Type Enforcement is the main permission control used in SELinux targeted policy. All files and processes are labeled with a type: types define a domain for processes and a type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following example creates a new file in the /var/www/html/ directory, and shows the file inheriting the httpd_sys_content_t type from its parent directory (/var/www/html/):
- Run ls -dZ /var/www/html to view the SELinux context of /var/www/html/:
$ ls -dZ /var/www/html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
This shows /var/www/html/ is labeled with the httpd_sys_content_t type.
- Run touch /var/www/html/file1 as the root user to create a new file.
- Run ls -Z /var/www/html/file1 to view the SELinux context:
$ ls -Z /var/www/html/file1
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/file1
The ls -Z command shows file1 labeled with the httpd_sys_content_t type. SELinux allows httpd to read files labeled with this type, but not write to them, even if Linux permissions allow write access. SELinux policy defines what types a process running in the httpd_t domain (where httpd runs) can read and write to. This helps prevent processes from accessing files intended for use by another process.
For example, httpd can access files labeled with the httpd_sys_content_t type (intended for the Apache HTTP Server), but by default, cannot access files labeled with the samba_share_t type (intended for Samba). Also, files in user home directories are labeled with the user_home_t type: by default, this prevents httpd from reading or writing to files in user home directories.
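As an added illustration, not code from the Red Hat guide, the following Python models the two things this section shows: the default label a new file receives (type inherited from the parent directory, SELinux user and level from the creating process, which is why the directory shows system_u and file1 shows unconfined_u), and an audit over ls -Z output that flags files under the web root carrying a type outside the httpd content types the guide lists, such as user_home_t on a file moved in from a home directory. The ls -Z lines are constructed sample input, the function names are my own, and the labelling rule modelled is the default one with no type_transition rule in play.

```python
"""Added example: parse `ls -Z` output, model default file labelling, and
audit a web root for files httpd will not be able to serve.
Not part of the Red Hat SELinux guide."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


def parse_context(ctx: str) -> Context:
    """Split user:role:type:level. The level may itself contain ':' in an
    MLS range such as s0-s0:c0.c1023, so split into at most four fields."""
    user, role, typ, level = ctx.split(":", 3)
    return Context(user, role, typ, level)


def parse_ls_z(line: str) -> tuple[str, Context]:
    """Parse one `ls -Z` line as printed in the guide: mode owner group context path.
    The context is the field with at least three colons; the path is the last
    field (paths containing spaces are not handled by this simple splitter)."""
    fields = line.split()
    ctx = next(f for f in fields if f.count(":") >= 3)
    return fields[-1], parse_context(ctx)


def default_new_file_context(creator: Context, parent: Context) -> Context:
    """Default label of a newly created file when no type_transition applies:
    SELinux user from the creating process, role object_r, type inherited from
    the parent directory, level = low end of the creating process's range.
    Reproduces the guide: unconfined root creating a file in a
    system_u:object_r:httpd_sys_content_t:s0 directory yields
    unconfined_u:object_r:httpd_sys_content_t:s0."""
    low_level = creator.level.split("-", 1)[0]
    return Context(creator.user, "object_r", parent.type, low_level)


# Types the guide lists as intended for httpd. Anything else under the web
# root (default_t, user_home_t, samba_share_t, ...) is content httpd cannot
# reach regardless of its Linux permissions.
HTTPD_CONTENT_TYPES = {
    "httpd_sys_content_t",
    "httpd_sys_script_exec_t",
    "httpd_sys_content_rw_t",
    "httpd_sys_content_ra_t",
    "httpd_unconfined_script_exec_t",
}

# Constructed `ls -Z` output for a web root (sample data, not from the guide).
SAMPLE_LS_Z = """\
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r-- root root unconfined_u:object_r:user_home_t:s0 /var/www/html/report.csv
-rwxr-xr-x root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 /var/www/html/form.cgi
-rw-r--r-- root root unconfined_u:object_r:default_t:s0 /var/www/html/backup.tar
"""


def audit_web_root(ls_z_output: str) -> list[tuple[str, str]]:
    """Return (path, type) for every file whose type is not an httpd content type."""
    findings = []
    for line in ls_z_output.splitlines():
        if not line.strip():
            continue
        path, ctx = parse_ls_z(line)
        if ctx.type not in HTTPD_CONTENT_TYPES:
            findings.append((path, ctx.type))
    return findings


if __name__ == "__main__":
    shell = parse_context("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
    webroot = parse_context("system_u:object_r:httpd_sys_content_t:s0")
    print("new file gets:", default_new_file_context(shell, webroot))
    for path, typ in audit_web_root(SAMPLE_LS_Z):
        print(f"{path}: labeled {typ}, not an httpd content type")
```

Feed it the real output of ls -Z over a web root to get the same list; files the audit reports are the ones restorecon (or chcon, for a temporary fix) would need to relabel before httpd can serve them.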
The following lists some of the types used with httpd. Different types allow you to configure flexible access:
httpd_sys_content_t
- Use this type for static web content, such as .html files used by a static website. Files labeled with this type are accessible (read only) to httpd and scripts executed by httpd. By default, files and directories labeled with this type cannot be written to or modified by httpd or other processes. Note: by default, files created in or copied into /var/www/html/ are labeled with the httpd_sys_content_t type.
httpd_sys_script_exec_t
- Use this type for scripts you want httpd to execute. This type is commonly used for Common Gateway Interface (CGI) scripts in /var/www/cgi-bin/. By default, SELinux policy prevents httpd from executing CGI scripts. To allow this, label the scripts with the httpd_sys_script_exec_t type and turn the httpd_enable_cgi Boolean on. Scripts labeled with httpd_sys_script_exec_t run in the httpd_sys_script_t domain when executed by httpd. The httpd_sys_script_t domain has access to other system domains, such as postgresql_t and mysqld_t.
httpd_sys_content_rw_t
- Files labeled with this type can be written to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_content_rw_t type to label files that will be read from and written to by scripts labeled with the httpd_sys_script_exec_t type.
httpd_sys_content_ra_t
- Files labeled with this type can be appended to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_content_ra_t type to label files that will be read from and appended to by scripts labeled with the httpd_sys_script_exec_t type.
httpd_unconfined_script_exec_t
- Scripts labeled with this type run without SELinux protection. Only use this type for complex scripts, after exhausting all other options. It is better to use this type instead of turning SELinux protection off for httpd, or for the entire system.
To see more of the available types for httpd, run the following command:
grep httpd /etc/selinux/targeted/contexts/files/file_contexts
The type for files and directories can be changed with the chcon command. Changes made with chcon do not survive a file system relabel or the restorecon command. SELinux policy controls whether users are able to modify the SELinux context for any given file. The following example demonstrates creating a new directory and an index.html file for use by httpd, and labeling that file and directory to allow httpd access to them:
- Run mkdir -p /my/website as the root user to create a top-level directory structure to store files to be used by httpd.
- Files and directories that do not match a pattern in file-context configuration may be labeled with the default_t type. This type is inaccessible to confined services:
$ ls -dZ /my
drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /my
- Run chcon -R -t httpd_sys_content_t /my/ as the root user to change the type of the /my/ directory and subdirectories, to a type accessible to httpd. Now, files created under /my/website/ inherit the httpd_sys_content_t type, rather than the default_t type, and are therefore accessible to httpd:
# chcon -R -t httpd_sys_content_t /my/
# touch /my/website/index.html
# ls -Z /my/website/index.html
-rw-r--r-- root root unconfined_u:object_r:httpd_sys_content_t:s0 /my/website/index.html
Refer to the Temporary Changes: chcon section of the Red Hat Enterprise Linux 6 SELinux User Guide for further information about chcon.
Use the semanage fcontext command (semanage is provided by the policycoreutils-python package) to make label changes that survive a relabel and the restorecon command. This command adds changes to file-context configuration. Then, run the restorecon command, which reads file-context configuration, to apply the label change. The following example demonstrates creating a new directory and an index.html file for use by httpd, and persistently changing the label of that directory and file to allow httpd access to them:
- Run mkdir -p /my/website as the root user to create a top-level directory structure to store files to be used by httpd.
- Run the following command as the root user to add the label change to file-context configuration:
semanage fcontext -a -t httpd_sys_content_t "/my(/.*)?"
The "/my(/.*)?" expression means the label change applies to the /my/ directory and all files and directories under it.
- Run touch /my/website/index.html as the root user to create a new file.
- Run restorecon -R -v /my/ as the root user to apply the label changes (restorecon reads file-context configuration, which was modified by the semanage command in step 2):
# restorecon -R -v /my/
restorecon reset /my context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /my/website context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
restorecon reset /my/website/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
Refer to the Persistent Changes: semanage fcontext section of the Red Hat Enterprise Linux SELinux User Guide for further information on semanage.
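To make the difference between the chcon and semanage fcontext procedures concrete, here is an added Python model (not code from the Red Hat guide or from the SELinux tools) of how file-context configuration is matched against paths. It shows why the "/my(/.*)?" entry covers /my, /my/website and /my/website/index.html but not a sibling such as /myother, reproduces the three reset lines restorecon -R -v /my/ prints above, and shows that a label set with chcon on a file under /var/www is reverted by restorecon because it is not in the configuration. The configuration excerpt and current labels are constructed sample data; the precedence rule (longest literal prefix wins, later entry wins ties) is a simplification of libselinux's matching that gives the same results for these entries; function names are my own.

```python
"""Added example: model file_contexts matching and predict what
`restorecon -R -v` would reset. Not part of the Red Hat SELinux guide."""
from __future__ import annotations
import re

# Constructed excerpt in file_contexts format as (regex, context), with the
# optional file-type column omitted. Base policy entries come first; the entry
# added with `semanage fcontext -a` lives in file_contexts.local and is
# consulted after them.
FILE_CONTEXTS = [
    ("/.*",                    "system_u:object_r:default_t:s0"),
    ("/var/www(/.*)?",         "system_u:object_r:httpd_sys_content_t:s0"),
    ("/var/www/cgi-bin(/.*)?", "system_u:object_r:httpd_sys_script_exec_t:s0"),
    ("/my(/.*)?",              "system_u:object_r:httpd_sys_content_t:s0"),  # from semanage fcontext
]

_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def literal_prefix(spec: str) -> str:
    """Part of the pattern before its first regular-expression metacharacter."""
    m = _META.search(spec)
    return spec if m is None else spec[:m.start()]


def expected_context(path: str) -> str | None:
    """Configured context for a path, or None if nothing matches.
    Patterns are anchored to the whole path (as libselinux does), so
    "/my(/.*)?" matches /my and everything below it but not /myother.
    Precedence (simplified model): longest literal prefix wins, and a later
    entry wins ties, so the semanage entry beats the catch-all "/.*"."""
    path = path.rstrip("/") or "/"
    best = None
    for index, (spec, ctx) in enumerate(FILE_CONTEXTS):
        if re.fullmatch(spec, path):
            key = (len(literal_prefix(spec)), index)
            if best is None or key > best[0]:
                best = (key, ctx)
    return None if best is None else best[1]


def plan_restorecon(root: str, current: dict[str, str]) -> list[str]:
    """Lines `restorecon -R -v <root>` would print for the files under root.
    A file is reset when its on-disk type differs from the configured type;
    a different SELinux user alone (unconfined_u vs system_u) is not a reason."""
    root = root.rstrip("/") or "/"
    prefix = root if root == "/" else root + "/"
    lines = []
    for path, old in sorted(current.items()):
        if path != root and not path.startswith(prefix):
            continue
        new = expected_context(path)
        if new is None or old.split(":")[2] == new.split(":")[2]:
            continue
        lines.append(f"restorecon reset {path} context {old}->{new}")
    return lines


# Constructed on-disk labels: /my was created without a matching entry
# (default_t), /myother is a sibling the pattern must not cover, and
# notes.txt was relabeled by hand with chcon.
CURRENT_LABELS = {
    "/my": "unconfined_u:object_r:default_t:s0",
    "/my/website": "unconfined_u:object_r:default_t:s0",
    "/my/website/index.html": "unconfined_u:object_r:default_t:s0",
    "/myother": "unconfined_u:object_r:default_t:s0",
    "/var/www/html/index.html": "unconfined_u:object_r:httpd_sys_content_t:s0",
    "/var/www/html/notes.txt": "unconfined_u:object_r:samba_share_t:s0",
}

if __name__ == "__main__":
    for line in plan_restorecon("/my/", CURRENT_LABELS):
        print(line)
    print("chcon'd file reverted:", plan_restorecon("/var/www", CURRENT_LABELS))
    print("/myother ->", expected_context("/myother"))
```

Running it prints the same three reset lines as the guide's transcript for /my/, one reset line for the chcon-relabeled notes.txt under /var/www, and default_t for /myother, which the "/my(/.*)?" entry does not reach. On a real system, semanage fcontext -l lists the actual entries, and matchpathcon or selinux's own tooling gives the authoritative answer for a path.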