httpd_sys_script_selinux(8)

1httpd_sys_script_selinux(S8E)Linux Policy httpd_sys_scrhitpttpd_sys_script_selinux(8)
2
3
4

NAME

6       httpd_sys_script_selinux  -  Security  Enhanced  Linux  Policy  for the
7       httpd_sys_script processes
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  httpd_sys_script  processes  via
11       flexible mandatory access control.
12
13       The  httpd_sys_script  processes  execute  with  the httpd_sys_script_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep httpd_sys_script_t
20
21
22

ENTRYPOINTS

24       The   httpd_sys_script_t   SELinux   type   can   be  entered  via  the
25       httpd_sys_content_t,        cifs_t,        nfs_t,         shell_exec_t,
26       httpd_sys_script_exec_t,       httpd_sys_content_t,       httpdcontent,
27       httpd_sys_script_exec_t file types.
28
29       The default entrypoint paths for the httpd_sys_script_t domain are  the
30       following:
31
32       /srv/([^/]*/)?www(/.*)?,        /var/www(/.*)?,       /etc/htdig(/.*)?,
33       /srv/gallery2(/.*)?,     /var/lib/trac(/.*)?,     /var/lib/htdig(/.*)?,
34       /var/www/icons(/.*)?,    /usr/share/htdig(/.*)?,   /usr/share/drupal.*,
35       /var/www/svn/conf(/.*)?,   /usr/share/icecast(/.*)?,   /usr/share/myth‐
36       web(/.*)?,     /var/lib/cacti/rra(/.*)?,    /usr/share/ntop/html(/.*)?,
37       /var/lib/graphite-web(/.*),               /usr/share/mythtv/data(/.*)?,
38       /usr/share/openca/htdocs(/.*)?,                 /usr/share/selinux-pol‐
39       icy[^/]*/html(/.*)?,  /bin/d?ash,  /bin/zsh.*,  /bin/ksh.*,  /bin/sash,
40       /bin/tcsh,  /bin/yash,  /bin/mksh,  /bin/fish,  /bin/bash,  /bin/bash2,
41       /usr/bin/fish,    /sbin/nologin,    /usr/sbin/sesh,    /usr/sbin/smrsh,
42       /usr/bin/scponly,  /usr/libexec/sesh, /usr/sbin/scponlyc, /usr/bin/git-
43       shell,  /usr/libexec/git-core/git-shell,  /var/www/[^/]*/cgi-bin(/.*)?,
44       /var/www/perl(/.*)?,  /var/www/html/[^/]*/cgi-bin(/.*)?,  /usr/lib/cgi-
45       bin(/.*)?,      /var/www/cgi-bin(/.*)?,       /var/www/svn/hooks(/.*)?,
46       /usr/share/wordpress/.*.php,   /usr/share/wordpress/wp-includes/.*.php,
47       /usr/share/mythtv/mythweather/scripts(/.*)?,   /usr/share/mythweb/myth‐
48       web.pl, /usr/share/wordpress-mu/wp-config.php, /srv/([^/]*/)?www(/.*)?,
49       /var/www(/.*)?,         /etc/htdig(/.*)?,          /srv/gallery2(/.*)?,
50       /var/lib/trac(/.*)?,     /var/lib/htdig(/.*)?,    /var/www/icons(/.*)?,
51       /usr/share/htdig(/.*)?,  /usr/share/drupal.*,  /var/www/svn/conf(/.*)?,
52       /usr/share/icecast(/.*)?,                     /usr/share/mythweb(/.*)?,
53       /var/lib/cacti/rra(/.*)?,                   /usr/share/ntop/html(/.*)?,
54       /var/lib/graphite-web(/.*),               /usr/share/mythtv/data(/.*)?,
55       /usr/share/openca/htdocs(/.*)?,                 /usr/share/selinux-pol‐
56       icy[^/]*/html(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?,
57       /var/www/html/[^/]*/cgi-bin(/.*)?,              /usr/lib/cgi-bin(/.*)?,
58       /var/www/cgi-bin(/.*)?,    /var/www/svn/hooks(/.*)?,   /usr/share/word‐
59       press/.*.php,                  /usr/share/wordpress/wp-includes/.*.php,
60       /usr/share/mythtv/mythweather/scripts(/.*)?,   /usr/share/mythweb/myth‐
61       web.pl, /usr/share/wordpress-mu/wp-config.php
62

