SELinux/apache

From Gentoo Wiki

Structure

Domains

The apache module provides the following domains:

Domain               | Process(es)       | Description
httpd_t              | apache, lighttpd  | Webserver processes
httpd_helper_t       | htsslpass         | Domain for the htsslpass process
httpd_php_t          | php-cgi           | Domain for PHP support through CGI (php-cgi process)
httpd_rotatelogs_t   | rotatelogs        | Domain for the rotatelogs process
httpd_suexec_t       | suexec            | Domain used by the webserver suexec process to switch to another user before calling and executing a script
httpd_sys_script_t   |                   | Domain used by the system/package-provided CGI scripts
httpd_user_script_t  |                   | Domain used by the user-provided CGI scripts
Important
The apache module lets other modules define their own domains and types for use by the webservers, through templates. The reference policy instantiates two such templated sets by default, sys and user, which is where domains like httpd_sys_script_t and httpd_user_script_t come from. Your system may well carry more template-instantiated domains than the ones listed here.

File types/labels

The following table lists the file type/labels defined in the apache module.

  • If the function mentions (templated), the types are generated by the apache module, but similar ones might exist on your system (instantiated through other modules).
  • When talking about scripts, we mean CGI scripts or other scripts that are triggered from the webserver, not from an interactive shell session.
Type                       | Function               | Description
httpd_exec_t               | Entrypoint             | Entrypoint for the webserver processes
httpd_initrc_exec_t        | Entrypoint             | Entrypoint for the webserver init scripts
httpd_helper_exec_t        | Entrypoint             | Entrypoint for the webserver helper processes
httpd_php_exec_t           | Entrypoint             | Entrypoint for the php-cgi binary (httpd_php_t domain)
httpd_rotatelogs_exec_t    | Entrypoint             | Entrypoint for the rotatelogs helper
httpd_suexec_exec_t        | Entrypoint             | Entrypoint for the suexec wrapper
httpd_sys_script_exec_t    | Entrypoint (templated) | Entrypoint for system CGI scripts (or other callable scripts) that need access to the system content files (httpd_sys_content_t)
httpd_user_script_exec_t   | Entrypoint (templated) | Entrypoint for the user-provided scripts callable from the webserver instances
httpd_squirrelmail_t       | Content                | Squirrelmail files
squirrelmail_spool_t       | Content                | Squirrelmail attachment location
httpd_sys_content_t        | Content (templated)    | Readable content for the webservers and system scripts, offered through the system / packages
httpd_sys_htaccess_t       | Content (templated)    | Label for .htaccess files, readable by the webserver but not by scripts or other webserver-related domains
httpd_sys_rw_content_t     | Content (templated)    | Readable and writable content for the webservers and system scripts (not user scripts)
httpd_sys_ra_content_t     | Content (templated)    | Readable and appendable content for the webservers and system scripts (not user scripts)
httpd_user_content_t       | Content (templated)    | Readable content for the webservers and user scripts, offered by (and writable by) users
httpd_user_htaccess_t      | Content (templated)    | Label for user .htaccess files, readable by the webserver but not by scripts or other webserver-related domains
httpd_user_rw_content_t    | Content (templated)    | Readable and writable content for the webservers and user scripts (not system scripts)
httpd_user_ra_content_t    | Content (templated)    | Readable and appendable content for the webservers and user scripts (not system scripts)
httpd_php_tmp_t            | Temporary files        | Temporary files from the PHP scripts
httpd_suexec_tmp_t         | Temporary files        | Temporary files for the suexec domain
httpd_tmp_t, httpd_tmpfs_t | Temporary files        | Temporary files from the httpd domain (on disk and on tmpfs respectively)
httpd_cache_t              | Cache                  | Webserver cache
httpd_config_t             | Configuration          | Configuration files
httpd_lock_t               | Lock files             | Lock files
httpd_log_t                | Logs                   | Webserver log files
httpd_modules_t            | Modules                | Webserver modules (loadable module objects)
httpd_var_lib_t            | State                  | Persistent state files of the webserver under /var/lib
httpd_var_run_t            | Runtime                | Runtime files for httpd (PID files, sockets)

Using the apache SELinux module

File locations

The policy ships file context rules only for the default locations. If you deviate from these locations, you need to register matching contexts yourself (semanage fcontext) and relabel the files (restorecon), otherwise the webserver domain is denied access to its own content.

The following table gives an overview of common Apache settings (directives in httpd.conf) that end users often change, together with the file context the location should have. If you use a different webserver, map its settings onto these descriptions instead.

Setting in httpd.conf | Description                                                       | Default location             | File context(s)
DocumentRoot          | Location where web content is stored (html pages and such)        | /srv/localhost/www           | system_u:object_r:httpd_sys_content_t
ScriptAlias           | Location where CGI scripts are stored                             | /srv/localhost/cgi-bin       | system_u:object_r:httpd_sys_script_exec_t
Directory             | User home directory location where user-provided content is stored | /home/*/public_html         | system_u:object_r:httpd_user_content_t
Directory             | User home directory location where user-provided CGI scripts are stored | /home/*/public_html/cgi-bin | system_u:object_r:httpd_user_script_exec_t
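The following script is an added example and not part of the wiki page: it encodes the mapping from the table above for a custom DocumentRoot, prints the semanage fcontext rules that register it, and audits `ls -Z`-style output for files that still carry the wrong type (the usual result of copying a site into place with cp, which inherits the parent directory's label). The root /var/www/example, its uploads/ subdirectory and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): register file contexts for a
# non-default DocumentRoot and check that the files actually carry them.
# WEBROOT and the uploads/ subdirectory are assumptions for this example.
set -eu

WEBROOT="/var/www/example"

# Map a path under WEBROOT to the type it should carry, following the
# file-location table: .htaccess files, the CGI directory, a writable
# upload directory, and plain read-only content. First match wins.
expected_type() {
    case "$1" in
        */.htaccess)              echo httpd_sys_htaccess_t ;;
        "$WEBROOT"/cgi-bin/*)     echo httpd_sys_script_exec_t ;;
        "$WEBROOT"/uploads/*)     echo httpd_sys_rw_content_t ;;
        "$WEBROOT"|"$WEBROOT"/*)  echo httpd_sys_content_t ;;
        *)                        echo unknown ;;
    esac
}

# Print the semanage rules that encode the same mapping. Run them as
# root, then `restorecon -Rv "$WEBROOT"` to apply the labels on disk.
fcontext_rules() {
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$WEBROOT"
    printf 'semanage fcontext -a -t httpd_sys_script_exec_t "%s/cgi-bin(/.*)?"\n' "$WEBROOT"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/uploads(/.*)?"\n' "$WEBROOT"
    printf 'semanage fcontext -a -t httpd_sys_htaccess_t "%s(/.*)?/\\.htaccess"\n' "$WEBROOT"
}

# Read "<context> <path>" lines on stdin (the shape of
# `find "$WEBROOT" -exec ls -Zd {} +` output), report every file whose
# type field differs from expected_type() on stderr, and print the
# number of mismatches on stdout.
audit_labels() {
    mismatches=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        actual=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(expected_type "$path")
        if [ "$actual" != "$want" ]; then
            printf 'MISMATCH %s is %s, want %s\n' "$path" "$actual" "$want" >&2
            mismatches=$((mismatches + 1))
        fi
    done
    echo "$mismatches"
}

# Constructed sample, not captured from a real host: a site copied into
# place with cp (labels inherited from the parent directory) plus one
# file written from a user shell.
SAMPLE='system_u:object_r:httpd_sys_content_t:s0 /var/www/example/index.html
system_u:object_r:httpd_sys_htaccess_t:s0 /var/www/example/.htaccess
system_u:object_r:httpd_sys_content_t:s0 /var/www/example/cgi-bin/form.cgi
system_u:object_r:httpd_sys_content_t:s0 /var/www/example/uploads/a.png
unconfined_u:object_r:user_home_t:s0 /var/www/example/new.html'

sample_mismatches() {
    printf '%s\n' "$SAMPLE" | audit_labels
}

fcontext_rules
echo "restorecon -Rv \"$WEBROOT\""
echo "sample audit: $(sample_mismatches) mismatched file(s)"
```

On a real host, feed `find "$WEBROOT" -exec ls -Zd {} +` into audit_labels after running the printed semanage rules and restorecon; anything it still reports was not covered by the patterns (for instance a file placed outside the registered tree) and needs a rule of its own rather than a one-off chcon, which does not survive the next relabel.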

Sharing files

The SELinux policy (as part of the miscfiles module) provides two additional types: public_content_t and public_content_rw_t. They are meant for so-called anonymous files, which are readable by all file-serving services. If every service only needs to read them, use public_content_t. If at least one service needs to write to them, use public_content_rw_t and enable the SELinux boolean for the domain that needs write access (allow_DOMAIN_anon_write).

For instance, for files shared by Apache, NFS, Samba and so on, label them public_content_t (read-only) or public_content_rw_t (read-write for some services) and then enable the appropriate booleans, here for the system CGI scripts:

root # setsebool -P allow_httpd_sys_script_anon_write on

Booleans

The apache module has several booleans which manipulate the allowed permissions within your installation. The table below gives an overview of the booleans, but also mentions which USE flags you could associate with it. Note that the booleans are not linked to USE flags. However, if you have set a particular USE flag for the webserver environment, then you might want to toggle these booleans as well.

Boolean                            | Description | Gentoo USE flag suggestion
allow_httpd_anon_write             | Allow the webserver to modify public files (labeled public_content_rw_t) |
allow_httpd_sys_script_anon_write  | Allow the system scripts to modify public files |
allow_httpd_user_script_anon_write | Allow the user scripts to modify public files |
allow_httpd_mod_auth_pam           | Allow the webserver to use the auth_pam module |
httpd_builtin_scripting            | Needed when your webservers use internal scripting languages like PHP (languages that are read and interpreted by the webserver directly rather than called through separate processes as with CGI) |
httpd_can_network_connect          | Allow the webserver scripts and modules to connect to the network |
httpd_can_network_connect_db       | Allow the webserver scripts and modules to connect to databases over the network |
httpd_can_network_relay            | Allow webservers to act as a relay (connect out to other web ports, as a reverse proxy does) |
httpd_can_sendmail                 | Allow webservers to send e-mails |
httpd_dbus_avahi                   | Allow webservers to communicate with the avahi service via dbus |
httpd_enable_cgi                   | Allow webservers to call CGI scripts (labeled httpd_sys_script_exec_t or httpd_user_script_exec_t) |
httpd_enable_ftp_server            | Allow webservers to act as an FTP server by listening on the FTP ports |
httpd_enable_homedirs              | Allow webservers to read home directories (user_home_t). Not to be confused with httpd_user_content_t, which also lives in the users' home directories but carries its own label |
httpd_ssi_exec                     | Allow webservers to run SSI executables in the same domain as the CGI scripts |
httpd_tty_comm                     | Allow webservers to communicate with the terminal. This is needed when you have to enter a passphrase for certificates at the terminal |
httpd_unified                      | When enabled, the various webserver content types (all types with the httpdcontent attribute) are no longer differentiated, but are all considered readable, writable and executable by the webserver. This discards the read-only/read-write/script split above, so leave it off unless an application really needs it |
httpd_use_cifs                     | Allow webservers to access CIFS file systems |
httpd_use_gpg                      | Allow webservers to run gpg |
httpd_use_nfs                      | Allow webservers to access NFS file systems |

If you want to toggle booleans, you can do so through setsebool:

root #setsebool -P httpd_enable_homedirs on
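Booleans set with setsebool -P persist, so they tend to accumulate: one is switched on to get an application working and never revisited. The script below is an added example, not part of the wiki page, that compares `getsebool -a` output against a baseline and prints the setsebool -P commands needed to return to it, covering both the anon_write booleans from the sharing section and the rest of the table above. The baseline (a PHP site that talks to a database, with CGI, home directories, anonymous writes and httpd_unified all off) and the sample getsebool output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page): compare the booleans reported by
# `getsebool -a` against a baseline and print the setsebool -P commands
# that restore it. The baseline itself is an assumption: a PHP site that
# talks to a database, with CGI, home directories, anonymous writes and
# httpd_unified all kept off.
set -eu

BASELINE='httpd_builtin_scripting on
httpd_can_network_connect_db on
httpd_can_network_connect off
httpd_enable_cgi off
httpd_enable_homedirs off
httpd_unified off
allow_httpd_anon_write off
allow_httpd_sys_script_anon_write off
allow_httpd_user_script_anon_write off'

# Read getsebool output ("name --> value") on stdin. For each baseline
# boolean print a setsebool line when the live value differs, or a
# comment when the loaded policy does not define it at all. The last
# output line is the number of drifted booleans.
boolean_drift() {
    live=$(cat)
    drift=0
    while read -r name want; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$live" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$have" ]; then
            printf '# %s: not defined by the loaded policy\n' "$name"
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            printf 'setsebool -P %s %s   # currently %s\n' "$name" "$want" "$have"
            drift=$((drift + 1))
        fi
    done <<EOF
$BASELINE
EOF
    echo "$drift"
}

# Constructed sample of getsebool -a output (not from a real host): someone
# enabled httpd_unified and full network access to make an application
# work, and the system-script anon_write boolean is still on.
SAMPLE='allow_httpd_anon_write --> off
allow_httpd_sys_script_anon_write --> on
allow_httpd_user_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_enable_cgi --> off
httpd_enable_homedirs --> off
httpd_unified --> on'

# Number of drifted booleans in the sample (the fixing commands are
# printed before it).
sample_drift() {
    printf '%s\n' "$SAMPLE" | boolean_drift | tail -n 1
}

# On a real host: getsebool -a | boolean_drift
printf '%s\n' "$SAMPLE" | boolean_drift
```

A boolean the loaded policy does not define is reported separately rather than silently skipped, since on an older or trimmed policy that usually means the protection the baseline expects does not exist in that form at all.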

Ports

If you need to run the webserver on a non-default port, you can either mark that port as an HTTP port (http_port_t) or write a policy rule that allows httpd_t to bind to the port's existing type. Marking the port is the simpler route; the rule is needed when the port already belongs to another type that other domains rely on.

To mark a particular port (say 81) as an HTTP port, use semanage:

root #semanage port -a -t http_port_t -p tcp 81

semanage refuses to add a port that is already defined with another type (semanage port -l lists the current assignments). semanage port -m would change that definition instead, but this also changes what every other domain may do with the port. If you need to allow the webserver to bind on such a port without changing the port's type, write a policy module that allows the httpd_t domain to bind to it. For instance, to allow it to bind on the SMTP port:

allow httpd_t smtp_port_t:tcp_socket name_bind;
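A bare allow rule cannot be loaded on its own; it has to be packaged as a policy module that declares the types and class it uses. The script below is an added example, not part of the wiki page, that writes such a module around the rule above, compiles it and installs it. The module name httpd_smtp_bind is an assumption.

```shell
#!/bin/sh
# Added example (not from the wiki page): package the allow rule above in a
# loadable policy module and install it, the route to take when the port
# must keep its own type. The module name httpd_smtp_bind is an assumption.
set -eu

MODNAME=httpd_smtp_bind

# Type-enforcement source. The require block declares what the module
# borrows from the base policy; the single allow rule is the only addition.
module_te() {
    cat <<EOF
module $MODNAME 1.0;

require {
    type httpd_t;
    type smtp_port_t;
    class tcp_socket name_bind;
}

allow httpd_t smtp_port_t:tcp_socket name_bind;
EOF
}

# Compile and load. checkmodule, semodule_package and semodule come from
# sys-apps/checkpolicy and sys-apps/policycoreutils; run this as root.
# Without those tools only the .te file is written, for inspection.
build_and_load() {
    dir=$(mktemp -d)
    module_te > "$dir/$MODNAME.te"
    if command -v checkmodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$dir/$MODNAME.mod" "$dir/$MODNAME.te"
        semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod"
        semodule -i "$dir/$MODNAME.pp"
        echo "loaded $MODNAME; verify with: semodule -l | grep $MODNAME"
    else
        echo "checkmodule not found; wrote $dir/$MODNAME.te"
    fi
}

# "./this.sh load" compiles and installs; with no argument it prints the
# module source so it can be reviewed first.
if [ "${1:-}" = load ]; then
    build_and_load
else
    module_te
fi
```

The same module can be generated from a logged denial with audit2allow -M httpd_smtp_bind, but audit2allow allows everything it saw in the log, so read the generated .te before loading it and keep the rule set to the single name_bind permission shown here. Remove it again with semodule -r httpd_smtp_bind.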