On Apache/1.3.41 (Unix) PHP/5.2.5 mod_perl/1.30 mod_gzip/1.3.26.1a
Under GNU General Public License
2009-01-09 08:56 @38.103.63.58 CrawledBy CCBot/1.0 (+http://www.commoncrawl.org/bot.html)
httpd_selinux(8) httpd Selinux Policy documentation httpd_selinux(8)
NAME
httpd_selinux - Security Enhanced Linux Policy for the httpd daemon
DESCRIPTION
Security-Enhanced Linux secures the httpd server via flexible mandatory access con-
trol.
FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type. Pol-
icy governs the access daemons have to these files. SELinux httpd policy is very
flexible allowing users to setup their web services in as secure a method as possi-
ble.
The following file contexts types are defined for httpd:
httpd_sys_content_t
- Set files with httpd_sys_content_t for content which is available from all
httpd scripts and the daemon.
httpd_sys_script_exec_t
- Set cgi scripts with httpd_sys_script_exec_t to allow them to run with
access to all sys types.
httpd_sys_script_ro_t
- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t
scripts to read the data, and disallow other sys scripts from access.
httpd_sys_script_rw_t
- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t
scripts to read/write the data, and disallow other non sys scripts from
access.
httpd_sys_script_ra_t
- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t
scripts to read/append to the file, and disallow other non sys scripts from
access.
httpd_unconfined_script_exec_t
- Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run
without any SELinux protection. This should only be used for a very complex
httpd scripts, after exhausting all other options. It is better to use this
script rather than turning off SELinux protection for httpd.
NOTE
With certain policies you can define addional file contexts based on roles like
user or staff. httpd_user_script_exec_t can be defined where it would only have
access to "user" contexts.
SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you
can set a file context of public_content_t and public_content_rw_t. These context
allow any of the above domains to read the content. If you want a particular
domain to write to the public_content_rw_t domain, you must set the appropriate
boolean. allow_DOMAIN_anon_write. So for httpd you would execute:
setsebool -P allow_httpd_anon_write=1
or
setsebool -P allow_httpd_sys_script_anon_write=1
BOOLEANS
SELinux policy is customizable based on least access required. So by default
SElinux prevents certain http scripts from working. httpd policy is extremely
flexible and has several booleans that allow you to manipulate the policy and run
httpd with the tightest access possible.
httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to
allow this
setsebool -P httpd_enable_cgi 1
httpd by default is not allowed to access users home directories. If you want to
allow access to users home directories you need to set the httpd_enable_homedirs
boolean and change the context of the files that you want people to access off the
home dir.
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t ~user/public_html
httpd by default is not allowed access to the controling terminal. In most cases
this is prefered, because an intruder might be able to use the access to the termi-
nal to gain privileges. But in certain situations httpd needs to prompt for a pass-
word to open a certificate file, in these cases, terminal access is required. Set
the httpd_tty_comm boolean to allow terminal access.
setsebool -P httpd_tty_comm 1
httpd can be configured to not differentiate file controls based on context, i.e.
all files labeled as httpd context can be read/write/execute. Setting this boolean
to false allows you to setup the security policy such that one httpd service can
not interfere with another.
setsebool -P httpd_unified 0
httpd can be configured to turn off internal scripting (PHP). PHP and other
loadable modules run under the same context as httpd. Therefore several pol-
icy rules allow httpd greater access to the system then is needed if you
only use external cgi scripts.
setsebool -P httpd_builtin_scripting 0
httpd scripts by default are not allowed to connect out to the network.
This would prevent a hacker from breaking into you httpd server and attack-
ing other machines. If you need scripts to be able to connect you can set
the httpd_can_network_connect boolean on.
setsebool -P httpd_can_network_connect 1
You can disable suexec transition, set httpd_suexec_disable_trans deny this
setsebool -P httpd_suexec_disable_trans 1
You can disable SELinux protection for the httpd daemon by executing:
setsebool -P httpd_disable_trans 1
service httpd restart
system-config-securitylevel is a GUI tool available to customize SELinux policy
settings.
AUTHOR
This manual page was written by Dan Walsh <dwalsh AT redhat.com>.
SEE ALSO
selinux(8), httpd(8), chcon(1), setsebool(8)
dwalsh AT redhat.com 17 Jan 2005 httpd_selinux(8)
Generated by $Id: phpMan.php,v 4.55 2007/09/05 04:42:51 chedong Exp $ Author: Che Dong
On Apache/1.3.41 (Unix) PHP/5.2.5 mod_perl/1.30 mod_gzip/1.3.26.1a
Under GNU General Public License
2009-01-09 08:56 @38.103.63.58 CrawledBy CCBot/1.0 (+http://www.commoncrawl.org/bot.html)