Chapter 2. The Apache HTTP Server
The Apache HTTP Server provides an open-source HTTP server with the current HTTP standards.[3]
In Red Hat Enterprise Linux, the httpd package provides the Apache HTTP Server. Run the
rpm -q httpd
command to see if the httpd package is installed. If it is not installed and you want to use the Apache HTTP Server, run the following command as the root user to install it:
~]# yum install httpd
2.1. The Apache HTTP Server and SELinux
When SELinux is enabled, the Apache HTTP Server (
httpd
) runs confined by default. Confined processes run in their own domains, and are separated from other confined processes. If a confined process is compromised by an attacker, depending on SELinux policy configuration, an attacker's access to resources and the possible damage they can do is limited. The following example demonstrates the httpd
processes running in their own domain. This example assumes the httpd, setroubleshoot, setroubleshoot-server and policycoreutils-python packages are installed:
- Run the
getenforce
command to confirm SELinux is running in enforcing mode:~]$
getenforce
EnforcingThegetenforce
command returnsEnforcing
when SELinux is running in enforcing mode. - Run the
service httpd start
command as the root user to starthttpd
:~]#
service httpd start
Starting httpd: [ OK ] - Run the
ps -eZ | grep httpd
command to view thehttpd
processes:~]$
ps -eZ | grep httpd
unconfined_u:system_r:httpd_t:s0 2850 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2852 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2853 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2854 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2855 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2856 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2857 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2858 ? 00:00:00 httpd unconfined_u:system_r:httpd_t:s0 2859 ? 00:00:00 httpdThe SELinux context associated with thehttpd
processes isunconfined_u:system_r:httpd_t:s0
. The second last part of the context,httpd_t
, is the type. A type defines a domain for processes and a type for files. In this case, thehttpd
processes are running in thehttpd_t
domain.
SELinux policy defines how processes running in confined domains (such as
httpd_t
) interact with files, other processes, and the system in general. Files must be labeled correctly to allow httpd
access to them. For example, httpd
can read files labeled with the httpd_sys_content_t
type, but cannot write to them, even if Linux (DAC) permissions allow write access. Booleans must be enabled to allow certain behavior, such as allowing scripts network access, allowing httpd
access to NFS and CIFS volumes, and httpd
being allowed to execute Common Gateway Interface (CGI) scripts.
When
/etc/httpd/conf/httpd.conf
is configured so httpd
listens on a port other than TCP ports 80, 443, 488, 8008, 8009, or 8443, the semanage port
command must be used to add the new port number to SELinux policy configuration. The following example demonstrates configuring httpd
to listen on a port that is not already defined in SELinux policy configuration for httpd
, and, as a consequence, httpd
failing to start. This example also demonstrates how to then configure the SELinux system to allow httpd
to successfully listen on a non-standard port that is not already defined in the policy. This example assumes the httpd package is installed. Run each command in the example as the root user:
- Run the
service httpd status
command to confirmhttpd
is not running:~]#
service httpd status
httpd is stoppedIf the output differs, run theservice httpd stop
command to stop the process:~]#
service httpd stop
Stopping httpd: [ OK ] - Run the
semanage port -l | grep -w http_port_t
command to view the ports SELinux allowshttpd
to listen on:~]#
semanage port -l | grep -w http_port_t
http_port_t tcp 80, 443, 488, 8008, 8009, 8443 - Edit
/etc/httpd/conf/httpd.conf
as the root user. Configure theListen
option so it lists a port that is not configured in SELinux policy configuration forhttpd
. In this example,httpd
is configured to listen on port 12345:# Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses (0.0.0.0) # #Listen 12.34.56.78:80 Listen 127.0.0.1:12345
- Run the
service httpd start
command to starthttpd
:~]#
service httpd start
Starting httpd: (13)Permission denied: make_sock: could not bind to address 127.0.0.1:12345 no listening sockets available, shutting down Unable to open logs [FAILED]An SELinux denial similar to the following is logged:setroubleshoot: SELinux is preventing the httpd (httpd_t) from binding to port 12345. For complete SELinux messages. run sealert -l f18bca99-db64-4c16-9719-1db89f0d8c77
- For SELinux to allow
httpd
to listen on port 12345, as used in this example, the following command is required:~]#
semanage port -a -t http_port_t -p tcp 12345
- Run
service httpd start
again to starthttpd
and have it listen on the new port:~]#
service httpd start
Starting httpd: [ OK ] - Now that SELinux has been configured to allow
httpd
to listen on a non-standard port (TCP 12345 in this example),httpd
starts successfully on this port. - To prove that
httpd
is listening and communicating on TCP port 12345, open a telnet connection to the specified port and issue a HTTP GET command, as follows:~]#
telnet localhost 12345
Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. GET / HTTP/1.0 HTTP/1.1 200 OK Date: Wed, 02 Dec 2009 14:36:34 GMT Server: Apache/2.2.13 (Red Hat) Accept-Ranges: bytes Content-Length: 3985 Content-Type: text/html; charset=UTF-8 [...continues...]