SELinux change DocumentRoot for Apache

Subjects (processes) and objects (files) have a security context.
(Process contexts are called domains, file contexts are called labels.)

Context type
Apache uses a DocumentRoot whose context type is "httpd_sys_content_t".

ls -Zd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

Apache's httpd runs with type httpd_t.

ps -efZ | grep httpd
system_u:system_r:httpd_t:s0 root 27356 1 0 11:30 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
(snipped)

With SELinux enabled, httpd is allowed to access /var/www/html.

When you create a new DocumentRoot, access to this directory will be denied because the new directory will not have the same context as the original DocumentRoot.

mkdir /newdocumentroot
ls -Zd /newdocumentroot
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /newdocumentroot

Now, when you access the webserver, access will be denied.
Make sure httpd.conf has the following entries:

DocumentRoot "/newdocumentroot"
<Directory "/newdocumentroot">
AllowOverride None
# Allow open access:
Require all granted
</Directory>

restart httpd:
service httpd restart

follow audit.log:

tail -f /var/log/audit/audit.log
type=AVC msg=audit(1480764099.856:1548): avc: denied { read } for pid=16337 comm="httpd" name="index.html" dev="dm-1" ino=28350272 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file

What context type must the new DocumentRoot have for httpd to be allowed to access it? Check the original one:

ls -Z /var/www/html

httpd_sys_content_t

to allow access, change the type to httpd_sys_content_t

chcon -Rt httpd_sys_content_t /newdocumentroot/
or run
chcon -Rv --type=httpd_sys_content_t /newdocumentroot
This will recursively change the context type of all files and directories in /newdocumentroot.
Files created in it afterwards inherit the directory's label; files moved in keep their old label (see the note below).

ls -lZ /newdocumentroot
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html

to restore the original context of /newdocumentroot (thus blocking access again), since chcon only changes the label on disk and not the policy's file-context rules:
restorecon -R /newdocumentroot
If you want /newdocumentroot to still have the correct context after a restorecon, you should
make the context permanent with the following command (restorecon then applies the rule).
semanage fcontext -a -t httpd_sys_content_t "/newdocumentroot(/.*)?"

Note: when you move an existing file into /newdocumentroot, it keeps its old context and will not have the correct one.
You can run the following command to change it to httpd_sys_content_t

restorecon -R /newdocumentroot
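The same diagnosis, as an added example that is not part of the original post: a POSIX shell script that parses the AVC denial and the `ls -Zd` output shown above (embedded here as constructed sample lines, so it runs without SELinux installed), extracts the source and target types, and prints the semanage/restorecon fix when a DocumentRoot carries the wrong type. The function names and the helper layout are my own.

```shell
#!/bin/sh
# Constructed sample audit.log line, same shape as the denial shown in the post.
AVC_LINE='type=AVC msg=audit(1480764099.856:1548): avc: denied { read } for pid=16337 comm="httpd" name="index.html" dev="dm-1" ino=28350272 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# Type field of a context string (user:role:type:level) is the third colon-separated element.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# For an AVC denial line, print "<source type> <target type> <object name>"; return 1 for other lines.
avc_summary() {
    line=$1
    case $line in
        *"avc:  denied"*|*"avc: denied"*) ;;   # real audit.log uses two spaces, the post shows one
        *) return 1 ;;
    esac
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    printf '%s %s %s\n' "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$name"
}

# The type the post gives for static content served by httpd.
expected_docroot_type() {
    printf 'httpd_sys_content_t\n'
}

# Given one line of `ls -Zd` output (mode user group context path), succeed if the type matches.
docroot_label_ok() {
    ctx=$(printf '%s\n' "$1" | awk '{print $4}')
    [ "$(ctx_type "$ctx")" = "$(expected_docroot_type)" ]
}

# The persistent fix from the post: add a file-context rule, then relabel.
remediation() {
    dir=$1
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$(expected_docroot_type)" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Walk the constructed sample: summarize the denial, then check the new DocumentRoot's label.
avc_summary "$AVC_LINE"
docroot_label_ok 'drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /newdocumentroot' \
    || remediation /newdocumentroot
```

On a live host, replace the constructed strings with `tail -n 50 /var/log/audit/audit.log` and `ls -Zd "$DocumentRoot"` output.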
