Apache SELinux configuration
Apache SELinux contexts
The Apache process runs with the SELinux context 'unconfined_u:system_r:httpd_t:s0'. Files used by apache can have one of the following contexts, depending on what they are used for:
Context | Meaning
httpd_sys_content_t | Set files to httpd_sys_content_t for content that is readable by all httpd scripts and the daemon.
httpd_sys_script_exec_t | Set CGI scripts to httpd_sys_script_exec_t to allow them to run with access to all sys types.
httpd_sys_script_ro_t | Set files to httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and want to disallow other sys scripts from accessing it.
httpd_sys_script_rw_t | Set files to httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read and write the data, and want to disallow other non-sys scripts from accessing it.
httpd_sys_script_ra_t | Set files to httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read and append to the file, and want to disallow other non-sys scripts from accessing it.
httpd_unconfined_script_exec_t | Set CGI scripts to httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for very complex httpd scripts, after all other options have been exhausted. It is still better to use this type for a single script than to turn off SELinux protection for httpd entirely.
SELinux booleans
Enable CGI
To enable CGI applications we can use
setsebool -P httpd_enable_cgi 1
Note that we must also change the context of the applications to one of the contexts listed above for this to work; changing the boolean alone is not enough.
Enable UserDir
To enable UserDir we can use
setsebool -P httpd_enable_homedirs 1
It is still necessary to change the type of the files to 'httpd_sys_content_t', using something like
chcon -R -t httpd_sys_content_t ~user/public_html
so that apache can access them.
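The two sections above both come down to the same check: does every file under a web directory carry the type the table assigns to it? The script below is an added example, not part of the original page, that reads `ls -Z` style lines (the sample listing and the /var/www layout it assumes are constructed for the example) and reports files whose type does not match the role of their directory. It also prints the commands that make a label persistent: `chcon` only changes the label on the inode, and the next `restorecon` or filesystem relabel reverts it, whereas `semanage fcontext` records the rule so `restorecon` applies it.

```shell
#!/bin/sh
# Added example (not from the original page): audit Apache file labels from
# `ls -Z` output and emit persistent relabeling commands.
# The directory layout, the expected types and the sample listing are
# constructed assumptions for this example.

# Expected type per directory for a hypothetical site:
#   /var/www/html      -> httpd_sys_content_t      (static content)
#   /var/www/cgi-bin   -> httpd_sys_script_exec_t  (CGI scripts)
#   /var/www/uploads   -> httpd_sys_script_rw_t    (data the CGI scripts write)
expected_type() {
    case "$1" in
        /var/www/cgi-bin/*) echo httpd_sys_script_exec_t ;;
        /var/www/uploads/*) echo httpd_sys_script_rw_t ;;
        /var/www/html/*)    echo httpd_sys_content_t ;;
        *)                  echo unknown ;;
    esac
}

# Constructed `ls -Z` style lines: "<user>:<role>:<type>:<level> <path>".
# upload.cgi was copied from a home directory and data.txt was created with
# the wrong type, so both should be flagged.
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/cgi-bin/upload.cgi
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/status.cgi
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/uploads/data.txt'

# Print one "<path> <actual type> <expected type>" line per mislabeled file.
find_mislabeled() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s' "$ctx" | cut -d: -f3)   # third field is the type
        wanted=$(expected_type "$path")
        if [ "$wanted" != unknown ] && [ "$wanted" != "$actual" ]; then
            printf '%s %s %s\n' "$path" "$actual" "$wanted"
        fi
    done
}

# Print the commands that make a label survive a relabel: semanage fcontext
# records the rule for the directory tree, restorecon applies it to the files.
relabel_plan() {
    dir=$1; type=$2
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$type" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Stand-alone usage: report the sample listing, then show the fix for cgi-bin.
find_mislabeled "$SAMPLE_LISTING"
relabel_plan /var/www/cgi-bin httpd_sys_script_exec_t
```

On a real host the listing comes from `ls -Z /var/www/cgi-bin/*` and friends; the expected types come from whatever policy you have chosen for the site, and the plan should be reviewed before it is run, since `semanage fcontext -a` fails if an equivalent rule already exists (use `-m` to modify it).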
SELinux ports
By default apache can listen only on TCP ports 80, 443, 488, 8008, 8009 and 8443. If we try to set up apache on a different port it will not work. To add a port to this list, or remove one from it, we can use the following methods.
Use
semanage port -l | grep http
to see all apache-related ports.
To add a port on which apache can listen
To add a port to the list on which apache can listen, use
semanage port -a -t http_port_t -p tcp <additional_port_number>
To remove a port on which apache can listen
To remove a port from the list on which apache can listen, use
semanage port -d -t http_port_t -p tcp <port_number>
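Before running `semanage port -a` it is worth knowing whether the port is already assigned, because `-a` fails when the port is already defined for another type (for example 8080, which policy assigns to http_cache_port_t); in that case `semanage port -m` is needed instead. The script below is an added example, not part of the original page: it parses `semanage port -l` style output (the listing here is constructed, with the same column layout as the real command, including a port range) and prints the command that would be needed for a given port.

```shell
#!/bin/sh
# Added example (not from the original page): decide whether a port is already
# covered by http_port_t from `semanage port -l` output, and print the
# semanage command needed. The listing below is constructed for the example.

SAMPLE_PORTS='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988'

# Print the SELinux port type that owns <proto>/<port> in the listing, or
# nothing if the port is not assigned. Each line is "<type> <proto> <ports>",
# where <ports> is a comma-separated list of single ports and lo-hi ranges.
owning_type() {
    listing=$1; proto=$2; port=$3
    printf '%s\n' "$listing" | while read -r type lproto rest; do
        [ "$lproto" = "$proto" ] || continue
        for item in $(printf '%s' "$rest" | tr ',' ' '); do
            case "$item" in
                *-*)
                    lo=${item%-*}; hi=${item#*-}
                    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                        echo "$type"; break 2
                    fi ;;
                *)
                    if [ "$item" -eq "$port" ]; then
                        echo "$type"; break 2
                    fi ;;
            esac
        done
    done
}

# Print the command needed to let httpd listen on <proto>/<port>:
#   already in http_port_t  -> nothing to do
#   unassigned              -> semanage port -a (add a new definition)
#   owned by another type   -> semanage port -m (modify; -a would fail with
#                              "already defined")
semanage_cmd() {
    listing=$1; proto=$2; port=$3
    owner=$(owning_type "$listing" "$proto" "$port")
    case "$owner" in
        http_port_t) echo "# $proto/$port is already allowed for httpd" ;;
        "")          echo "semanage port -a -t http_port_t -p $proto $port" ;;
        *)           echo "semanage port -m -t http_port_t -p $proto $port   # currently $owner" ;;
    esac
}

# Stand-alone usage: one port from each category.
semanage_cmd "$SAMPLE_PORTS" tcp 8443
semanage_cmd "$SAMPLE_PORTS" tcp 8081
semanage_cmd "$SAMPLE_PORTS" tcp 8080
```

On a real host replace the constructed listing with `$(semanage port -l)`; moving a port out of another type with `-m` also takes it away from the daemons confined to that type, so check what the owning type is used for before changing it.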
Learned from http://beginlinux.com/index.php/server_training/web-server/117-web-server/976-apache-and-selinux