httpd_selinux(8)                httpd Selinux Policy documentation               httpd_selinux(8)



NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION
       Security-Enhanced Linux secures the httpd server via flexible mandatory access control.

FILE_CONTEXTS
       SELinux requires files to have an extended attribute to define the file type.  Policy gov-
       erns the access daemons have to these files.  SELinux httpd policy is very flexible allow-
       ing users to setup their web services in as secure a method as possible.

       The following file contexts types are defined for httpd:

              httpd_sys_content_t
              -  Set files with httpd_sys_content_t for content which is available from all httpd
              scripts and the daemon.

              httpd_sys_script_exec_t
              - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access  to
              all sys types.

              httpd_sys_script_ro_t
              -  Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts
              to read the data, and disallow other sys scripts from access.

              httpd_sys_script_rw_t
              - Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t  scripts
              to read/write the data, and disallow other non sys scripts from access.

              httpd_sys_script_ra_t
              -  Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts
              to read/append to the file, and disallow other non sys scripts from access.

              httpd_unconfined_script_exec_t
              - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run  without
              any  SELinux protection. This should only be used for a very complex httpd scripts,
              after exhausting all other options.  It is better to use this  script  rather  than
              turning off SELinux protection for httpd.


NOTE
       With  certain  policies  you can define addional file contexts based on roles like user or
       staff.  httpd_user_script_exec_t can be defined where it would only have access to  "user"
       contexts.


BOOLEANS
       SELinux policy is customizable based on least access required.  So by default SElinux pre-
       vents certain http scripts from working.  httpd policy is extremely flexible and has  sev-
       eral  booleans  that  allow  you  to manipulate the policy and run httpd with the tightest
       access possible.

       httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this

              setsebool -P httpd_enable_cgi 1


       httpd by default is not allowed to access users home directories.  If you  want  to  allow
       access  to  users  home  directories you need to set the httpd_enable_homedirs boolean and
       change the context of the files that you want people to access off the home dir.

              setsebool -P httpd_enable_homedirs 1
              chcon -R -t httpd_sys_content_t ~user/public_html


       httpd by default is not allowed access to the controling terminal.  In most cases this  is
       prefered,  because  an  intruder  might  be able to use the access to the terminal to gain
       privileges. But in certain situations httpd needs to prompt for a password to open a  cer-
       tificate  file,  in  these  cases,  terminal  access  is required.  Set the httpd_tty_comm
       boolean to allow terminal access.

              setsebool -P httpd_tty_comm 1


       httpd can be configured to not differentiate file controls  based  on  context,  i.e.  all
       files  labeled  as httpd context can be read/write/execute.  Setting this boolean to false
       allows you to setup the security policy such that one httpd service can not interfere with
       another.

              setsebool -P httpd_unified 0


       httpd can be configured to turn off internal scripting (PHP).  PHP and other
              loadable modules run under the same context  as  httpd.  Therefore  several  policy
              rules  allow  httpd  greater  access  to  the system then is needed if you only use
              external cgi scripts.

              setsebool -P httpd_builtin_scripting 0


       httpd scripts by default are not allowed to connect out to the network.
              This would prevent a hacker from breaking into you httpd server and attacking other
              machines.  If you need scripts to be able to connect you can set the httpd_can_net-
              work_connect boolean on.

              setsebool -P httpd_can_network_connect 1


       You can disable suexec transition, set httpd_suexec_disable_trans deny this

              setsebool -P httpd_suexec_disable_trans 1


       You can disable SELinux protection for the httpd daemon by executing:

              setsebool -P httpd_disable_trans 1
              system httpd restart


       system-config-securitylevel is a GUI tool available to customize SELinux policy  settings.

AUTHOR
       This manual page was written by Dan Walsh <>.


SEE ALSO
       selinux(8), httpd(8), chcon(1), setsebool(8)





                          17 Jan 2005                           httpd_selinux(8)