009] [error] [client 172.16.1.100] (13) Permission denied: access to /index.html denied

The following error message in /var/log/messages is more helpful because it tells you why SELinux is preventing access to the /var/www/html/index.html file: a potentially mislabeled file. Furthermore, it provides a command that you can use to produce a detailed summary of the issue.

    May 20 12:22:48 localhost setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a

Entering sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a as suggested in the previous error message returns the following detailed error message:

    $ sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a
    Summary:
    SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html).

    Detailed Description:
    SELinux has denied httpd access to potentially mislabeled file(s) (/var/www/html/index.html). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

    Allowing Access:
    If you want httpd to access this files, you need to relabel them using restorecon -v '/var/www/html/index.html'. You might want to relabel the entire directory using restorecon -R -v '/var/www/html'.

    Additional Information:
    Source Context        root:system_r:httpd_t
    Target Context        root:object_r:user_home_t
    Target Objects        /var/www/html/index.html [ file ]
    Source                httpd
    Source Path           /usr/sbin/httpd
    Port
    Host                  localhost.localdomain
    Source RPM Packages   httpd-2.2.3-22.el5
    Target RPM Packages
    Policy RPM            selinux-policy-2.4.6-203.el5
    Selinux Enabled       True
    Policy Type           targeted
    MLS Enabled           True
    Enforcing Mode        Enforcing
    Plugin Name           home_tmp_bad_labels
    Host Name             localhost.localdomain
    Platform              Linux localhost.localdomain 2.6.18-128.1.10.el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
    Alert Count           24
    First Seen            Fri May 15 13:36:32 2009
    Last Seen             Wed May 20 12:47:56 2009
    Local ID              9e568d42-4b20-471c-9214-b98020c4d97a
    Line Numbers

    Raw Audit Messages
    host=localhost.localdomain type=AVC msg=audit(1242838076.937:1141): avc: denied { getattr } for pid=3197 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3827354 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
    host=localhost.localdomain type=SYSCALL msg=audit(1242838076.937:1141): arch=40000003 syscall=196 success=no exit=-13 a0=8eaa788 a1=bfc8d49c a2=419ff4 a3=2008171 items=0 ppid=3273 pid=3197 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

Although called a summary, this output is a very detailed report that provides the necessary commands to resolve the issue. As shown below, entering /sbin/restorecon -v '/var/www/html/index.html' as suggested not only resolves the problem, but also shows how the security context for the /var/www/html/index.html file is changed.

    $ restorecon -v '/var/www/html/index.html'
    /sbin/restorecon reset /var/www/html/index.html context root:object_r:user_home_t:s0->root:object_r:httpd_sys_content_t:s0

The previous restorecon -v command changed the security context of /var/www/html/index.html from root:object_r:user_home_t to root:object_r:httpd_sys_content_t. With a root:object_r:httpd_sys_content_t security context, the http daemon can now access /var/www/html/index.html.

Use a Web browser or wget to make another request to the httpd daemon for the index.html file with a restored security context. This time, the request is permitted:

    # wget localhost/index.html
    --21:09:21-- http://localhost/index.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 0 [text/html]
    Saving to: 'index.html'

    [ ] 0 --.-K/s in 0s

    21:09:21 (0.00 B/s) - 'index.html' saved [0/0]
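The denial above comes from a mislabeled file, while the cgi-bin denial shown later on this page hits a correctly labeled directory and is controlled by a Boolean. The following script is an added example, not part of the original blueprint: it sorts AVC records for httpd_t into those cases and prints the restorecon command only where relabeling is the right fix. The function names, verdict labels and the third sample record are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage httpd_t AVC denials from audit records read on stdin.
# Function names and verdict labels are hypothetical, not part of any SELinux tool.

# classify_avc [WEBROOT]: for each "avc: denied" record whose source type is
# httpd_t, print <verdict><TAB><path><TAB><target type>, where verdict is:
#   relabel            path is under WEBROOT but carries a non-httpd type
#   boolean-or-policy  target already has an httpd_* type; check Booleans/policy
#   blocked            path is outside WEBROOT; confinement is doing its job
# Limitation: paths containing spaces are not handled.
classify_avc() {
    root=${1:-/var/www}
    awk -v root="$root" '
    /avc:/ && /denied/ {
        path = ""; stype = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "path") path = val
            # a context is user:role:type[:level]; the type is the third part
            else if (key == "scontext") { split(val, s, ":"); stype = s[3] }
            else if (key == "tcontext") { split(val, t, ":"); ttype = t[3] }
        }
        if (stype != "httpd_t") next
        if (ttype ~ /^httpd_/) verdict = "boolean-or-policy"
        else if (index(path, root "/") == 1) verdict = "relabel"
        else verdict = "blocked"
        printf "%s\t%s\t%s\n", verdict, path, ttype
    }'
}

# relabel_commands [WEBROOT]: print one restorecon command per mislabeled path.
# The commands are printed for review, not executed.
relabel_commands() {
    classify_avc "$1" | awk -F'\t' -v q="'" \
        '$1 == "relabel" { print "restorecon -v " q $2 q }'
}

# Sample input: the first two records are the AVC lines shown on this page;
# the third (/etc/shadow) is constructed for illustration.
sample_avc() {
    cat <<'EOF'
host=localhost.localdomain type=AVC msg=audit(1242838076.937:1141): avc: denied { getattr } for pid=3197 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3827354 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
host=localhost.localdomain type=AVC msg=audit(1243540116.963:248): avc: denied { getattr } for pid=2595 comm="httpd" path="/var/www/cgi-bin" dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir
host=localhost.localdomain type=AVC msg=audit(1242838099.101:1150): avc: denied { read } for pid=3197 comm="httpd" path="/etc/shadow" dev=dm-0 ino=1234567 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# Demo on the embedded sample
sample_avc | classify_avc /var/www
sample_avc | relabel_commands /var/www
```

Only the first record yields a restorecon command; relabeling would not clear the cgi-bin denial, and the /etc/shadow denial should be investigated rather than allowed.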

HTTPD and SELinux Booleans

SELinux has a set of built-in switches named Booleans or conditional policies that you can use to turn specific SELinux features on or off. Entering the getsebool -a | grep http command lists the 23 Booleans related to the http daemon, which are a subset of the 234 Booleans currently defined in the selinux-policy-2.4.6-203.el5 policy. These 23 Booleans allow you to customize SELinux policy for the http daemon during runtime without modifying, compiling, or loading a new policy. You can customize the level of http security by setting the relevant Boolean values or toggling between on and off values.

    $ getsebool -a | grep http
    allow_httpd_anon_write --> off
    allow_httpd_bugzilla_script_anon_write --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_nagios_script_anon_write --> off
    allow_httpd_prewikka_script_anon_write --> off
    allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> on
    httpd_disable_trans --> off
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> on
    httpd_rotatelogs_disable_trans --> off
    httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
    httpd_tty_comm --> on
    httpd_unified --> on
    httpd_use_cifs --> off
    httpd_use_nfs --> off

SELinux provides three command-line tools for working with Booleans: getsebool, setsebool, and togglesebool.
The getsebool -a command returns the current state of all the SELinux Booleans defined by the policy. You can also use the command without the -a option to return settings for one or more specific Booleans entered on the command line, as follows:

    $ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on

Use setsebool to set the current state of one or more Booleans by specifying the Boolean and its value. Acceptable values to enable a Boolean are 1, true, and on. Acceptable values to disable a Boolean are 0, false, and off. See the following cases for examples. You can use the -P option with the setsebool command to write the specified changes to the SELinux policy file. These changes are persistent across reboots; unwritten changes remain in effect until you change them or the system is rebooted.

Use setsebool to change the status of the httpd_enable_cgi Boolean to off:

    $ setsebool httpd_enable_cgi 0

Confirm the status change of the httpd_enable_cgi Boolean:

    $ getsebool httpd_enable_cgi
    httpd_enable_cgi --> off

The togglesebool tool flips the current value of one or more Booleans. This tool does not have an option that writes the changes to the policy file. Changes remain in effect until changed or the system is rebooted.

Use the togglesebool tool to switch the status of the httpd_enable_cgi Boolean, as follows:

    $ togglesebool httpd_enable_cgi
    httpd_enable_cgi: active

Confirm the status change of the httpd_enable_cgi Boolean:

    $ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on
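One way to audit these Booleans against what a server actually needs, as an added example that is not part of the original blueprint: the functions read getsebool -a style output on stdin, list every httpd-related Boolean that is on but not in a caller-supplied allow-list, and build the persistent setsebool -P command that turns the rest off. The function names are hypothetical; the sample listing is the default output shown on this page.

```shell
#!/bin/sh
# Added example: audit httpd-related SELinux Booleans from `getsebool -a` output.
# Function names are hypothetical; on a real system pipe in `getsebool -a`.

# enabled_httpd_booleans: print the name of every Boolean whose name contains
# "httpd" and whose state is "on" (input lines look like "name --> on").
enabled_httpd_booleans() {
    awk '$2 == "-->" && $3 == "on" && $1 ~ /httpd/ { print $1 }'
}

# unexpected_on [ALLOWED...]: print enabled httpd Booleans that are not in the
# allow-list passed as arguments (the features this server really uses).
unexpected_on() {
    allowed=" $* "
    enabled_httpd_booleans | while read -r name; do
        case "$allowed" in
            *" $name "*) ;;                  # needed by this server: leave on
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# hardening_command [ALLOWED...]: print a single setsebool -P invocation that
# persistently turns off every unexpected Boolean; print nothing if none is on.
hardening_command() {
    names=$(unexpected_on "$@" | sed 's/$/=0/' | tr '\n' ' ')
    names=${names% }
    if [ -n "$names" ]; then
        printf 'setsebool -P %s\n' "$names"
    fi
}

# Sample input: the default Boolean listing shown on this page.
sample_getsebool() {
    cat <<'EOF'
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
EOF
}

# Demo: a server that needs CGI but none of the other default-on features.
sample_getsebool | hardening_command httpd_enable_cgi
```

Because the generated command uses -P, the result survives a reboot, unlike a plain setsebool or togglesebool change.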
Configuring HTTPD security using SELinux

Securing Apache (static content only)

The default Red Hat Enterprise Linux 5.3 installation with SELinux running in enforcing mode provides a basic level of Web server security. You can increase that security level with a little effort. Because security is related to the function of the system, let's start with a Web server that only serves static content from the /var/www/html directory.

1. Ensure that SELinux is enabled and running in enforcing mode:

    $ sestatus
    SELinux status:           enabled
    SELinuxfs mount:          /selinux
    Current mode:             enforcing
    Mode from config file:    enforcing
    Policy version:           21
    Policy from config file:

2. Confirm that httpd is running as type httpd_t:

    $ /bin/ps axZ | grep http
    root:system_r:httpd_t 2555 ? Ss 0:00 httpd
    root:system_r:httpd_t 2593 ? S 0:00 httpd
    root:system_r:httpd_t 2594 ? S 0:00 httpd
    root:system_r:httpd_t 2595 ? S 0:00 httpd
    root:system_r:httpd_t 2596 ? S 0:00 httpd
    root:system_r:httpd_t 2597 ? S 0:00 httpd
    root:system_r:httpd_t 2598 ? S 0:00 httpd
    root:system_r:httpd_t 2599 ? S 0:00 httpd
    root:system_r:httpd_t 2600 ? S 0:00 httpd

3. Confirm that the /var/www/html directory is assigned the httpd_sys_content_t context type:

    $ ls -Z /var/www/
    drwxr-xr-x root root root:object_r:httpd_sys_script_exec_t cgi-bin
    drwxr-xr-x root root root:object_r:httpd_sys_content_t error
    drwxr-xr-x root root root:object_r:httpd_sys_content_t html
    drwxr-xr-x root root root:object_r:httpd_sys_content_t icons
    drwxr-xr-x root root root:object_r:httpd_sys_content_t manual
    drwxr-xr-x webalizer root root:object_r:httpd_sys_content_t usage

4. Confirm that the content to be served is assigned the httpd_sys_content_t context type. For example:

    $ ls -Z /var/www/html/index.html
    -rw-r--r-- root root root:object_r:httpd_sys_content_t /var/www/html/index.html

Use a Web browser or wget to make a request to the httpd daemon for the index.html file and you should see that permission is granted.

To increase the level of protection provided by SELinux, disable any httpd-related features that you do not want by turning off their corresponding Boolean. By default, the following six Booleans are set to on. If you do not need these features, turn them off by setting their Boolean variables to off.

    # getsebool -a|grep http|grep "--> on"
    httpd_builtin_scripting --> on
    httpd_can_sendmail --> on
    httpd_enable_cgi --> on
    httpd_enable_homedirs --> on
    httpd_tty_comm --> on
    httpd_unified --> on

httpd_can_sendmail
    If the Web server does not use Sendmail, turn this Boolean to off. This action prevents unauthorized users from sending e-mail spam from this system.

httpd_enable_homedirs
    When this Boolean is set to on, it allows httpd to read content from subdirectories located under user home directories. If the Web server is not configured to serve content from user home directories, set this Boolean to off.

httpd_tty_comm
    By default, httpd is allowed to access the controlling terminal. This access is necessary in certain situations where httpd must prompt the user for a password. If the Web server does not require this feature, set the Boolean to off.

httpd_unified
    This Boolean affects the transition of the http daemon to security domains defined in SELinux policy. Enabling this Boolean creates a single security domain for all http-labeled content. For more information, see SELinux by Example listed under the "Related information and downloads" section.

httpd_enable_cgi
    If your content does not use the Common Gateway Interface (CGI) protocol, set this Boolean to off. If you are unsure about using CGI in the Web server, try setting it to off and examine the log entries in the /var/log/messages file. The following example shows an error message from /var/log/messages resulting from SELinux blocking httpd execution of a CGI script:

    May 28 15:48:37 localhost setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l 0fdf4649-60df-47b5-bfd5-a72772207adc

    Entering sealert -l 0fdf4649-60df-47b5-bfd5-a72772207adc produces the following output:

    Summary:
    SELinux is preventing the http daemon from executing cgi scripts.

    Detailed Description:
    SELinux has denied the http daemon from executing a cgi script. httpd can be setup in a locked down mode where cgi scripts are not allowed to be executed. If the httpd server has been setup to not execute cgi scripts, this could signal a intrusion attempt.

    Allowing Access:
    If you want httpd to be able to run cgi scripts, you need to turn on the httpd_enable_cgi Boolean: "setsebool -P httpd_enable_cgi=1"
    The following command will allow this access:
    setsebool -P httpd_enable_cgi=1

    Additional Information:
    Source Context        root:system_r:httpd_t
    Target Context        root:object_r:httpd_sys_script_exec_t
    Target Objects        /var/www/cgi-bin [ dir ]
    Source                httpd
    Source Path           httpd
    Port
    Host                  localhost.localdomain
    Source RPM Packages   httpd-2.2.3-22.el5
    Target RPM Packages   httpd-2.2.3-22.el5
    Policy RPM            selinux-policy-2.4.6-203.el5
    Selinux Enabled       True
    Policy Type           targeted
    MLS Enabled           True
    Enforcing Mode        Enforcing
    Plugin Name           httpd_enable_cgi
    Host Name             localhost.localdomain
    Platform              Linux localhost.localdomain 2.6.18-128.1.10.el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
    Alert Count           1
    First Seen            Thu May 28 15:48:36 2009
    Last Seen             Thu May 28 15:48:36 2009
    Local ID              0fdf4649-60df-47b5-bfd5-a72772207adc
    Line Numbers

    Raw Audit Messages
    host=localhost.localdomain type=AVC msg=audit(1243540116.963:248): avc: denied { getattr } for pid=2595 comm="httpd" path="/var/www/cgi-bin" dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir
    host=localhost.localdomain type=SYSCALL msg=audit(1243540116.963:248): arch=40000003 syscall=196 success=no exit=-13 a0=8bd0a88 a1=bfc790bc a2=4d0ff4 a3=2008171 items=0 ppid=2555 pid=2595 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="httpd" subj=root:system_r:httpd_t:s0 key=(null)

    At the end of the previous output, listed under the Raw Audit Messages, are these lines:

    scontext=root:system_r:httpd_t:s0
    tcontext=root:object_r:httpd_sys_script_exec_t:s0
    tclass=dir

    This output shows you that httpd attempted to access a subdirectory with the httpd_sys_script_exec_t context type. This type is the context type of /var/www/cgi-bin, the directory where httpd looks for CGI scripts. The httpd daemon, with a httpd_t context type, was unable to access this subdirectory because the httpd_enable_cgi variable is set to off. With this configuration, SELinux does not allow a user or process of type httpd_t to access a directory, file, or process of type httpd_sys_script_exec_t. Therefore, the http daemon was denied access to the CGI script located in /var/www/cgi-bin. If you find similar messages in your log file, set the httpd_enable_cgi Boolean to on.

httpd_builtin_scripting
    If you did not configure Apache to load scripting modules by changing the /etc/httpd/conf/httpd.conf configuration file, set this Boolean to off. If you are unsure, turn httpd_builtin_scripting to off and check the /var/log/messages file for any httpd-related SELinux warnings. See the description of httpd_enable_cgi for an example. PHP and other scripting modules run with the same level of access as the http daemon. Therefore, turning httpd_builtin_scripting to off reduces the amount of access available if the Web server is compromised.

To turn off all six of these Booleans and write the values to the policy file by using the setsebool -P command, follow these steps:

1. Enter the setsebool -P command:

    # setsebool -P httpd_can_sendmail=0 httpd_enable_homedirs=0 httpd_tty_comm=0 httpd_unified=0 httpd_enable_cgi=0 httpd_builtin_scripting=0

2. Check all the Boolean settings related to httpd by entering getsebool -a | grep httpd. The following output shows that all Booleans are set to off, including the six previously described variables which default to on.

    $ getsebool -a | grep httpd
    allow_httpd_anon_write --> off
    allow_httpd_bugzilla_script_anon_write --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_nagios_script_anon_write --> off
    allow_httpd_prewikka_script_anon_write --> off
    allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> off
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> off
    httpd_disable_trans --> off
    httpd_enable_cgi --> off
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    httpd_rotatelogs_disable_trans --> off
    httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
    httpd_tty_comm --> off
    httpd_unified --> off
    httpd_use_cifs --> off
    httpd_use_nfs --> off

3. Use a Web browser or wget to make another request to the httpd daemon for the index.html file and you should succeed. Rebooting your machine does not change this configuration.

This completes the necessary basic SELinux settings for hardening a Web server with static content. Next, look at hardening scripts accessed by the http daemon.

Hardening CGI scripts with SELinux

In the previous section, you used SELinux Booleans to disable scripting because the Web server used only static content.
Beginning with that configuration, you can enable CGI scripting and use SELinux to secure the scripts.

1. Confirm that your Web server is configured as described in section "Securing Apache (static content only)".

2. Red Hat Enterprise Linux provides a CGI script that you can use for testing. You can find the script at /usr/lib/perl5/5.8.8/CGI/eg/tryit.cgi. Copy this script to the /var/www/cgi-bin/ directory, as follows:

    $ cp /usr/lib/perl5/5.8.8/CGI/eg/tryit.cgi /var/www/cgi-bin/

3. Make sure that the first line of the tryit.cgi script contains the correct path to the perl binary. Based on the which perl output shown below, the first line should be changed to #!/usr/bin/perl.

    # which perl
    /usr/bin/perl
    # head -1 /var/www/cgi-bin/tryit.cgi
    #!/usr/local/bin/perl

4. Confirm that /var/www/cgi-bin is assigned the httpd_sys_script_exec_t context type as follows:

    $ ls -Z /var/www/ | grep cgi-bin
    drwxr-xr-x root root root:object_r:httpd_sys_script_exec_t cgi-bin

5. Allow and confirm read and execute permission for the tryit.cgi script to all users:

    # chmod 555 /var/www/cgi-bin/tryit.cgi
    # ls -Z
    -r-xr-xr-x root root root:object_r:httpd_sys_script_exec_t tryit.cgi

6. Confirm that /var/www/cgi-bin/tryit.cgi is assigned the httpd_sys_script_exec_t context type:

    $ ls -Z /var/www/cgi-bin/tryit.cgi
    -r-xr-xr-x root root root:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/tryit.cgi

7. Enable CGI scripting in SELinux and confirm that it is enabled:

    $ setsebool httpd_enable_cgi=1
    $ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on

8. Open a Web browser and type the Web server address into the location bar. Include /cgi-bin/tryit.cgi in the URL. For example, type http://192.168.1.100/cgi-bin/tryit.cgi. The tryit.cgi script should return output similar to Figure 1.

    [Figure 1: A Simple Example]

9. Provide test answers to the form fields and click Submit Query. The tryit.cgi script should return output similar to Figure 2.

    [Figure 2: A Simple Example with results]

Appendix. Related information and downloads

Related information

- Wikipedia: Security-Enhanced Linux
  http://en.wikipedia.org/wiki/Selinux
- Bell-La Padula model
  http://en.wikipedia.org/wiki/Bell-La_Padula_model
- NSA Security-Enhanced Linux
  http://www.nsa.gov/research/selinux/index.shtml
- Managing Red Hat Enterprise Linux 5 presentation
  http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
- developerWorks Security Blueprint Community Forum
  http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1271
- Red Hat Enterprise Linux 4: Red Hat SELinux Guide
  http://www.linuxtopia.org/online_books/redhat_selinux_guide/rhlcommon-section-0055.html
- F. Mayer, K. MacMillan, D. Caplan, "SELinux By Example - Using Security Enhanced Linux", Prentice Hall, 2007

Blueprints: First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
© Copyright IBM Corp. 2009
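The denial walked through in the httpd_enable_cgi description can be triaged mechanically by pulling the source type, target type and object class out of each AVC record. The script below is an added example, not part of the IBM blueprint; the log records are constructed, and the function names (avc_field, context_type, suggest_boolean, triage_log) are hypothetical.

```shell
#!/bin/sh
# Constructed sample records (not from a real host). The first carries the
# scontext/tcontext/tclass values quoted in the text; the second is a SYSCALL
# record, which is not a denial; the third is an unrelated denial.
SAMPLE_LOG='type=AVC msg=audit(1000000000.000:1): avc:  denied  { getattr } for  pid=2595 comm="httpd" path="/var/www/cgi-bin" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir
type=SYSCALL msg=audit(1000000000.000:1): arch=40000003 syscall=196 success=no exit=-13 comm="httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1000000001.000:2): avc:  denied  { read } for  pid=2595 comm="httpd" name="notes.txt" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=value (empty if absent).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# context_type CONTEXT: print the type, the third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_boolean RECORD: print the Boolean this page ties to the denial,
# or "none" when the record is not a denial or the pair is not covered here.
suggest_boolean() {
    case "$1" in
        *"avc:"*denied*) ;;
        *) echo "none"; return 0 ;;
    esac
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    case "$src/$tgt" in
        httpd_t/httpd_sys_script_exec_t) echo "httpd_enable_cgi" ;;
        *) echo "none" ;;
    esac
}

# triage_log: read audit records on stdin, print one summary line per denial.
triage_log() {
    while IFS= read -r rec; do
        case "$rec" in *"avc:"*denied*) ;; *) continue ;; esac
        printf '%s -> %s (%s): %s\n' \
            "$(context_type "$(avc_field "$rec" scontext)")" \
            "$(context_type "$(avc_field "$rec" tcontext)")" \
            "$(avc_field "$rec" tclass)" "$(suggest_boolean "$rec")"
    done
}

printf '%s\n' "$SAMPLE_LOG" | triage_log
```

A result of "none" means only that the denial is not the httpd_t to httpd_sys_script_exec_t case described here; it still needs review before any Boolean is changed.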
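To confirm that the static-content hardening steps are still in effect, the getsebool output can be compared against the six Booleans the setsebool -P command turned off. This is an added example, not code from the blueprint; the sample output is constructed, and boolean_drift and is_hardened are hypothetical helper names.

```shell
#!/bin/sh
# The six Booleans the procedure turns off for a static-content server.
STATIC_OFF="httpd_can_sendmail httpd_enable_homedirs httpd_tty_comm httpd_unified httpd_enable_cgi httpd_builtin_scripting"

# Constructed sample of `getsebool -a | grep httpd` output: httpd_enable_cgi
# has been switched back on and httpd_unified is absent from the listing.
SAMPLE_STATE='httpd_builtin_scripting --> off
httpd_can_network_connect --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_tty_comm --> off'

# boolean_drift NAMES: read getsebool output on stdin and print one line for
# each Boolean in NAMES that is missing or not "off", in NAMES order.
boolean_drift() {
    awk -v want="$1" '
        BEGIN { n = split(want, names, " ") }
        $2 == "-->" { state[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                b = names[i]
                if (!(b in state))          print b " missing"
                else if (state[b] != "off") print b " " state[b]
            }
        }'
}

# is_hardened NAMES: exit status 0 only when stdin shows no drift.
is_hardened() {
    [ -z "$(boolean_drift "$1")" ]
}

printf '%s\n' "$SAMPLE_STATE" | boolean_drift "$STATIC_OFF"
```

On a live host, pipe `getsebool -a` into boolean_drift instead of the sample. For a server set up as in the CGI section, leave httpd_enable_cgi out of the list passed in.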