httpd_selinux(8) httpd Selinux Policy documentation httpd_selinux(8)

NAME
httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION
Security-Enhanced Linux secures the httpd server via flexible mandatory
access control.

FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file
type. Policy governs the access daemons have to these files. SELinux
httpd policy is very flexible, allowing users to set up their web
services in as secure a manner as possible.

The following file context types are defined for httpd:

httpd_sys_content_t
- Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t
scripts and the daemon to read the file, and disallow other non-sys
scripts from access.

httpd_sys_script_exec_t
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with
access to all sys types.

httpd_sys_rw_content_t
- Set files with httpd_sys_rw_content_t if you want
httpd_sys_script_exec_t scripts and the daemon to read/write the data,
and disallow other non-sys scripts from access.

httpd_sys_content_ra_t
- Set files with httpd_sys_content_ra_t if you want
httpd_sys_script_exec_t scripts and the daemon to read/append to the
file, and disallow other non-sys scripts from access.

httpd_unconfined_script_exec_t
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to
run without any SELinux protection. This should only be used for very
complex httpd scripts, after exhausting all other options. It is better
to use this type for one script than to turn off SELinux protection for
httpd altogether.

With certain policies you can define additional file contexts based on
roles like user or staff. httpd_user_script_exec_t can be defined where
it would only have access to "user" contexts.
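The following POSIX shell function is an added example, not part of this man page: it reads the "context path" lines that GNU find WEBROOT -printf '%Z %p\n' prints and flags every file whose label gives httpd more than read access, or no httpd access at all. The function and variable names and the sample listing are this example's own.

```shell
#!/bin/sh
# Added example, not from the httpd_selinux man page. Reads "context path"
# lines as printed by GNU find WEBROOT -printf '%Z %p\n' and reports the
# files whose httpd label grants more than read access, or no httpd access
# at all. Function and variable names are this example's own.

# classify_web_labels: read "user:role:type:level path" lines on stdin and
# print "CATEGORY type path" for each file worth a second look:
#   WRITABLE    httpd and sys scripts may modify it (rw / append types)
#   EXEC        runs as a confined CGI script
#   UNCONFINED  runs with no SELinux protection at all
#   FOREIGN     not an httpd type: httpd will be denied, or the file was
#               copied in from elsewhere (e.g. user_home_t) and mislabeled
# Read-only httpd_sys_content_t, the expected default, is not reported.
classify_web_labels() {
    while read -r ctx path; do
        ftype=$(printf '%s' "$ctx" | cut -d: -f3)
        case "$ftype" in
            httpd_sys_content_t) ;;
            httpd_sys_rw_content_t|httpd_sys_content_ra_t)
                printf 'WRITABLE %s %s\n' "$ftype" "$path" ;;
            httpd_sys_script_exec_t)
                printf 'EXEC %s %s\n' "$ftype" "$path" ;;
            httpd_unconfined_script_exec_t)
                printf 'UNCONFINED %s %s\n' "$ftype" "$path" ;;
            httpd_*) ;;   # other httpd types (config, logs): leave alone
            *) printf 'FOREIGN %s %s\n' "$ftype" "$path" ;;
        esac
    done
}

# Constructed find -printf output for a small web root (sample data).
SAMPLE_LABELS='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/uploads
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/form.cgi
system_u:object_r:httpd_unconfined_script_exec_t:s0 /var/www/cgi-bin/legacy.cgi
unconfined_u:object_r:user_home_t:s0 /var/www/html/copied_from_home.html'

# Live use (not run here): find /var/www -printf '%Z %p\n' | classify_web_labels
demo_labels() { printf '%s\n' "$SAMPLE_LABELS" | classify_web_labels; }
```

A FOREIGN hit under the web root is the usual cause of a mysterious 403: restorecon on the path, or a chcon as shown in this page, fixes the label.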

SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t or
public_content_rw_t. These contexts allow any of the above domains to
read the content. If you want a particular domain to write to
public_content_rw_t files, you must set the appropriate boolean,
allow_DOMAIN_anon_write. So for httpd you would execute:

setsebool -P allow_httpd_anon_write=1

or

setsebool -P allow_httpd_sys_script_anon_write=1


BOOLEANS
SELinux policy is customizable based on the least access required.
SELinux can be set up to prevent certain http scripts from working.
httpd policy is extremely flexible and has several booleans that allow
you to manipulate the policy and run httpd with the tightest access
possible.

httpd can be set up to allow cgi scripts to be executed; set
httpd_enable_cgi to allow this:

setsebool -P httpd_enable_cgi 1

SELinux policy for httpd can be set up to disallow access to users'
home directories. If you want to allow access to users' home
directories, you need to set the httpd_enable_homedirs boolean and
change the context of the files that you want people to access off the
home directory.

setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html

SELinux policy for httpd can be set up to disallow access to the
controlling terminal. In most cases this is preferred, because an
intruder might be able to use the access to the terminal to gain
privileges. But in certain situations httpd needs to prompt for a
password to open a certificate file; in these cases, terminal access is
required. Set the httpd_tty_comm boolean to allow terminal access.

setsebool -P httpd_tty_comm 1

httpd can be configured to not differentiate file controls based on
context, i.e. all files labeled with an httpd context can be
read/written/executed. Setting this boolean to false allows you to set
up the security policy such that one httpd service cannot interfere
with another.

setsebool -P httpd_unified 0

SELinux policy for httpd can be configured to disallow sending email.
This is a security feature, since it prevents a vulnerability in httpd
from being used for a spam attack. In certain situations, you may want
httpd modules to send mail. You can turn on the httpd_can_sendmail
boolean.

setsebool -P httpd_can_sendmail 1

httpd can be configured to turn off internal scripting (PHP). PHP and
other loadable modules run under the same context as httpd. Therefore
several policy rules allow httpd greater access to the system than is
needed if you only use external cgi scripts.

setsebool -P httpd_builtin_scripting 0

SELinux policy can be set up such that httpd scripts are not allowed to
connect out to the network. This would prevent a hacker who has broken
into your httpd server from attacking other machines. If you need
scripts to be able to connect, you can set the httpd_can_network_connect
boolean on.

setsebool -P httpd_can_network_connect 1

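The booleans above are easier to keep tight when checked mechanically. The following POSIX shell function is an added example, not part of this man page: it compares getsebool -a output with a least-access baseline built from the settings described above. The function, variable and baseline names are this example's own, and the constructed sample stands in for live output.

```shell
#!/bin/sh
# Added example, not from the httpd_selinux man page: compare the live httpd
# booleans with a least-access baseline. Input is getsebool -a output
# ("name --> on|off"). Function, variable and baseline names are this
# example's own; baseline values are the tightest settings the page
# describes, not the policy's shipped defaults.
# "name expected" pairs: allow_httpd_* from the sharing-files paragraph.
HTTPD_BASELINE='httpd_enable_cgi off
httpd_enable_homedirs off
httpd_tty_comm off
httpd_unified off
httpd_can_sendmail off
httpd_builtin_scripting off
httpd_can_network_connect off
allow_httpd_anon_write off
allow_httpd_sys_script_anon_write off'

# audit_httpd_booleans: read getsebool -a output on stdin; print
# "name=live (expected baseline)" for each boolean looser than the baseline
# and "name: not in loaded policy" for names getsebool does not list.
# Returns 0 when every listed boolean matches the baseline, 1 otherwise.
audit_httpd_booleans() {
    live=$(cat)
    rc=0
    while read -r name expected; do
        value=$(printf '%s\n' "$live" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$value" ]; then
            printf '%s: not in loaded policy\n' "$name"
        elif [ "$value" != "$expected" ]; then
            printf '%s=%s (expected %s)\n' "$name" "$value" "$expected"
            rc=1
        fi
    done <<EOF
$HTTPD_BASELINE
EOF
    return $rc
}

# Constructed getsebool -a excerpt (sample data, not a real host): CGI is
# off, but scripts may still reach the network and httpd_unified is on.
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_sendmail --> off
httpd_enable_cgi --> off
httpd_enable_homedirs --> off
httpd_tty_comm --> off
httpd_unified --> on'
demo_audit() { printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_httpd_booleans; }
```

On a live host, run getsebool -a | audit_httpd_booleans; a non-zero exit means at least one boolean is looser than the baseline, and each reported line names the setsebool -P command from this page that would tighten it.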

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO
selinux(8), httpd(8), chcon(1), setsebool(8)

dwalsh@redhat.com 17 Jan 2005 httpd_selinux(8)