Introduction

Web applications are a prime example of where SELinux can prove its effectiveness. They are often facing the (untrusted) Internet and are a popular target to exploit. Securing the web server and web applications is just one of the basic mitigating strategies though—by confining the web server, we are reducing the results of a successful exploit even further.

A well-confined web server will only allow operations towards the operating system that are acceptable behavior for the service. But considering the wide area of services that can be provided through a web server, we must be careful not to open up too many privileges.

Policy developers have foreseen the situation that the web server domain might be too broad in its privileges and have made the web server domain (httpd_t) not only very versatile, but also very configurable. In this chapter, we will look into the domain in more detail.