SELinux in relation to Apache (linux)

Red Hat Enterprise version 4 introduced SELinux to our offering of
Linux operating systems. We now offer CentOS 4.x as well, which also
supports SELinux. It is possible for a web document on your server to
have the correct file permissions to be viewable from the web and yet
the httpd daemon will still be unable to read it, unless you assign
the correct security context or daemon access permissions.
Context-related errors usually show up as 403 errors when viewed from
a web browser.

When a new file is created, it inherits the security context of its
parent directory. So if you create files directly in the default web
root (/var/www), you should not run into any problems. If, however,
you have uploaded the files to another directory and then copy them
into your web root, you will experience this issue. The context of a
file depends on the SELinux label it is given. The following table
lists the most important types of security labels (taken from
http://www.siliconvalleyccie.com/linux-hn/apachebasic.htm):

SELinux type              Description
------------------------  ----------------------------------------------------
httpd_sys_content_t       The type used by regular static web pages with
                          .html and .htm extensions.
httpd_sys_script_ro_t     Required for CGI scripts to read files and
                          directories.
httpd_sys_script_ra_t     Same as the httpd_sys_script_ro_t type but also
                          allows appending data to files by the CGI script.
httpd_sys_script_rw_t     Files with this type may be changed by a CGI script
                          in any way, including deletion.
httpd_sys_script_exec_t   The type required for the execution of CGI scripts.


To view the current contexts of any given file, you can use the Unix
command ‘ls’ with only the ‘-Z’ option. This will produce a list
similar to the following:

[user@box www]$ ls -Z
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t error
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t html
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t icons
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x  webalize root     system_u:object_r:httpd_sys_content_t usage
[user@box www]$


As we can see in the above listing, everything appears to be set
correctly. Should you need to change the context of any of your files
and/or directories, you can do so with the chcon command. I will not
go in depth about the command here; you can get more information by
reading its man page. Generally you can accomplish what you wish to do
by relabeling the files using a reference, for example a file that
already shows correctly from the web. Using the chcon command, you can
modify the contexts on your new files to match the old file. To do
this, you would issue the following command:

[user@box www]$ chcon --reference=file1 file2

This will set the context of file2 to that of file1, and should then
allow you to access the page normally from the web.  Much more
information can be found about Red Hat’s implementation of SELinux by
reading through Red Hat’s own documentation.  That can be found
here:
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/
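
As an added example (not part of the original article), the following
POSIX shell script carries the two steps above through against a
listing: it finds every entry whose SELinux type is not one of the
httpd_* types from the table, and prints the chcon --reference command
that would relabel each one from a known-good file. The listing is a
constructed sample in the style of the ls -Z output shown earlier; on a
live server you would pipe the real 'ls -Z' output in instead. The
script locates the context field by its object_r component, so it also
accepts the two-column listing that newer coreutils print, which goes
slightly beyond the RHEL 4 format on this page. The function names
find_mislabeled and plan_relabel, and the sample file names, are my own.

```shell
#!/bin/sh
# Audit an 'ls -Z' listing for entries whose SELinux type is not an httpd_*
# type, and print the chcon --reference commands that would fix them.
# Nothing is changed on disk: the output is a plan to review first.

# Constructed sample listing (not from a real system). about.html and
# logo.png were copied in from a home directory and kept user_home_t,
# so httpd cannot read them and the browser would see a 403.
SAMPLE_LISTING='-rw-r--r--  root root system_u:object_r:httpd_sys_content_t index.html
-rw-r--r--  root root user_u:object_r:user_home_t about.html
-rwxr-xr-x  root root system_u:object_r:httpd_sys_script_exec_t form.cgi
-rw-r--r--  root root user_u:object_r:user_home_t logo.png'

# Read a listing on stdin and print the name of each entry whose type
# (third colon-separated part of the context) does not start with httpd_.
# The context field is found by its ':object_r:' component, so both the
# five-field RHEL 4 format and the two-field modern 'ls -Z' format work.
# File names containing spaces would be truncated at the first space.
find_mislabeled() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /:object_r:/) {
                split($i, ctx, ":")
                if (ctx[3] !~ /^httpd_/) print $(i + 1)
                break
            }
        }
    }'
}

# Read a listing on stdin and emit one chcon command per mislabeled entry,
# taking the context from the reference file given as $1 (a file that is
# already served correctly, as the article suggests).
plan_relabel() {
    ref="$1"
    find_mislabeled | while read -r f; do
        printf 'chcon --reference=%s %s\n' "$ref" "$f"
    done
}

# Usage on a real web root: ls -Z /var/www/html | plan_relabel index.html
printf '%s\n' "$SAMPLE_LISTING" | plan_relabel index.html
```

The script only prints the commands, which lets you check the plan
against the listing before relabeling anything; once you are satisfied,
pipe its output through sh to apply it.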
