SELinux Booleans Explained: httpd_read_user_content vs httpd_enable_homedirs for Apache Home Directory Access



When configuring Apache web server under SELinux, two critical boolean parameters often cause confusion:

httpd_read_user_content (default: off)
httpd_enable_homedirs (default: off)

httpd_read_user_content: Controls whether httpd can read user content in generic directories (not just home directories) that have the user_home_t SELinux context.

httpd_enable_homedirs: Specifically governs access to user home directories (/home/username) and their contents when configured as ~user aliases in Apache.

For your specific case of accessing /home/foo:

# Required minimum configuration
setsebool -P httpd_enable_homedirs=1

# Additional context setting may be needed
chcon -R -t httpd_sys_content_t /home/foo/public_html

Use httpd_enable_homedirs when:
• Serving content from ~user URLs
• Accessing standard home directory structure
• Working with user public_html folders

Use httpd_read_user_content when:
• Accessing non-standard locations with user_home_t context
• Reading files not in traditional home directories
• Dealing with custom content repositories

For a typical home directory web setup:

<VirtualHost *:80>
    ServerName user.example.com
    DocumentRoot /home/foo/public_html
    <Directory "/home/foo/public_html">
        Require all granted
        Options Indexes FollowSymLinks
    </Directory>
</VirtualHost>

Then apply SELinux settings:

# Set the boolean
sudo setsebool -P httpd_enable_homedirs=1

# Apply proper context
sudo semanage fcontext -a -t httpd_sys_content_t "/home/foo/public_html(/.*)?"
sudo restorecon -Rv /home/foo/public_html

If access issues persist:

# Check SELinux denials
sudo ausearch -m avc -ts recent

# Verify contexts
ls -Z /home/foo/public_html

Remember that both booleans might be needed in complex scenarios where content spans multiple location types.


When configuring Apache (httpd) on SELinux-enabled systems, two frequently encountered boolean parameters are httpd_read_user_content and httpd_enable_homedirs. While they appear similar at first glance, their use cases differ significantly in security contexts.

The httpd_enable_homedirs boolean controls whether Apache can access user home directories (/home/username) through the ~username syntax. When enabled:

setsebool -P httpd_enable_homedirs=1

In contrast, httpd_read_user_content governs access to files with the user_home_t SELinux context, typically found in:

  • /home/username/public_html
  • Custom content directories outside home folders

For your specific case of accessing /home/foo, you would need:

# For basic home directory access:
setsebool -P httpd_enable_homedirs=1

# If serving content from /home/foo/public_html:
setsebool -P httpd_read_user_content=1
chcon -R -t httpd_sys_content_t /home/foo/public_html

When enabling these booleans, consider these security best practices:

  1. Always use the most restrictive boolean that meets your requirements
  2. Audit access patterns with:
    ausearch -m avc -ts recent
  3. Consider creating specific SELinux file contexts rather than enabling broad access

If you encounter permission denied errors despite correct boolean settings, check:

# Verify current contexts:
ls -Z /home/foo

# Check active booleans:
getsebool -a | grep httpd
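Both answers end by checking ausearch -m avc -ts recent and ls -Z. The script below is an added example, not code from either answer: it parses one AVC record as ausearch prints it and maps the target SELinux type to the boolean or relabel step described above. The sample record is constructed, and treating user_home_dir_t (the type of the /home/username directory itself) as the httpd_enable_homedirs case is an assumption drawn from the distinction the answers make.

```shell
#!/usr/bin/env bash
# Triage an AVC denial for httpd and suggest the matching SELinux fix.
# Constructed sample record in `ausearch -m avc` format (not from a real host).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY= in the record, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT -> the SELinux type, i.e. the third colon-separated field
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest RECORD -> one-line remediation hint; returns 1 if the source is not httpd_t
suggest() {
    avc_src=$(context_type "$(avc_field "$1" scontext)")
    avc_tgt=$(context_type "$(avc_field "$1" tcontext)")
    avc_cls=$(avc_field "$1" tclass)
    if [ "$avc_src" != httpd_t ]; then
        echo "not an httpd denial (source type: $avc_src)"
        return 1
    fi
    case "$avc_tgt" in
        user_home_dir_t)   # assumption: the home directory itself is the ~user case
            echo "home directory ($avc_cls): setsebool -P httpd_enable_homedirs=1" ;;
        user_home_t)       # generic user content, as described for httpd_read_user_content
            echo "user content ($avc_cls): relabel with semanage fcontext -t httpd_sys_content_t + restorecon, or setsebool -P httpd_read_user_content=1" ;;
        httpd_sys_content_t)
            echo "label already httpd-readable ($avc_cls): confirm with getsebool -a | grep httpd and ls -Z" ;;
        *)
            echo "unexpected target type $avc_tgt ($avc_cls): inspect with ls -Z" ;;
    esac
}

# Live use: sudo ausearch -m avc -ts recent | grep '^type=AVC' | while IFS= read -r r; do suggest "$r"; done
suggest "$SAMPLE_AVC"
```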