httpd_selinux(8)      httpd Selinux Policy documentation      httpd_selinux(8)

NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon


DESCRIPTION

       Security-Enhanced Linux secures the httpd server via flexible mandatory
       access control.


FILE_CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.  Policy governs the access daemons have to these files.  SELinux
       httpd policy is very flexible, allowing users to set up their web
       services in as secure a manner as possible.

       The following file context types are defined for httpd:

       httpd_sys_content_t
       -  Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t
       scripts and the daemon to read the file, and disallow other non-sys
       scripts from access.

       httpd_sys_script_exec_t
       -  Set cgi scripts with httpd_sys_script_exec_t to allow them to run
       with access to all sys types.

       httpd_sys_rw_content_t
       -  Set files with httpd_sys_rw_content_t if you want
       httpd_sys_script_exec_t scripts and the daemon to read/write the data,
       and disallow other non-sys scripts from access.

       httpd_sys_content_ra_t
       -  Set files with httpd_sys_content_ra_t if you want
       httpd_sys_script_exec_t scripts and the daemon to read/append to the
       file, and disallow other non-sys scripts from access.

       httpd_unconfined_script_exec_t
       -  Set cgi scripts with httpd_unconfined_script_exec_t to allow them to
       run without any SELinux protection.  This should only be used for very
       complex httpd scripts, after exhausting all other options.  It is
       better to use this type rather than turning off SELinux protection for
       httpd.



NOTE

       With certain policies you can define additional file contexts based on
       roles like user or staff.  httpd_user_script_exec_t can be defined
       where it would only have access to "user" contexts.



SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t.  These contexts allow any of the above domains to
       read the content.  If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean,
       allow_DOMAIN_anon_write.  So for httpd you would execute:

       setsebool -P allow_httpd_anon_write=1

       or

       setsebool -P allow_httpd_sys_script_anon_write=1


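       As an added example (not part of this man page), the following Python
       checks `ls -Z` output against a labeling plan built from the file
       context types defined above, including public_content_t from SHARING
       FILES, and emits commands to fix any entry that has drifted.  The
       paths, the plan and the listing are constructed for the example, and
       the fix uses semanage fcontext plus restorecon rather than the chcon
       shown elsewhere on this page so that the label survives a relabel.

```python
import re
# Planned labels for a constructed web tree, using only the types this man
# page defines.  The paths are assumptions for the example, not from the page.
EXPECTED = {
    "/var/www/html":         "httpd_sys_content_t",      # daemon and sys scripts read only
    "/var/www/html/uploads": "httpd_sys_rw_content_t",   # daemon and sys scripts read/write
    "/var/www/cgi-bin":      "httpd_sys_script_exec_t",  # cgi scripts
    "/srv/pub":              "public_content_t",         # shared read-only with ftp/samba/rsync
}

# One line of `ls -Z`-style output: "<user>:<role>:<type>:<level> <path>"
CTX_RE = re.compile(r"^[^:\s]+:[^:\s]+:(?P<type>[^:\s]+):\S+\s+(?P<path>\S+)$")

def expected_type(path):
    """Longest-prefix match against EXPECTED, so a file inherits its directory's type."""
    best = None
    for prefix, t in EXPECTED.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, t)
    return best[1] if best else None

def find_mislabeled(listing):
    """Return (path, actual_type, expected_type) for every entry whose type
    differs from the plan; paths outside the plan are ignored."""
    bad = []
    for m in filter(None, map(CTX_RE.match, listing.splitlines())):
        want = expected_type(m["path"])
        if want and m["type"] != want:
            bad.append((m["path"], m["type"], want))
    return bad

def relabel_commands(bad):
    """semanage records the rule so it survives a relabel (chcon alone, as in
    the man page, does not); restorecon then applies it to the file."""
    cmds = []
    for path, _actual, want in bad:
        cmds.append(f"semanage fcontext -a -t {want} '{path}'")
        cmds.append(f"restorecon -v '{path}'")
    return cmds

# Constructed `ls -Z` output: index.html is fine, but the upload directory
# has been left read-only and the cgi script is labeled as writable content.
SAMPLE_LISTING = """\
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/uploads/avatar.png
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/cgi-bin/form.cgi
unconfined_u:object_r:public_content_t:s0 /srv/pub/readme.txt
"""
```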

BOOLEANS

       SELinux policy is customizable based on the least access required.
       SELinux can be set up to prevent certain http scripts from working.
       httpd policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run httpd with the tightest access
       possible.

       httpd can be set up to allow cgi scripts to be executed; set
       httpd_enable_cgi to allow this:

       setsebool -P httpd_enable_cgi 1


       SELinux policy for httpd can be set up so that httpd is not allowed to
       access users' home directories.  If you want to allow access to users'
       home directories, you need to set the httpd_enable_homedirs boolean and
       change the context of the files that you want people to access under
       the home directory.

       setsebool -P httpd_enable_homedirs 1
       chcon -R -t httpd_sys_content_t ~user/public_html


       SELinux policy for httpd can be set up to not allow access to the
       controlling terminal.  In most cases this is preferred, because an
       intruder might be able to use the access to the terminal to gain
       privileges.  But in certain situations httpd needs to prompt for a
       password to open a certificate file; in these cases, terminal access is
       required.  Set the httpd_tty_comm boolean to allow terminal access.

       setsebool -P httpd_tty_comm 1


       httpd can be configured to not differentiate file controls based on
       context, i.e. all files labeled with an httpd context can be
       read/written/executed.  Setting this boolean to false allows you to set
       up the security policy such that one httpd service cannot interfere
       with another.

       setsebool -P httpd_unified 0


       SELinux policy for httpd can be configured to disallow sending email.
       This is a security feature, since it prevents a vulnerability in httpd
       from being used to cause a spam attack.  In certain situations, you may
       want httpd modules to send mail.  You can turn on the
       httpd_can_sendmail boolean.

       setsebool -P httpd_can_sendmail 1

       httpd can be configured to turn off internal scripting (PHP).  PHP and
       other loadable modules run under the same context as httpd.  Therefore
       several policy rules allow httpd greater access to the system than is
       needed if you only use external cgi scripts.

       setsebool -P httpd_builtin_scripting 0


       SELinux policy can be set up such that httpd scripts are not allowed to
       connect out to the network.  This would prevent a hacker who has broken
       into your httpd server from attacking other machines.  If you need
       scripts to be able to connect, you can turn the
       httpd_can_network_connect boolean on.

       setsebool -P httpd_can_network_connect 1


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

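       As an added example, not part of this man page, the following Python
       maps constructed audit.log AVC denials for httpd to the booleans and
       content types described in this section, the way a minimal audit2why
       would, so an administrator can see which single knob a denial calls for
       before widening access.  The sample records are constructed, and the
       types httpd_sys_script_t, user_home_t, sendmail_exec_t and
       postgresql_port_t come from the reference policy rather than from this
       page.

```python
import re
# Fields of one AVC record: permissions in braces, then the source domain,
# the target type and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<sdom>[^:\s]+):\S+\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+\s+tclass=(?P<tclass>\w+)")

# httpd_t is the daemon (and PHP, which runs in the same context);
# httpd_sys_script_t is the domain httpd_sys_script_exec_t cgi scripts run in.
HTTPD_DOMAINS = {"httpd_t", "httpd_sys_script_t"}

def parse_avc(line):
    """Return (perms, source_domain, target_type, tclass), or None if not an AVC line."""
    m = AVC_RE.search(line)
    return None if m is None else (set(m["perms"].split()), m["sdom"], m["ttype"], m["tclass"])

def triage(line):
    """Map an httpd denial to the knob this man page documents for it:
    ("boolean", name) if a setsebool covers it, ("relabel", type) if the file
    just carries the wrong context, ("unknown", detail) if neither applies."""
    parsed = parse_avc(line)
    if parsed is None:
        return None
    perms, sdom, ttype, tclass = parsed
    if sdom not in HTTPD_DOMAINS:
        return None                          # not an httpd denial; out of scope
    if tclass == "tcp_socket" and "name_connect" in perms:
        return ("boolean", "httpd_can_network_connect")
    if ttype in ("user_home_t", "user_home_dir_t"):
        return ("boolean", "httpd_enable_homedirs")   # and chcon ~user/public_html
    if ttype == "sendmail_exec_t" and "execute" in perms:
        return ("boolean", "httpd_can_sendmail")
    if ttype == "httpd_sys_content_t" and perms & {"write", "append"}:
        return ("relabel", "httpd_sys_rw_content_t")  # read-only type; no boolean opens it
    return ("unknown", f"{sdom} -> {ttype}:{tclass} {sorted(perms)}")

def setsebool_lines(lines):
    """Distinct `setsebool -P` commands the denials call for.  Each one widens
    httpd's access, so confirm the denied action was intended before applying."""
    bools = sorted({r[1] for r in map(triage, lines) if r and r[0] == "boolean"})
    return [f"setsebool -P {b} 1" for b in bools]

# Constructed audit.log AVC records (not real captures), one per case above.
SAMPLE_AVC = [
    'type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1700000001.124:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="sda1" ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1700000002.125:458): avc:  denied  { execute } for  pid=1236 comm="php" name="sendmail" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1700000003.126:459): avc:  denied  { write } for  pid=1237 comm="httpd" name="upload.bin" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0',
]
```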

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com>.



SEE ALSO

       selinux(8), httpd(8), chcon(1), setsebool(8)




dwalsh@redhat.com                 17 Jan 2005                 httpd_selinux(8)