Securing an Apache Web server with SELinux
Learn how to keep your Apache Web server secure by applying basic SELinux settings, including adjusting SELinux so Apache uses nondefault settings.
The chances of having your Web servers hacked are real, but SELinux can be used to make sure that your website doesn’t suffer real damage.
You can use SELinux types to create an exact definition of what a service can do and where it can do it. By default, the httpd_sys_content type is set to /var/www, which defines that the httpd process is allowed to work from this directory. If a hacker breaches the Apache Web server and tries to write somewhere else—like the default /tmp to Red Hat and similar Linux distributions such as Fedora and CentOS. But you need to know what you’re dealing with. If you configure Apache to serve content in the /data directory, SELinux would prevent that by default too.
Because of the complications that these default settings may introduce, many Linux administrators disable SELinux. And while it’s true that disabling SELinux makes it easier to provide service on your server, it also increases security risks.
Managing SELinux Settings for Apache
Managing SELinux settings for services like Apache is not hard. The problem is that there are no easy graphical tools that allow you to do a quick setup. But by applying just three commands, you can configure it.
To set the file type on the directory that you want to give your service access to, you must first determine which file system type to use. To do that, type ls –ldZ on the default directory that your service uses.
For Apache, you would use ls –ldZ /var/www. You’ll notice that in this cases, the –Z option gives additional file properties, and the –t option is the one that matters. This process defines the current file system type to which the Apache environment is set (httpd_sys_content_t). This also is the file type that you need to set as your new document root.
There are two commands that you can use for setting your content type: with chcon you can make a temporary change—which disappears after a reboot—and with semanage, followed by restorecon, you can make the changes permanent.
The semanage command may seem complicated, but it’s actually quite simple because you need to change only the type you want to use and the target directory. In the example below, there are just two parameters you would need to change. The following shows that the rest of the example command can remain exactly as it is:
semanage fcontext -a -t httpd_sys_content_t /web(/.*)/?
After using semanage to set the default file type, use the restorecon command to make sure that it is applied.. In the example above, where the file type for the directory /web is changed to allow Apache to server files from that directory, run the following command to apply the changes:
restorecon -R -v /web
At this point, Apache will be able to serve files from the new nondefault document root directory.
Managing Booleans for SELinux
Another aspect of SELinux that youneed to manage are the SELinux Booleans. These are binary values that switch certain functions on or off. Booleans are available for many services. Use the getsebool –a command to get an overview of all the existing Booleans . This command normally gives a long list of settings that you can apply.
To find all Booleans for the service you want to configure, pipe the output of getsebool –a through grep. For instance, use getsebool –a | grep http to find all Booleans that match the string http. Even without having a clear understanding of each Boolean, you’ll often find out by just looking at their names what they are supposed to be doing.
Use getsebool –a to find out which SELinux Booleans are available to modify behavior of your services:
[[email protected] Desktop]# getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
After learning which Booleans you want to use, apply them using setsebool -P. If you want to allow Apache to use nfs, use setsebool -P http_use_nfs on. For a complete list of all Booleans that are available, consult the httpd_selinux man page, which explains Apache specific file labels as well as Booleans.