SELinux/apache

Domains
The apache module provides the following domains:

File types/labels
The following table lists the file type/labels defined in the apache module.


 * If an entry mentions (templated), the types are generated by the apache module, but similar types might exist on your system (created through other modules).
 * When talking about scripts, we mean CGI scripts or other scripts that are triggered by the webserver, not from an interactive shell session.

File locations
The policy only ships file context rules for the default locations. If you deviate from these locations, you'll need to update the contexts accordingly.

The following table gives an overview of common Apache settings (variables in httpd.conf) that end users often change, and the file context that the referenced paths should have. If you use a different webserver, you'll need to base the labels on the description instead.

Sharing files
The SELinux policy (as part of the miscfiles module) supports two additional types: public_content_t and public_content_rw_t. These are used for so-called anonymous files, which are readable by all file-serving services. If all services only need to read from them, public_content_t is used. If at least one service needs to write to them, use public_content_rw_t and toggle the right SELinux boolean for the domain that needs write access (allow_DOMAIN_anon_write).

For instance, if you have files that are shared by Apache, NFS, Samba and the like, you label these public_content_t (read-only) or public_content_rw_t (read-write for some services) and then toggle the appropriate booleans:
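The following script is an added example covering both the "File locations" and "Sharing files" sections; it is not part of this wiki page or of the Gentoo policy. It derives the persistent file context rules an installation needs when httpd.conf points away from the default paths, and labels a directory as anonymous shared content. The directive-to-type mapping (DocumentRoot to httpd_sys_content_t, ScriptAlias target to httpd_sys_script_exec_t, log directories to httpd_log_t) and the boolean name allow_httpd_anon_write (from the allow_DOMAIN_anon_write pattern above; newer policies call it httpd_anon_write) are assumptions, as is the sample httpd.conf fragment, which is constructed for the demo mode. Without semanage on the machine, or with SELINUX_DRY_RUN=1, the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: derive the file context rules
# an Apache install needs when its paths deviate from the defaults, and label
# a directory for anonymous sharing. Assumed refpolicy type names (the page's
# table is not reproduced here): DocumentRoot -> httpd_sys_content_t,
# ScriptAlias target -> httpd_sys_script_exec_t, ErrorLog/CustomLog directory
# -> httpd_log_t. Shared content uses the page's public_content_t and
# public_content_rw_t, with the boolean allow_httpd_anon_write assumed from the
# allow_DOMAIN_anon_write pattern (newer policies call it httpd_anon_write).
# SAMPLE_HTTPD_CONF is a constructed httpd.conf fragment for the demo mode.
set -eu

SAMPLE_HTTPD_CONF='ServerRoot "/usr/lib64/apache2"
DocumentRoot "/srv/www/example/htdocs"
ScriptAlias /cgi-bin/ "/srv/www/example/cgi-bin/"
ErrorLog "/srv/www/example/logs/error_log"
CustomLog "/srv/www/example/logs/access_log" common
# ScriptAlias /old/ "/srv/old/cgi-bin/"'

# Execute a command, or only print it when semanage is absent or
# SELINUX_DRY_RUN=1 is set, so the plan can be reviewed on any machine.
run() {
    if [ "${SELINUX_DRY_RUN:-0}" = 1 ] || ! command -v semanage >/dev/null 2>&1; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Persistent rule for DIR (arg 1) and everything below it, labelled TYPE
# (arg 2). The (/.*)? suffix is what makes the rule cover the contents.
add_fcontext() {
    run semanage fcontext -a -t "$2" "${1%/}(/.*)?"
}

# Read httpd.conf text on stdin and print "PATH TYPE" per directive whose
# target needs an Apache type. Comments are dropped, quotes stripped, piped
# loggers ("|/usr/bin/rotatelogs ...") skipped, and for ScriptAlias the second
# argument is the filesystem path. sort -u collapses ErrorLog and CustomLog
# entries that share a directory, since semanage refuses a duplicate rule.
httpd_conf_paths() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e 's/"//g' |
    while read -r directive a b _; do
        case "$directive" in
            DocumentRoot)       echo "${a%/} httpd_sys_content_t" ;;
            ScriptAlias)        echo "${b%/} httpd_sys_script_exec_t" ;;
            ErrorLog|CustomLog) case "$a" in \|*) ;; *) echo "$(dirname "$a") httpd_log_t" ;; esac ;;
        esac
    done | sort -u
}

# Apply the rules from httpd_conf_paths, then restorecon so the on-disk
# labels match the new rules.
apply_httpd_conf() {
    httpd_conf_paths | while read -r path ftype; do
        add_fcontext "$path" "$ftype"
        run restorecon -Rv "$path"
    done
}

# Label DIR (arg 1) as anonymous shared content: ro -> public_content_t,
# rw -> public_content_rw_t plus the anon-write boolean for every domain
# named afterwards (httpd -> allow_httpd_anon_write).
label_shared_dir() {
    dir=${1%/}; mode=$2; shift 2
    case "$mode" in
        ro) add_fcontext "$dir" public_content_t ;;
        rw) add_fcontext "$dir" public_content_rw_t
            for domain in "$@"; do
                run setsebool -P "allow_${domain}_anon_write" on
            done ;;
        *)  echo "mode must be ro or rw, got '$mode'" >&2; return 1 ;;
    esac
    run restorecon -Rv "$dir"
}

# Usage: sh apache-labels.sh demo
#        sh apache-labels.sh conf [/etc/apache2/httpd.conf]
#        sh apache-labels.sh share /srv/share rw httpd
if [ "$#" -ge 1 ]; then
    case "$1" in
        demo)  SELINUX_DRY_RUN=1; printf '%s\n' "$SAMPLE_HTTPD_CONF" | apply_httpd_conf ;;
        conf)  apply_httpd_conf < "${2:-/etc/apache2/httpd.conf}" ;;
        share) shift; label_shared_dir "$@" ;;
        *)     echo "usage: $0 demo | conf [httpd.conf] | share DIR ro|rw [DOMAIN...]" >&2; exit 1 ;;
    esac
fi
```

The `(/.*)?` suffix is deliberate: a rule on the bare directory path would label only the directory itself, and restorecon would then leave the files below it with whatever label they inherited. Running the `demo` mode shows the three fcontext rules the sample configuration requires (the commented-out ScriptAlias and the ServerRoot line produce none).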

Booleans
The apache module has several booleans which manipulate the allowed permissions within your installation. The table below gives an overview of the booleans and also mentions which USE flags you could associate with them. Note that the booleans are not linked to USE flags. However, if you have set a particular USE flag for the webserver environment, you might want to toggle the matching booleans as well.

If you want to toggle booleans, you can do so through setsebool:

Ports
If you need to run the webserver on a non-default port, you can either mark this port as an HTTP port (http_port_t) or create the appropriate rule to allow it to bind to the specified port.

To mark a particular port (say 81) as an HTTP port, use semanage:

If you need to allow the webserver to bind on a port but are not allowed to modify that port's type, you'll need to create a policy module that allows the httpd_t domain to bind to the particular port. For instance, to allow it to bind on the SMTP port:

allow httpd_t smtp_port_t:tcp_socket name_bind;
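As an added example (not part of this wiki page or of the Gentoo policy), the script below ties the two options together. It reads a `semanage port -l` style listing to find which type currently owns a port: an untyped port can simply be marked http_port_t with semanage, while a port that already belongs to another type gets a small module carrying the allow rule above. The module is written in the raw `module NAME VERSION;` form that checkmodule compiles without the refpolicy build tree, which is why every type and class it uses must be listed under `require`. SAMPLE_PORT_LIST is a constructed listing used when semanage is not available; the module name httpd_bind_PORT is an assumption.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page. Decide how to let httpd_t
# bind a non-default port: if the port is untyped, mark it http_port_t with
# semanage; if it already belongs to another type, generate a policy module
# carrying the allow rule from the page. SAMPLE_PORT_LIST is a constructed
# sample in the format of `semanage port -l`; on a real host the live
# listing is used instead.
set -eu

SAMPLE_PORT_LIST='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
smtp_port_t                    tcp      25, 465, 587
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Print the SELinux port type that owns PORT (arg 1) for PROTO (arg 2,
# default tcp), reading `semanage port -l` style lines from stdin.
# Prints nothing when no type claims the port. Handles ranges like 1024-32767.
port_type_of() {
    awk -v port="$1" -v proto="${2:-tcp}" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (split(f, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = f + 0; hi = lo }
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }'
}

# Write NAME.te (arg 1) allowing httpd_t to name_bind on PORT_TYPE (arg 2).
# Raw module form: checkmodule accepts it without the refpolicy headers, so
# every type and class used must appear in the require block. Prints the path.
write_bind_module() {
    cat > "$1.te" <<EOF
module $1 1.0;

require {
    type httpd_t;
    type $2;
    class tcp_socket name_bind;
}

allow httpd_t $2:tcp_socket name_bind;
EOF
    echo "$1.te"
}

# Compile and load NAME.pp when the SELinux toolchain is present; otherwise
# print the commands to run on the target host.
build_and_install_module() {
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$1.mod" "$1.te"
        semodule_package -o "$1.pp" -m "$1.mod"
        semodule -i "$1.pp"
    else
        echo "SELinux toolchain not found; on the target host run:" >&2
        echo "  checkmodule -M -m -o $1.mod $1.te && semodule_package -o $1.pp -m $1.mod && semodule -i $1.pp" >&2
    fi
}

# Print the action needed for httpd_t to bind PORT (arg 1), given a port
# listing on stdin: "ok" (already http_port_t), "mark" (untyped: semanage
# port -a works), or "allow:<type>" (owned by another type: use a module).
plan_port_access() {
    owner=$(port_type_of "$1")
    case "$owner" in
        "")          echo mark ;;
        http_port_t) echo ok ;;
        *)           echo "allow:$owner" ;;
    esac
}

# Usage: sh httpd-port.sh PORT
if [ "$#" -ge 1 ]; then
    if command -v semanage >/dev/null 2>&1; then listing=$(semanage port -l); else listing=$SAMPLE_PORT_LIST; fi
    plan=$(printf '%s\n' "$listing" | plan_port_access "$1")
    case "$plan" in
        ok)   echo "port $1 is already http_port_t; nothing to do" ;;
        mark) echo "port $1 is untyped; run: semanage port -a -t http_port_t -p tcp $1" ;;
        allow:*)
            name="httpd_bind_$1"
            write_bind_module "$name" "${plan#allow:}" >/dev/null
            build_and_install_module "$name"
            ;;
    esac
fi
```

Run with `sh httpd-port.sh 25` against the sample listing and the script writes httpd_bind_25.te with the smtp_port_t rule, whereas port 81 is reported as already http_port_t. Keeping the module to a single name_bind rule on one port type is the least-privilege choice; retyping the port with semanage instead would also let every other domain with http_port_t access use it.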