|
Chris PeBenito |
bf080a |
.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "httpd Selinux Policy documentation"
|
|
Chris PeBenito |
bf080a |
.SH "NAME"
|
|
Chris PeBenito |
bf080a |
httpd_selinux \- Security Enhanced Linux Policy for the httpd daemon
|
|
Chris PeBenito |
bf080a |
.SH "DESCRIPTION"
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
Security-Enhanced Linux secures the httpd server via flexible mandatory access
|
|
Chris PeBenito |
bf080a |
control.
|
|
Chris PeBenito |
bf080a |
.SH FILE_CONTEXTS
|
|
Chris PeBenito |
bf080a |
SELinux requires files to have an extended attribute to define the file type.
|
|
Chris PeBenito |
bf080a |
Policy governs the access daemons have to these files.
|
|
Chris PeBenito |
bf080a |
SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
The following file contexts types are defined for httpd:
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
httpd_sys_content_t
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
httpd_sys_script_exec_t
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
httpd_sys_script_ro_t
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
httpd_sys_script_rw_t
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
httpd_sys_script_ra_t
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
httpd_unconfined_script_exec_t
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.SH NOTE
|
|
Chris PeBenito |
bf080a |
With certain policies you can define addional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.SH SHARING FILES
|
|
Chris PeBenito |
bf080a |
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P allow_httpd_anon_write=1
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
or
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P allow_httpd_sys_script_anon_write=1
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.SH BOOLEANS
|
|
Chris PeBenito |
bf080a |
SELinux policy is customizable based on least access required. So by
|
|
Chris PeBenito |
bf080a |
default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P httpd_enable_cgi 1
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P httpd_enable_homedirs 1
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
chcon -R -t httpd_sys_content_t ~user/public_html
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P httpd_tty_comm 1
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/execute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P httpd_unified 0
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
httpd can be configured to turn off internal scripting (PHP). PHP and other
|
|
Chris PeBenito |
bf080a |
loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P httpd_builtin_scripting 0
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
httpd scripts by default are not allowed to connect out to the network.
|
|
Chris PeBenito |
bf080a |
This would prevent a hacker from breaking into you httpd server and attacking
|
|
Chris PeBenito |
bf080a |
other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P httpd_can_network_connect 1
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
You can disable suexec transition, set httpd_suexec_disable_trans deny this
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P httpd_suexec_disable_trans 1
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
You can disable SELinux protection for the httpd daemon by executing:
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
setsebool -P httpd_disable_trans 1
|
|
Chris PeBenito |
bf080a |
.br
|
|
Chris PeBenito |
bf080a |
service httpd restart
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.TP
|
|
Chris PeBenito |
bf080a |
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
|
|
Chris PeBenito |
bf080a |
.SH AUTHOR
|
|
Chris PeBenito |
bf080a |
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
.SH "SEE ALSO"
|
|
Chris PeBenito |
bf080a |
selinux(8), httpd(8), chcon(1), setsebool(8)
|
|
Chris PeBenito |
bf080a |
|
|
Chris PeBenito |
bf080a |
|