httpd_suexec_selinux(8)

1httpd_suexec_selinux(8)   SELinux Policy httpd_suexec  httpd_suexec_selinux(8)
2
3
4

NAME

6       httpd_suexec_selinux   -   Security   Enhanced  Linux  Policy  for  the
7       httpd_suexec processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the httpd_suexec processes via flexible
11       mandatory access control.
12
13       The  httpd_suexec  processes  execute  with  the httpd_suexec_t SELinux
14       type. You can check if you have these processes  running  by  executing
15       the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep httpd_suexec_t
20
21
22

ENTRYPOINTS

24       The    httpd_suexec_t   SELinux   type   can   be   entered   via   the
25       httpd_suexec_exec_t file type.
26
27       The default entrypoint paths for the httpd_suexec_t domain are the fol‐
28       lowing:
29
30       /usr/lib(64)?/apache(2)?/suexec(2)?,  /usr/lib(64)?/cgi-bin/(nph-)?cgi‐
31       wrap(d)?, /usr/sbin/suexec
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       httpd_suexec policy is very flexible  allowing  users  to  setup  their
41       httpd_suexec processes in as secure a method as possible.
42
43       The following process types are defined for httpd_suexec:
44
45       httpd_suexec_t
46
47       Note:  semanage  permissive  -a  httpd_suexec_t can be used to make the
48       process type httpd_suexec_t permissive. SELinux does not deny access to
49       permissive  process  types,  but the AVC (SELinux denials) messages are
50       still generated.
51
52

BOOLEANS

54       SELinux  policy  is  customizable  based  on  least  access   required.
55       httpd_suexec policy is extremely flexible and has several booleans that
56       allow you to manipulate the policy and run httpd_suexec with the tight‐
57       est access possible.
58
59
60
61       If you want to allow all domains to use other domains file descriptors,
62       you must turn on the allow_domain_fd_use boolean. Enabled by default.
63
64       setsebool -P allow_domain_fd_use 1
65
66
67
68       If you want to allow confined applications to run  with  kerberos,  you
69       must turn on the allow_kerberos boolean. Enabled by default.
70
71       setsebool -P allow_kerberos 1
72
73
74
75       If  you want to allow sysadm to debug or ptrace all processes, you must
76       turn on the allow_ptrace boolean. Disabled by default.
77
78       setsebool -P allow_ptrace 1
79
80
81
82       If you want to allow system to run with  NIS,  you  must  turn  on  the
83       allow_ypbind boolean. Disabled by default.
84
85       setsebool -P allow_ypbind 1
86
87
88
89       If  you  want to allow all domains to have the kernel load modules, you
90       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
91       default.
92
93       setsebool -P domain_kernel_load_modules 1
94
95
96
97       If you want to allow all domains to execute in fips_mode, you must turn
98       on the fips_mode boolean. Enabled by default.
99
100       setsebool -P fips_mode 1
101
102
103
104       If you want to enable reading of urandom for all domains, you must turn
105       on the global_ssp boolean. Disabled by default.
106
107       setsebool -P global_ssp 1
108
109
110
111       If  you  want to allow HTTPD scripts and modules to connect to the net‐
112       work using TCP, you must turn on the httpd_can_network_connect boolean.
113       Disabled by default.
114
115       setsebool -P httpd_can_network_connect 1
116
117
118
119       If  you want to allow HTTPD scripts and modules to connect to databases
120       over the network, you must  turn  on  the  httpd_can_network_connect_db
121       boolean. Disabled by default.
122
123       setsebool -P httpd_can_network_connect_db 1
124
125
126
127       If  you  want  to  allow  httpd  cgi  support,  you  must  turn  on the
128       httpd_enable_cgi boolean. Enabled by default.
129
130       setsebool -P httpd_enable_cgi 1
131
132
133
134       If you want to allow httpd to read home directories, you must  turn  on
135       the httpd_enable_homedirs boolean. Disabled by default.
136
137       setsebool -P httpd_enable_homedirs 1
138
139
140
141       If  you  want to allow httpd scripts and modules execmem/execstack, you
142       must turn on the httpd_execmem boolean. Disabled by default.
143
144       setsebool -P httpd_execmem 1
145
146
147
148       If you want to allow httpd to read user content, you must turn  on  the
149       httpd_read_user_content boolean. Disabled by default.
150
151       setsebool -P httpd_read_user_content 1
152
153
154
155       If you want to unify HTTPD to communicate with the terminal. Needed for
156       entering the passphrase for certificates at the terminal, you must turn
157       on the httpd_tty_comm boolean. Disabled by default.
158
159       setsebool -P httpd_tty_comm 1
160
161
162
163       If you want to unify HTTPD handling of all content files, you must turn
164       on the httpd_unified boolean. Disabled by default.
165
166       setsebool -P httpd_unified 1
167
168
169
170       If you want to allow httpd to access cifs file systems, you  must  turn
171       on the httpd_use_cifs boolean. Disabled by default.
172
173       setsebool -P httpd_use_cifs 1
174
175
176
177       If  you  want to allow httpd to access FUSE file systems, you must turn
178       on the httpd_use_fusefs boolean. Disabled by default.
179
180       setsebool -P httpd_use_fusefs 1
181
182
183
184       If you want to allow httpd to access nfs file systems, you must turn on
185       the httpd_use_nfs boolean. Disabled by default.
186
187       setsebool -P httpd_use_nfs 1
188
189
190
191       If  you  want to allow confined applications to use nscd shared memory,
192       you must turn on the nscd_use_shm boolean. Enabled by default.
193
194       setsebool -P nscd_use_shm 1
195
196
197
198       If you want to support NFS home  directories,  you  must  turn  on  the
199       use_nfs_home_dirs boolean. Disabled by default.
200
201       setsebool -P use_nfs_home_dirs 1
202
203
204
205       If  you  want  to  support SAMBA home directories, you must turn on the
206       use_samba_home_dirs boolean. Disabled by default.
207
208       setsebool -P use_samba_home_dirs 1
209
210
211

