httpd_selinux

httpd_selinux(8)      httpd Selinux Policy documentation     httpd_selinux(8)



NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION
       Security-Enhanced Linux secures the httpd server via flexible mandatory
       access control.

FILE_CONTEXTS
       SELinux requires files to have an extended attribute that defines the
       file type.  Policy governs the access daemons have to these files.
       SELinux httpd policy is very flexible, allowing users to set up their
       web services in as secure a manner as possible.

       The following file contexts types are defined for httpd:

              httpd_sys_content_t
              - Set files with httpd_sys_content_t for content which is
              available to all httpd scripts and the daemon.

              httpd_sys_script_exec_t
              - Set cgi scripts with httpd_sys_script_exec_t to allow them to
              run with access to all sys types.

              httpd_sys_script_ro_t
              - Set files with httpd_sys_script_ro_t if you want
              httpd_sys_script_exec_t scripts to read the data, and disallow
              other sys scripts from access.

              httpd_sys_script_rw_t
              - Set files with httpd_sys_script_rw_t if you want
              httpd_sys_script_exec_t scripts to read/write the data, and
              disallow other non sys scripts from access.

              httpd_sys_script_ra_t
              - Set files with httpd_sys_script_ra_t if you want
              httpd_sys_script_exec_t scripts to read/append to the file, and
              disallow other non sys scripts from access.

              httpd_unconfined_script_exec_t
              - Set cgi scripts with httpd_unconfined_script_exec_t to allow
              them to run without any SELinux protection.  This should only be
              used for very complex httpd scripts, after exhausting all other
              options.  It is better to use this type for one script rather
              than turning off SELinux protection for httpd.
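
       Because every one of the types above only protects content that actually
       carries it, a file copied into the document root from somewhere else
       (a home directory, a tarball) keeps its old label and is either
       unreadable by httpd or, worse, readable by scripts that should not see
       it.  The following script is an added example, not part of this manual
       page or of the SELinux policy: it reads "<context> <path>" lines in the
       form that ls -Z prints on current coreutils, reports every path whose
       type is not an httpd_* type, and separately lists the paths scripts may
       write to (httpd_sys_script_rw_t / httpd_sys_script_ra_t).  The sample
       listing and the paths in it are constructed for the example.

```shell
#!/bin/sh
# Audit SELinux labels of web content.  Input lines are "<context> <path>",
# as produced by: ls -Z /var/www/html/*  (or: find /var/www -exec ls -dZ {} +)
# Added example; not part of the httpd_selinux man page.

# Constructed sample listing (hypothetical paths and labels).
SAMPLE_LABELS='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/form.cgi
system_u:object_r:httpd_sys_script_rw_t:s0 /var/www/data/uploads
unconfined_u:object_r:user_home_t:s0 /var/www/html/copied-from-home.html
system_u:object_r:default_t:s0 /var/www/html/extra'

# Extract the type field (third colon-separated element) of a context.
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# Print "MISLABELED <path> (<type>)" for every path whose type is not httpd_*.
report_mislabeled() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(context_type "$ctx")
        case "$t" in
            httpd_*) ;;
            *) printf 'MISLABELED %s (%s)\n' "$path" "$t" ;;
        esac
    done
}

# Number of mislabeled paths, so a cron job or CI check can fail on drift.
count_mislabeled() {
    report_mislabeled "$1" | wc -l | tr -d ' '
}

# Print "WRITABLE <path> (<type>)" for content that httpd_sys_script_exec_t
# scripts may modify; each such path deserves a second look.
report_writable() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(context_type "$ctx")
        case "$t" in
            httpd_sys_script_rw_t|httpd_sys_script_ra_t)
                printf 'WRITABLE %s (%s)\n' "$path" "$t" ;;
        esac
    done
}

count_writable() {
    report_writable "$1" | wc -l | tr -d ' '
}

# Emit the chcon commands that would relabel the mislabeled paths as plain
# content; review before running, since a script or data file needs a
# different type than httpd_sys_content_t.
suggest_relabel() {
    report_mislabeled "$1" | awk '{ printf "chcon -t httpd_sys_content_t %s\n", $2 }'
}

# Run against the constructed sample when executed directly.
report_mislabeled "$SAMPLE_LABELS"
report_writable "$SAMPLE_LABELS"
suggest_relabel "$SAMPLE_LABELS"
```

       On a live system, feed it real output, for example
       report_mislabeled "$(ls -Z /var/www/html/*)".  A mislabeled file is
       fixed with chcon -t (as the examples under BOOLEANS below do for
       public_html); the suggested commands default to httpd_sys_content_t
       because that is the least-privilege choice for static content, and
       anything that must be executed or written gets its more specific type
       by hand.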


NOTE
       With certain policies you can define additional file contexts based on
       roles like user or staff.  httpd_user_script_exec_t can be defined
       where it would only have access to "user" contexts.


BOOLEANS
       SELinux policy is customizable based on the least access required.  So
       by default SELinux prevents certain http scripts from working.  httpd
       policy is extremely flexible and has several booleans that allow you
       to manipulate the policy and run httpd with the tightest access
       possible.

       httpd can be set up to allow cgi scripts to be executed; set
       httpd_enable_cgi to allow this:

	      setsebool -P httpd_enable_cgi 1


       httpd by default is not allowed to access users' home directories.  If
       you want to allow access to users' home directories you need to set the
       httpd_enable_homedirs boolean and change the context of the files under
       the home directory that you want people to access:

	      setsebool -P httpd_enable_homedirs 1
	      chcon -R -t httpd_sys_content_t ~user/public_html


       httpd by default is not allowed access to the controlling terminal.  In
       most cases this is preferred, because an intruder might be able to use
       the access to the terminal to gain privileges.  But in certain situa-
       tions httpd needs to prompt for a password to open a certificate file;
       in these cases terminal access is required.  Set the httpd_tty_comm
       boolean to allow terminal access:

	      setsebool -P httpd_tty_comm 1


       httpd can be configured to not differentiate file controls based on
       context, i.e. all files labeled with an httpd context can be
       read/write/execute.  Setting this boolean to false allows you to set up
       the security policy such that one httpd service cannot interfere with
       another:

	      setsebool -P httpd_unified 0


       httpd can be configured to turn off internal scripting (PHP).  PHP and
       other loadable modules run under the same context as httpd.  Therefore
       several policy rules allow httpd greater access to the system than is
       needed if you only use external cgi scripts:

	      setsebool -P httpd_builtin_scripting 0


       httpd scripts by default are not allowed to connect out to the net-
       work.  This would prevent a hacker who has broken into your httpd
       server from attacking other machines.  If you need scripts to be able
       to connect you can set the httpd_can_network_connect boolean on:

	      setsebool -P httpd_can_network_connect 1


       You can disable the suexec transition by setting
       httpd_suexec_disable_trans:

	      setsebool -P httpd_suexec_disable_trans 1


       You can disable SELinux protection for the httpd daemon by executing:

              setsebool -P httpd_disable_trans 1
              service httpd restart
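
       Each of the setsebool commands above widens what httpd may do, and the
       settings persist (-P) across reboots, so a system that was hardened
       once can quietly drift as administrators flip booleans to make a
       script work.  The following script is an added example, not part of
       this manual page or of the SELinux policy: it compares getsebool -a
       output against a least-access baseline for the booleans described in
       this section and prints the drift, plus the setsebool -P commands that
       would restore it.  The baseline values are an assumption of the
       example (every boolean off, i.e. the tightest setting this page
       describes), and the sample getsebool output is constructed.

```shell
#!/bin/sh
# Audit httpd SELinux booleans against a least-access baseline.
# Input is the output of `getsebool -a` ("name --> on|off" per line).
# Added example; not part of the httpd_selinux man page.

# Constructed sample in getsebool -a format (hypothetical system state).
SAMPLE_BOOLS='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_enable_cgi --> off
httpd_enable_homedirs --> off
httpd_tty_comm --> off
httpd_unified --> on
httpd_suexec_disable_trans --> off
httpd_disable_trans --> off'

# Assumed baseline: the tightest value for each boolean this page describes.
# Adjust to what a given server actually needs (for example enable_cgi on).
BASELINE='httpd_builtin_scripting off
httpd_can_network_connect off
httpd_enable_cgi off
httpd_enable_homedirs off
httpd_tty_comm off
httpd_unified off
httpd_suexec_disable_trans off
httpd_disable_trans off'

# Print "DRIFT <name> <actual> <expected>" for every boolean that differs from
# the baseline and "MISSING <name>" for booleans the running policy lacks.
audit_booleans() {
    bools=$1
    baseline=$2
    printf '%s\n' "$baseline" | while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$bools" |
               awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ -z "$have" ]; then
            printf 'MISSING %s\n' "$name"
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT %s %s %s\n' "$name" "$have" "$want"
        fi
    done
}

# Number of drifting booleans, for use as a check that fails on drift.
count_drift() {
    audit_booleans "$1" "$2" | grep -c '^DRIFT' || true
}

# Emit the persistent setsebool commands that return the system to baseline.
remediation() {
    audit_booleans "$1" "$2" |
        awk '$1 == "DRIFT" { v = ($4 == "on") ? 1 : 0
                             printf "setsebool -P %s %d\n", $2, v }'
}

# Run against the constructed sample when executed directly.
audit_booleans "$SAMPLE_BOOLS" "$BASELINE"
remediation "$SAMPLE_BOOLS" "$BASELINE"
```

       On a live host run audit_booleans "$(getsebool -a)" "$BASELINE"; the
       remediation output is meant to be read, not piped blindly into a
       shell, because a DRIFT on httpd_enable_cgi or httpd_enable_homedirs
       may be a deliberate exception that belongs in the baseline rather than
       something to revert.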


       system-config-securitylevel is a GUI tool available to customize
       SELinux policy settings.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.


SEE ALSO
       selinux(8), httpd(8), chcon(1), setsebool(8)





dwalsh@redhat.com		 17 Jan 2005		     httpd_selinux(8)