Between RHEL 6 and RHEL 7, a small but significant change was made to the HTTPD SELinux policy. The term "HTTPD SELinux policy" is used here because it covers both Apache and Nginx: both web servers run in the httpd_t domain and follow the same SELinux rules.
The boolean httpd_unified, enabled by default in RHEL 6, is disabled by default in RHEL 7. Red Hat judged that administrators were now familiar enough with SELinux to live with the stricter policy.
When the boolean is enabled, the web server process treats all web content the same way, regardless of its label: httpd_t can read, write and execute anything carrying one of the httpd_sys_*content_t types (httpd_sys_content_t, httpd_sys_rw_content_t, httpd_sys_ra_content_t, and so on), so the distinction between those labels is effectively lost.
When it is disabled, a file labelled httpd_sys_content_t is read-only for the web server. The document directory is no longer writable unless the directories the server genuinely needs to write to are explicitly relabelled (httpd_sys_rw_content_t for read/write, httpd_sys_ra_content_t for append-only).
As the boolean is disabled by default in RHEL 7, you have two options:
– enable it to get the same behaviour as RHEL 6 (and give up the extra protection; -P makes the change persistent across reboots):
# setsebool -P httpd_unified 1
– define the labels for every part of your web server document directory precisely, then apply them to the files on disk:
# semanage fcontext -a ...
# restorecon -R /var/www/html
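The second option worked through, as an added example that is not part of the original post (and not Red Hat's or Dan Walsh's code): a POSIX shell script that generates the semanage rules for a read-only document root with explicitly writable subdirectories, applies them when the SELinux tools are present (and otherwise prints them as a dry run), and computes which label a given path should end up with so you can compare it against matchpathcon or ls -Z. The document root /var/www/html and the subdirectory names uploads and cache are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: keep httpd_unified off and label a
# document root precisely instead.  Paths and subdirectory names are assumptions.

# Print the semanage/restorecon commands for a read-only document root plus the
# subdirectories that httpd must be able to write to.
# Args: docroot, then zero or more subdirectory names (relative to docroot).
plan_fcontext() {
    docroot="$1"
    shift
    # Base rule: everything under the docroot is read-only web content.
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$docroot"
    # More specific rules for the writable subtrees; the longer regex wins over the base rule.
    for sub in "$@"; do
        printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/%s(/.*)?"\n' "$docroot" "$sub"
    done
    # Apply the new contexts to the files already on disk.
    printf 'restorecon -Rv "%s"\n' "$docroot"
}

# Which type should a given path carry under the plan above?  The longest
# writable prefix that contains the path wins; anything else is read-only.
# Args: docroot, path, then the same subdirectory names given to plan_fcontext.
expected_type() {
    docroot="$1"
    path="$2"
    shift 2
    best=""
    for sub in "$@"; do
        prefix="$docroot/$sub"
        case "$path" in
            "$prefix"|"$prefix"/*)
                if [ "${#prefix}" -gt "${#best}" ]; then
                    best="$prefix"
                fi
                ;;
        esac
    done
    if [ -n "$best" ]; then
        echo httpd_sys_rw_content_t
    else
        echo httpd_sys_content_t
    fi
}

# Run the plan on an SELinux host; elsewhere just print it (dry run).
apply_plan() {
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        plan_fcontext "$@" | sh -e
    else
        echo "# semanage/restorecon not found, dry run:" >&2
        plan_fcontext "$@"
    fi
}

# Compare the label a path should have with what the loaded policy now returns
# for it.  Prints OK/MISMATCH; returns 0 on a match (or when matchpathcon is absent).
verify_path() {
    docroot="$1"
    path="$2"
    shift 2
    want=$(expected_type "$docroot" "$path" "$@")
    command -v matchpathcon >/dev/null 2>&1 || { echo "SKIP $path (no matchpathcon)"; return 0; }
    got=$(matchpathcon -n "$path" | cut -d: -f3)
    if [ "$got" = "$want" ]; then
        echo "OK $path $got"
    else
        echo "MISMATCH $path wanted $want got $got"
        return 1
    fi
}

# Usage: sh label-docroot.sh /var/www/html uploads cache
# (assumed layout: uploads/ and cache/ stay writable by httpd_t, all else read-only)
if [ "$#" -gt 0 ]; then
    apply_plan "$@"
    docroot="$1"
    shift
    verify_path "$docroot" "$docroot/index.html" "$@"
    for sub in "$@"; do
        verify_path "$docroot" "$docroot/$sub" "$@"
    done
fi
```

Two things to keep in mind when running it for real: semanage fcontext -a refuses to add a rule whose path regex already exists (use -m to modify such a rule instead), and the script only makes sense if the boolean really is off, so confirm with getsebool httpd_unified before relying on the read-only behaviour.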
More explanations can be found in this must-read blog post by Dan Walsh.