httpd_selinux(8)          SELinux Policy httpd          httpd_selinux(8)

NAME

httpd_selinux - Security Enhanced Linux Policy for the httpd processes

DESCRIPTION

Security-Enhanced Linux secures the httpd processes via flexible
mandatory access control.

The httpd processes execute with the httpd_t SELinux type. You can
check whether these processes are running by executing the ps command
with the -Z qualifier.

For example:

ps -eZ | grep httpd_t

ENTRYPOINTS

The httpd_t SELinux type can be entered via the httpd_exec_t file type.

The default entrypoint paths for the httpd_t domain are the following:

/usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
/usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
/usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
/usr/bin/mongrel_rails, /usr/sbin/htcacheclean

PROCESS TYPES

SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
httpd policy is very flexible, allowing users to set up their httpd
processes in as secure a method as possible.

The following process types are defined for httpd:

httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t, httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t, httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t, httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t, httpd_awstats_script_t, httpd_apcupsd_cgi_script_t, httpd_nutups_cgi_script_t, httpd_munin_script_t, httpd_openshift_script_t, httpd_sys_script_t, httpd_dspam_script_t, httpd_prewikka_script_t, httpd_git_script_t, httpd_unconfined_script_t, httpd_t, httpd_helper_t, httpd_squid_script_t, httpd_cobbler_script_t, httpd_mediawiki_script_t

Note: semanage permissive -a httpd_t can be used to make the process
type httpd_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denials) messages are still
generated.

BOOLEANS

SELinux policy is customizable based on least access required. httpd
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run httpd with the tightest access possible.

If you want to allow httpd to use built-in scripting (usually php), you
must turn on the httpd_builtin_scripting boolean. Enabled by default.

setsebool -P httpd_builtin_scripting 1

If you want to allow http daemon to check spam, you must turn on the
httpd_can_check_spam boolean. Disabled by default.

setsebool -P httpd_can_check_spam 1

If you want to allow HTTPD scripts and modules to connect to the
network using TCP, you must turn on the httpd_can_network_connect
boolean. Disabled by default.

setsebool -P httpd_can_network_connect 1

If you want to allow HTTPD scripts and modules to connect to cobbler
over the network, you must turn on the httpd_can_network_connect_cobbler
boolean. Disabled by default.

setsebool -P httpd_can_network_connect_cobbler 1

If you want to allow HTTPD scripts and modules to connect to databases
over the network, you must turn on the httpd_can_network_connect_db
boolean. Disabled by default.

setsebool -P httpd_can_network_connect_db 1

If you want to allow httpd to connect to memcache server, you must turn
on the httpd_can_network_memcache boolean. Disabled by default.

setsebool -P httpd_can_network_memcache 1

If you want to allow httpd to act as a relay, you must turn on the
httpd_can_network_relay boolean. Disabled by default.

setsebool -P httpd_can_network_relay 1

If you want to allow http daemon to send mail, you must turn on the
httpd_can_sendmail boolean. Disabled by default.

setsebool -P httpd_can_sendmail 1

If you want to allow Apache to communicate with avahi service via dbus,
you must turn on the httpd_dbus_avahi boolean. Disabled by default.

setsebool -P httpd_dbus_avahi 1

If you want to allow Apache to communicate with sssd service via dbus,
you must turn on the httpd_dbus_sssd boolean. Disabled by default.

setsebool -P httpd_dbus_sssd 1

If you want to allow httpd cgi support, you must turn on the
httpd_enable_cgi boolean. Enabled by default.

setsebool -P httpd_enable_cgi 1

If you want to allow httpd to act as a FTP server by listening on the
ftp port, you must turn on the httpd_enable_ftp_server boolean.
Disabled by default.

setsebool -P httpd_enable_ftp_server 1

If you want to allow httpd to read home directories, you must turn on
the httpd_enable_homedirs boolean. Disabled by default.

setsebool -P httpd_enable_homedirs 1

If you want to allow httpd scripts and modules execmem/execstack, you
must turn on the httpd_execmem boolean. Disabled by default.

setsebool -P httpd_execmem 1

If you want to allow httpd processes to manage IPA content, you must
turn on the httpd_manage_ipa boolean. Disabled by default.

setsebool -P httpd_manage_ipa 1

If you want to allow httpd to read user content, you must turn on the
httpd_read_user_content boolean. Disabled by default.

setsebool -P httpd_read_user_content 1

If you want to allow Apache to run preupgrade, you must turn on the
httpd_run_preupgrade boolean. Disabled by default.

setsebool -P httpd_run_preupgrade 1

If you want to allow Apache to run in stickshift mode, not transition
to passenger, you must turn on the httpd_run_stickshift boolean.
Disabled by default.

setsebool -P httpd_run_stickshift 1

If you want to allow HTTPD scripts and modules to serve cobbler files,
you must turn on the httpd_serve_cobbler_files boolean. Disabled by
default.

setsebool -P httpd_serve_cobbler_files 1

If you want to allow httpd daemon to change system limits, you must
turn on the httpd_setrlimit boolean. Disabled by default.

setsebool -P httpd_setrlimit 1

If you want to allow HTTPD to run SSI executables in the same domain as
system CGI scripts, you must turn on the httpd_ssi_exec boolean.
Disabled by default.

setsebool -P httpd_ssi_exec 1

If you want to allow Apache to execute tmp content, you must turn on
the httpd_tmp_exec boolean. Disabled by default.

setsebool -P httpd_tmp_exec 1

If you want to allow HTTPD to communicate with the terminal (needed for
entering the passphrase for certificates at the terminal), you must turn
on the httpd_tty_comm boolean. Disabled by default.

setsebool -P httpd_tty_comm 1

If you want to unify HTTPD handling of all content files, you must turn
on the httpd_unified boolean. Disabled by default.

setsebool -P httpd_unified 1

If you want to allow httpd to access cifs file systems, you must turn
on the httpd_use_cifs boolean. Disabled by default.

setsebool -P httpd_use_cifs 1

If you want to allow httpd to access FUSE file systems, you must turn
on the httpd_use_fusefs boolean. Disabled by default.

setsebool -P httpd_use_fusefs 1

If you want to allow httpd to run gpg in gpg-web domain, you must turn
on the httpd_use_gpg boolean. Disabled by default.

setsebool -P httpd_use_gpg 1

If you want to allow httpd to access nfs file systems, you must turn on
the httpd_use_nfs boolean. Disabled by default.

setsebool -P httpd_use_nfs 1

If you want to allow Apache to query NS records, you must turn on the
httpd_verify_dns boolean. Disabled by default.

setsebool -P httpd_verify_dns 1

If you want to allow all daemons to write corefiles to /, you must turn
on the allow_daemons_dump_core boolean. Disabled by default.

setsebool -P allow_daemons_dump_core 1

If you want to allow all daemons to use tcp wrappers, you must turn on
the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

setsebool -P allow_daemons_use_tcp_wrapper 1

If you want to allow all daemons the ability to read/write terminals,
you must turn on the allow_daemons_use_tty boolean. Disabled by
default.

setsebool -P allow_daemons_use_tty 1

If you want to allow all domains to use other domains' file descriptors,
you must turn on the allow_domain_fd_use boolean. Enabled by default.

setsebool -P allow_domain_fd_use 1

If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
on the allow_httpd_mod_auth_ntlm_winbind boolean. Disabled by default.

setsebool -P allow_httpd_mod_auth_ntlm_winbind 1

If you want to allow Apache to use mod_auth_pam, you must turn on the
allow_httpd_mod_auth_pam boolean. Disabled by default.

setsebool -P allow_httpd_mod_auth_pam 1

If you want to allow confined applications to run with kerberos, you
must turn on the allow_kerberos boolean. Enabled by default.

setsebool -P allow_kerberos 1

If you want to allow sysadm to debug or ptrace all processes, you must
turn on the allow_ptrace boolean. Disabled by default.

setsebool -P allow_ptrace 1

If you want to allow system to run with NIS, you must turn on the
allow_ypbind boolean. Disabled by default.

setsebool -P allow_ypbind 1

If you want to enable cluster mode for daemons, you must turn on the
daemons_enable_cluster_mode boolean. Disabled by default.

setsebool -P daemons_enable_cluster_mode 1

If you want to allow all domains to have the kernel load modules, you
must turn on the domain_kernel_load_modules boolean. Disabled by
default.

setsebool -P domain_kernel_load_modules 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to determine whether Git system daemon can access cifs file
systems, you must turn on the git_system_use_cifs boolean. Disabled by
default.

setsebool -P git_system_use_cifs 1

If you want to determine whether Git system daemon can access nfs file
systems, you must turn on the git_system_use_nfs boolean. Disabled by
default.

setsebool -P git_system_use_nfs 1

If you want to enable reading of urandom for all domains, you must turn
on the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1

If you want to enable support for upstart as the init program, you must
turn on the init_upstart boolean. Enabled by default.

setsebool -P init_upstart 1

If you want to allow confined applications to use nscd shared memory,
you must turn on the nscd_use_shm boolean. Enabled by default.

setsebool -P nscd_use_shm 1

If you want to allow unprivileged users to execute DDL statements, you
must turn on the sepgsql_enable_users_ddl boolean. Enabled by default.

setsebool -P sepgsql_enable_users_ddl 1

If you want to support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.

setsebool -P use_nfs_home_dirs 1

If you want to support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.

setsebool -P use_samba_home_dirs 1

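Added example (not part of the man page or of the SELinux tooling): the script below compares getsebool -a style output with the defaults documented above for a subset of the httpd booleans, and turns any drift into the setsebool commands that restore those defaults. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit httpd booleans against the defaults this page documents.

# Defaults copied from the descriptions above ("Enabled/Disabled by default"),
# limited to booleans that widen what httpd_t and its scripts may do.
documented_defaults() {
    cat <<'EOF'
httpd_builtin_scripting on
httpd_can_network_connect off
httpd_can_network_connect_db off
httpd_can_network_relay off
httpd_can_sendmail off
httpd_enable_cgi on
httpd_enable_homedirs off
httpd_execmem off
httpd_ssi_exec off
httpd_tmp_exec off
httpd_unified off
httpd_use_cifs off
httpd_use_nfs off
EOF
}

# Constructed sample in the "name --> on|off" layout printed by getsebool -a.
sample_getsebool() {
    cat <<'EOF'
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_execmem --> on
httpd_unified --> off
use_nfs_home_dirs --> off
EOF
}

# Reads getsebool-style lines on stdin and prints one line for every boolean
# whose current state differs from the documented default.
audit_booleans() {
    {
        documented_defaults | sed 's/^/D /'   # D = documented default
        sed 's/^/C /'                         # C = current state (stdin)
    } | awk '
        $1 == "D" { want[$2] = $3; next }
        $1 == "C" && $3 == "-->" && ($2 in want) && $4 != want[$2] {
            printf "%s documented=%s current=%s\n", $2, want[$2], $4
        }
    ' | sort
}

# Turns audit_booleans output into the commands that restore the defaults.
restore_commands() {
    awk '{
        sub(/^documented=/, "", $2)
        printf "setsebool -P %s %s\n", $1, ($2 == "on" ? 1 : 0)
    }'
}

# Demo on the constructed sample.
sample_getsebool | audit_booleans
sample_getsebool | audit_booleans | restore_commands
```

On a live system, feed it the real state with getsebool -a | audit_booleans and review each drifted boolean before restoring it, since some deviations are deliberate.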
PORT TYPES

SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following
command:

semanage port -l

Policy governs the access confined processes have to these ports.
SELinux httpd policy is very flexible, allowing users to set up their
httpd processes in as secure a method as possible.

The following port types are defined for httpd:

http_cache_port_t

Default Defined Ports:
tcp 3128,8080,8118,8123,10001-10010
udp 3130

http_port_t

Default Defined Ports:
tcp 80,81,443,488,8008,8009,8443,9000

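Added example (not part of the man page): a lookup over semanage port -l output that reports which port type covers a given port, expanding ranges such as 10001-10010. The function names are hypothetical and the sample listing is constructed from the default ports above.

```sh
#!/bin/sh
# Added example: find the SELinux port type that covers a protocol/port pair.

# Constructed sample in the column layout of `semanage port -l`,
# filled with the default ports listed on this page.
sample_port_list() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF
}

# port_types PROTO PORT   (port listing on stdin)
# Prints every port type whose definition covers PROTO/PORT, one per line.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            # Join the port columns and accept "a, b" as well as "a,b".
            list = ""
            for (i = 3; i <= NF; i++) list = list " " $i
            gsub(/,/, " ", list)
            n = split(list, specs, " ")
            for (i = 1; i <= n; i++) {
                parts = split(specs[i], r, "-")
                lo = r[1] + 0
                hi = (parts == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }
    '
}

# httpd_port_check PROTO PORT   (port listing on stdin)
# Reports whether the port carries one of the two httpd port types.
httpd_port_check() {
    types=$(port_types "$1" "$2" | grep -E '^http(_cache)?_port_t$' | tr '\n' ' ')
    if [ -n "$types" ]; then
        echo "$2/$1 labeled: ${types% }"
    else
        echo "$2/$1 not in http_port_t or http_cache_port_t"
    fi
}

# Demo on the constructed sample.
sample_port_list | httpd_port_check tcp 10005
sample_port_list | httpd_port_check tcp 8081
```

On a live system, run semanage port -l | httpd_port_check tcp 8081; a port that httpd is meant to serve but that carries neither type can be added with semanage port -a -t http_port_t -p tcp 8081.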
MANAGED FILES

The SELinux process type httpd_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

cifs_t

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib(64)?/openais(/.*)?
/var/lib(64)?/pengine(/.*)?
/var/lib(64)?/corosync(/.*)?
/usr/lib(64)?/heartbeat(/.*)?
/var/lib(64)?/heartbeat(/.*)?
/var/lib(64)?/pacemaker(/.*)?
/var/lib/cluster(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/cpglockd.pid
/var/run/corosync.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

cobbler_var_lib_t

/var/lib/cobbler(/.*)?
/var/www/cobbler/pub(/.*)?
/var/lib/tftpboot/etc(/.*)?
/var/lib/tftpboot/ppc(/.*)?
/var/lib/tftpboot/grub(/.*)?
/var/www/cobbler/links(/.*)?
/var/lib/tftpboot/s390x(/.*)?
/var/www/cobbler/images(/.*)?
/var/lib/tftpboot/images(2)?(/.*)?
/var/lib/tftpboot/aarch64(/.*)?
/var/www/cobbler/rendered(/.*)?
/var/www/cobbler/ks_mirror(/.*)?
/var/www/cobbler/localmirror(/.*)?
/var/www/cobbler/repo_mirror(/.*)?
/var/lib/tftpboot/pxelinux.cfg(/.*)?
/var/lib/tftpboot/yaboot
/var/lib/tftpboot/memdisk
/var/lib/tftpboot/menu.c32
/var/lib/tftpboot/pxelinux.0

dirsrv_config_t

/etc/dirsrv(/.*)?

dirsrv_var_log_t

/var/log/dirsrv(/.*)?

dirsrv_var_run_t

/var/run/slapd.*
/var/run/dirsrv(/.*)?

dirsrvadmin_config_t

/etc/dirsrv/dsgw(/.*)?
/etc/dirsrv/admin-serv(/.*)?

dirsrvadmin_tmp_t

fusefs_t

httpd_apcupsd_cgi_rw_content_t

httpd_awstats_rw_content_t

httpd_bugzilla_rw_content_t

/var/lib/bugzilla(/.*)?

httpd_cache_t

/var/cache/rt3(/.*)?
/var/cache/ssl.*.sem
/var/cache/mod_.*
/var/cache/php-.*
/var/cache/httpd(/.*)?
/var/cache/mason(/.*)?
/var/cache/mod_ssl(/.*)?
/var/cache/lighttpd(/.*)?
/var/cache/mediawiki(/.*)?
/var/cache/mod_proxy(/.*)?
/var/cache/mod_gnutls(/.*)?
/var/cache/php-mmcache(/.*)?
/var/cache/php-eaccelerator(/.*)?

httpd_cobbler_rw_content_t

httpd_collectd_rw_content_t

httpd_cvs_rw_content_t

httpd_dirsrvadmin_rw_content_t

httpd_dspam_rw_content_t

/var/lib/dspam/data(/.*)?

httpd_git_rw_content_t

/var/cache/cgit(/.*)?
/var/cache/gitweb-caching(/.*)?

httpd_lock_t

httpd_mediawiki_rw_content_t

/var/www/wiki(/.*)?

httpd_munin_rw_content_t

httpd_nagios_rw_content_t

httpd_nutups_cgi_rw_content_t

httpd_openshift_rw_content_t

httpd_prewikka_rw_content_t

httpd_smokeping_cgi_rw_content_t

httpd_squid_rw_content_t

httpd_squirrelmail_t

/var/lib/squirrelmail/prefs(/.*)?

httpd_sys_rw_content_t

/etc/drupal.*
/var/lib/svn(/.*)?
/var/www/svn(/.*)?
/etc/dokuwiki(/.*)?
/etc/owncloud(/.*)?
/var/lib/koji(/.*)?
/etc/mock/koji(/.*)?
/var/www/html/[^/]*/sites/default/files(/.*)?
/var/www/html/[^/]*/sites/default/settings.php
/var/lib/drupal.*
/etc/zabbix/web(/.*)?
/var/log/z-push(/.*)?
/var/spool/gosa(/.*)?
/var/www/moodle(/.*)?
/var/lib/dokuwiki(/.*)?
/var/lib/owncloud(/.*)?
/var/spool/viewvc(/.*)?
/var/www/moodledata(/.*)?
/var/www/gallery/albums(/.*)?
/var/www/html/owncloud/data(/.*)?
/usr/share/wordpress-mu/wp-content(/.*)?
/usr/share/wordpress/wp-content/uploads(/.*)?
/usr/share/wordpress/wp-content/upgrade(/.*)?
/var/www/html/configuration.php

httpd_tmp_t

/var/www/openshift/console/tmp(/.*)?

httpd_tmpfs_t

httpd_user_rw_content_t

httpd_var_lib_t

/var/lib/dav(/.*)?
/var/lib/httpd(/.*)?
/var/lib/nginx(/.*)?
/var/lib/z-push(/.*)?
/var/lib/cherokee(/.*)?
/var/lib/roundcubemail(/.*)?
/var/lib/rt3/data/RT-Shredder(/.*)?

httpd_var_run_t

/var/run/mod_.*
/var/run/wsgi.*
/var/run/httpd.*
/var/run/nginx.*
/var/run/apache.*
/var/run/php-fpm(/.*)?
/var/run/lighttpd(/.*)?
/var/lib/php/session(/.*)?
/var/run/thttpd.pid
/var/run/gcache_port

httpd_w3c_validator_rw_content_t

httpdcontent

initrc_tmp_t

memcached_var_run_t

/var/run/memcached(/.*)?
/var/run/ipa_memcached(/.*)?

mirrormanager_var_run_t

/var/run/mirrormanager(/.*)?

mnt_t

/mnt(/[^/]*)
/mnt(/[^/]*)?
/rhev(/[^/]*)?
/media(/[^/]*)
/media(/[^/]*)?
/etc/rhgb(/.*)?
/media/.hal-.*
/net
/afs
/rhev
/misc

nfs_t

passenger_tmp_t

passenger_var_lib_t

/var/lib(64)?/passenger(/.*)?
/var/lib/passenger(/.*)?

passenger_var_run_t

/var/run/passenger(/.*)?

postfix_spool_maildrop_t

/var/spool/postfix/defer(/.*)?
/var/spool/postfix/deferred(/.*)?
/var/spool/postfix/maildrop(/.*)?

preupgrade_data_t

/var/lib/preupgrade(/.*)?
/var/log/preupgrade(/.*)?

public_content_rw_t

/var/spool/abrt-upload(/.*)?

root_t

/
/initrd

squirrelmail_spool_t

/var/spool/squirrelmail(/.*)?

tmp_t

/tmp
/usr/tmp
/var/tmp
/tmp-inst
/var/tmp-inst
/var/tmp/vi.recover

zarafa_var_lib_t

/var/lib/zarafa(/.*)?
/var/lib/zarafa-webapp(/.*)?
/var/lib/zarafa-webaccess(/.*)?

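Added example (not part of the man page): a check of whether a path falls under one of the default httpd_sys_rw_content_t specifications listed above, which is a quick way to see which parts of a web root httpd_t may write to. Only a subset of the specifications is embedded, the function names are hypothetical, and the test paths are constructed. The specifications are treated as anchored at both ends, as file context regular expressions are.

```sh
#!/bin/sh
# Added example: match a path against default httpd_sys_rw_content_t specs.

# Subset of the path specifications listed on this page for
# httpd_sys_rw_content_t (files httpd_t can manage).
rw_specs() {
    cat <<'EOF'
/etc/drupal.*
/var/www/html/[^/]*/sites/default/files(/.*)?
/var/www/html/[^/]*/sites/default/settings.php
/var/www/moodledata(/.*)?
/var/www/html/owncloud/data(/.*)?
/usr/share/wordpress/wp-content/uploads(/.*)?
/var/www/html/configuration.php
EOF
}

# matching_rw_specs PATH
# Prints each specification that matches PATH in full (grep -x anchors the
# expression at both ends of the path).
matching_rw_specs() {
    rw_specs | while IFS= read -r spec; do
        if printf '%s\n' "$1" | grep -Eqx -- "$spec"; then
            printf '%s\n' "$spec"
        fi
    done
}

# matches_default_rw_spec PATH
# Exit status 0 when PATH falls under at least one embedded specification.
matches_default_rw_spec() {
    [ -n "$(matching_rw_specs "$1")" ]
}

# Demo on constructed paths.
for p in \
    /var/www/html/blog/sites/default/settings.php \
    /var/www/html/blog/index.php \
    /var/www/html/a/b/sites/default/files/x \
    /usr/share/wordpress/wp-content/uploads/2024/a.png
do
    if matches_default_rw_spec "$p"; then
        echo "rw spec matches: $p"
    else
        echo "no rw spec:      $p"
    fi
done
```

A match here reflects only the specifications embedded in the script; matchpathcon PATH shows the label the installed file context configuration assigns, and ls -Z PATH shows the label actually on disk.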
FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux httpd policy is very flexible, allowing users to set up their
httpd processes in as secure a method as possible.

EQUIVALENCE DIRECTORIES

httpd policy stores data with multiple different file context types
under the /var/www directory. If you would like to store the data in a
different directory, you can use the semanage command to create an
equivalence mapping. If you wanted to store this data under the /srv
directory, you would execute the following command:

semanage fcontext -a -e /var/www /srv/www
restorecon -R -v /srv/www

STANDARD FILE CONTEXT

SELinux defines the file context types for httpd. If you want to store
files with these types in different paths, you need to execute the
semanage command to specify alternate labeling and then use restorecon
to put the labels on disk.

semanage fcontext -a -t httpd_w3c_validator_tmp_t '/srv/myhttpd_content(/.*)?'
restorecon -R -v /srv/myhttpd_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for httpd:

httpd_apcupsd_cgi_content_t

- Set files with the httpd_apcupsd_cgi_content_t type, if you want to
treat the files as httpd apcupsd cgi content.

httpd_apcupsd_cgi_htaccess_t

- Set files with the httpd_apcupsd_cgi_htaccess_t type, if you want to
treat the file as a httpd apcupsd cgi access file.

httpd_apcupsd_cgi_ra_content_t

- Set files with the httpd_apcupsd_cgi_ra_content_t type, if you want
to treat the files as httpd apcupsd cgi read/append content.

httpd_apcupsd_cgi_rw_content_t

- Set files with the httpd_apcupsd_cgi_rw_content_t type, if you want
to treat the files as httpd apcupsd cgi read/write content.

httpd_apcupsd_cgi_script_exec_t

- Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want
to transition an executable to the httpd_apcupsd_cgi_script_t domain.

Paths:
/var/www/cgi-bin/apcgui(/.*)?, /var/www/apcupsd/multimon.cgi,
/var/www/apcupsd/upsimage.cgi, /var/www/apcupsd/upsstats.cgi,
/var/www/apcupsd/upsfstats.cgi

httpd_awstats_content_t

- Set files with the httpd_awstats_content_t type, if you want to treat
the files as httpd awstats content.

httpd_awstats_htaccess_t

- Set files with the httpd_awstats_htaccess_t type, if you want to
treat the file as a httpd awstats access file.

httpd_awstats_ra_content_t

- Set files with the httpd_awstats_ra_content_t type, if you want to
treat the files as httpd awstats read/append content.

httpd_awstats_rw_content_t

- Set files with the httpd_awstats_rw_content_t type, if you want to
treat the files as httpd awstats read/write content.

httpd_awstats_script_exec_t

- Set files with the httpd_awstats_script_exec_t type, if you want to
transition an executable to the httpd_awstats_script_t domain.

httpd_bugzilla_content_t

- Set files with the httpd_bugzilla_content_t type, if you want to
treat the files as httpd bugzilla content.

httpd_bugzilla_htaccess_t

- Set files with the httpd_bugzilla_htaccess_t type, if you want to
treat the file as a httpd bugzilla access file.

httpd_bugzilla_ra_content_t

- Set files with the httpd_bugzilla_ra_content_t type, if you want to
treat the files as httpd bugzilla read/append content.

httpd_bugzilla_rw_content_t

- Set files with the httpd_bugzilla_rw_content_t type, if you want to
treat the files as httpd bugzilla read/write content.

httpd_bugzilla_script_exec_t

- Set files with the httpd_bugzilla_script_exec_t type, if you want to
transition an executable to the httpd_bugzilla_script_t domain.

httpd_bugzilla_tmp_t

- Set files with the httpd_bugzilla_tmp_t type, if you want to store
httpd bugzilla temporary files in the /tmp directories.

httpd_cache_t

- Set files with the httpd_cache_t type, if you want to store the files
under the /var/cache directory.

Paths:
/var/cache/rt3(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
/var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
/var/cache/mod_ssl(/.*)?, /var/cache/lighttpd(/.*)?,
/var/cache/mediawiki(/.*)?, /var/cache/mod_proxy(/.*)?,
/var/cache/mod_gnutls(/.*)?, /var/cache/php-mmcache(/.*)?,
/var/cache/php-eaccelerator(/.*)?

httpd_cobbler_content_t

- Set files with the httpd_cobbler_content_t type, if you want to treat
the files as httpd cobbler content.

httpd_cobbler_htaccess_t

- Set files with the httpd_cobbler_htaccess_t type, if you want to
treat the file as a httpd cobbler access file.

httpd_cobbler_ra_content_t

- Set files with the httpd_cobbler_ra_content_t type, if you want to
treat the files as httpd cobbler read/append content.

httpd_cobbler_rw_content_t

- Set files with the httpd_cobbler_rw_content_t type, if you want to
treat the files as httpd cobbler read/write content.

httpd_cobbler_script_exec_t

- Set files with the httpd_cobbler_script_exec_t type, if you want to
transition an executable to the httpd_cobbler_script_t domain.

httpd_collectd_content_t

- Set files with the httpd_collectd_content_t type, if you want to
treat the files as httpd collectd content.

httpd_collectd_htaccess_t

- Set files with the httpd_collectd_htaccess_t type, if you want to
treat the file as a httpd collectd access file.

httpd_collectd_ra_content_t

- Set files with the httpd_collectd_ra_content_t type, if you want to
treat the files as httpd collectd read/append content.

httpd_collectd_rw_content_t

- Set files with the httpd_collectd_rw_content_t type, if you want to
treat the files as httpd collectd read/write content.

httpd_collectd_script_exec_t

- Set files with the httpd_collectd_script_exec_t type, if you want to
transition an executable to the httpd_collectd_script_t domain.

httpd_config_t

- Set files with the httpd_config_t type, if you want to treat the
files as httpd configuration data, usually stored under the /etc
directory.

Paths:
/etc/httpd(/.*)?, /etc/nginx(/.*)?, /etc/apache(2)?(/.*)?,
/etc/cherokee(/.*)?, /etc/lighttpd(/.*)?, /etc/apache-ssl(2)?(/.*)?,
/var/lib/openshift/.httpd.d(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?,
/etc/vhosts, /etc/thttpd.conf

httpd_cvs_content_t

- Set files with the httpd_cvs_content_t type, if you want to treat the
files as httpd cvs content.

httpd_cvs_htaccess_t

- Set files with the httpd_cvs_htaccess_t type, if you want to treat
the file as a httpd cvs access file.

httpd_cvs_ra_content_t

- Set files with the httpd_cvs_ra_content_t type, if you want to treat
the files as httpd cvs read/append content.

httpd_cvs_rw_content_t

- Set files with the httpd_cvs_rw_content_t type, if you want to treat
the files as httpd cvs read/write content.

httpd_cvs_script_exec_t

- Set files with the httpd_cvs_script_exec_t type, if you want to
transition an executable to the httpd_cvs_script_t domain.

Paths:
/var/www/cgi-bin/cvsweb.cgi, /usr/share/cvsweb/cvsweb.cgi

httpd_dirsrvadmin_content_t

- Set files with the httpd_dirsrvadmin_content_t type, if you want to
treat the files as httpd dirsrvadmin content.

httpd_dirsrvadmin_htaccess_t

- Set files with the httpd_dirsrvadmin_htaccess_t type, if you want to
treat the file as a httpd dirsrvadmin access file.

httpd_dirsrvadmin_ra_content_t

- Set files with the httpd_dirsrvadmin_ra_content_t type, if you want
to treat the files as httpd dirsrvadmin read/append content.

httpd_dirsrvadmin_rw_content_t

- Set files with the httpd_dirsrvadmin_rw_content_t type, if you want
to treat the files as httpd dirsrvadmin read/write content.

httpd_dirsrvadmin_script_exec_t

- Set files with the httpd_dirsrvadmin_script_exec_t type, if you want
to transition an executable to the httpd_dirsrvadmin_script_t domain.

Paths:
/usr/lib(64)?/dirsrv/cgi-bin(/.*)?,
/usr/lib(64)?/dirsrv/dsgw-cgi-bin(/.*)?

httpd_dspam_content_t

- Set files with the httpd_dspam_content_t type, if you want to treat
the files as httpd dspam content.

httpd_dspam_htaccess_t

- Set files with the httpd_dspam_htaccess_t type, if you want to treat
the file as a httpd dspam access file.

httpd_dspam_ra_content_t

- Set files with the httpd_dspam_ra_content_t type, if you want to
treat the files as httpd dspam read/append content.

httpd_dspam_rw_content_t

- Set files with the httpd_dspam_rw_content_t type, if you want to
treat the files as httpd dspam read/write content.

httpd_dspam_script_exec_t

- Set files with the httpd_dspam_script_exec_t type, if you want to
transition an executable to the httpd_dspam_script_t domain.

Paths:
/var/www/dspam/.*.cgi, /usr/share/dspam-web/dspam.cgi

httpd_exec_t

- Set files with the httpd_exec_t type, if you want to transition an
executable to the httpd_t domain.

Paths:
/usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
/usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
/usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
/usr/bin/mongrel_rails, /usr/sbin/htcacheclean

httpd_git_content_t

- Set files with the httpd_git_content_t type, if you want to treat the
files as httpd git content.

httpd_git_htaccess_t

- Set files with the httpd_git_htaccess_t type, if you want to treat
the file as a httpd git access file.

httpd_git_ra_content_t

- Set files with the httpd_git_ra_content_t type, if you want to treat
the files as httpd git read/append content.

httpd_git_rw_content_t

- Set files with the httpd_git_rw_content_t type, if you want to treat
the files as httpd git read/write content.

Paths:
/var/cache/cgit(/.*)?, /var/cache/gitweb-caching(/.*)?

httpd_git_script_exec_t

- Set files with the httpd_git_script_exec_t type, if you want to
transition an executable to the httpd_git_script_t domain.

Paths:
/var/www/git/gitweb.cgi, /var/www/cgi-bin/cgit,
/var/www/gitweb-caching/gitweb.cgi

1178 httpd_helper_exec_t
1179
1180 - Set files with the httpd_helper_exec_t type, if you want to transi‐
1181 tion an executable to the httpd_helper_t domain.
1182
1183
1184
1185 httpd_initrc_exec_t
1186
1187 - Set files with the httpd_initrc_exec_t type, if you want to transi‐
1188 tion an executable to the httpd_initrc_t domain.
1189
1190
1191 Paths:
1192 /etc/rc.d/init.d/php-fpm.*, /etc/init.d/cherokee,
1193 /etc/rc.d/init.d/httpd, /etc/rc.d/init.d/nginx,
1194 /etc/rc.d/init.d/thttpd, /etc/rc.d/init.d/lighttpd,
1195 /etc/rc.d/init.d/htcacheclean
1196
1197
1198 httpd_keytab_t
1199
1200 - Set files with the httpd_keytab_t type, if you want to treat the
1201 files as kerberos keytab files.
1202
1203
1204
1205 httpd_lock_t
1206
1207 - Set files with the httpd_lock_t type, if you want to treat the files
1208 as httpd lock data, stored under the /var/lock directory
1209
1210
1211
1212 httpd_log_t
1213
1214 - Set files with the httpd_log_t type, if you want to treat the data as
1215 httpd log data, usually stored under the /var/log directory.
1216
1217
1218 Paths:
1219 /var/log/cacti(/.*)?, /var/log/httpd(/.*)?, /var/log/nginx(/.*)?,
1220 /var/log/apache(2)?(/.*)?, /var/log/php-fpm(/.*)?, /var/log/chero‐
1221 kee(/.*)?, /var/log/lighttpd(/.*)?, /var/log/thttpd.log.*,
1222 /var/log/apache-ssl(2)?(/.*)?, /var/log/cgiwrap.log.*,
1223 /var/www/stickshift/[^/]*/log(/.*)?, /var/log/roundcubemail(/.*)?,
1224 /var/lib/openshift/.log/httpd(/.*)?, /var/www/openshift/con‐
1225 sole/log(/.*)?, /etc/httpd/logs
1226
1227
httpd_mediawiki_content_t

- Set files with the httpd_mediawiki_content_t type, if you want to treat the files as httpd mediawiki content.

Paths:
/var/www/wiki/.*.php, /usr/share/mediawiki(/.*)?

httpd_mediawiki_htaccess_t

- Set files with the httpd_mediawiki_htaccess_t type, if you want to treat the file as a httpd mediawiki access file.

httpd_mediawiki_ra_content_t

- Set files with the httpd_mediawiki_ra_content_t type, if you want to treat the files as httpd mediawiki read/append content.

httpd_mediawiki_rw_content_t

- Set files with the httpd_mediawiki_rw_content_t type, if you want to treat the files as httpd mediawiki read/write content.

httpd_mediawiki_script_exec_t

- Set files with the httpd_mediawiki_script_exec_t type, if you want to transition an executable to the httpd_mediawiki_script_t domain.

Paths:
/usr/lib(64)?/mediawiki/math/texvc,
/usr/lib(64)?/mediawiki/math/texvc_tex,
/usr/lib(64)?/mediawiki/math/texvc_tes

httpd_mediawiki_tmp_t

- Set files with the httpd_mediawiki_tmp_t type, if you want to store httpd mediawiki temporary files in the /tmp directories.

httpd_modules_t

- Set files with the httpd_modules_t type, if you want to treat the files as httpd modules.

Paths:
/usr/lib(64)?/httpd(/.*)?, /usr/lib(64)?/apache(/.*)?,
/usr/lib(64)?/cherokee(/.*)?, /usr/lib(64)?/lighttpd(/.*)?,
/usr/lib(64)?/apache2/modules(/.*)?, /etc/httpd/modules

httpd_munin_content_t

- Set files with the httpd_munin_content_t type, if you want to treat the files as httpd munin content.

httpd_munin_htaccess_t

- Set files with the httpd_munin_htaccess_t type, if you want to treat the file as a httpd munin access file.

httpd_munin_ra_content_t

- Set files with the httpd_munin_ra_content_t type, if you want to treat the files as httpd munin read/append content.

httpd_munin_rw_content_t

- Set files with the httpd_munin_rw_content_t type, if you want to treat the files as httpd munin read/write content.

httpd_munin_script_exec_t

- Set files with the httpd_munin_script_exec_t type, if you want to transition an executable to the httpd_munin_script_t domain.

Paths:
/var/www/cgi-bin/munin.*, /var/www/html/cgi/munin.*,
/var/www/html/munin/cgi(/.*)?

httpd_munin_script_tmp_t

- Set files with the httpd_munin_script_tmp_t type, if you want to store httpd munin script temporary files in the /tmp directories.

httpd_nagios_content_t

- Set files with the httpd_nagios_content_t type, if you want to treat the files as httpd nagios content.

httpd_nagios_htaccess_t

- Set files with the httpd_nagios_htaccess_t type, if you want to treat the file as a httpd nagios access file.

httpd_nagios_ra_content_t

- Set files with the httpd_nagios_ra_content_t type, if you want to treat the files as httpd nagios read/append content.

httpd_nagios_rw_content_t

- Set files with the httpd_nagios_rw_content_t type, if you want to treat the files as httpd nagios read/write content.

httpd_nagios_script_exec_t

- Set files with the httpd_nagios_script_exec_t type, if you want to transition an executable to the httpd_nagios_script_t domain.

Paths:
/usr/lib(64)?/nagios/cgi(/.*)?, /usr/lib(64)?/cgi-bin/nagios(/.+)?,
/usr/lib(64)?/nagios/cgi-bin(/.*)?,
/usr/lib(64)?/cgi-bin/netsaint(/.*)?

httpd_nutups_cgi_content_t

- Set files with the httpd_nutups_cgi_content_t type, if you want to treat the files as httpd nutups cgi content.

httpd_nutups_cgi_htaccess_t

- Set files with the httpd_nutups_cgi_htaccess_t type, if you want to treat the file as a httpd nutups cgi access file.

httpd_nutups_cgi_ra_content_t

- Set files with the httpd_nutups_cgi_ra_content_t type, if you want to treat the files as httpd nutups cgi read/append content.

httpd_nutups_cgi_rw_content_t

- Set files with the httpd_nutups_cgi_rw_content_t type, if you want to treat the files as httpd nutups cgi read/write content.

httpd_nutups_cgi_script_exec_t

- Set files with the httpd_nutups_cgi_script_exec_t type, if you want to transition an executable to the httpd_nutups_cgi_script_t domain.

Paths:
/var/www/nut-cgi-bin/upsset.cgi, /var/www/nut-cgi-bin/upsimage.cgi,
/var/www/nut-cgi-bin/upsstats.cgi

httpd_openshift_content_t

- Set files with the httpd_openshift_content_t type, if you want to treat the files as httpd openshift content.

httpd_openshift_htaccess_t

- Set files with the httpd_openshift_htaccess_t type, if you want to treat the file as a httpd openshift access file.

httpd_openshift_ra_content_t

- Set files with the httpd_openshift_ra_content_t type, if you want to treat the files as httpd openshift read/append content.

httpd_openshift_rw_content_t

- Set files with the httpd_openshift_rw_content_t type, if you want to treat the files as httpd openshift read/write content.

httpd_openshift_script_exec_t

- Set files with the httpd_openshift_script_exec_t type, if you want to transition an executable to the httpd_openshift_script_t domain.

httpd_php_exec_t

- Set files with the httpd_php_exec_t type, if you want to transition an executable to the httpd_php_t domain.

httpd_php_tmp_t

- Set files with the httpd_php_tmp_t type, if you want to store httpd php temporary files in the /tmp directories.

httpd_prewikka_content_t

- Set files with the httpd_prewikka_content_t type, if you want to treat the files as httpd prewikka content.

httpd_prewikka_htaccess_t

- Set files with the httpd_prewikka_htaccess_t type, if you want to treat the file as a httpd prewikka access file.

httpd_prewikka_ra_content_t

- Set files with the httpd_prewikka_ra_content_t type, if you want to treat the files as httpd prewikka read/append content.

httpd_prewikka_rw_content_t

- Set files with the httpd_prewikka_rw_content_t type, if you want to treat the files as httpd prewikka read/write content.

httpd_prewikka_script_exec_t

- Set files with the httpd_prewikka_script_exec_t type, if you want to transition an executable to the httpd_prewikka_script_t domain.

httpd_rotatelogs_exec_t

- Set files with the httpd_rotatelogs_exec_t type, if you want to transition an executable to the httpd_rotatelogs_t domain.

httpd_smokeping_cgi_content_t

- Set files with the httpd_smokeping_cgi_content_t type, if you want to treat the files as httpd smokeping cgi content.

httpd_smokeping_cgi_htaccess_t

- Set files with the httpd_smokeping_cgi_htaccess_t type, if you want to treat the file as a httpd smokeping cgi access file.

httpd_smokeping_cgi_ra_content_t

- Set files with the httpd_smokeping_cgi_ra_content_t type, if you want to treat the files as httpd smokeping cgi read/append content.

httpd_smokeping_cgi_rw_content_t

- Set files with the httpd_smokeping_cgi_rw_content_t type, if you want to treat the files as httpd smokeping cgi read/write content.

httpd_smokeping_cgi_script_exec_t

- Set files with the httpd_smokeping_cgi_script_exec_t type, if you want to transition an executable to the httpd_smokeping_cgi_script_t domain.

httpd_squid_content_t

- Set files with the httpd_squid_content_t type, if you want to treat the files as httpd squid content.

httpd_squid_htaccess_t

- Set files with the httpd_squid_htaccess_t type, if you want to treat the file as a httpd squid access file.

httpd_squid_ra_content_t

- Set files with the httpd_squid_ra_content_t type, if you want to treat the files as httpd squid read/append content.

httpd_squid_rw_content_t

- Set files with the httpd_squid_rw_content_t type, if you want to treat the files as httpd squid read/write content.

httpd_squid_script_exec_t

- Set files with the httpd_squid_script_exec_t type, if you want to transition an executable to the httpd_squid_script_t domain.

Paths:
/usr/lib/squid/cachemgr.cgi, /usr/lib64/squid/cachemgr.cgi

httpd_squirrelmail_t

- Set files with the httpd_squirrelmail_t type, if you want to treat the files as httpd squirrelmail data.

httpd_suexec_exec_t

- Set files with the httpd_suexec_exec_t type, if you want to transition an executable to the httpd_suexec_t domain.

Paths:
/usr/lib(64)?/apache(2)?/suexec(2)?,
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec

httpd_suexec_tmp_t

- Set files with the httpd_suexec_tmp_t type, if you want to store httpd suexec temporary files in the /tmp directories.

httpd_sys_content_t

- Set files with the httpd_sys_content_t type, if you want to treat the files as httpd sys content.

Paths:
/srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
/srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
/var/www/icons(/.*)?, /usr/share/htdig(/.*)?, /usr/share/drupal.*,
/var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?,
/usr/share/mythweb(/.*)?, /var/lib/cacti/rra(/.*)?,
/usr/share/ntop/html(/.*)?, /var/lib/graphite-web(/.*),
/usr/share/mythtv/data(/.*)?, /usr/share/openca/htdocs(/.*)?,
/usr/share/selinux-policy[^/]*/html(/.*)?

httpd_sys_htaccess_t

- Set files with the httpd_sys_htaccess_t type, if you want to treat the file as a httpd sys access file.

httpd_sys_ra_content_t

- Set files with the httpd_sys_ra_content_t type, if you want to treat the files as httpd sys read/append content.

httpd_sys_rw_content_t

- Set files with the httpd_sys_rw_content_t type, if you want to treat the files as httpd sys read/write content.

Paths:
/etc/drupal.*, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
/etc/dokuwiki(/.*)?, /etc/owncloud(/.*)?, /var/lib/koji(/.*)?,
/etc/mock/koji(/.*)?,
/var/www/html/[^/]*/sites/default/files(/.*)?,
/var/www/html/[^/]*/sites/default/settings.php, /var/lib/drupal.*,
/etc/zabbix/web(/.*)?, /var/log/z-push(/.*)?,
/var/spool/gosa(/.*)?, /var/www/moodle(/.*)?,
/var/lib/dokuwiki(/.*)?, /var/lib/owncloud(/.*)?,
/var/spool/viewvc(/.*)?, /var/www/moodledata(/.*)?,
/var/www/gallery/albums(/.*)?, /var/www/html/owncloud/data(/.*)?,
/usr/share/wordpress-mu/wp-content(/.*)?,
/usr/share/wordpress/wp-content/uploads(/.*)?,
/usr/share/wordpress/wp-content/upgrade(/.*)?,
/var/www/html/configuration.php

httpd_sys_script_exec_t

- Set files with the httpd_sys_script_exec_t type, if you want to transition an executable to the httpd_sys_script_t domain.

Paths:
/var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?,
/var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?,
/var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?,
/usr/share/wordpress/.*.php, /usr/share/wordpress/wp-includes/.*.php,
/usr/share/mythtv/mythweather/scripts(/.*)?,
/usr/share/mythweb/mythweb.pl, /usr/share/wordpress-mu/wp-config.php

httpd_tmp_t

- Set files with the httpd_tmp_t type, if you want to store httpd temporary files in the /tmp directories.

httpd_tmpfs_t

- Set files with the httpd_tmpfs_t type, if you want to store httpd files on a tmpfs file system.

httpd_unconfined_script_exec_t

- Set files with the httpd_unconfined_script_exec_t type, if you want to transition an executable to the httpd_unconfined_script_t domain.

httpd_user_content_t

- Set files with the httpd_user_content_t type, if you want to treat the files as httpd user content.

Paths:
/home/[^/]*/((www)|(web)|(public_html))(/.+)?,
/home/staff/((www)|(web)|(public_html))(/.+)?

httpd_user_htaccess_t

- Set files with the httpd_user_htaccess_t type, if you want to treat the file as a httpd user access file.

httpd_user_ra_content_t

- Set files with the httpd_user_ra_content_t type, if you want to treat the files as httpd user read/append content.

httpd_user_rw_content_t

- Set files with the httpd_user_rw_content_t type, if you want to treat the files as httpd user read/write content.

httpd_user_script_exec_t

- Set files with the httpd_user_script_exec_t type, if you want to transition an executable to the httpd_user_script_t domain.

httpd_var_lib_t

- Set files with the httpd_var_lib_t type, if you want to store the httpd files under the /var/lib directory.

Paths:
/var/lib/dav(/.*)?, /var/lib/httpd(/.*)?, /var/lib/nginx(/.*)?,
/var/lib/z-push(/.*)?, /var/lib/cherokee(/.*)?,
/var/lib/roundcubemail(/.*)?, /var/lib/rt3/data/RT-Shredder(/.*)?

httpd_var_run_t

- Set files with the httpd_var_run_t type, if you want to store the httpd files under the /run or /var/run directory.

Paths:
/var/run/mod_.*, /var/run/wsgi.*, /var/run/httpd.*,
/var/run/nginx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?,
/var/run/lighttpd(/.*)?, /var/lib/php/session(/.*)?,
/var/run/thttpd.pid, /var/run/gcache_port

httpd_w3c_validator_content_t

- Set files with the httpd_w3c_validator_content_t type, if you want to treat the files as httpd w3c validator content.

httpd_w3c_validator_htaccess_t

- Set files with the httpd_w3c_validator_htaccess_t type, if you want to treat the file as a httpd w3c validator access file.

httpd_w3c_validator_ra_content_t

- Set files with the httpd_w3c_validator_ra_content_t type, if you want to treat the files as httpd w3c validator read/append content.

httpd_w3c_validator_rw_content_t

- Set files with the httpd_w3c_validator_rw_content_t type, if you want to treat the files as httpd w3c validator read/write content.

httpd_w3c_validator_script_exec_t

- Set files with the httpd_w3c_validator_script_exec_t type, if you want to transition an executable to the httpd_w3c_validator_script_t domain.

Paths:
/usr/share/w3c-markup-validator/cgi-bin(/.*)?, /usr/lib/cgi-bin/check

httpd_w3c_validator_tmp_t

- Set files with the httpd_w3c_validator_tmp_t type, if you want to store httpd w3c validator temporary files in the /tmp directories.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context, you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will then need to use restorecon to apply the labels.
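
The Paths lists above are anchored regular expressions, so nested directories can carry different types (for example /var/www/svn is read/write content while /var/www/svn/hooks is a script entry point). The following is an added example, not part of the generated manual page: it matches sample paths against a subset of the patterns listed on this page. The ranking in `specificity` (literal patterns first, then longest literal prefix, then longest pattern) is an assumption that approximates how policy file contexts are ordered; on a real system `matchpathcon` gives the authoritative answer.

```python
import re

# Default file-context patterns copied from the Paths lists on this page (a subset).
DEFAULT_CONTEXTS = [
    ("/var/www(/.*)?", "httpd_sys_content_t"),
    ("/var/www/svn/conf(/.*)?", "httpd_sys_content_t"),
    ("/var/www/svn(/.*)?", "httpd_sys_rw_content_t"),
    ("/var/www/html/[^/]*/sites/default/files(/.*)?", "httpd_sys_rw_content_t"),
    ("/var/www/html/configuration.php", "httpd_sys_rw_content_t"),
    ("/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    ("/var/www/[^/]*/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    ("/var/www/svn/hooks(/.*)?", "httpd_sys_script_exec_t"),
    ("/var/log/httpd(/.*)?", "httpd_log_t"),
    ("/home/[^/]*/((www)|(web)|(public_html))(/.+)?", "httpd_user_content_t"),
]

# What this page says each type is for.
PURPOSE = {
    "httpd_sys_content_t": "httpd sys content",
    "httpd_sys_rw_content_t": "httpd sys read/write content",
    "httpd_sys_script_exec_t": "entry point to the httpd_sys_script_t domain",
    "httpd_log_t": "httpd log data",
    "httpd_user_content_t": "httpd user content",
}

META = set(".^$?*+|[](){}\\")


def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in META:
            return i
    return len(pattern)


def specificity(pattern):
    # Assumption: approximates the policy's file-context ordering.
    n = stem_len(pattern)
    return (n == len(pattern), n, len(pattern))


def match(path, table=DEFAULT_CONTEXTS):
    """Return (type, pattern) for the most specific matching pattern, or None."""
    hits = [(specificity(p), p, t) for p, t in table if re.fullmatch(p, path)]
    if not hits:
        return None
    _, pattern, ftype = max(hits)
    return ftype, pattern


def report(paths):
    """Return (path, type, purpose) rows; type is None when nothing matches."""
    rows = []
    for path in paths:
        hit = match(path)
        ftype = hit[0] if hit else None
        rows.append((path, ftype, PURPOSE.get(ftype, "no match in this subset")))
    return rows


if __name__ == "__main__":
    # Constructed sample paths.
    for row in report(["/var/www/svn/repo/db", "/var/www/svn/conf/authz",
                       "/var/www/svn/hooks/pre-commit", "/opt/app/static/x.css"]):
        print(row)
```

A path that returns no match here (such as content kept outside the listed directories) is the case the note above addresses: add a `semanage fcontext` rule for it and run `restorecon`, rather than relying on `chcon`.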

If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to content labeled public_content_rw_t, you must set the appropriate boolean.

Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type.

semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
restorecon -F -R -v /var/httpd

Allow httpd servers to read and write /var/httpd/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. You also need to turn on the httpd_anon_write boolean.

semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
restorecon -F -R -v /var/httpd/incoming
setsebool -P httpd_anon_write 1
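
Because httpd_anon_write applies to the public_content_rw_t type as a whole, turning it on lets httpd write to every tree carrying that label, not only /var/httpd/incoming. The following added example (not part of the generated manual page) reviews `semanage fcontext -l -C` and `getsebool` output for that condition; the listing text, the /srv/ftp/upload rule and the function names are constructed for illustration.

```python
import re

# Constructed sample of `semanage fcontext -l -C` output (local customizations).
FCONTEXT_LISTING = """\
SELinux fcontext                     type        Context

/var/httpd(/.*)?                     all files   system_u:object_r:public_content_t:s0
/var/httpd/incoming(/.*)?            all files   system_u:object_r:public_content_rw_t:s0
/srv/ftp/upload(/.*)?                all files   system_u:object_r:public_content_rw_t:s0
"""

# Constructed sample of `getsebool httpd_anon_write` output.
GETSEBOOL = "httpd_anon_write --> on\n"


def parse_fcontext(listing):
    """Return (path_spec, selinux_type) pairs from a semanage fcontext listing."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        # Skip the header and blank lines: rules start with an absolute path.
        if len(fields) < 3 or not fields[0].startswith("/"):
            continue
        context = fields[-1].split(":")  # user:role:type:level
        if len(context) >= 3:
            rules.append((fields[0], context[2]))
    return rules


def parse_booleans(text):
    """Return {name: bool} from getsebool-style 'name --> on|off' lines."""
    return {m.group(1): m.group(2) == "on"
            for m in re.finditer(r"^(\S+)\s+-->\s+(on|off)\s*$", text, re.M)}


def audit(listing, booleans_text, expected_writable):
    """Compare public_content_rw_t rules with the trees httpd is meant to write."""
    anon_write = parse_booleans(booleans_text).get("httpd_anon_write", False)
    findings = []
    for spec, ftype in parse_fcontext(listing):
        if ftype != "public_content_rw_t":
            continue
        if anon_write and spec not in expected_writable:
            # Boolean is on, so httpd can write here even though nobody asked for it.
            findings.append(("unexpected-httpd-write", spec))
        elif not anon_write and spec in expected_writable:
            # Label is set but the boolean is off: httpd writes will be denied.
            findings.append(("boolean-off", spec))
    return findings


if __name__ == "__main__":
    for finding in audit(FCONTEXT_LISTING, GETSEBOOL, {"/var/httpd/incoming(/.*)?"}):
        print(finding)
```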

If you want to allow Apache to modify public files used for public file transfer services, you must turn on the allow_httpd_anon_write boolean. Directories/files must be labeled public_content_rw_t.

setsebool -P allow_httpd_anon_write 1

semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

This manual page was auto-generated using sepolicy manpage.

selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), setsebool(8),
httpd_apcupsd_cgi_script_selinux(8), httpd_awstats_script_selinux(8),
httpd_bugzilla_script_selinux(8), httpd_cobbler_script_selinux(8),
httpd_collectd_script_selinux(8), httpd_cvs_script_selinux(8),
httpd_dirsrvadmin_script_selinux(8), httpd_dspam_script_selinux(8),
httpd_git_script_selinux(8), httpd_helper_selinux(8),
httpd_mediawiki_script_selinux(8), httpd_munin_script_selinux(8),
httpd_nagios_script_selinux(8), httpd_nutups_cgi_script_selinux(8),
httpd_openshift_script_selinux(8), httpd_php_selinux(8),
httpd_prewikka_script_selinux(8), httpd_rotatelogs_selinux(8),
httpd_smokeping_cgi_script_selinux(8), httpd_squid_script_selinux(8),
httpd_suexec_selinux(8), httpd_sys_script_selinux(8),
httpd_unconfined_script_selinux(8), httpd_user_script_selinux(8),
httpd_w3c_validator_script_selinux(8)

httpd 15-06-03 httpd_selinux(8)