Difference between revisions of "Apache SELinux configuration"

From Notes_Wiki
(Created page with "=apache SELinux configuration= ==Apache SELinux contexts== Apache process runs with SELinux context '<tt>unconfined_u:system_r:httpd_t:s0</tt>'. Files used by apache can h...")
 
m
Line 1: Line 1:
<yambe:breadcrumb>SELinux configuration|SELinux configuration</yambe:breadcrumb>
=apache SELinux configuration=
=apache SELinux configuration=




Line 89: Line 89:


Learned from http://beginlinux.com/index.php/server_training/web-server/117-web-server/976-apache-and-selinux
Learned from http://beginlinux.com/index.php/server_training/web-server/117-web-server/976-apache-and-selinux
<yambe:breadcrumb>SELinux configuration|SELinux configuration</yambe:breadcrumb>

Revision as of 18:35, 17 August 2018

<yambe:breadcrumb>SELinux configuration|SELinux configuration</yambe:breadcrumb>

apache SELinux configuration

Apache SELinux contexts

Apache process runs with SELinux context 'unconfined_u:system_r:httpd_t:s0'. Files used by apache can have following contexts based on requirements:

Context Meaning
httpd_sys_content_t Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
httpd_sys_script_exec_t Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
httpd_sys_script_ro_t Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
httpd_sys_script_rw_t Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
httpd_sys_script_ra_t Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
httpd_unconfined_script_exec_t Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd.


SELinux booleans

Enable CGI

To enable CGI applications we can use

setsebool -P httpd_enable_cgi 1

Note that we should also change the context of applications to one of the above listed contexts for it to work. Just changing boolean is not enough


Enable UserDir

To enable UserDir we can use

setsebool -P httpd_enable_homedirs 1

It is still necessary to change the type of file to 'httpd_sys_content_t' using something like

chcon -R -t httpd_sys_content_t ~user/public_html

so that it can be accessed by apache.


SELinux ports

By default apache can listen only on ports 80, 443, 488, 8008, 8009, 8443 using TCP. If we try to setup apache on different port it will not work. To add or remove port to/from this list we can use following methods


To see apache related ports

Use

semanage port -l | grep http

to see all apache related ports


To add port on which apache can listen

To add port to list on which apache can listen, use

semanage port -a -t http_port_t -p tcp <additional_port_number>


To remove port on which apache can listen

To remove port from list on which apache can listen, use

semanage port -d -t http_port_t -p tcp <port_number>



Learned from http://beginlinux.com/index.php/server_training/web-server/117-web-server/976-apache-and-selinux


<yambe:breadcrumb>SELinux configuration|SELinux configuration</yambe:breadcrumb>