httpd_sys_script_selinux(8)     SELinux Policy httpd_sys_script     httpd_sys_script_selinux(8)

NAME

       httpd_sys_script_selinux - Security Enhanced Linux Policy for the
       httpd_sys_script processes

DESCRIPTION

       Security-Enhanced Linux secures the httpd_sys_script processes via
       flexible mandatory access control.

       The httpd_sys_script processes execute with the httpd_sys_script_t
       SELinux type. You can check whether any of these processes are running
       by executing the ps command with the -Z option.

       For example:

       ps -eZ | grep httpd_sys_script_t


ENTRYPOINTS

       The httpd_sys_script_t SELinux type can be entered via the
       httpd_sys_content_t, cifs_t, nfs_t, httpd_sys_script_exec_t and
       httpdcontent file types.

       The default entrypoint paths for the httpd_sys_script_t domain are the
       following:

            /srv/([^/]*/)?www(/.*)?
            /var/www(/.*)?
            /etc/htdig(/.*)?
            /srv/gallery2(/.*)?
            /var/lib/trac(/.*)?
            /var/lib/htdig(/.*)?
            /var/www/icons(/.*)?
            /usr/share/glpi(/.*)?
            /usr/share/htdig(/.*)?
            /usr/share/drupal.*
            /usr/share/z-push(/.*)?
            /var/www/svn/conf(/.*)?
            /usr/share/icecast(/.*)?
            /var/lib/cacti/rra(/.*)?
            /usr/share/ntop/html(/.*)?
            /usr/share/nginx/html(/.*)?
            /usr/share/doc/ghc/html(/.*)?
            /usr/share/openca/htdocs(/.*)?
            /usr/share/selinux-policy[^/]*/html(/.*)?
            /opt/.*.cgi
            /usr/.*.cgi
            /var/www/[^/]*/cgi-bin(/.*)?
            /var/www/perl(/.*)?
            /var/www/html/[^/]*/cgi-bin(/.*)?
            /usr/lib/cgi-bin(/.*)?
            /var/www/cgi-bin(/.*)?
            /var/www/svn/hooks(/.*)?
            /usr/share/wordpress/.*.php
            /usr/local/nagios/sbin(/.*)?
            /usr/share/wordpress/wp-includes/.*.php
            /usr/share/wordpress-mu/wp-config.php


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       httpd_sys_script policy is very flexible, allowing users to set up their
       httpd_sys_script processes in as secure a manner as possible.

       The following process types are defined for httpd_sys_script:

       httpd_sys_script_t

       Note: semanage permissive -a httpd_sys_script_t can be used to make the
       process type httpd_sys_script_t permissive. SELinux does not deny
       access to permissive process types, but the AVC (SELinux denial)
       messages are still generated.


BOOLEANS

       SELinux policy is customizable based on least access required.
       httpd_sys_script policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run httpd_sys_script with
       the tightest access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow httpd to manage the courier spool sock files, you
       must turn on the httpd_can_manage_courier_spool boolean. Disabled by
       default.

       setsebool -P httpd_can_manage_courier_spool 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1

       If you want to allow the http daemon to send mail, you must turn on the
       httpd_can_sendmail boolean. Disabled by default.

       setsebool -P httpd_can_sendmail 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow httpd to read home directories, you must turn on
       the httpd_enable_homedirs boolean. Disabled by default.

       setsebool -P httpd_enable_homedirs 1

       If you want to allow httpd scripts and modules to use execmem/execstack,
       you must turn on the httpd_execmem boolean. Disabled by default.

       setsebool -P httpd_execmem 1

       If you want to allow httpd to read user content, you must turn on the
       httpd_read_user_content boolean. Disabled by default.

       setsebool -P httpd_read_user_content 1

       If you want to allow HTTPD to run SSI executables in the same domain as
       system CGI scripts, you must turn on the httpd_ssi_exec boolean.
       Disabled by default.

       setsebool -P httpd_ssi_exec 1

       If you want to allow httpd to access cifs file systems, you must turn
       on the httpd_use_cifs boolean. Disabled by default.

       setsebool -P httpd_use_cifs 1

       If you want to allow httpd to access FUSE file systems, you must turn
       on the httpd_use_fusefs boolean. Disabled by default.

       setsebool -P httpd_use_fusefs 1

       If you want to allow httpd to access nfs file systems, you must turn on
       the httpd_use_nfs boolean. Disabled by default.

       setsebool -P httpd_use_nfs 1

       If you want to allow httpd to access openstack ports, you must turn on
       the httpd_use_openstack boolean. Disabled by default.

       setsebool -P httpd_use_openstack 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

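       Each boolean above widens what httpd_sys_script_t may do, so the
       first question on a host is which of them no longer sit at their
       default. The script below is an added example, not part of the
       sepolicy-generated page: it compares "getsebool -a" style output
       against the defaults documented in this section and lists the
       booleans that deviate. The sample output is constructed, and the
       defaults are the ones this page states; a distribution or policy
       version may ship different ones.

```sh
#!/bin/sh
# Added example, not from the sepolicy-generated page: compare the booleans
# this page lists against the defaults it documents. Input is "name --> state"
# lines as printed by "getsebool -a"; every boolean whose live state differs
# from the documented default is printed, one name per line. Assumption: the
# defaults below are the ones stated on this page, which may not match a
# particular distribution or policy version.

DOCUMENTED_DEFAULTS='fips_mode on
httpd_can_manage_courier_spool off
httpd_can_network_connect_db off
httpd_can_sendmail off
httpd_enable_cgi on
httpd_enable_homedirs off
httpd_execmem off
httpd_read_user_content off
httpd_ssi_exec off
httpd_use_cifs off
httpd_use_fusefs off
httpd_use_nfs off
httpd_use_openstack off
nis_enabled off'

# Print the documented default ("on"/"off") of boolean $1; nothing if unknown.
documented_default() {
    printf '%s\n' "$DOCUMENTED_DEFAULTS" | awk -v b="$1" '$1 == b { print $2 }'
}

# Read getsebool -a output on stdin; print the booleans that deviate.
audit_httpd_sys_script_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue      # not a getsebool line
        d=$(documented_default "$name")
        [ -n "$d" ] || continue               # boolean not covered by this page
        [ "$state" = "$d" ] || printf '%s\n' "$name"
    done
    return 0
}

# Constructed sample of getsebool -a output, not captured from a real host.
SAMPLE_GETSEBOOL='fips_mode --> on
httpd_can_network_connect_db --> on
httpd_enable_cgi --> on
httpd_execmem --> on
httpd_use_nfs --> off
nis_enabled --> off
some_other_boolean --> on'

# On a live host:  getsebool -a | audit_httpd_sys_script_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_httpd_sys_script_booleans
```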

MANAGED FILES

       The SELinux process type httpd_sys_script_t can manage files labeled
       with the following file types. The paths listed are the default paths
       for these file types. Note that the process's UID still needs to have
       DAC permissions.

       anon_inodefs_t

       fusefs_t

            /var/run/user/[^/]*/gvfs

       httpd_sys_rw_content_t

            /etc/rt(/.*)?
            /etc/glpi(/.*)?
            /etc/horde(/.*)?
            /etc/drupal.*
            /etc/z-push(/.*)?
            /var/lib/svn(/.*)?
            /var/www/svn(/.*)?
            /etc/owncloud(/.*)?
            /var/www/html(/.*)?/uploads(/.*)?
            /var/www/html(/.*)?/wp-content(/.*)?
            /var/www/html(/.*)?/wp_backups(/.*)?
            /var/www/html(/.*)?/sites/default/files(/.*)?
            /var/www/html(/.*)?/sites/default/settings.php
            /etc/mock/koji(/.*)?
            /etc/nextcloud(/.*)?
            /var/lib/drupal.*
            /etc/zabbix/web(/.*)?
            /var/lib/moodle(/.*)?
            /var/log/z-push(/.*)?
            /var/spool/gosa(/.*)?
            /etc/WebCalendar(/.*)?
            /usr/share/joomla(/.*)?
            /var/lib/dokuwiki(/.*)?
            /var/lib/owncloud(/.*)?
            /var/spool/viewvc(/.*)?
            /var/lib/nextcloud(/.*)?
            /var/lib/pootle/po(/.*)?
            /var/lib/phpMyAdmin(/.*)?
            /var/www/moodledata(/.*)?
            /srv/gallery2/smarty(/.*)?
            /var/www/moodle/data(/.*)?
            /var/lib/graphite-web(/.*)?
            /var/log/shibboleth-www(/.*)?
            /var/www/gallery/albums(/.*)?
            /var/www/html/owncloud/data(/.*)?
            /var/www/html/nextcloud/data(/.*)?
            /usr/share/wordpress-mu/wp-content(/.*)?
            /usr/share/wordpress/wp-content/upgrade(/.*)?
            /usr/share/wordpress/wp-content/uploads(/.*)?
            /var/www/html/configuration.php

       httpdcontent


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux httpd_sys_script policy is very flexible, allowing users to set
       up their httpd_sys_script processes in as secure a manner as possible.

       The following file types are defined for httpd_sys_script:

       httpd_sys_script_exec_t

       - Set files with the httpd_sys_script_exec_t type, if you want to
       transition an executable to the httpd_sys_script_t domain.

       Paths:
            /opt/.*.cgi
            /usr/.*.cgi
            /var/www/[^/]*/cgi-bin(/.*)?
            /var/www/perl(/.*)?
            /var/www/html/[^/]*/cgi-bin(/.*)?
            /usr/lib/cgi-bin(/.*)?
            /var/www/cgi-bin(/.*)?
            /var/www/svn/hooks(/.*)?
            /usr/share/wordpress/.*.php
            /usr/local/nagios/sbin(/.*)?
            /usr/share/wordpress/wp-includes/.*.php
            /usr/share/wordpress-mu/wp-config.php

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

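       The ENTRYPOINTS list and the httpd_sys_script_exec_t paths above are
       SELinux file-context regular expressions matched against the whole
       path, so a script dropped outside them is not labeled as an entrypoint
       and never transitions into httpd_sys_script_t. The script below is an
       added example, not part of the sepolicy-generated page: it tests a
       path against the exec_t patterns printed here and, for a path outside
       them, prints the semanage fcontext and restorecon steps from the note
       above. On a live host, matchpathcon or restorecon -nv consult the real
       labeling database, which may differ from the patterns on this page.

```sh
#!/bin/sh
# Added example, not from the sepolicy-generated page: test a path against
# the default httpd_sys_script_exec_t file-context patterns printed above, to
# tell whether a script placed there is labeled as an entrypoint for the
# httpd_sys_script_t domain by default. Assumption: the patterns are the
# ones on this page; a live host's database may differ (see matchpathcon).

EXEC_PATTERNS='/opt/.*.cgi
/usr/.*.cgi
/var/www/[^/]*/cgi-bin(/.*)?
/var/www/perl(/.*)?
/var/www/html/[^/]*/cgi-bin(/.*)?
/usr/lib/cgi-bin(/.*)?
/var/www/cgi-bin(/.*)?
/var/www/svn/hooks(/.*)?
/usr/share/wordpress/.*.php
/usr/local/nagios/sbin(/.*)?
/usr/share/wordpress/wp-includes/.*.php
/usr/share/wordpress-mu/wp-config.php'

# Return 0 if $1 matches one of the patterns. SELinux file-context regexes
# match the whole path, so each one is anchored with ^...$ for grep -E.
is_default_script_exec_path() {
    set -f                    # patterns contain * and ?; never glob-expand them
    for re in $EXEC_PATTERNS; do
        if printf '%s\n' "$1" | grep -Eq -e "^${re}\$"; then
            set +f
            return 0
        fi
    done
    set +f
    return 1
}

# Print (do not run) the labeling steps from the note above for a script
# that sits outside the default patterns.
label_plan() {
    if is_default_script_exec_path "$1"; then
        printf 'default pattern already labels %s httpd_sys_script_exec_t\n' "$1"
    else
        printf 'semanage fcontext -a -t httpd_sys_script_exec_t "%s"\n' "$1"
        printf 'restorecon -F -v "%s"\n' "$1"
    fi
}

label_plan /var/www/cgi-bin/report.cgi     # matches /var/www/cgi-bin(/.*)?
label_plan /srv/app/cgi-bin/report.cgi     # no default pattern: needs labeling
```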

SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean.

       Allow httpd_sys_script servers to read the /var/httpd_sys_script
       directory by adding the public_content_t file type to the directory and
       by restoring the file type.

       semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?"
       restorecon -F -R -v /var/httpd_sys_script

       Allow httpd_sys_script servers to read and write
       /var/httpd_sys_script/incoming by adding the public_content_rw_t type
       to the directory and by restoring the file type. You also need to turn
       on the httpd_sys_script_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/httpd_sys_script/incoming(/.*)?"
       restorecon -F -R -v /var/httpd_sys_script/incoming
       setsebool -P httpd_sys_script_anon_write 1

       If you want to allow apache scripts to write to public content, the
       directories/files must be labeled public_content_rw_t and you must turn
       on the httpd_sys_script_anon_write boolean.

       setsebool -P httpd_sys_script_anon_write 1


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), httpd_sys_script(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

httpd_sys_script                   21-03-26        httpd_sys_script_selinux(8)