Provided by: selinux-policy-doc_2.20210203-10_all bug

NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION

       Security-Enhanced Linux secures the httpd server via flexible mandatory access control.

FILE_CONTEXTS

       SELinux  requires  files  to  have  an extended attribute to define the file type.  Policy
       governs the access daemons have to these files.  SELinux httpd  policy  is  very  flexible
       allowing users to setup their web services in as secure a method as possible.

       The following file contexts types are defined for httpd:
       httpd_sys_content_t
       -  Set  files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the
       daemon to read the file, and disallow other non sys scripts from access.
       httpd_sys_script_exec_t
       - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys
       types.
       httpd_sys_content_rw_t
       -  Set  files  with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and
       the daemon to read/write the data, and disallow other non sys scripts from access.
       httpd_sys_content_ra_t
       - Set files with httpd_sys_content_ra_t if you want  httpd_sys_script_exec_t  scripts  and
       the daemon to read/append to the file, and disallow other non sys scripts from access.
       httpd_unconfined_script_exec_t
       -  Set  cgi  scripts  with httpd_unconfined_script_exec_t to allow them to run without any
       SELinux protection. This should only be used for  a  very  complex  httpd  scripts,  after
       exhausting  all  other  options.   It is better to use this script rather than turning off
       SELinux protection for httpd.

NOTE

       With certain policies you can define additional file contexts based on roles like user  or
       staff.   httpd_user_script_exec_t can be defined where it would only have access to "user"
       contexts.

SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can  set
       a  file  context  of public_content_t and public_content_rw_t.  These context allow any of
       the above domains to read the content.  If you want a particular domain to  write  to  the
       public_content_rw_t     domain,     you     must     set    the    appropriate    boolean.
       allow_DOMAIN_anon_write.  So for httpd you would execute:

       setsebool -P allow_httpd_anon_write=1

       or

       setsebool -P allow_httpd_sys_script_anon_write=1

BOOLEANS

       SELinux policy is customizable based on least access required.  SELinux can  be  setup  to
       prevent  certain  http  scripts  from working.  httpd policy is extremely flexible and has
       several booleans that allow you to manipulate the policy and run httpd with  the  tightest
       access possible.

       httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this

       setsebool -P httpd_enable_cgi 1

       SELinux policy for httpd can be setup to not allowed to access users home directories.  If
       you  want  to  allow  access  to  users   home   directories   you   need   to   set   the
       httpd_enable_homedirs  boolean and change the context of the files that you want people to
       access off the home dir.

       setsebool -P httpd_enable_homedirs 1
       chcon -R -t httpd_sys_content_t ~user/public_html

       SELinux policy for httpd can be setup to not allow access to the controlling terminal.  In
       most  cases  this is preferred, because an intruder might be able to use the access to the
       terminal to gain privileges. But in  certain  situations  httpd  needs  to  prompt  for  a
       password to open a certificate file, in these cases, terminal access is required.  Set the
       httpd_tty_comm boolean to allow terminal access.

       setsebool -P httpd_tty_comm 1

       httpd can be configured to not differentiate file controls  based  on  context,  i.e.  all
       files  labeled  as httpd context can be read/write/execute.  Setting this boolean to false
       allows you to setup the security policy such that one httpd service can not interfere with
       another.

       setsebool -P httpd_unified 0

       SELinux  policy  for  httpd can be configured to turn on sending email. This is a security
       feature, since it would prevent a vulnerability in http from causing  a  spam  attack.   I
       certain  situations,  you  may  want  http  modules  to  send  mail.   You can turn on the
       httpd_send_mail boolean.

       setsebool -P httpd_can_sendmail 1

       httpd can be configured to turn off internal scripting (PHP).  PHP and other
       loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.

       setsebool -P httpd_builtin_scripting 0

       SELinux policy can be setup such that httpd scripts are not allowed to connect out to  the
       network.   This  would  prevent a hacker from breaking into you httpd server and attacking
       other  machines.   If  you  need  scripts  to  be  able  to  connect  you  can   set   the
       httpd_can_network_connect boolean on.

       setsebool -P httpd_can_network_connect 1

       system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR

       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO

       selinux(8), httpd(8), chcon(1), setsebool(8)