What is the difference between httpd_read_user_content and httpd_enable_homedirs?

httpd_read_user_content allows any confined web server to read files in user home directories in /home.

httpd_enable_homedirs allows Apache to use its UserDir directive (i.e. URLs that look like http://www.example.com/~username/).

If you are just mapping domain names to users' directories, it should be sufficient to enable the first one, httpd_read_user_content, but if you want to use Apache user directories, you should enable both.


After doing some research myself, I investigated the differences between them using the sesearch command:

$ sesearch --allow -s httpd_t -b httpd_read_user_content
Found 5 semantic av rules:
   allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t user_home_t : file { ioctl read getattr lock open } ; 
   allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t home_root_t : dir { getattr search open } ; 
   allow httpd_t home_root_t : lnk_file { read getattr } ;
$ sesearch --allow -s httpd_t -b httpd_enable_homedirs
Found 15 semantic av rules:
   allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t user_home_dir_t : lnk_file { read getattr } ; 
   allow httpd_t autofs_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t cifs_t : file { ioctl read getattr lock open } ; 
   allow httpd_t cifs_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t cifs_t : lnk_file { read getattr } ; 
   allow httpd_t nfs_t : file { ioctl read getattr lock open } ; 
   allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t nfs_t : lnk_file { read getattr } ; 
   allow httpd_t user_home_t : file { ioctl read getattr lock open } ; 
   allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t user_home_type : dir { getattr search open } ; 
   allow httpd_t user_home_type : lnk_file { read getattr } ; 
   allow httpd_t home_root_t : dir { ioctl read getattr lock search open } ; 
   allow httpd_t home_root_t : lnk_file { read getattr } ; 

All rules of httpd_read_user_content are included in those of httpd_enable_homedirs. That is, the scope of the latter is wider than the former.

As Michael said correctly, we should enable only the first one if we just want to place the document root on the home directory of a user.
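The comparison above is done by eye; as an added example (not code from either answer), the script below does it mechanically: it parses the two sesearch listings quoted in the answer (embedded here as constructed input), expands each rule into (target type, object class, permission) triples, and reports exactly what httpd_enable_homedirs grants to httpd_t beyond httpd_read_user_content. That delta (lnk_file on user_home_dir_t, autofs_t, cifs_t, nfs_t, user_home_type, and extra perms on home_root_t) is what you give up by enabling the wider boolean when the narrower one would do.

```python
import re

# Constructed input: the two sesearch listings from the answer above.
READ_USER_CONTENT = """
allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ;
allow httpd_t home_root_t : dir { getattr search open } ;
allow httpd_t home_root_t : lnk_file { read getattr } ;
"""
ENABLE_HOMEDIRS = """
allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_dir_t : lnk_file { read getattr } ;
allow httpd_t autofs_t : dir { ioctl read getattr lock search open } ;
allow httpd_t cifs_t : file { ioctl read getattr lock open } ;
allow httpd_t cifs_t : dir { ioctl read getattr lock search open } ;
allow httpd_t cifs_t : lnk_file { read getattr } ;
allow httpd_t nfs_t : file { ioctl read getattr lock open } ;
allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ;
allow httpd_t nfs_t : lnk_file { read getattr } ;
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
allow httpd_t user_home_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_type : dir { getattr search open } ;
allow httpd_t user_home_type : lnk_file { read getattr } ;
allow httpd_t home_root_t : dir { ioctl read getattr lock search open } ;
allow httpd_t home_root_t : lnk_file { read getattr } ;
"""
# sesearch rule shape: allow <source> <target> : <class> { <perms> } ;
RULE_RE = re.compile(r"allow\s+\w+\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}")

def parse_rules(text):
    """Map (target type, object class) -> set of permissions over all allow rules."""
    grants = {}
    for target, cls, perms in RULE_RE.findall(text):
        grants.setdefault((target, cls), set()).update(perms.split())
    return grants

def extra_grants(narrow, wide):
    """Permissions granted by `wide` but not by `narrow`, keyed by (target, class)."""
    narrow_g = parse_rules(narrow)
    delta = {key: perms - narrow_g.get(key, set()) for key, perms in parse_rules(wide).items()}
    return {key: perms for key, perms in delta.items() if perms}

if __name__ == "__main__":
    # Everything httpd_enable_homedirs adds on top of httpd_read_user_content.
    for (target, cls), perms in sorted(extra_grants(READ_USER_CONTENT, ENABLE_HOMEDIRS).items()):
        print(f"{target:16} {cls:9} +{{ {' '.join(sorted(perms))} }}")
```

Running extra_grants the other way round returns an empty dict, which is the subset relation the answer observed; re-run sesearch on your own policy and paste the fresh output in, since rule sets differ between policy versions.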