RHEL7: How to deal with HTTPD SELinux policy.


From RHEL 6 to RHEL 7, a slight change happened in the HTTPD SELinux policy. The expression "HTTPD SELinux policy" is used here because it covers both the Apache and Nginx web servers, which follow the same SELinux policy.

A boolean called httpd_unified, previously enabled, is now disabled by default. Red Hat decided that people were educated enough to cope with a stronger SELinux policy.

When enabled, this boolean lets the Apache/Nginx processes treat all web content in the same way, without distinction: the processes can basically read/write/execute everything labelled with the httpd_sys_*content_t types (httpd_sys_content_t, httpd_sys_rw_content_t, etc.).

When disabled, the web server document directory becomes a read-only world (httpd_sys_content_t).

As this boolean is disabled by default in RHEL 7, you've got two options:

– enable it to get the same behavior as RHEL 6:

# setsebool -P httpd_unified 1

– define the labels precisely for every part of your web server document directory and apply them:

# semanage fcontext -a ...
# restorecon -R /var/www/html
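The second option, carried through as an added example (not part of the original post): the whole document root stays read-only (httpd_sys_content_t), only the directory the application must write to gets httpd_sys_rw_content_t, and the rules are recorded with semanage so they survive a relabel. The path /srv/www/example and its uploads subdirectory are assumptions; adjust them to your DocumentRoot. Run it as `sh label_docroot.sh apply` on the web server, or with DRY_RUN=1 to review the commands first.

```shell
#!/bin/sh
# Added example, not the original post's code: label a web document root
# precisely instead of enabling httpd_unified. DOCROOT is an assumed path.
#
# DRY_RUN=1 prints the commands instead of running them, so the logic can be
# reviewed on a host without SELinux tooling.

DOCROOT="${DOCROOT:-/srv/www/example}"

# run CMD...: execute CMD, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# label_for_role ROLE: map a content role to its SELinux type.
label_for_role() {
    case "$1" in
        ro)   echo httpd_sys_content_t ;;      # static pages: read-only to httpd_t
        rw)   echo httpd_sys_rw_content_t ;;   # uploads, caches: read/write
        exec) echo httpd_sys_script_exec_t ;;  # CGI / scripts httpd may execute
        *)    echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# add_rule ROLE PATH: record a persistent file-context rule for PATH and
# everything below it (the "(/.*)?" suffix is the usual semanage idiom).
add_rule() {
    setype=$(label_for_role "$1") || return 1
    run semanage fcontext -a -t "$setype" "$2(/.*)?"
}

# label_docroot: whole tree read-only, the upload dir writable, then apply
# the recorded rules to the files on disk.
label_docroot() {
    add_rule ro "$DOCROOT" &&
    add_rule rw "$DOCROOT/uploads" &&
    run restorecon -Rv "$DOCROOT"
}

# verify: show which label the policy now expects for each path and confirm
# httpd_unified is still off, which is the whole point of precise labelling.
verify() {
    run matchpathcon "$DOCROOT" "$DOCROOT/uploads"
    run getsebool httpd_unified
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    apply) label_docroot && verify ;;
esac
```

Keeping uploads under their own httpd_sys_rw_content_t subtree means a compromised application can still only write where it was meant to, while everything else served by httpd stays read-only; `matchpathcon` after `restorecon` is the quick way to confirm the rules landed where you expect.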

More explanations can be found in Dan Walsh's must-read blog post.
