RHEL 7 HTTPD SELinux policy hardening.

Share this link

If you have to migrate a HTTPD server from RHEL 6/CentOS 6 to RHEL 7/CentOS 7, you should be careful.

The default HTTPD SELinux policy has changed and very limited information has been provided about it: many free tutorials available on the Internet won’t work because of SELinux!

In RHEL 6/CentOS 6, you didn’t need to define precisely what directories or files you were allowed to read, write and execute. You could assign the httpd_sys_content_t SELinux context to all the directories and files under the /var/www/html directory or any path of your choice and, as the httpd_unified SELinux boolean was set to on by default, you could get read, write, and execution access rights everywhere within this path. Things were pretty simple!

With RHEL 7/CentOS 7, the httpd_unified SELinux boolean is now set to off by default, meaning that the httpd_sys_content_t SELinux context allows only read access.

You’ve got now three cases:

  • you agree with the previous relaxed SELinux policy: set the httpd_unified SELinux boolean to on and you are done,
  • you accept the new restricted policy and your webserver uses the /var/www/html path: apply the restorecon -R /var/www/html command and test your webserver behaviour,
  • you accept the new restricted policy but your server doesn’t use the standard /var/www/html path: you have to define precisely all the SELinux rules to get read, write or execution access rights.

With WordPress websites for example, a symptom of a wrong SELinux configuration can be the inability to upload anything or when updating a plugin getting a message asking for the ftp account!

At the end of the day, there is nothing complicated. But you need to be aware!

Additional information is available in the HTTPD SELinux policy page.

Posted in RHEL7

Upcoming Events (Local Time)

  1. Feb

    1. (all-day) - View Details
      CentOS: Connect, FOSDEM, 2023.

RHCSA7: Task of the day

Allowed time: 5 minutes.
Configure a cron task to write the uptime at 2PM every day.

RHCE7: Task of the day

Allowed time: 10 minutes.
Configure a system to forward all email to a central mail server at (change the IP address accordingly).

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...