Man Linux: Main Page and Category List

NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION

       Security-Enhanced Linux secures the httpd server via flexible mandatory
       access control.

FILE_CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.   Policy governs the access daemons have to these files.  SELinux
       httpd policy is  very  flexible  allowing  users  to  setup  their  web
       services in as secure a method as possible.

       The following file contexts types are defined for httpd:
       httpd_sys_content_t
       -     Set     files    with    httpd_sys_content_t    if    you    want
       httpd_sys_script_exec_t scripts and the daemon to read  the  file,  and
       disallow other non sys scripts from access.
       httpd_sys_script_exec_t
       -  Set  cgi  scripts  with httpd_sys_script_exec_t to allow them to run
       with access to all sys types.
       httpd_sys_content_rw_t
       -   Set    files    with    httpd_sys_content_rw_t    if    you    want
       httpd_sys_script_exec_t  scripts and the daemon to read/write the data,
       and disallow other non sys scripts from access.
       httpd_sys_content_ra_t
       -   Set    files    with    httpd_sys_content_ra_t    if    you    want
       httpd_sys_script_exec_t  scripts  and  the daemon to read/append to the
       file, and disallow other non sys scripts from access.
       httpd_unconfined_script_exec_t
       - Set cgi scripts with httpd_unconfined_script_exec_t to allow them  to
       run without any SELinux protection. This should only be used for a very
       complex httpd scripts, after  exhausting  all  other  options.   It  is
       better  to  use  this script rather than turning off SELinux protection
       for httpd.

NOTE

       With certain policies you can define additional file contexts based  on
       roles  like  user  or  staff.   httpd_user_script_exec_t can be defined
       where it would only have access to "user" contexts.

SHARING FILES

       If you want to share files with multiple domains (Apache,  FTP,  rsync,
       Samba),   you   can   set   a  file  context  of  public_content_t  and
       public_content_rw_t.  These context allow any of the above  domains  to
       read  the  content.   If  you  want a particular domain to write to the
       public_content_rw_t domain,  you  must  set  the  appropriate  boolean.
       allow_DOMAIN_anon_write.  So for httpd you would execute:

       setsebool -P allow_httpd_anon_write=1

       or

       setsebool -P allow_httpd_sys_script_anon_write=1

BOOLEANS

       SELinux policy is customizable based on least access required.  SElinux
       can be setup to prevent  certain  http  scripts  from  working.   httpd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run httpd with the tightest access  possible.

       httpd   can  be  setup  to  allow  cgi  scripts  to  be  executed,  set
       httpd_enable_cgi to allow this

       setsebool -P httpd_enable_cgi 1

       SELinux policy for httpd can be setup to not allowed  to  access  users
       home   directories.   If  you  want  to  allow  access  to  users  home
       directories you need  to  set  the  httpd_enable_homedirs  boolean  and
       change  the context of the files that you want people to access off the
       home dir.

       setsebool -P httpd_enable_homedirs 1
       chcon -R -t httpd_sys_content_t ~user/public_html

       SELinux policy for httpd can be  setup  to  not  allow  access  to  the
       controlling  terminal.   In  most  cases  this is preferred, because an
       intruder might be able to use  the  access  to  the  terminal  to  gain
       privileges.  But  in  certain  situations  httpd  needs to prompt for a
       password to open a certificate file, in these cases, terminal access is
       required.  Set the httpd_tty_comm boolean to allow terminal access.

       setsebool -P httpd_tty_comm 1

       httpd  can  be  configured  to not differentiate file controls based on
       context,  i.e.  all   files   labeled   as   httpd   context   can   be
       read/write/execute.   Setting this boolean to false allows you to setup
       the security policy such that one httpd service can not interfere  with
       another.

       setsebool -P httpd_unified 0

       SELinu  policy  for  httpd  can be configured to turn on sending email.
       This is a security feature, since it would prevent a  vulnerabiltiy  in
       http  from  causing  a spam attack.  I certain situations, you may want
       http modules to  send  mail.   You  can  turn  on  the  httpd_send_mail
       boolean.

       setsebool -P httpd_can_sendmail 1

       httpd can be configured to turn off internal scripting (PHP).  PHP and other
       loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.

       setsebool -P httpd_builtin_scripting 0

       SELinux  policy can be setup such that httpd scripts are not allowed to
       connect out to the network.  This would prevent a hacker from  breaking
       into  you  httpd  server  and  attacking  other  machines.  If you need
       scripts to be able to connect you can set the httpd_can_network_connect
       boolean on.

       setsebool -P httpd_can_network_connect 1

       system-config-selinux  is  a  GUI  tool  available to customize SELinux
       policy settings.

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO

       selinux(8), httpd(8), chcon(1), setsebool(8)