RHEL7: How to deal with HTTPD SELinux policy.


From RHEL 6 to RHEL 7, a small but significant change happened in the HTTPD SELinux policy. The expression "HTTPD SELinux policy" is used here because the same policy module confines both the Apache and the Nginx web servers: both run in the httpd_t domain and are subject to the same rules.

The boolean httpd_unified, which was enabled by default in RHEL 6, is disabled by default in RHEL 7. Red Hat decided that people were educated enough to live with a stronger SELinux policy.

When enabled, this boolean lets the web server process treat all of its content alike, without distinguishing between content types: httpd_t can read, write and execute files carrying any of the httpd content types (httpd_sys_content_t, httpd_sys_rw_content_t, httpd_sys_script_exec_t, etc).

When disabled, the distinction between types is enforced: files labeled httpd_sys_content_t (the default label under /var/www) are read-only for the web server, it can only write to files labeled httpd_sys_rw_content_t, and it can only execute scripts labeled httpd_sys_script_exec_t. A web server compromised through a vulnerable application can then no longer drop a file into its own document root and execute it, which is the whole point of the change.

As this boolean is disabled by default in RHEL 7, you've got two options:
– enable it to get the same behavior as RHEL 6 (the -P option makes the change persistent across reboots):

# setsebool -P httpd_unified 1

This is the quick fix, but it hands back the weaker RHEL 6 confinement to every web application on the host.

– define the labels in your web server document directory precisely and apply them: keep httpd_sys_content_t for read-only content, use httpd_sys_rw_content_t only for the directories the application really has to write to (uploads, caches), and httpd_sys_script_exec_t for CGI scripts. Record the rules with semanage fcontext so that they survive a relabel (a plain chcon does not), then apply them with restorecon:

# semanage fcontext -a ... 
# restorecon -R /var/www/html
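The second option worked through end to end, as an added example that is not part of the original post. It assumes a hypothetical layout where /var/www/html holds read-only content (already covered by the policy's default /var/www(/.*)? rule, so no new rule is needed for it) and /var/www/html/uploads must be writable by the web server; the role names and function names are this example's own. The helper functions are safe to source anywhere; the privileged part only runs with --apply, as root, on a RHEL 7 host with policycoreutils-python installed (it provides semanage and audit2why).

```shell
#!/bin/sh
# Added example, not from the original post: label an httpd document tree
# precisely instead of re-enabling httpd_unified.
# Assumed (hypothetical) layout: /var/www/html is read-only content,
# /var/www/html/uploads must be writable by the web server.

# Build the regex semanage fcontext expects for a directory and everything below it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Map a directory role to the SELinux type that role needs once httpd_unified
# is off. The role names are a convention of this example, not of the policy.
type_for_role() {
    case "$1" in
        static)   echo httpd_sys_content_t ;;      # read-only for httpd_t
        writable) echo httpd_sys_rw_content_t ;;   # read/write (uploads, caches)
        append)   echo httpd_sys_ra_content_t ;;   # append-only (application logs)
        cgi)      echo httpd_sys_script_exec_t ;;  # executable scripts
        *)        echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Record the rule persistently and apply it to the files on disk.
# semanage fcontext -a refuses a pattern that is already defined; use -m
# to change an existing rule instead.
label_dir() {
    dir=$1
    role=$2
    type=$(type_for_role "$role") || return 1
    pattern=$(fcontext_pattern "$dir")
    semanage fcontext -a -t "$type" "$pattern"
    restorecon -Rv "$dir"
}

# Verify: matchpathcon prints what the policy says the path should carry,
# ls -dZ what it actually carries. Both must agree after restorecon.
show_labels() {
    for d in "$@"; do
        matchpathcon "$d"
        ls -dZ "$d"
    done
}

main() {
    getsebool httpd_unified    # expected on RHEL 7: httpd_unified --> off
    label_dir /var/www/html/uploads writable
    show_labels /var/www/html /var/www/html/uploads
    # If the application still gets denied, read the AVCs before reaching
    # for setsebool: the answer is usually a missing rw label, not the boolean.
    ausearch -m AVC -c httpd -ts recent | audit2why
}

# Only run the privileged part when explicitly asked (root on a RHEL 7 host).
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Running it with --apply on a host where the uploads directory was created by hand shows the before/after difference: before restorecon the directory inherits httpd_sys_content_t from its parent and every write by httpd_t is denied; afterwards ls -dZ reports httpd_sys_rw_content_t and the AVC denials stop, while the rest of /var/www/html stays read-only for the web server.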

More explanations can be found in this must-read blog post by Dan Walsh.
