Provided by: selinux-policy-doc_2.20180114-1_all bug

NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon


DESCRIPTION
       Security-Enhanced Linux secures the httpd server via flexible mandatory access control.


FILE_CONTEXTS
       SELinux  requires files to have an extended attribute to define the file type.  Policy governs the access
       daemons have to these files.  SELinux httpd policy is very flexible allowing users  to  setup  their  web
       services in as secure a method as possible.

       The following file contexts types are defined for httpd:
       httpd_sys_content_t
       -  Set  files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read
       the file, and disallow other non sys scripts from access.
       httpd_sys_script_exec_t
       - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
       httpd_sys_content_rw_t
       - Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts  and  the  daemon  to
       read/write the data, and disallow other non sys scripts from access.
       httpd_sys_content_ra_t
       -  Set  files  with  httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to
       read/append to the file, and disallow other non sys scripts from access.
       httpd_unconfined_script_exec_t
       - Set cgi  scripts  with  httpd_unconfined_script_exec_t  to  allow  them  to  run  without  any  SELinux
       protection.  This  should  only  be  used  for  a  very complex httpd scripts, after exhausting all other
       options.  It is better to use this script rather than turning off SELinux protection for httpd.


NOTE
       With certain policies you can define additional  file  contexts  based  on  roles  like  user  or  staff.
       httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.


SHARING FILES
       If  you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context
       of public_content_t and public_content_rw_t.  These context allow any of the above domains  to  read  the
       content.   If  you  want a particular domain to write to the public_content_rw_t domain, you must set the
       appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:

       setsebool -P allow_httpd_anon_write=1

       or

       setsebool -P allow_httpd_sys_script_anon_write=1


BOOLEANS
       SELinux policy is customizable based on least access required.  SELinux can be setup to  prevent  certain
       http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run httpd with the tightest access possible.

       httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this

       setsebool -P httpd_enable_cgi 1

       SELinux policy for httpd can be setup to not allowed to access users home directories.  If  you  want  to
       allow  access  to users home directories you need to set the httpd_enable_homedirs boolean and change the
       context of the files that you want people to access off the home dir.

       setsebool -P httpd_enable_homedirs 1
       chcon -R -t httpd_sys_content_t ~user/public_html

       SELinux policy for httpd can be setup to not allow access to the controlling  terminal.   In  most  cases
       this  is  preferred,  because  an  intruder  might  be  able  to  use  the access to the terminal to gain
       privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in
       these cases, terminal access is required.  Set the httpd_tty_comm boolean to allow terminal access.

       setsebool -P httpd_tty_comm 1

       httpd  can  be  configured to not differentiate file controls based on context, i.e. all files labeled as
       httpd context can be read/write/execute.  Setting this boolean to false allows you to setup the  security
       policy such that one httpd service can not interfere with another.

       setsebool -P httpd_unified 0

       SELinux policy for httpd can be configured to turn on sending email. This is a security feature, since it
       would prevent a vulnerability in http from causing a spam attack.  I certain  situations,  you  may  want
       http modules to send mail.  You can turn on the httpd_send_mail boolean.

       setsebool -P httpd_can_sendmail 1

       httpd can be configured to turn off internal scripting (PHP).  PHP and other
       loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.

       setsebool -P httpd_builtin_scripting 0

       SELinux  policy can be setup such that httpd scripts are not allowed to connect out to the network.  This
       would prevent a hacker from breaking into you httpd server and attacking other  machines.   If  you  need
       scripts to be able to connect you can set the httpd_can_network_connect boolean on.

       setsebool -P httpd_can_network_connect 1

       system-config-selinux is a GUI tool available to customize SELinux policy settings.


AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.


SEE ALSO
       selinux(8), httpd(8), chcon(1), setsebool(8)