1httpd_selinux(8) httpd Selinux Policy documentation httpd_selinux(8)
2
3
4
6 httpd_selinux - Security Enhanced Linux Policy for the httpd daemon
7
9 Security-Enhanced Linux secures the httpd server via flexible mandatory
10 access control.
11
13 SELinux requires files to have an extended attribute to define the file
14 type. Policy governs the access daemons have to these files. SELinux
15 httpd policy is very flexible allowing users to setup their web ser‐
16 vices in as secure a method as possible.
17
18 The following file contexts types are defined for httpd:
19 httpd_sys_content_t
20 - Set files with httpd_sys_content_t for content which is available
21 from all httpd scripts and the daemon.
22 httpd_sys_script_exec_t
23 - Set cgi scripts with httpd_sys_script_exec_t to allow them to run
24 with access to all sys types.
25 httpd_sys_script_ro_t
26 - Set files with httpd_sys_script_ro_t if you want
27 httpd_sys_script_exec_t scripts to read the data, and disallow other
28 sys scripts from access.
29 httpd_sys_script_rw_t
30 - Set files with httpd_sys_script_rw_t if you want
31 httpd_sys_script_exec_t scripts to read/write the data, and disallow
32 other non sys scripts from access.
33 httpd_sys_script_ra_t
34 - Set files with httpd_sys_script_ra_t if you want
35 httpd_sys_script_exec_t scripts to read/append to the file, and disal‐
36 low other non sys scripts from access.
37 httpd_unconfined_script_exec_t
38 - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to
39 run without any SELinux protection. This should only be used for a very
40 complex httpd scripts, after exhausting all other options. It is bet‐
41 ter to use this script rather than turning off SELinux protection for
42 httpd.
43
44
46 With certain policies you can define addional file contexts based on
47 roles like user or staff. httpd_user_script_exec_t can be defined
48 where it would only have access to "user" contexts.
49
50
52 If you want to share files with multiple domains (Apache, FTP, rsync,
53 Samba), you can set a file context of public_content_t and public_con‐
54 tent_rw_t. These context allow any of the above domains to read the
55 content. If you want a particular domain to write to the public_con‐
56 tent_rw_t domain, you must set the appropriate boolean.
57 allow_DOMAIN_anon_write. So for httpd you would execute:
58
59 setsebool -P allow_httpd_anon_write=1
60
61 or
62
63 setsebool -P allow_httpd_sys_script_anon_write=1
64
65
67 SELinux policy is customizable based on least access required. So by
68 default SElinux prevents certain http scripts from working. httpd pol‐
69 icy is extremely flexible and has several booleans that allow you to
70 manipulate the policy and run httpd with the tightest access possible.
71
72 httpd can be setup to allow cgi scripts to be executed, set
73 httpd_enable_cgi to allow this
74
75 setsebool -P httpd_enable_cgi 1
76
77
78 httpd by default is not allowed to access users home directories. If
79 you want to allow access to users home directories you need to set the
80 httpd_enable_homedirs boolean and change the context of the files that
81 you want people to access off the home dir.
82
83 setsebool -P httpd_enable_homedirs 1
84 chcon -R -t httpd_sys_content_t ~user/public_html
85
86
87 httpd by default is not allowed access to the controling terminal. In
88 most cases this is prefered, because an intruder might be able to use
89 the access to the terminal to gain privileges. But in certain situa‐
90 tions httpd needs to prompt for a password to open a certificate file,
91 in these cases, terminal access is required. Set the httpd_tty_comm
92 boolean to allow terminal access.
93
94 setsebool -P httpd_tty_comm 1
95
96
97 httpd can be configured to not differentiate file controls based on
98 context, i.e. all files labeled as httpd context can be read/write/exe‐
99 cute. Setting this boolean to false allows you to setup the security
100 policy such that one httpd service can not interfere with another.
101
102 setsebool -P httpd_unified 0
103
104
105 httpd can be configured to turn off internal scripting (PHP). PHP and
106 other loadable modules run under the same context as httpd. Therefore
107 several policy rules allow httpd greater access to the system then is
108 needed if you only use external cgi scripts.
109
110 setsebool -P httpd_builtin_scripting 0
111
112
113 httpd scripts by default are not allowed to connect out to the network.
114 This would prevent a hacker from breaking into you httpd server and
115 attacking other machines. If you need scripts to be able to connect
116 you can set the httpd_can_network_connect boolean on.
117
118 setsebool -P httpd_can_network_connect 1
119
120
121 system-config-selinux is a GUI tool available to customize SELinux pol‐
122 icy settings.
123
125 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
126
127
129 selinux(8), httpd(8), chcon(1), setsebool(8)
130
131
132
133
134
135dwalsh@redhat.com 17 Jan 2005 httpd_selinux(8)