httpd_selinux(8)      httpd Selinux Policy documentation      httpd_selinux(8)

NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION

       Security-Enhanced Linux secures the httpd server via flexible mandatory
       access control.

FILE_CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.  Policy governs the access daemons have to these files.  SELinux
       httpd policy is very flexible, allowing users to set up their web
       services in as secure a manner as possible.

       The following file context types are defined for httpd:

       httpd_sys_content_t
       - Set files with httpd_sys_content_t for content which is available
       from all httpd scripts and the daemon.

       httpd_sys_script_exec_t
       - Set cgi scripts with httpd_sys_script_exec_t to allow them to run
       with access to all sys types.

       httpd_sys_script_ro_t
       - Set files with httpd_sys_script_ro_t if you want
       httpd_sys_script_exec_t scripts to read the data, and disallow other
       sys scripts from access.

       httpd_sys_script_rw_t
       - Set files with httpd_sys_script_rw_t if you want
       httpd_sys_script_exec_t scripts to read/write the data, and disallow
       other non-sys scripts from access.

       httpd_sys_script_ra_t
       - Set files with httpd_sys_script_ra_t if you want
       httpd_sys_script_exec_t scripts to read/append to the file, and
       disallow other non-sys scripts from access.

       httpd_unconfined_script_exec_t
       - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to
       run without any SELinux protection.  This should only be used for very
       complex httpd scripts, after exhausting all other options.  It is
       better to use this type than to turn off SELinux protection for httpd
       entirely.


NOTE

       With certain policies you can define additional file contexts based on
       roles like user or staff.  httpd_user_script_exec_t can be defined
       where it would only have access to "user" contexts.


SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t.  These contexts allow any of the above domains to
       read the content.  If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean,
       allow_DOMAIN_anon_write.  So for httpd you would execute:

       setsebool -P allow_httpd_anon_write=1

       or

       setsebool -P allow_httpd_sys_script_anon_write=1

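       The types listed under FILE_CONTEXTS and SHARING FILES only protect a
       web root if every file under it actually carries one of them; a
       directory created with a bare mkdir or a file copied out of a home
       directory keeps a label httpd cannot read.  The script below is an
       added example, not part of this manual page or of the SELinux
       reference policy.  It audits ls -Z style output against the httpd types
       named above and prints the chcon commands (the form this page uses)
       that would relabel the offenders.  The listing is a constructed sample;
       on a real host you would pipe "ls -Z /var/www/html" into
       mislabeled_entries instead.

```shell
#!/bin/sh
# Added example (not from the httpd_selinux man page): audit labels under a
# web root against the httpd file types the page defines.
# Input is constructed "ls -Z"-style output, one "<context> <name>" per line.

# Types the page lists as readable by httpd (FILE_CONTEXTS) plus the shared
# types from SHARING FILES.
HTTPD_TYPES="httpd_sys_content_t httpd_sys_script_exec_t httpd_sys_script_ro_t \
httpd_sys_script_rw_t httpd_sys_script_ra_t httpd_unconfined_script_exec_t \
public_content_t public_content_rw_t"

# Constructed sample of what "ls -Z" might print for a docroot.  Two entries
# carry labels httpd_t cannot read: default_t (a bare mkdir) and user_home_t
# (a file copied out of a home directory).
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t:s0 index.html
system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
unconfined_u:object_r:default_t:s0 uploads
unconfined_u:object_r:user_home_t:s0 banner.png
system_u:object_r:httpd_sys_script_rw_t:s0 sessions'

# Extract the type field (third colon-separated field) of a security context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if $1 is one of the httpd-accessible types, 1 otherwise.
is_httpd_type() {
    for t in $HTTPD_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Read listing lines on stdin and print "name type" for every entry whose
# type is not in HTTPD_TYPES.  Always exits 0; callers count the lines.
mislabeled_entries() {
    while read -r ctx name; do
        [ -z "$ctx" ] && continue
        ftype=$(context_type "$ctx")
        if ! is_httpd_type "$ftype"; then
            printf '%s %s\n' "$name" "$ftype"
        fi
    done
}

# Number of mislabeled entries in the constructed sample.
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LISTING" | mislabeled_entries | wc -l | tr -d ' '
}

# Print the chcon commands that would relabel each offender under docroot $1
# to httpd_sys_content_t.  Review the output before running it.
suggest_fixes() {
    printf '%s\n' "$SAMPLE_LISTING" | mislabeled_entries | while read -r name ftype; do
        printf 'chcon -R -t httpd_sys_content_t %s/%s\n' "$1" "$name"
    done
}

# Stand-alone run: report offenders and the suggested relabel commands.
printf 'mislabeled entries: %s\n' "$(count_mislabeled)"
suggest_fixes /var/www/html
```

       chcon, as used on this page, changes the label on disk but not the
       file-context rule in policy, so a later restorecon or full relabel
       reverts it; for a permanent change record the rule with
       "semanage fcontext -a -t TYPE 'PATH(/.*)?'" and then run restorecon.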

BOOLEANS

       SELinux policy is customizable based on the least access required.  So
       by default SELinux prevents certain httpd scripts from working.  httpd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run httpd with the tightest access possible.

       httpd can be set up to allow cgi scripts to be executed; set
       httpd_enable_cgi to allow this:

       setsebool -P httpd_enable_cgi 1

       httpd by default is not allowed to access users' home directories.  If
       you want to allow access to users' home directories you need to set the
       httpd_enable_homedirs boolean and change the context of the files that
       you want people to access under the home directory:

       setsebool -P httpd_enable_homedirs 1
       chcon -R -t httpd_sys_content_t ~user/public_html

       httpd by default is not allowed access to the controlling terminal.  In
       most cases this is preferred, because an intruder might be able to use
       the access to the terminal to gain privileges.  But in certain
       situations httpd needs to prompt for a password to open a certificate
       file; in these cases, terminal access is required.  Set the
       httpd_tty_comm boolean to allow terminal access:

       setsebool -P httpd_tty_comm 1

       httpd can be configured to not differentiate file controls based on
       context, i.e. all files labeled with an httpd context can be
       read/written/executed.  Setting this boolean to false allows you to set
       up the security policy such that one httpd service can not interfere
       with another:

       setsebool -P httpd_unified 0

       httpd can be configured to turn off internal scripting (PHP).  PHP and
       other loadable modules run under the same context as httpd.  Therefore
       several policy rules allow httpd greater access to the system than is
       needed if you only use external cgi scripts:

       setsebool -P httpd_builtin_scripting 0

       httpd scripts by default are not allowed to connect out to the network.
       This would prevent a hacker who breaks into your httpd server from
       attacking other machines.  If you need scripts to be able to connect,
       you can set the httpd_can_network_connect boolean on:

       setsebool -P httpd_can_network_connect 1

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

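       Because each setsebool -P above is persistent and any administrator can
       flip one later, the booleans this section documents are worth checking
       against a recorded baseline rather than trusting the last change.  The
       script below is an added example, not part of this manual page or of
       the SELinux policy tools.  It compares getsebool -a style output with a
       constructed baseline built from the booleans above (cgi on for a
       hypothetical host that serves CGI, everything else at the tighter
       setting this page describes) and prints the setsebool -P commands that
       would undo any drift.  Both the baseline and the getsebool output are
       constructed samples; on a real host you would feed the output of
       "getsebool -a | grep '^httpd_'" into current_value instead.

```shell
#!/bin/sh
# Added example (not from the httpd_selinux man page): detect drift between
# the httpd booleans actually set and a hardening baseline.
# The baseline and the "getsebool -a" output below are constructed samples.

# Baseline as "name expected" pairs.  Hypothetical host: serves CGI, so
# httpd_enable_cgi stays on; the rest follow the tighter setting this page
# describes for each boolean.
BASELINE='httpd_enable_cgi on
httpd_enable_homedirs off
httpd_tty_comm off
httpd_unified off
httpd_builtin_scripting off
httpd_can_network_connect off'

# Constructed sample of "getsebool -a" output, httpd_ lines only.
# Two booleans (builtin_scripting, can_network_connect) have drifted.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_tty_comm --> off
httpd_unified --> off'

# Current value of boolean $1 in the sample output ("on", "off", or empty).
# getsebool prints "name --> value", so the value is the third field.
current_value() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | awk -v b="$1" '$1 == b { print $3 }'
}

# Print "name expected actual" for each baseline entry whose current value
# differs from the baseline or is missing.  Always exits 0.
boolean_drift() {
    printf '%s\n' "$BASELINE" | while read -r name expected; do
        actual=$(current_value "$name")
        [ -z "$actual" ] && actual=missing
        if [ "$actual" != "$expected" ]; then
            printf '%s %s %s\n' "$name" "$expected" "$actual"
        fi
    done
}

# Number of drifted booleans.
count_drift() {
    boolean_drift | wc -l | tr -d ' '
}

# Emit the setsebool -P commands (the form used on this page) that return
# each drifted boolean to its baseline value.  Review, then run as root.
remediation_commands() {
    boolean_drift | while read -r name expected actual; do
        printf 'setsebool -P %s %s\n' "$name" "$expected"
    done
}

# Stand-alone run: show the drift report and the remediation commands.
printf 'drifted booleans: %s\n' "$(count_drift)"
boolean_drift
remediation_commands
```

       A non-zero drift count from a periodic run of this check is a useful
       detection signal in its own right: a boolean such as
       httpd_can_network_connect turning on unexpectedly widens what a
       compromised script can reach, and the audit log alone will not show it.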

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com>.


SEE ALSO

       selinux(8), httpd(8), chcon(1), setsebool(8)

dwalsh@redhat.com                 17 Jan 2005                 httpd_selinux(8)