Provided by: selinux-policy-doc_2.20140421-9_all bug


       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon


       Security-Enhanced Linux secures the httpd server via flexible mandatory
       access control.


       SELinux requires files to have an extended attribute to define the file
       type.   Policy governs the access daemons have to these files.  SELinux
       httpd policy is  very  flexible  allowing  users  to  setup  their  web
       services in as secure a method as possible.

       The following file contexts types are defined for httpd:
       -     Set     files    with    httpd_sys_content_t    if    you    want
       httpd_sys_script_exec_t scripts and the daemon to read  the  file,  and
       disallow other non sys scripts from access.
       -  Set  cgi  scripts  with httpd_sys_script_exec_t to allow them to run
       with access to all sys types.
       -   Set    files    with    httpd_sys_content_rw_t    if    you    want
       httpd_sys_script_exec_t  scripts and the daemon to read/write the data,
       and disallow other non sys scripts from access.
       -   Set    files    with    httpd_sys_content_ra_t    if    you    want
       httpd_sys_script_exec_t  scripts  and  the daemon to read/append to the
       file, and disallow other non sys scripts from access.
       - Set cgi scripts with httpd_unconfined_script_exec_t to allow them  to
       run without any SELinux protection. This should only be used for a very
       complex httpd scripts, after  exhausting  all  other  options.   It  is
       better  to  use  this script rather than turning off SELinux protection
       for httpd.


       With certain policies you can define additional file contexts based  on
       roles  like  user  or  staff.   httpd_user_script_exec_t can be defined
       where it would only have access to "user" contexts.


       If you want to share files with multiple domains (Apache,  FTP,  rsync,
       Samba),   you   can   set   a  file  context  of  public_content_t  and
       public_content_rw_t.  These context allow any of the above  domains  to
       read  the  content.   If  you  want a particular domain to write to the
       public_content_rw_t domain,  you  must  set  the  appropriate  boolean.
       allow_DOMAIN_anon_write.  So for httpd you would execute:

       setsebool -P allow_httpd_anon_write=1


       setsebool -P allow_httpd_sys_script_anon_write=1


       SELinux policy is customizable based on least access required.  SELinux
       can be setup to prevent  certain  http  scripts  from  working.   httpd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run httpd with the tightest access possible.

       httpd  can  be  setup  to  allow  cgi  scripts  to  be  executed,   set
       httpd_enable_cgi to allow this

       setsebool -P httpd_enable_cgi 1

       SELinux  policy  for  httpd can be setup to not allowed to access users
       home  directories.   If  you  want  to  allow  access  to  users   home
       directories  you  need  to  set  the  httpd_enable_homedirs boolean and
       change the context of the files that you want people to access off  the
       home dir.

       setsebool -P httpd_enable_homedirs 1
       chcon -R -t httpd_sys_content_t ~user/public_html

       SELinux  policy  for  httpd  can  be  setup  to not allow access to the
       controlling terminal.  In most cases  this  is  preferred,  because  an
       intruder  might  be  able  to  use  the  access to the terminal to gain
       privileges. But in certain situations  httpd  needs  to  prompt  for  a
       password to open a certificate file, in these cases, terminal access is
       required.  Set the httpd_tty_comm boolean to allow terminal access.

       setsebool -P httpd_tty_comm 1

       httpd can be configured to not differentiate  file  controls  based  on
       context,   i.e.   all   files   labeled   as   httpd   context  can  be
       read/write/execute.  Setting this boolean to false allows you to  setup
       the  security policy such that one httpd service can not interfere with

       setsebool -P httpd_unified 0

       SELinu policy for httpd can be configured to  turn  on  sending  email.
       This  is  a security feature, since it would prevent a vulnerabiltiy in
       http from causing a spam attack.  I certain situations,  you  may  want
       http  modules  to  send  mail.   You  can  turn  on the httpd_send_mail

       setsebool -P httpd_can_sendmail 1

       httpd can be configured to turn off internal scripting (PHP).  PHP and other
       loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.

       setsebool -P httpd_builtin_scripting 0

       SELinux policy can be setup such that httpd scripts are not allowed  to
       connect  out to the network.  This would prevent a hacker from breaking
       into you httpd server  and  attacking  other  machines.   If  you  need
       scripts to be able to connect you can set the httpd_can_network_connect
       boolean on.

       setsebool -P httpd_can_network_connect 1

       system-config-selinux is a GUI  tool  available  to  customize  SELinux
       policy settings.


       This manual page was written by Dan Walsh <>.


       selinux(8), httpd(8), chcon(1), setsebool(8)