SELinux

Security-Enhanced Linux trickery

Apache httpd

You may not want to have your web distribution under /var/www, but if you don't then you'll be caught out by the files being in the wrong SELinux context.

Your files need to be in the right context. Which is?

# ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

Notice there are two key types here: httpd_sys_content_t for files and httpd_sys_script_exec_t for scripts.

If we have everything (NFS?) mounted under /www then we will need to do:

  1. Firstly, relabel what is there now:

    chcon -Rv --type=httpd_sys_content_t /www

  2. Secondly, record the rule so the label survives a relabel:

    semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

    This protects against the (ir)regular relabelling of the modified portion of the filesystem, whenever that happens (a plain chcon is lost at the next relabel).

  3. An alternative mechanism is to define the security context for future files first and then restore it onto the existing ones. Log files need a similar treatment:

    semanage fcontext -a -t httpd_log_t "/www/logs(/.*)?"
    restorecon -Fr /www/logs

But that's not all.

CGI Scripts

If you want a CGI script, an error handler, say, to be able to write into your /www tree then you need to change the type of that part of your tree to the read-write httpd content type:

chcon -t httpd_sys_rw_content_t /www/logs/errors

Other Daemons

If you want httpd to be able to communicate with other daemons, e.g. Plone, then you must enable one of the various boolean flags:

# getsebool -a | grep http | grep network
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off

There is a corresponding setsebool command. In this instance we set httpd_can_network_connect on to enable back-end comms, passing

setsebool -P

to make the change permanent.
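The following script is an added example, not part of the original guide: it records the persistent fcontext rules for a /www tree (content, cgi-bin, logs, the writable errors directory) and the boolean from the sections above, and audits a listing to catch files that still carry the wrong type. The /www/logs/errors path and the listing format are assumptions.

```bash
#!/bin/sh
# Added example: persistent SELinux labelling for a web tree outside /var/www.
set -eu

WEBROOT=/www   # assumption: tree lives here, as in the guide

# Map a path in the tree to the SELinux type it should carry.
expected_type() {
  case "$1" in
    "$WEBROOT"/logs/errors|"$WEBROOT"/logs/errors/*) echo httpd_sys_rw_content_t ;;
    "$WEBROOT"/logs|"$WEBROOT"/logs/*)               echo httpd_log_t ;;
    "$WEBROOT"/cgi-bin|"$WEBROOT"/cgi-bin/*)         echo httpd_sys_script_exec_t ;;
    *)                                               echo httpd_sys_content_t ;;
  esac
}

# Record the rules persistently, then relabel what exists (needs root and
# the semanage tool). The specific rules are listed after the general one.
apply_contexts() {
  semanage fcontext -a -t httpd_sys_content_t     "$WEBROOT(/.*)?"
  semanage fcontext -a -t httpd_sys_script_exec_t "$WEBROOT/cgi-bin(/.*)?"
  semanage fcontext -a -t httpd_log_t             "$WEBROOT/logs(/.*)?"
  semanage fcontext -a -t httpd_sys_rw_content_t  "$WEBROOT/logs/errors(/.*)?"
  restorecon -RFv "$WEBROOT"
  setsebool -P httpd_can_network_connect on      # back-end comms, persistent
}

# Audit "<context> <path>" lines (e.g. from: find /www -printf '%Z %p\n')
# and report every path whose type differs from the expected one.
# Returns 1 if any mismatch was found, 0 otherwise.
audit_labels() {
  bad=0
  while read -r ctx path; do
    [ -n "$path" ] || continue
    got=$(printf '%s' "$ctx" | cut -d: -f3)
    want=$(expected_type "$path")
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH %s has %s, want %s\n' "$path" "$got" "$want"
      bad=1
    fi
  done
  return "$bad"
}

# Constructed sample listing (not from a real host) showing one bad label.
SAMPLE='system_u:object_r:httpd_sys_content_t:s0 /www/html/index.html
unconfined_u:object_r:default_t:s0 /www/logs/errors/500.html'

if [ "${1:-}" = --apply ]; then apply_contexts; else printf '%s\n' "$SAMPLE" | audit_labels || true; fi
```

Run it with no arguments to audit the constructed sample; run it as root with --apply to write the rules and relabel.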
