SELinux/apache
Structure
Domains
The apache module provides the following domains:
Domain | Process(es) | Description |
---|---|---|
httpd_t | apache, lighttpd | Webserver processes |
httpd_helper_t | htsslpass | Domain for the htsslpass process |
httpd_php_t | php-cgi | Domain for PHP support through CGI (php-cgi process) |
httpd_rotatelogs_t | rotatelogs | Domain for the rotatelogs process |
httpd_suexec_t | suexec | Domain used by the webserver suexec process to switch to another user before calling and executing a script |
httpd_sys_script_t | | Domain used by the system/package-provided CGI scripts |
httpd_user_script_t | | Domain used by the user-provided CGI scripts |
The apache module allows other modules to define their own domains and types for use by the webservers. This is done through templates. The reference policy by default enables two such templated sets, for user and sys, which you can see in domains like httpd_sys_script_t and httpd_user_script_t. It is quite possible that more of these template-instantiated domains exist on your system.
File types/labels
The following table lists the file type/labels defined in the apache module.
- If the function mentions (templated) then it means that the types are generated by the apache module, but that similar others might exist on your system (called through other modules).
- When talking about scripts, we mean CGI scripts or other scripts that are triggered from the webserver, not from an interactive shell session.
Type | Function | Description |
---|---|---|
httpd_exec_t | Entrypoint | Entrypoint for the webserver processes |
httpd_initrc_exec_t | Entrypoint | Entrypoint for the webserver init scripts |
httpd_helper_exec_t | Entrypoint | Entrypoint for the webserver helper processes |
httpd_php_exec_t | Entrypoint | Entrypoint for the PHP scripts |
httpd_rotatelogs_exec_t | Entrypoint | Entrypoint for the rotatelog helper |
httpd_suexec_exec_t | Entrypoint | Entrypoint for the suexec wrapper |
httpd_sys_script_exec_t | Entrypoint (templated) | Entrypoint for system CGI scripts (or other callable scripts) that need access to the system content files (httpd_sys_content_t) |
httpd_user_script_exec_t | Entrypoint (templated) | Entrypoint for the user-provided scripts callable from the webserver instances |
httpd_squirrelmail_t | Content | Squirrelmail files |
squirrelmail_spool_t | Content | Squirrelmail attachment location |
httpd_sys_content_t | Content (templated) | Readable content for the webservers and system scripts, offered through the system / packages. |
httpd_sys_htaccess_t | Content (templated) | Label for the htaccess files, readable by the webserver but not from scripts or other webserver related domains. |
httpd_sys_rw_content_t | Content (templated) | Read and writeable content for the webservers and system scripts (not user scripts). |
httpd_sys_ra_content_t | Content (templated) | Read and appendable content for the webservers and system scripts (not user scripts). |
httpd_user_content_t | Content (templated) | Readable content for the webservers and user scripts, offered by (and writeable by) users. |
httpd_user_htaccess_t | Content (templated) | Label for the htaccess files, readable by the webserver but not from scripts or other webserver related domains. |
httpd_user_rw_content_t | Content (templated) | Read and writeable content for the webservers and user scripts (not system scripts). |
httpd_user_ra_content_t | Content (templated) | Read and appendable content for the webservers and user scripts (not system scripts). |
httpd_php_tmp_t | Temporary Files | Temporary files from the PHP scripts |
httpd_suexec_tmp_t | Temporary Files | Temporary files for the suexec domain |
httpd_tmp_t, httpd_tmpfs_t | Temporary Files | Temporary files from the httpd domain |
httpd_cache_t | Web server cache | |
httpd_config_t | Configuration files | |
httpd_lock_t | Lock files | |
httpd_log_t | Web server log files | |
httpd_modules_t | Webserver modules | |
httpd_var_lib_t | Webserver libraries | |
httpd_var_run_t | Runtime files for httpd | |
Using apache SELinux module
File locations
The policy offered only contains the right file context rules for the default locations. If you deviate from these locations, you'll need to update the contexts accordingly.
The following table provides an overview of common Apache settings (variables in httpd.conf) that are often changed by end users, and the file context that it should have. If you use a different webserver you'll need to base it on the description instead.
Setting in httpd.conf | Description | Default location | File context(s) |
---|---|---|---|
DocumentRoot | Location where web content is stored (html pages and such) | /srv/localhost/www | system_u:object_r:httpd_sys_content_t |
ScriptAlias | Location where CGI scripts are stored | /srv/localhost/cgi-bin | system_u:object_r:httpd_sys_script_exec_t |
Directory | User home directory location where user-provided content is stored | /home/*/public_html | system_u:object_r:httpd_user_content_t |
Directory | User home directory location where user-provided CGI scripts are stored | /home/*/public_html/cgi-bin | system_u:object_r:httpd_user_script_exec_t |
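When a location is moved away from the defaults above, the new directory must end up with the type the table prescribes. The following POSIX sh helper is an added example (not part of this wiki page): it maps a directory's role to the expected type, compares it with the label the directory actually carries, and prints the semanage fcontext and restorecon commands that would fix a mismatch. The role names (DocumentRoot, CgiBin, UserContent, UserCgiBin), the paths and the labels are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the wiki page. For a relocated Apache directory it derives
# the SELinux type the file-locations table prescribes for its role, compares that with
# the label the directory actually carries (as 'ls -Zd' would print it) and emits the
# semanage and restorecon commands that would correct it. Paths and labels are
# constructed sample data; nothing here touches the running system.

# Role of a directory -> SELinux type from the file-locations table above.
expected_type() {
    case "$1" in
        DocumentRoot) echo httpd_sys_content_t ;;      # static web content
        CgiBin)       echo httpd_sys_script_exec_t ;;  # system CGI scripts
        UserContent)  echo httpd_user_content_t ;;     # ~user/public_html
        UserCgiBin)   echo httpd_user_script_exec_t ;; # ~user/public_html/cgi-bin
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Type field (third colon-separated field) of a full context such as
# system_u:object_r:httpd_sys_content_t:s0; works with or without the trailing level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_dir ROLE PATH ACTUAL_CONTEXT
# Prints "ok" when the type matches, otherwise the persistent file-context rule for
# PATH and everything below it, followed by the relabel command.
check_dir() {
    want=$(expected_type "$1") || return 1
    have=$(context_type "$3")
    if [ "$have" = "$want" ]; then
        echo ok
    else
        printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$want" "$2"
        printf 'restorecon -Rv %s\n' "$2"
    fi
}

# Constructed sample: a DocumentRoot relocated to /data/www, created before any
# file-context rule existed and therefore labeled default_t, next to a CGI directory
# that already carries the right type.
demo() {
    check_dir DocumentRoot /data/www system_u:object_r:default_t:s0
    check_dir CgiBin /data/www/cgi-bin system_u:object_r:httpd_sys_script_exec_t:s0
}

demo
```

Feed it the output of `ls -Zd` for each relocated directory; the printed semanage rule is persistent, so a later relabel keeps the type.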
Sharing files
The SELinux policy (as part of the miscfiles module) supports two additional types: public_content_t and public_content_rw_t. These are used for so-called anonymous files, which are readable by all file-serving services. If all services only need to read from them, use public_content_t. If at least one service needs to write to them, use public_content_rw_t and toggle the right SELinux boolean for the domain that needs write access (allow_DOMAIN_anon_write).
For instance, if you have files that are shared by Apache, NFS, Samba, ... you label these public_content_t (read-only) or public_content_rw_t (read-write for some) and then toggle the appropriate booleans:
root # setsebool -P allow_httpd_sys_script_anon_write on
Booleans
The apache module has several booleans which manipulate the allowed permissions within your installation. The table below gives an overview of the booleans, but also mentions which USE flags you could associate with it. Note that the booleans are not linked to USE flags. However, if you have set a particular USE flag for the webserver environment, then you might want to toggle these booleans as well.
Boolean | Description | Gentoo USE flag suggestion |
---|---|---|
allow_httpd_anon_write | Allow the webserver to modify public files (labeled public_content_rw_t) | |
allow_httpd_sys_script_anon_write | Allow the system scripts to modify public files | |
allow_httpd_user_script_anon_write | Allow the user scripts to modify public files | |
allow_httpd_mod_auth_pam | Allow the webserver to use the auth_pam module | |
httpd_builtin_scripting | Needed when your webservers use internal scripting languages like PHP (languages that are read and interpreted by the webserver directly rather than called through separate processes like with CGI) | |
httpd_can_network_connect | Allow the webserver scripts and modules to connect to the network | |
httpd_can_network_connect_db | Allow the webserver scripts and modules to connect to databases over the network | |
httpd_can_network_relay | Allow webservers to act as a relay | |
httpd_can_sendmail | Allow webservers to send e-mails | |
httpd_dbus_avahi | Allow webservers to communicate with avahi service via dbus | |
httpd_enable_cgi | Allow webservers to call CGI scripts (labeled httpd_sys_script_exec_t or httpd_user_script_exec_t) | |
httpd_enable_ftp_server | Allow webservers to act as an FTP server by listening on the FTP ports | |
httpd_enable_homedirs | Allow webservers to read home directories (user_home_t). Not to be mistaken with httpd_user_content_t, which resides in the users' home directory but is labeled, well, httpd_user_content_t ;-) | |
httpd_ssi_exec | Allow webservers to run SSI executables in the same domain as the CGI scripts | |
httpd_tty_comm | Allow webservers to communicate with the terminal. This is needed when you need to enter a passphrase for certificates at the terminal. | |
httpd_unified | When enabled, the various webserver content types (all types with attribute httpdcontent set) are not differentiated anymore, but all considered to be readable, writeable and executable by the webserver. | |
httpd_use_cifs | Allow webservers to access CIFS file systems | |
httpd_use_gpg | Allow webservers to run gpg | |
httpd_use_nfs | Allow webservers to access NFS file systems | |
If you want to toggle booleans, you can do so through setsebool:
root # setsebool -P httpd_enable_homedirs on
Ports
If you need to run the webserver on a non-default port, you can either mark this port as an HTTP port (http_port_t) or create the appropriate rule to allow it to bind to the specified port.
To mark a particular port (say 81) as an HTTP port, use semanage:
root # semanage port -a -t http_port_t -p tcp 81
If you need to allow the webserver to bind to a port but cannot change that port's type, you'll need to create a policy that allows the httpd_t domain to bind to the particular port. For instance, to allow it to bind to the SMTP port:
allow httpd_t smtp_port_t:tcp_socket name_bind;