RHEL 7 HTTPD SELinux policy hardening.

Share this link

If you have to migrate a HTTPD server from RHEL 6/CentOS 6 to RHEL 7/CentOS 7, you should be careful.

The default HTTPD SELinux policy has changed and very limited information has been provided about it: many free tutorials available on the Internet won’t work because of SELinux!

In RHEL 6/CentOS 6, you didn’t need to define precisely what directories or files you were allowed to read, write and execute. You could assign the httpd_sys_content_t SELinux context to all the directories and files under the /var/www/html directory or any path of your choice and, as the httpd_unified SELinux boolean was set to on by default, you could get read, write, and execution access rights everywhere within this path. Things were pretty simple!

With RHEL 7/CentOS 7, the httpd_unified SELinux boolean is now set to off by default, meaning that the httpd_sys_content_t SELinux context allows only read access.

You’ve got now three cases:

  • you agree with the previous relaxed SELinux policy: set the httpd_unified SELinux boolean to on and you are done,
  • you accept the new restricted policy and your webserver uses the /var/www/html path: apply the restorecon -R /var/www/html command and test your webserver behaviour,
  • you accept the new restricted policy but your server doesn’t use the standard /var/www/html path: you have to define precisely all the SELinux rules to get read, write or execution access rights.

With WordPress websites for example, a symptom of a wrong SELinux configuration can be the inability to upload anything or when updating a plugin getting a message asking for the ftp account!

At the end of the day, there is nothing complicated. But you need to be aware!

Additional information is available in the HTTPD SELinux policy page.

Posted in RHEL7

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create two new user accounts "steve" and "oliver".
Create a group "team". Create a directory "shared".
All files put into the "shared" directory by "steve" or "oliver" should belong to the "team" group and be only visible by them.

RHCE7: Task of the day

Allowed time: 8 minutes.
Set up an iScsi target based on a block backstore of 100MB called lv_iscsi with basic authentication, ext4 filesystem and standard firewall configuration.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...