httpd_selinux(8)             SELinux Policy httpd             httpd_selinux(8)

NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd processes

DESCRIPTION

       Security-Enhanced Linux secures the httpd processes via flexible
       mandatory access control.

       The httpd processes execute with the httpd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_t

ENTRYPOINTS

       The httpd_t SELinux type can be entered via the httpd_exec_t file type.

       The default entrypoint paths for the httpd_t domain are the following:

       /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
       /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
       /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
       /usr/bin/mongrel_rails, /usr/sbin/htcacheclean

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       httpd policy is very flexible, allowing users to set up their httpd
       processes in as secure a method as possible.

       The following process types are defined for httpd:

       httpd_collectd_script_t, httpd_cvs_script_t, httpd_rotatelogs_t,
       httpd_bugzilla_script_t, httpd_smokeping_cgi_script_t,
       httpd_nagios_script_t, httpd_dirsrvadmin_script_t, httpd_suexec_t,
       httpd_php_t, httpd_w3c_validator_script_t, httpd_user_script_t,
       httpd_awstats_script_t, httpd_apcupsd_cgi_script_t,
       httpd_nutups_cgi_script_t, httpd_munin_script_t,
       httpd_openshift_script_t, httpd_sys_script_t, httpd_dspam_script_t,
       httpd_prewikka_script_t, httpd_git_script_t,
       httpd_unconfined_script_t, httpd_t, httpd_helper_t,
       httpd_squid_script_t, httpd_cobbler_script_t,
       httpd_mediawiki_script_t

       Note: semanage permissive -a httpd_t can be used to make the process
       type httpd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required. httpd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run httpd with the tightest access possible.


       If you want to allow httpd to use built-in scripting (usually php), you
       must turn on the httpd_builtin_scripting boolean. Enabled by default.

       setsebool -P httpd_builtin_scripting 1


       If you want to allow http daemon to check spam, you must turn on the
       httpd_can_check_spam boolean. Disabled by default.

       setsebool -P httpd_can_check_spam 1


       If you want to allow HTTPD scripts and modules to connect to the
       network using TCP, you must turn on the httpd_can_network_connect
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect 1


       If you want to allow HTTPD scripts and modules to connect to cobbler
       over the network, you must turn on the
       httpd_can_network_connect_cobbler boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_cobbler 1


       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1


       If you want to allow httpd to connect to memcache server, you must turn
       on the httpd_can_network_memcache boolean. Disabled by default.

       setsebool -P httpd_can_network_memcache 1


       If you want to allow httpd to act as a relay, you must turn on the
       httpd_can_network_relay boolean. Disabled by default.

       setsebool -P httpd_can_network_relay 1


       If you want to allow http daemon to send mail, you must turn on the
       httpd_can_sendmail boolean. Disabled by default.

       setsebool -P httpd_can_sendmail 1


       If you want to allow Apache to communicate with avahi service via dbus,
       you must turn on the httpd_dbus_avahi boolean. Disabled by default.

       setsebool -P httpd_dbus_avahi 1


       If you want to allow Apache to communicate with sssd service via dbus,
       you must turn on the httpd_dbus_sssd boolean. Disabled by default.

       setsebool -P httpd_dbus_sssd 1


       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1


       If you want to allow httpd to act as an FTP server by listening on the
       ftp port, you must turn on the httpd_enable_ftp_server boolean.
       Disabled by default.

       setsebool -P httpd_enable_ftp_server 1


       If you want to allow httpd to read home directories, you must turn on
       the httpd_enable_homedirs boolean. Disabled by default.

       setsebool -P httpd_enable_homedirs 1


       If you want to allow httpd scripts and modules execmem/execstack, you
       must turn on the httpd_execmem boolean. Disabled by default.

       setsebool -P httpd_execmem 1


       If you want to allow httpd processes to manage IPA content, you must
       turn on the httpd_manage_ipa boolean. Disabled by default.

       setsebool -P httpd_manage_ipa 1


       If you want to allow httpd to read user content, you must turn on the
       httpd_read_user_content boolean. Disabled by default.

       setsebool -P httpd_read_user_content 1


       If you want to allow Apache to run preupgrade, you must turn on the
       httpd_run_preupgrade boolean. Disabled by default.

       setsebool -P httpd_run_preupgrade 1


       If you want to allow Apache to run in stickshift mode, not transition
       to passenger, you must turn on the httpd_run_stickshift boolean.
       Disabled by default.

       setsebool -P httpd_run_stickshift 1


       If you want to allow HTTPD scripts and modules to serve cobbler files,
       you must turn on the httpd_serve_cobbler_files boolean. Disabled by
       default.

       setsebool -P httpd_serve_cobbler_files 1


       If you want to allow httpd daemon to change system limits, you must
       turn on the httpd_setrlimit boolean. Disabled by default.

       setsebool -P httpd_setrlimit 1


       If you want to allow HTTPD to run SSI executables in the same domain as
       system CGI scripts, you must turn on the httpd_ssi_exec boolean.
       Disabled by default.

       setsebool -P httpd_ssi_exec 1


       If you want to allow Apache to execute tmp content, you must turn on
       the httpd_tmp_exec boolean. Disabled by default.

       setsebool -P httpd_tmp_exec 1


       If you want to allow HTTPD to communicate with the terminal (needed for
       entering the passphrase for certificates at the terminal), you must
       turn on the httpd_tty_comm boolean. Disabled by default.

       setsebool -P httpd_tty_comm 1


       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1


       If you want to allow httpd to access cifs file systems, you must turn
       on the httpd_use_cifs boolean. Disabled by default.

       setsebool -P httpd_use_cifs 1


       If you want to allow httpd to access FUSE file systems, you must turn
       on the httpd_use_fusefs boolean. Disabled by default.

       setsebool -P httpd_use_fusefs 1


       If you want to allow httpd to run gpg in gpg-web domain, you must turn
       on the httpd_use_gpg boolean. Disabled by default.

       setsebool -P httpd_use_gpg 1


       If you want to allow httpd to access nfs file systems, you must turn on
       the httpd_use_nfs boolean. Disabled by default.

       setsebool -P httpd_use_nfs 1


       If you want to allow Apache to query NS records, you must turn on the
       httpd_verify_dns boolean. Disabled by default.

       setsebool -P httpd_verify_dns 1


       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1


       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1


       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1


       If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
       on the allow_httpd_mod_auth_ntlm_winbind boolean. Disabled by default.

       setsebool -P allow_httpd_mod_auth_ntlm_winbind 1


       If you want to allow Apache to use mod_auth_pam, you must turn on the
       allow_httpd_mod_auth_pam boolean. Disabled by default.

       setsebool -P allow_httpd_mod_auth_pam 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1


       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1


       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1


       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow the Git system daemon to access cifs file systems,
       you must turn on the git_system_use_cifs boolean. Disabled by default.

       setsebool -P git_system_use_cifs 1


       If you want to allow the Git system daemon to access nfs file systems,
       you must turn on the git_system_use_nfs boolean. Disabled by default.

       setsebool -P git_system_use_nfs 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1


       If you want to allow unprivileged users to execute DDL statements, you
       must turn on the sepgsql_enable_users_ddl boolean. Enabled by default.

       setsebool -P sepgsql_enable_users_ddl 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1
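
       An added example, not part of the original man page: a least-privilege
       check that reads getsebool -a output and reports httpd booleans that
       are on although this page documents them as disabled by default. The
       names DEFAULT_OFF, sample_getsebool and audit_httpd_booleans, and the
       sample input, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the man page): report httpd booleans that are "on"
# although the BOOLEANS section documents them as "Disabled by default".

# httpd-related booleans this page lists as disabled by default.
DEFAULT_OFF="httpd_can_check_spam httpd_can_network_connect
httpd_can_network_connect_cobbler httpd_can_network_connect_db
httpd_can_network_memcache httpd_can_network_relay httpd_can_sendmail
httpd_dbus_avahi httpd_dbus_sssd httpd_enable_ftp_server
httpd_enable_homedirs httpd_execmem httpd_manage_ipa
httpd_read_user_content httpd_run_preupgrade httpd_run_stickshift
httpd_serve_cobbler_files httpd_setrlimit httpd_ssi_exec httpd_tmp_exec
httpd_tty_comm httpd_unified httpd_use_cifs httpd_use_fusefs httpd_use_gpg
httpd_use_nfs httpd_verify_dns allow_httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam"

# Constructed sample in `getsebool -a` format (name --> on|off).
sample_getsebool() {
    cat <<'EOF'
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_execmem --> on
httpd_unified --> off
EOF
}

# audit_httpd_booleans [APPROVED...]
# Reads `getsebool -a` output on stdin. Prints one finding for every boolean
# that is on, is documented as off by default, and is not named in APPROVED
# (the exceptions the site has deliberately accepted).
audit_httpd_booleans() {
    awk -v off="$(echo $DEFAULT_OFF)" -v ok="$*" '
        BEGIN {
            n = split(off, a, " "); for (i = 1; i <= n; i++) dflt[a[i]] = 1
            n = split(ok, b, " ");  for (i = 1; i <= n; i++) approved[b[i]] = 1
        }
        NF == 3 && $2 == "-->" && $3 == "on" && ($1 in dflt) && !($1 in approved) {
            printf "%s: on (documented default: off); revert: setsebool -P %s 0\n", $1, $1
        }'
}

# Demonstration on the constructed sample, with one approved exception.
# On a live host: getsebool -a | audit_httpd_booleans <approved booleans>
sample_getsebool | audit_httpd_booleans httpd_can_network_connect_db
```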

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes in as secure a method as possible.

       The following port types are defined for httpd:

       http_cache_port_t

       Default Defined Ports:
                 tcp 3128,8080,8118,8123,10001-10010
                 udp 3130

       http_port_t

       Default Defined Ports:
                 tcp 80,81,443,488,8008,8009,8443,9000
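
       An added example, not part of the original man page: a parser for
       semanage port -l output that reports which port type covers a given
       port, including ranges such as 10001-10010 and the tcp/udp distinction.
       The function names and the sample input are constructed; the http rows
       use the default ports listed above and the ssh_port_t row is
       illustrative.

```shell
#!/bin/sh
# Added example (not from the man page): find the SELinux port type that
# covers a port in `semanage port -l` output.

# Constructed sample in the `semanage port -l` column layout.
sample_semanage_ports() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      3128, 8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
EOF
}

# port_types PROTO PORT
# Reads `semanage port -l` text on stdin and prints every port type whose
# list or range for PROTO contains PORT.
port_types() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)          # drop the list separator
                n = split(item, r, "-")      # "10001-10010" -> lo, hi
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# check_httpd_port PROTO PORT
# Same input on stdin. Prints a one-line verdict and returns 0 only when the
# port already carries one of the two httpd port types from this page.
check_httpd_port() {
    types=$(port_types "$1" "$2")
    for t in $types; do
        case $t in
            http_port_t|http_cache_port_t)
                echo "$1/$2: $t"
                return 0 ;;
        esac
    done
    if [ -n "$types" ]; then
        echo "$1/$2: labeled $(echo $types), not an httpd port type"
    else
        echo "$1/$2: no port type; label with: semanage port -a -t http_port_t -p $1 $2"
    fi
    return 1
}

# Demonstration on the constructed sample.
# On a live host: semanage port -l | check_httpd_port tcp 8443
for p in 8443 10005 8081 22; do
    sample_semanage_ports | check_httpd_port tcp "$p" || true
done
```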

MANAGED FILES

       The SELinux process type httpd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib(64)?/openais(/.*)?
            /var/lib(64)?/pengine(/.*)?
            /var/lib(64)?/corosync(/.*)?
            /usr/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/heartbeat(/.*)?
            /var/lib(64)?/pacemaker(/.*)?
            /var/lib/cluster(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cobbler_var_lib_t

            /var/lib/cobbler(/.*)?
            /var/www/cobbler/pub(/.*)?
            /var/lib/tftpboot/etc(/.*)?
            /var/lib/tftpboot/ppc(/.*)?
            /var/lib/tftpboot/grub(/.*)?
            /var/www/cobbler/links(/.*)?
            /var/lib/tftpboot/s390x(/.*)?
            /var/www/cobbler/images(/.*)?
            /var/lib/tftpboot/images(2)?(/.*)?
            /var/lib/tftpboot/aarch64(/.*)?
            /var/www/cobbler/rendered(/.*)?
            /var/www/cobbler/ks_mirror(/.*)?
            /var/www/cobbler/localmirror(/.*)?
            /var/www/cobbler/repo_mirror(/.*)?
            /var/lib/tftpboot/pxelinux.cfg(/.*)?
            /var/lib/tftpboot/yaboot
            /var/lib/tftpboot/memdisk
            /var/lib/tftpboot/menu.c32
            /var/lib/tftpboot/pxelinux.0

       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       dirsrvadmin_config_t

            /etc/dirsrv/dsgw(/.*)?
            /etc/dirsrv/admin-serv(/.*)?

       dirsrvadmin_tmp_t

       fusefs_t

       httpd_apcupsd_cgi_rw_content_t

       httpd_awstats_rw_content_t

       httpd_bugzilla_rw_content_t

            /var/lib/bugzilla(/.*)?

       httpd_cache_t

            /var/cache/rt3(/.*)?
            /var/cache/ssl.*.sem
            /var/cache/mod_.*
            /var/cache/php-.*
            /var/cache/httpd(/.*)?
            /var/cache/mason(/.*)?
            /var/cache/mod_ssl(/.*)?
            /var/cache/lighttpd(/.*)?
            /var/cache/mediawiki(/.*)?
            /var/cache/mod_proxy(/.*)?
            /var/cache/mod_gnutls(/.*)?
            /var/cache/php-mmcache(/.*)?
            /var/cache/php-eaccelerator(/.*)?

       httpd_cobbler_rw_content_t

       httpd_collectd_rw_content_t

       httpd_cvs_rw_content_t

       httpd_dirsrvadmin_rw_content_t

       httpd_dspam_rw_content_t

            /var/lib/dspam/data(/.*)?

       httpd_git_rw_content_t

            /var/cache/cgit(/.*)?
            /var/cache/gitweb-caching(/.*)?

       httpd_lock_t

       httpd_mediawiki_rw_content_t

            /var/www/wiki(/.*)?

       httpd_munin_rw_content_t

       httpd_nagios_rw_content_t

       httpd_nutups_cgi_rw_content_t

       httpd_openshift_rw_content_t

       httpd_prewikka_rw_content_t

       httpd_smokeping_cgi_rw_content_t

       httpd_squid_rw_content_t

       httpd_squirrelmail_t

            /var/lib/squirrelmail/prefs(/.*)?

       httpd_sys_rw_content_t

            /etc/drupal.*
            /var/lib/svn(/.*)?
            /var/www/svn(/.*)?
            /etc/dokuwiki(/.*)?
            /etc/owncloud(/.*)?
            /var/lib/koji(/.*)?
            /etc/mock/koji(/.*)?
            /var/www/html/[^/]*/sites/default/files(/.*)?
            /var/www/html/[^/]*/sites/default/settings.php
            /var/lib/drupal.*
            /etc/zabbix/web(/.*)?
            /var/log/z-push(/.*)?
            /var/spool/gosa(/.*)?
            /var/www/moodle(/.*)?
            /var/lib/dokuwiki(/.*)?
            /var/lib/owncloud(/.*)?
            /var/spool/viewvc(/.*)?
            /var/www/moodledata(/.*)?
            /var/www/gallery/albums(/.*)?
            /var/www/html/owncloud/data(/.*)?
            /usr/share/wordpress-mu/wp-content(/.*)?
            /usr/share/wordpress/wp-content/uploads(/.*)?
            /usr/share/wordpress/wp-content/upgrade(/.*)?
            /var/www/html/configuration.php

       httpd_tmp_t

            /var/www/openshift/console/tmp(/.*)?

       httpd_tmpfs_t

       httpd_user_rw_content_t

       httpd_var_lib_t

            /var/lib/dav(/.*)?
            /var/lib/httpd(/.*)?
            /var/lib/nginx(/.*)?
            /var/lib/z-push(/.*)?
            /var/lib/cherokee(/.*)?
            /var/lib/roundcubemail(/.*)?
            /var/lib/rt3/data/RT-Shredder(/.*)?

       httpd_var_run_t

            /var/run/mod_.*
            /var/run/wsgi.*
            /var/run/httpd.*
            /var/run/nginx.*
            /var/run/apache.*
            /var/run/php-fpm(/.*)?
            /var/run/lighttpd(/.*)?
            /var/lib/php/session(/.*)?
            /var/run/thttpd.pid
            /var/run/gcache_port

       httpd_w3c_validator_rw_content_t

       httpdcontent

       initrc_tmp_t

       memcached_var_run_t

            /var/run/memcached(/.*)?
            /var/run/ipa_memcached(/.*)?

       mirrormanager_var_run_t

            /var/run/mirrormanager(/.*)?

       mnt_t

            /mnt(/[^/]*)
            /mnt(/[^/]*)?
            /rhev(/[^/]*)?
            /media(/[^/]*)
            /media(/[^/]*)?
            /etc/rhgb(/.*)?
            /media/.hal-.*
            /net
            /afs
            /rhev
            /misc

       nfs_t

       passenger_tmp_t

       passenger_var_lib_t

            /var/lib(64)?/passenger(/.*)?
            /var/lib/passenger(/.*)?

       passenger_var_run_t

            /var/run/passenger(/.*)?

       postfix_spool_maildrop_t

            /var/spool/postfix/defer(/.*)?
            /var/spool/postfix/deferred(/.*)?
            /var/spool/postfix/maildrop(/.*)?

       preupgrade_data_t

            /var/lib/preupgrade(/.*)?
            /var/log/preupgrade(/.*)?

       public_content_rw_t

            /var/spool/abrt-upload(/.*)?

       root_t

            /
            /initrd

       squirrelmail_spool_t

            /var/spool/squirrelmail(/.*)?

       tmp_t

            /tmp
            /usr/tmp
            /var/tmp
            /tmp-inst
            /var/tmp-inst
            /var/tmp/vi.recover

       zarafa_var_lib_t

            /var/lib/zarafa(/.*)?
            /var/lib/zarafa-webapp(/.*)?
            /var/lib/zarafa-webaccess(/.*)?

FILE CONTEXTS

753       SELinux requires files to have an extended attribute to define the file
754       type.
755
756       You can see the context of a file using the -Z option to ls
757
758       Policy governs the access  confined  processes  have  to  these  files.
759       SELinux  httpd  policy  is  very flexible allowing users to setup their
760       httpd processes in as secure a method as possible.
761
762       EQUIVALENCE DIRECTORIES
763
764
765       httpd policy stores data with multiple  different  file  context  types
766       under the /var/www directory.  If you would like to store the data in a
767       different directory you can use  the  semanage  command  to  create  an
768       equivalence  mapping.   If you wanted to store this data under the /srv
769       dirctory you would execute the following command:
770
771       semanage fcontext -a -e /var/www /srv/www
772       restorecon -R -v /srv/www
773
774       STANDARD FILE CONTEXT
775
776       SELinux defines the file context types for the httpd, if you wanted  to
777       store  files  with  these types in a diffent paths, you need to execute
778       the semanage command  to  sepecify  alternate  labeling  and  then  use
779       restorecon to put the labels on disk.
780
781       semanage  fcontext  -a  -t httpd_w3c_validator_tmp_t '/srv/myhttpd_con‐
782       tent(/.*)?'
783       restorecon -R -v /srv/myhttpd_content
784
785       Note: SELinux often uses regular expressions  to  specify  labels  that
786       match multiple files.
787
788       The following file types are defined for httpd:
789
790
791
792       httpd_apcupsd_cgi_content_t
793
794       -  Set  files with the httpd_apcupsd_cgi_content_t type, if you want to
795       treat the files as httpd apcupsd cgi content.
796
797
798
799       httpd_apcupsd_cgi_htaccess_t
800
801       - Set files with the httpd_apcupsd_cgi_htaccess_t type, if you want  to
802       treat the file as a httpd apcupsd cgi access file.
803
804
805
806       httpd_apcupsd_cgi_ra_content_t
807
808       -  Set  files with the httpd_apcupsd_cgi_ra_content_t type, if you want
809       to treat the files as httpd apcupsd cgi  read/append content.
810
811
812
813       httpd_apcupsd_cgi_rw_content_t
814
815       - Set files with the httpd_apcupsd_cgi_rw_content_t type, if  you  want
816       to treat the files as httpd apcupsd cgi read/write content.
817
818
819
820       httpd_apcupsd_cgi_script_exec_t
821
822       -  Set files with the httpd_apcupsd_cgi_script_exec_t type, if you want
823       to transition an executable to the httpd_apcupsd_cgi_script_t domain.
824
825
826       Paths:
827            /var/www/cgi-bin/apcgui(/.*)?,      /var/www/apcupsd/multimon.cgi,
828            /var/www/apcupsd/upsimage.cgi,      /var/www/apcupsd/upsstats.cgi,
829            /var/www/apcupsd/upsfstats.cgi
830
831
832       httpd_awstats_content_t
833
834       - Set files with the httpd_awstats_content_t type, if you want to treat
835       the files as httpd awstats content.
836
837
838
839       httpd_awstats_htaccess_t
840
841       -  Set  files  with  the  httpd_awstats_htaccess_t type, if you want to
842       treat the file as a httpd awstats access file.
843
844
845
846       httpd_awstats_ra_content_t
847
848       - Set files with the httpd_awstats_ra_content_t type, if  you  want  to
849       treat the files as httpd awstats  read/append content.
850
851
852
853       httpd_awstats_rw_content_t
854
855       -  Set  files  with the httpd_awstats_rw_content_t type, if you want to
856       treat the files as httpd awstats read/write content.
857
858
859
860       httpd_awstats_script_exec_t
861
862       - Set files with the httpd_awstats_script_exec_t type, if you  want  to
863       transition an executable to the httpd_awstats_script_t domain.
864
865
866
867       httpd_bugzilla_content_t
868
869       -  Set  files  with  the  httpd_bugzilla_content_t type, if you want to
870       treat the files as httpd bugzilla content.
871
872
873
874       httpd_bugzilla_htaccess_t
875
876       - Set files with the httpd_bugzilla_htaccess_t type,  if  you  want  to
877       treat the file as a httpd bugzilla access file.
878
879
880
881       httpd_bugzilla_ra_content_t
882
883       -  Set  files with the httpd_bugzilla_ra_content_t type, if you want to
884       treat the files as httpd bugzilla  read/append content.
885
886
887
888       httpd_bugzilla_rw_content_t
889
890       - Set files with the httpd_bugzilla_rw_content_t type, if you  want  to
891       treat the files as httpd bugzilla read/write content.
892
893
894
895       httpd_bugzilla_script_exec_t
896
897       -  Set files with the httpd_bugzilla_script_exec_t type, if you want to
898       transition an executable to the httpd_bugzilla_script_t domain.
899
900
901
902       httpd_bugzilla_tmp_t
903
904       - Set files with the httpd_bugzilla_tmp_t type, if you  want  to  store
905       httpd bugzilla temporary files in the /tmp directories.
906
907
908
909       httpd_cache_t
910
911       - Set files with the httpd_cache_t type, if you want to store the files
912       under the /var/cache directory.
913
914
915       Paths:
916            /var/cache/rt3(/.*)?,   /var/cache/ssl.*.sem,   /var/cache/mod_.*,
917            /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
918            /var/cache/mod_ssl(/.*)?,               /var/cache/lighttpd(/.*)?,
919            /var/cache/mediawiki(/.*)?,            /var/cache/mod_proxy(/.*)?,
920            /var/cache/mod_gnutls(/.*)?,         /var/cache/php-mmcache(/.*)?,
921            /var/cache/php-eaccelerator(/.*)?
922
923
924       httpd_cobbler_content_t
925
926       - Set files with the httpd_cobbler_content_t type, if you want to treat
927       the files as httpd cobbler content.
928
929
930
931       httpd_cobbler_htaccess_t
932
933       - Set files with the httpd_cobbler_htaccess_t  type,  if  you  want  to
934       treat the file as a httpd cobbler access file.
935
936
937
938       httpd_cobbler_ra_content_t
939
940       -  Set  files  with the httpd_cobbler_ra_content_t type, if you want to
941       treat the files as httpd cobbler  read/append content.
942
943
944
945       httpd_cobbler_rw_content_t
946
947       - Set files with the httpd_cobbler_rw_content_t type, if  you  want  to
948       treat the files as httpd cobbler read/write content.
949
950
951
952       httpd_cobbler_script_exec_t
953
954       -  Set  files with the httpd_cobbler_script_exec_t type, if you want to
955       transition an executable to the httpd_cobbler_script_t domain.
956
957
958
959       httpd_collectd_content_t
960
961       - Set files with the httpd_collectd_content_t  type,  if  you  want  to
962       treat the files as httpd collectd content.
963
964
965
966       httpd_collectd_htaccess_t
967
968       -  Set  files  with  the httpd_collectd_htaccess_t type, if you want to
969       treat the file as a httpd collectd access file.
970
971
972
973       httpd_collectd_ra_content_t
974
975       - Set files with the httpd_collectd_ra_content_t type, if you  want  to
976       treat the files as httpd collectd  read/append content.
977
978
979
980       httpd_collectd_rw_content_t
981
982       -  Set  files with the httpd_collectd_rw_content_t type, if you want to
983       treat the files as httpd collectd read/write content.
984
985
986
987       httpd_collectd_script_exec_t
988
989       - Set files with the httpd_collectd_script_exec_t type, if you want  to
990       transition an executable to the httpd_collectd_script_t domain.
991
992
993
994       httpd_config_t
995
996       -  Set  files  with  the  httpd_config_t type, if you want to treat the
997       files as httpd configuration data, usually stored under the /etc direc‐
998       tory.
999
1000
1001       Paths:
1002            /etc/httpd(/.*)?,     /etc/nginx(/.*)?,     /etc/apache(2)?(/.*)?,
1003            /etc/cherokee(/.*)?,       /etc/lighttpd(/.*)?,       /etc/apache-
1004            ssl(2)?(/.*)?,  /var/lib/openshift/.httpd.d(/.*)?, /var/lib/stick‐
1005            shift/.httpd.d(/.*)?, /etc/vhosts, /etc/thttpd.conf
1006
1007
       httpd_cvs_content_t

       - Set files with the httpd_cvs_content_t type, if you want to treat the
       files as httpd cvs content.

       httpd_cvs_htaccess_t

       - Set files with the httpd_cvs_htaccess_t type, if you want to treat
       the file as a httpd cvs access file.

       httpd_cvs_ra_content_t

       - Set files with the httpd_cvs_ra_content_t type, if you want to treat
       the files as httpd cvs read/append content.

       httpd_cvs_rw_content_t

       - Set files with the httpd_cvs_rw_content_t type, if you want to treat
       the files as httpd cvs read/write content.

       httpd_cvs_script_exec_t

       - Set files with the httpd_cvs_script_exec_t type, if you want to
       transition an executable to the httpd_cvs_script_t domain.

       Paths:
            /var/www/cgi-bin/cvsweb.cgi, /usr/share/cvsweb/cvsweb.cgi

       httpd_dirsrvadmin_content_t

       - Set files with the httpd_dirsrvadmin_content_t type, if you want to
       treat the files as httpd dirsrvadmin content.

       httpd_dirsrvadmin_htaccess_t

       - Set files with the httpd_dirsrvadmin_htaccess_t type, if you want to
       treat the file as a httpd dirsrvadmin access file.

       httpd_dirsrvadmin_ra_content_t

       - Set files with the httpd_dirsrvadmin_ra_content_t type, if you want
       to treat the files as httpd dirsrvadmin read/append content.

       httpd_dirsrvadmin_rw_content_t

       - Set files with the httpd_dirsrvadmin_rw_content_t type, if you want
       to treat the files as httpd dirsrvadmin read/write content.

       httpd_dirsrvadmin_script_exec_t

       - Set files with the httpd_dirsrvadmin_script_exec_t type, if you want
       to transition an executable to the httpd_dirsrvadmin_script_t domain.

       Paths:
            /usr/lib(64)?/dirsrv/cgi-bin(/.*)?,
            /usr/lib(64)?/dirsrv/dsgw-cgi-bin(/.*)?

       httpd_dspam_content_t

       - Set files with the httpd_dspam_content_t type, if you want to treat
       the files as httpd dspam content.

       httpd_dspam_htaccess_t

       - Set files with the httpd_dspam_htaccess_t type, if you want to treat
       the file as a httpd dspam access file.

       httpd_dspam_ra_content_t

       - Set files with the httpd_dspam_ra_content_t type, if you want to
       treat the files as httpd dspam read/append content.

       httpd_dspam_rw_content_t

       - Set files with the httpd_dspam_rw_content_t type, if you want to
       treat the files as httpd dspam read/write content.

       httpd_dspam_script_exec_t

       - Set files with the httpd_dspam_script_exec_t type, if you want to
       transition an executable to the httpd_dspam_script_t domain.

       Paths:
            /var/www/dspam/.*.cgi, /usr/share/dspam-web/dspam.cgi

       httpd_exec_t

       - Set files with the httpd_exec_t type, if you want to transition an
       executable to the httpd_t domain.

       Paths:
            /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?,
            /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?,
            /usr/sbin/nginx, /usr/sbin/thttpd, /usr/sbin/php-fpm,
            /usr/sbin/cherokee, /usr/sbin/lighttpd, /usr/bin/mongrel_rails,
            /usr/sbin/htcacheclean

       httpd_git_content_t

       - Set files with the httpd_git_content_t type, if you want to treat the
       files as httpd git content.

       httpd_git_htaccess_t

       - Set files with the httpd_git_htaccess_t type, if you want to treat
       the file as a httpd git access file.

       httpd_git_ra_content_t

       - Set files with the httpd_git_ra_content_t type, if you want to treat
       the files as httpd git read/append content.

       httpd_git_rw_content_t

       - Set files with the httpd_git_rw_content_t type, if you want to treat
       the files as httpd git read/write content.

       Paths:
            /var/cache/cgit(/.*)?, /var/cache/gitweb-caching(/.*)?

       httpd_git_script_exec_t

       - Set files with the httpd_git_script_exec_t type, if you want to
       transition an executable to the httpd_git_script_t domain.

       Paths:
            /var/www/git/gitweb.cgi, /var/www/cgi-bin/cgit,
            /var/www/gitweb-caching/gitweb.cgi

       httpd_helper_exec_t

       - Set files with the httpd_helper_exec_t type, if you want to
       transition an executable to the httpd_helper_t domain.

       httpd_initrc_exec_t

       - Set files with the httpd_initrc_exec_t type, if you want to
       transition an executable to the httpd_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/php-fpm.*, /etc/init.d/cherokee,
            /etc/rc.d/init.d/httpd, /etc/rc.d/init.d/nginx,
            /etc/rc.d/init.d/thttpd, /etc/rc.d/init.d/lighttpd,
            /etc/rc.d/init.d/htcacheclean

       httpd_keytab_t

       - Set files with the httpd_keytab_t type, if you want to treat the
       files as kerberos keytab files.

       httpd_lock_t

       - Set files with the httpd_lock_t type, if you want to treat the files
       as httpd lock data, stored under the /var/lock directory.

       httpd_log_t

       - Set files with the httpd_log_t type, if you want to treat the data as
       httpd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/cacti(/.*)?, /var/log/httpd(/.*)?, /var/log/nginx(/.*)?,
            /var/log/apache(2)?(/.*)?, /var/log/php-fpm(/.*)?,
            /var/log/cherokee(/.*)?, /var/log/lighttpd(/.*)?,
            /var/log/thttpd.log.*, /var/log/apache-ssl(2)?(/.*)?,
            /var/log/cgiwrap.log.*, /var/www/stickshift/[^/]*/log(/.*)?,
            /var/log/roundcubemail(/.*)?,
            /var/lib/openshift/.log/httpd(/.*)?,
            /var/www/openshift/console/log(/.*)?, /etc/httpd/logs

       httpd_mediawiki_content_t

       - Set files with the httpd_mediawiki_content_t type, if you want to
       treat the files as httpd mediawiki content.

       Paths:
            /var/www/wiki/.*.php, /usr/share/mediawiki(/.*)?

       httpd_mediawiki_htaccess_t

       - Set files with the httpd_mediawiki_htaccess_t type, if you want to
       treat the file as a httpd mediawiki access file.

       httpd_mediawiki_ra_content_t

       - Set files with the httpd_mediawiki_ra_content_t type, if you want to
       treat the files as httpd mediawiki read/append content.

       httpd_mediawiki_rw_content_t

       - Set files with the httpd_mediawiki_rw_content_t type, if you want to
       treat the files as httpd mediawiki read/write content.

       httpd_mediawiki_script_exec_t

       - Set files with the httpd_mediawiki_script_exec_t type, if you want to
       transition an executable to the httpd_mediawiki_script_t domain.

       Paths:
            /usr/lib(64)?/mediawiki/math/texvc,
            /usr/lib(64)?/mediawiki/math/texvc_tex,
            /usr/lib(64)?/mediawiki/math/texvc_tes

       httpd_mediawiki_tmp_t

       - Set files with the httpd_mediawiki_tmp_t type, if you want to store
       httpd mediawiki temporary files in the /tmp directories.

       httpd_modules_t

       - Set files with the httpd_modules_t type, if you want to treat the
       files as httpd modules.

       Paths:
            /usr/lib(64)?/httpd(/.*)?, /usr/lib(64)?/apache(/.*)?,
            /usr/lib(64)?/cherokee(/.*)?, /usr/lib(64)?/lighttpd(/.*)?,
            /usr/lib(64)?/apache2/modules(/.*)?, /etc/httpd/modules

       httpd_munin_content_t

       - Set files with the httpd_munin_content_t type, if you want to treat
       the files as httpd munin content.

       httpd_munin_htaccess_t

       - Set files with the httpd_munin_htaccess_t type, if you want to treat
       the file as a httpd munin access file.

       httpd_munin_ra_content_t

       - Set files with the httpd_munin_ra_content_t type, if you want to
       treat the files as httpd munin read/append content.

       httpd_munin_rw_content_t

       - Set files with the httpd_munin_rw_content_t type, if you want to
       treat the files as httpd munin read/write content.

       httpd_munin_script_exec_t

       - Set files with the httpd_munin_script_exec_t type, if you want to
       transition an executable to the httpd_munin_script_t domain.

       Paths:
            /var/www/cgi-bin/munin.*, /var/www/html/cgi/munin.*,
            /var/www/html/munin/cgi(/.*)?

       httpd_munin_script_tmp_t

       - Set files with the httpd_munin_script_tmp_t type, if you want to
       store httpd munin script temporary files in the /tmp directories.

       httpd_nagios_content_t

       - Set files with the httpd_nagios_content_t type, if you want to treat
       the files as httpd nagios content.

       httpd_nagios_htaccess_t

       - Set files with the httpd_nagios_htaccess_t type, if you want to treat
       the file as a httpd nagios access file.

       httpd_nagios_ra_content_t

       - Set files with the httpd_nagios_ra_content_t type, if you want to
       treat the files as httpd nagios read/append content.

       httpd_nagios_rw_content_t

       - Set files with the httpd_nagios_rw_content_t type, if you want to
       treat the files as httpd nagios read/write content.

       httpd_nagios_script_exec_t

       - Set files with the httpd_nagios_script_exec_t type, if you want to
       transition an executable to the httpd_nagios_script_t domain.

       Paths:
            /usr/lib(64)?/nagios/cgi(/.*)?,
            /usr/lib(64)?/cgi-bin/nagios(/.+)?,
            /usr/lib(64)?/nagios/cgi-bin(/.*)?,
            /usr/lib(64)?/cgi-bin/netsaint(/.*)?

       httpd_nutups_cgi_content_t

       - Set files with the httpd_nutups_cgi_content_t type, if you want to
       treat the files as httpd nutups cgi content.

       httpd_nutups_cgi_htaccess_t

       - Set files with the httpd_nutups_cgi_htaccess_t type, if you want to
       treat the file as a httpd nutups cgi access file.

       httpd_nutups_cgi_ra_content_t

       - Set files with the httpd_nutups_cgi_ra_content_t type, if you want to
       treat the files as httpd nutups cgi read/append content.

       httpd_nutups_cgi_rw_content_t

       - Set files with the httpd_nutups_cgi_rw_content_t type, if you want to
       treat the files as httpd nutups cgi read/write content.

       httpd_nutups_cgi_script_exec_t

       - Set files with the httpd_nutups_cgi_script_exec_t type, if you want
       to transition an executable to the httpd_nutups_cgi_script_t domain.

       Paths:
            /var/www/nut-cgi-bin/upsset.cgi,
            /var/www/nut-cgi-bin/upsimage.cgi,
            /var/www/nut-cgi-bin/upsstats.cgi

       httpd_openshift_content_t

       - Set files with the httpd_openshift_content_t type, if you want to
       treat the files as httpd openshift content.

       httpd_openshift_htaccess_t

       - Set files with the httpd_openshift_htaccess_t type, if you want to
       treat the file as a httpd openshift access file.

       httpd_openshift_ra_content_t

       - Set files with the httpd_openshift_ra_content_t type, if you want to
       treat the files as httpd openshift read/append content.

       httpd_openshift_rw_content_t

       - Set files with the httpd_openshift_rw_content_t type, if you want to
       treat the files as httpd openshift read/write content.

       httpd_openshift_script_exec_t

       - Set files with the httpd_openshift_script_exec_t type, if you want to
       transition an executable to the httpd_openshift_script_t domain.

       httpd_php_exec_t

       - Set files with the httpd_php_exec_t type, if you want to transition
       an executable to the httpd_php_t domain.

       httpd_php_tmp_t

       - Set files with the httpd_php_tmp_t type, if you want to store httpd
       php temporary files in the /tmp directories.

       httpd_prewikka_content_t

       - Set files with the httpd_prewikka_content_t type, if you want to
       treat the files as httpd prewikka content.

       httpd_prewikka_htaccess_t

       - Set files with the httpd_prewikka_htaccess_t type, if you want to
       treat the file as a httpd prewikka access file.

       httpd_prewikka_ra_content_t

       - Set files with the httpd_prewikka_ra_content_t type, if you want to
       treat the files as httpd prewikka read/append content.

       httpd_prewikka_rw_content_t

       - Set files with the httpd_prewikka_rw_content_t type, if you want to
       treat the files as httpd prewikka read/write content.

       httpd_prewikka_script_exec_t

       - Set files with the httpd_prewikka_script_exec_t type, if you want to
       transition an executable to the httpd_prewikka_script_t domain.

       httpd_rotatelogs_exec_t

       - Set files with the httpd_rotatelogs_exec_t type, if you want to
       transition an executable to the httpd_rotatelogs_t domain.

       httpd_smokeping_cgi_content_t

       - Set files with the httpd_smokeping_cgi_content_t type, if you want to
       treat the files as httpd smokeping cgi content.

       httpd_smokeping_cgi_htaccess_t

       - Set files with the httpd_smokeping_cgi_htaccess_t type, if you want
       to treat the file as a httpd smokeping cgi access file.

       httpd_smokeping_cgi_ra_content_t

       - Set files with the httpd_smokeping_cgi_ra_content_t type, if you want
       to treat the files as httpd smokeping cgi read/append content.

       httpd_smokeping_cgi_rw_content_t

       - Set files with the httpd_smokeping_cgi_rw_content_t type, if you want
       to treat the files as httpd smokeping cgi read/write content.

       httpd_smokeping_cgi_script_exec_t

       - Set files with the httpd_smokeping_cgi_script_exec_t type, if you
       want to transition an executable to the httpd_smokeping_cgi_script_t
       domain.

       httpd_squid_content_t

       - Set files with the httpd_squid_content_t type, if you want to treat
       the files as httpd squid content.

       httpd_squid_htaccess_t

       - Set files with the httpd_squid_htaccess_t type, if you want to treat
       the file as a httpd squid access file.

       httpd_squid_ra_content_t

       - Set files with the httpd_squid_ra_content_t type, if you want to
       treat the files as httpd squid read/append content.

       httpd_squid_rw_content_t

       - Set files with the httpd_squid_rw_content_t type, if you want to
       treat the files as httpd squid read/write content.

       httpd_squid_script_exec_t

       - Set files with the httpd_squid_script_exec_t type, if you want to
       transition an executable to the httpd_squid_script_t domain.

       Paths:
            /usr/lib/squid/cachemgr.cgi, /usr/lib64/squid/cachemgr.cgi

       httpd_squirrelmail_t

       - Set files with the httpd_squirrelmail_t type, if you want to treat
       the files as httpd squirrelmail data.

       httpd_suexec_exec_t

       - Set files with the httpd_suexec_exec_t type, if you want to
       transition an executable to the httpd_suexec_t domain.

       Paths:
            /usr/lib(64)?/apache(2)?/suexec(2)?,
            /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec

       httpd_suexec_tmp_t

       - Set files with the httpd_suexec_tmp_t type, if you want to store
       httpd suexec temporary files in the /tmp directories.

       httpd_sys_content_t

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content.

       Paths:
            /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
            /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
            /var/www/icons(/.*)?, /usr/share/htdig(/.*)?, /usr/share/drupal.*,
            /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?,
            /usr/share/mythweb(/.*)?, /var/lib/cacti/rra(/.*)?,
            /usr/share/ntop/html(/.*)?, /var/lib/graphite-web(/.*),
            /usr/share/mythtv/data(/.*)?, /usr/share/openca/htdocs(/.*)?,
            /usr/share/selinux-policy[^/]*/html(/.*)?

       httpd_sys_htaccess_t

       - Set files with the httpd_sys_htaccess_t type, if you want to treat
       the file as a httpd sys access file.

       httpd_sys_ra_content_t

       - Set files with the httpd_sys_ra_content_t type, if you want to treat
       the files as httpd sys read/append content.

       httpd_sys_rw_content_t

       - Set files with the httpd_sys_rw_content_t type, if you want to treat
       the files as httpd sys read/write content.

       Paths:
            /etc/drupal.*, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
            /etc/dokuwiki(/.*)?, /etc/owncloud(/.*)?, /var/lib/koji(/.*)?,
            /etc/mock/koji(/.*)?,
            /var/www/html/[^/]*/sites/default/files(/.*)?,
            /var/www/html/[^/]*/sites/default/settings.php, /var/lib/drupal.*,
            /etc/zabbix/web(/.*)?, /var/log/z-push(/.*)?,
            /var/spool/gosa(/.*)?, /var/www/moodle(/.*)?,
            /var/lib/dokuwiki(/.*)?, /var/lib/owncloud(/.*)?,
            /var/spool/viewvc(/.*)?, /var/www/moodledata(/.*)?,
            /var/www/gallery/albums(/.*)?, /var/www/html/owncloud/data(/.*)?,
            /usr/share/wordpress-mu/wp-content(/.*)?,
            /usr/share/wordpress/wp-content/uploads(/.*)?,
            /usr/share/wordpress/wp-content/upgrade(/.*)?,
            /var/www/html/configuration.php

       httpd_sys_script_exec_t

       - Set files with the httpd_sys_script_exec_t type, if you want to
       transition an executable to the httpd_sys_script_t domain.

       Paths:
            /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?,
            /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?,
            /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?,
            /usr/share/wordpress/.*.php,
            /usr/share/wordpress/wp-includes/.*.php,
            /usr/share/mythtv/mythweather/scripts(/.*)?,
            /usr/share/mythweb/mythweb.pl,
            /usr/share/wordpress-mu/wp-config.php

       httpd_tmp_t

       - Set files with the httpd_tmp_t type, if you want to store httpd
       temporary files in the /tmp directories.

       httpd_tmpfs_t

       - Set files with the httpd_tmpfs_t type, if you want to store httpd
       files on a tmpfs file system.

       httpd_unconfined_script_exec_t

       - Set files with the httpd_unconfined_script_exec_t type, if you want
       to transition an executable to the httpd_unconfined_script_t domain.

       httpd_user_content_t

       - Set files with the httpd_user_content_t type, if you want to treat
       the files as httpd user content.

       Paths:
            /home/[^/]*/((www)|(web)|(public_html))(/.+)?,
            /home/staff/((www)|(web)|(public_html))(/.+)?

       httpd_user_htaccess_t

       - Set files with the httpd_user_htaccess_t type, if you want to treat
       the file as a httpd user access file.

       httpd_user_ra_content_t

       - Set files with the httpd_user_ra_content_t type, if you want to treat
       the files as httpd user read/append content.

       httpd_user_rw_content_t

       - Set files with the httpd_user_rw_content_t type, if you want to treat
       the files as httpd user read/write content.

       httpd_user_script_exec_t

       - Set files with the httpd_user_script_exec_t type, if you want to
       transition an executable to the httpd_user_script_t domain.

       httpd_var_lib_t

       - Set files with the httpd_var_lib_t type, if you want to store the
       httpd files under the /var/lib directory.

       Paths:
            /var/lib/dav(/.*)?, /var/lib/httpd(/.*)?, /var/lib/nginx(/.*)?,
            /var/lib/z-push(/.*)?, /var/lib/cherokee(/.*)?,
            /var/lib/roundcubemail(/.*)?, /var/lib/rt3/data/RT-Shredder(/.*)?

       httpd_var_run_t

       - Set files with the httpd_var_run_t type, if you want to store the
       httpd files under the /run or /var/run directory.

       Paths:
            /var/run/mod_.*, /var/run/wsgi.*, /var/run/httpd.*,
            /var/run/nginx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?,
            /var/run/lighttpd(/.*)?, /var/lib/php/session(/.*)?,
            /var/run/thttpd.pid, /var/run/gcache_port

       httpd_w3c_validator_content_t

       - Set files with the httpd_w3c_validator_content_t type, if you want to
       treat the files as httpd w3c validator content.

       httpd_w3c_validator_htaccess_t

       - Set files with the httpd_w3c_validator_htaccess_t type, if you want
       to treat the file as a httpd w3c validator access file.

       httpd_w3c_validator_ra_content_t

       - Set files with the httpd_w3c_validator_ra_content_t type, if you want
       to treat the files as httpd w3c validator read/append content.

       httpd_w3c_validator_rw_content_t

       - Set files with the httpd_w3c_validator_rw_content_t type, if you want
       to treat the files as httpd w3c validator read/write content.

       httpd_w3c_validator_script_exec_t

       - Set files with the httpd_w3c_validator_script_exec_t type, if you
       want to transition an executable to the httpd_w3c_validator_script_t
       domain.

       Paths:
            /usr/share/w3c-markup-validator/cgi-bin(/.*)?,
            /usr/lib/cgi-bin/check

       httpd_w3c_validator_tmp_t

       - Set files with the httpd_w3c_validator_tmp_t type, if you want to
       store httpd w3c validator temporary files in the /tmp directories.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to content
       labeled public_content_rw_t, you must set the appropriate boolean.

       Allow httpd servers to read the /var/httpd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
       restorecon -F -R -v /var/httpd

       Allow httpd servers to read and write /var/httpd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the httpd_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
       restorecon -F -R -v /var/httpd/incoming
       setsebool -P httpd_anon_write 1

       If you want to allow Apache to modify public files used for public file
       transfer services, you must turn on the allow_httpd_anon_write boolean.
       Directories/files must be labeled public_content_rw_t.

       setsebool -P allow_httpd_anon_write 1
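       The sharing setup above has three parts that can drift apart: the
       fcontext rules, the labels actually on disk, and the boolean. The
       following added example (not part of the generated man page) audits
       them from captured output; the function names and the sample listing
       are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the man page. Type names, paths and the boolean
# come from the SHARING FILES section; the sample input is constructed.

# Expected type for a path in the shared tree (empty if outside it).
# The /var/httpd/incoming rule is listed first because it is more specific.
expected_type() {
    case "$1" in
        /var/httpd/incoming|/var/httpd/incoming/*) echo public_content_rw_t ;;
        /var/httpd|/var/httpd/*)                   echo public_content_t ;;
    esac
}

# Read "context path" lines (the format of: stat -c '%C %n') on stdin and
# print "RELABEL path actual expected" for every file whose on-disk type
# differs from the type the two semanage fcontext rules assign, for example
# because restorecon was never run over it.
audit_labels() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type:level
        [ "$have" = "$want" ] || echo "RELABEL $path $have $want"
    done
}

# Read getsebool output ("name --> on|off") on stdin, print the state of $1.
boolean_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3 }'
}

# audit_sharing LISTING BOOLEANS: report label drift, and report the boolean
# when a writable upload directory exists but httpd_anon_write is not on.
audit_sharing() {
    printf '%s\n' "$1" | audit_labels
    state=$(printf '%s\n' "$2" | boolean_state httpd_anon_write)
    if printf '%s\n' "$1" | grep -q ' /var/httpd/incoming' && [ "$state" != on ]; then
        echo "BOOLEAN httpd_anon_write ${state:-unknown}"
    fi
}

# Constructed sample: one file still carries var_t, one upload was never
# relabeled to public_content_rw_t, and the boolean is off.
SAMPLE_LISTING='system_u:object_r:public_content_t:s0 /var/httpd
unconfined_u:object_r:public_content_t:s0 /var/httpd/index.html
unconfined_u:object_r:var_t:s0 /var/httpd/new.html
system_u:object_r:public_content_rw_t:s0 /var/httpd/incoming
unconfined_u:object_r:public_content_t:s0 /var/httpd/incoming/upload.tmp'
SAMPLE_BOOLEANS='httpd_anon_write --> off'

audit_sharing "$SAMPLE_LISTING" "$SAMPLE_BOOLEANS"
```

       On a live host the two inputs come from
       find /var/httpd -exec stat -c '%C %n' {} + and
       getsebool httpd_anon_write; each RELABEL line is fixed by the
       restorecon commands shown above.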

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), httpd_apcupsd_cgi_script_selinux(8),
       httpd_awstats_script_selinux(8), httpd_bugzilla_script_selinux(8),
       httpd_cobbler_script_selinux(8), httpd_collectd_script_selinux(8),
       httpd_cvs_script_selinux(8), httpd_dirsrvadmin_script_selinux(8),
       httpd_dspam_script_selinux(8), httpd_git_script_selinux(8),
       httpd_helper_selinux(8), httpd_mediawiki_script_selinux(8),
       httpd_munin_script_selinux(8), httpd_nagios_script_selinux(8),
       httpd_nutups_cgi_script_selinux(8), httpd_openshift_script_selinux(8),
       httpd_php_selinux(8), httpd_prewikka_script_selinux(8),
       httpd_rotatelogs_selinux(8), httpd_smokeping_cgi_script_selinux(8),
       httpd_squid_script_selinux(8), httpd_suexec_selinux(8),
       httpd_sys_script_selinux(8), httpd_unconfined_script_selinux(8),
       httpd_user_script_selinux(8), httpd_w3c_validator_script_selinux(8)

httpd                              15-06-03                   httpd_selinux(8)