
13.4. Configuration examples

The following examples provide real-world demonstrations of how SELinux complements the Apache HTTP Server and how the full functionality of the Apache HTTP Server can be maintained.

13.4.1. Running a static site

To create a static website, label the .html files for that website with the httpd_sys_content_t type. By default, the Apache HTTP Server cannot write to files that are labeled with the httpd_sys_content_t type. The following example creates a new directory to store files for a read-only website:
  1. Use the mkdir utility as root to create a top-level directory:
    ~]# mkdir /mywebsite
  2. As root, create a /mywebsite/index.html file. Copy and paste the following content into /mywebsite/index.html:
    <html>
    <h2>index.html from /mywebsite/</h2>
    </html>
    
  3. To allow the Apache HTTP Server read-only access to /mywebsite/, as well as files and subdirectories under it, label the directory with the httpd_sys_content_t type. Run the following command as root to add the label change to the file-context configuration:
    ~]# semanage fcontext -a -t httpd_sys_content_t "/mywebsite(/.*)?"
  4. Use the restorecon utility as root to apply the label changes:
    ~]# restorecon -R -v /mywebsite
    restorecon reset /mywebsite context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /mywebsite/index.html context unconfined_u:object_r:default_t:s0->system_u:object_r:httpd_sys_content_t:s0
    
  5. For this example, edit the /etc/httpd/conf/httpd.conf file as root. Comment out the existing DocumentRoot option. Add a DocumentRoot "/mywebsite" option. After editing, these options should look as follows:
    #DocumentRoot "/var/www/html"
    DocumentRoot "/mywebsite"
    
  6. Run the following command as root to see the status of the Apache HTTP Server. If the server is stopped, start it:
    ~]# systemctl status httpd.service
    httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
       Active: inactive (dead)
    
    ~]# systemctl start httpd.service
    If the server is running, restart the service by executing the following command as root (this also applies any changes made to httpd.conf):
    ~]# systemctl status httpd.service
    httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
       Active: active (running) since Wed 2014-02-05 13:16:46 CET; 2s ago
    
    ~]# systemctl restart httpd.service
  7. Use a web browser to navigate to http://localhost/index.html. The following is displayed:
    index.html from /mywebsite/
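
To check the result of steps 3 and 4 without changing any labels, the following added example (not part of the original guide) reads "context path" lines and lists every path whose SELinux type is not httpd_sys_content_t. The function names and the sample listing, including the file still labeled default_t, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux labels under the document root.
# Input is one "context path" line per file, for example from:
#   find /mywebsite -exec stat -c '%C %n' {} +
EXPECTED_TYPE=httpd_sys_content_t

# mislabeled TYPE: read "context path" lines on stdin and print every path
# whose SELinux type (third colon-separated field of the context) is not TYPE.
# Returns 1 if at least one such path is found, 0 otherwise.
mislabeled() {
    awk -v want="$1" '
        BEGIN { bad = 0 }
        NF >= 2 {
            ctx = $1
            # Everything after the context is the path (may contain spaces).
            path = substr($0, length(ctx) + 2)
            n = split(ctx, field, ":")
            type = (n >= 3) ? field[3] : "unparsable"
            if (type != want) {
                print path " (" type ")"
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample listing: two correctly labeled entries and one file
# that still carries default_t, the type shown before restorecon in step 4.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /mywebsite
system_u:object_r:httpd_sys_content_t:s0 /mywebsite/index.html
unconfined_u:object_r:default_t:s0 /mywebsite/new page.html
EOF
}

# Stand-alone run over the constructed sample.
sample_listing | mislabeled "$EXPECTED_TYPE" ||
    echo "relabel needed: run restorecon -R -v /mywebsite as root"
```

On a live system, replace sample_listing with the find command shown in the comment; any path it reports can be relabeled with the restorecon command from step 4.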