httpd_selinux - Security Enhanced Linux Policy for the httpd daemon
Security-Enhanced Linux secures the httpd server via flexible mandatory
SELinux requires files to have an extended attribute to define the file
type. Policy governs the access daemons have to these files. SELinux
httpd policy is very flexible allowing users to setup their web
services in as secure a method as possible.
The following file contexts types are defined for httpd:
- Set files with httpd_sys_content_t if you want
httpd_sys_script_exec_t scripts and the daemon to read the file, and
disallow other non sys scripts from access.
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run
with access to all sys types.
- Set files with httpd_sys_content_rw_t if you want
httpd_sys_script_exec_t scripts and the daemon to read/write the data,
and disallow other non sys scripts from access.
- Set files with httpd_sys_content_ra_t if you want
httpd_sys_script_exec_t scripts and the daemon to read/append to the
file, and disallow other non sys scripts from access.
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to
run without any SELinux protection. This should only be used for a very
complex httpd scripts, after exhausting all other options. It is
better to use this script rather than turning off SELinux protection
With certain policies you can define additional file contexts based on
roles like user or staff. httpd_user_script_exec_t can be defined
where it would only have access to "user" contexts.
If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and
public_content_rw_t. These context allow any of the above domains to
read the content. If you want a particular domain to write to the
public_content_rw_t domain, you must set the appropriate boolean.
allow_DOMAIN_anon_write. So for httpd you would execute:
setsebool -P allow_httpd_anon_write=1
setsebool -P allow_httpd_sys_script_anon_write=1
SELinux policy is customizable based on least access required. SElinux
can be setup to prevent certain http scripts from working. httpd
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run httpd with the tightest access possible.
httpd can be setup to allow cgi scripts to be executed, set
httpd_enable_cgi to allow this
setsebool -P httpd_enable_cgi 1
SELinux policy for httpd can be setup to not allowed to access users
home directories. If you want to allow access to users home
directories you need to set the httpd_enable_homedirs boolean and
change the context of the files that you want people to access off the
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
SELinux policy for httpd can be setup to not allow access to the
controlling terminal. In most cases this is preferred, because an
intruder might be able to use the access to the terminal to gain
privileges. But in certain situations httpd needs to prompt for a
password to open a certificate file, in these cases, terminal access is
required. Set the httpd_tty_comm boolean to allow terminal access.
setsebool -P httpd_tty_comm 1
httpd can be configured to not differentiate file controls based on
context, i.e. all files labeled as httpd context can be
read/write/execute. Setting this boolean to false allows you to setup
the security policy such that one httpd service can not interfere with
setsebool -P httpd_unified 0
SELinu policy for httpd can be configured to turn on sending email.
This is a security feature, since it would prevent a vulnerabiltiy in
http from causing a spam attack. I certain situations, you may want
http modules to send mail. You can turn on the httpd_send_mail
setsebool -P httpd_can_sendmail 1
httpd can be configured to turn off internal scripting (PHP). PHP and other
loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
setsebool -P httpd_builtin_scripting 0
SELinux policy can be setup such that httpd scripts are not allowed to
connect out to the network. This would prevent a hacker from breaking
into you httpd server and attacking other machines. If you need
scripts to be able to connect you can set the httpd_can_network_connect
setsebool -P httpd_can_network_connect 1
system-config-selinux is a GUI tool available to customize SELinux
This manual page was written by Dan Walsh <email@example.com>.
selinux(8), httpd(8), chcon(1), setsebool(8)