MANAGED FILES

213       The SELinux process type httpd_suexec_t can manage files  labeled  with
214       the  following  file types.  The paths listed are the default paths for
215       these file types.  Note the processes UID still need to have  DAC  per‐
216       missions.
217
218       cifs_t
219
220
221       fusefs_t
222
223
224       httpd_suexec_tmp_t
225
226
227       initrc_tmp_t
228
229
230       mnt_t
231
232            /mnt(/[^/]*)
233            /mnt(/[^/]*)?
234            /rhev(/[^/]*)?
235            /media(/[^/]*)
236            /media(/[^/]*)?
237            /etc/rhgb(/.*)?
238            /media/.hal-.*
239            /net
240            /afs
241            /rhev
242            /misc
243
244       nfs_t
245
246
247       tmp_t
248
249            /tmp
250            /usr/tmp
251            /var/tmp
252            /tmp-inst
253            /var/tmp-inst
254            /var/tmp/vi.recover
255
256

FILE CONTEXTS

258       SELinux requires files to have an extended attribute to define the file
259       type.
260
261       You can see the context of a file using the -Z option to ls
262
263       Policy governs the access  confined  processes  have  to  these  files.
264       SELinux  httpd_suexec  policy  is very flexible allowing users to setup
265       their httpd_suexec processes in as secure a method as possible.
266
267       STANDARD FILE CONTEXT
268
269       SELinux defines the file context types for  the  httpd_suexec,  if  you
270       wanted  to store files with these types in a diffent paths, you need to
271       execute the semanage command to sepecify alternate  labeling  and  then
272       use restorecon to put the labels on disk.
273
274       semanage  fcontext  -a  -t httpd_suexec_tmp_t '/srv/myhttpd_suexec_con‐
275       tent(/.*)?'
276       restorecon -R -v /srv/myhttpd_suexec_content
277
278       Note: SELinux often uses regular expressions  to  specify  labels  that
279       match multiple files.
280
281       The following file types are defined for httpd_suexec:
282
283
284
285       httpd_suexec_exec_t
286
287       -  Set  files with the httpd_suexec_exec_t type, if you want to transi‐
288       tion an executable to the httpd_suexec_t domain.
289
290
291       Paths:
292            /usr/lib(64)?/apache(2)?/suexec(2)?,            /usr/lib(64)?/cgi-
293            bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec
294
295
296       httpd_suexec_tmp_t
297
298       -  Set  files  with  the  httpd_suexec_tmp_t type, if you want to store
299       httpd suexec temporary files in the /tmp directories.
300
301
302
303       Note: File context can be temporarily modified with the chcon  command.
304       If  you want to permanently change the file context you need to use the
305       semanage fcontext command.  This will modify the SELinux labeling data‐
306       base.  You will need to use restorecon to apply the labels.
307
308

COMMANDS

310       semanage  fcontext  can also be used to manipulate default file context
311       mappings.
312
313       semanage permissive can also be used to manipulate  whether  or  not  a
314       process type is permissive.
315
316       semanage  module can also be used to enable/disable/install/remove pol‐
317       icy modules.
318
319       semanage boolean can also be used to manipulate the booleans
320
321
322       system-config-selinux is a GUI tool available to customize SELinux pol‐
323       icy settings.
324
325

AUTHOR

327       This manual page was auto-generated using sepolicy manpage .
328
329