PROCESS TYPES

64       SELinux defines process types (domains) for each process running on the
65       system
66
67       You can see the context of a process using the -Z option to ps
68
69       Policy  governs  the  access confined processes have to files.  SELinux
70       httpd_sys_script policy is very flexible allowing users to setup  their
71       httpd_sys_script processes in as secure a method as possible.
72
73       The following process types are defined for httpd_sys_script:
74
75       httpd_sys_script_t
76
77       Note: semanage permissive -a httpd_sys_script_t can be used to make the
78       process type  httpd_sys_script_t  permissive.  SELinux  does  not  deny
79       access  to permissive process types, but the AVC (SELinux denials) mes‐
80       sages are still generated.
81
82

BOOLEANS

84       SELinux  policy  is  customizable  based  on  least  access   required.
85       httpd_sys_script  policy is extremely flexible and has several booleans
86       that allow you to manipulate the policy and run  httpd_sys_script  with
87       the tightest access possible.
88
89
90
91       If you want to allow all domains to use other domains file descriptors,
92       you must turn on the allow_domain_fd_use boolean. Enabled by default.
93
94       setsebool -P allow_domain_fd_use 1
95
96
97
98       If you want to allow confined applications to run  with  kerberos,  you
99       must turn on the allow_kerberos boolean. Enabled by default.
100
101       setsebool -P allow_kerberos 1
102
103
104
105       If  you want to allow sysadm to debug or ptrace all processes, you must
106       turn on the allow_ptrace boolean. Disabled by default.
107
108       setsebool -P allow_ptrace 1
109
110
111
112       If you want to allow system to run with  NIS,  you  must  turn  on  the
113       allow_ypbind boolean. Disabled by default.
114
115       setsebool -P allow_ypbind 1
116
117
118
119       If  you  want to allow all domains to have the kernel load modules, you
120       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
121       default.
122
123       setsebool -P domain_kernel_load_modules 1
124
125
126
127       If you want to allow all domains to execute in fips_mode, you must turn
128       on the fips_mode boolean. Enabled by default.
129
130       setsebool -P fips_mode 1
131
132
133
134       If you want to enable reading of urandom for all domains, you must turn
135       on the global_ssp boolean. Disabled by default.
136
137       setsebool -P global_ssp 1
138
139
140
141       If you want to allow httpd to use built in scripting (usually php), you
142       must turn on the httpd_builtin_scripting boolean. Enabled by default.
143
144       setsebool -P httpd_builtin_scripting 1
145
146
147
148       If you want to allow HTTPD scripts and modules to connect to  the  net‐
149       work using TCP, you must turn on the httpd_can_network_connect boolean.
150       Disabled by default.
151
152       setsebool -P httpd_can_network_connect 1
153
154
155
156       If you want to allow HTTPD scripts and modules to connect to  databases
157       over  the  network,  you  must turn on the httpd_can_network_connect_db
158       boolean. Disabled by default.
159
160       setsebool -P httpd_can_network_connect_db 1
161
162
163
164       If you want to allow http daemon to send mail, you  must  turn  on  the
165       httpd_can_sendmail boolean. Disabled by default.
166
167       setsebool -P httpd_can_sendmail 1
168
169
170
171       If  you  want  to  allow  httpd  cgi  support,  you  must  turn  on the
172       httpd_enable_cgi boolean. Enabled by default.
173
174       setsebool -P httpd_enable_cgi 1
175
176
177
178       If you want to allow httpd to read home directories, you must  turn  on
179       the httpd_enable_homedirs boolean. Disabled by default.
180
181       setsebool -P httpd_enable_homedirs 1
182
183
184
185       If  you  want to allow httpd scripts and modules execmem/execstack, you
186       must turn on the httpd_execmem boolean. Disabled by default.
187
188       setsebool -P httpd_execmem 1
189
190
191
192       If you want to allow HTTPD to run SSI executables in the same domain as
193       system  CGI  scripts, you must turn on the httpd_ssi_exec boolean. Dis‐
194       abled by default.
195
196       setsebool -P httpd_ssi_exec 1
197
198
199
200       If you want to allow Apache to execute tmp content, you  must  turn  on
201       the httpd_tmp_exec boolean. Disabled by default.
202
203       setsebool -P httpd_tmp_exec 1
204
205
206
207       If you want to unify HTTPD handling of all content files, you must turn
208       on the httpd_unified boolean. Disabled by default.
209
210       setsebool -P httpd_unified 1
211
212
213
214       If you want to allow httpd to access cifs file systems, you  must  turn
215       on the httpd_use_cifs boolean. Disabled by default.
216
217       setsebool -P httpd_use_cifs 1
218
219
220
221       If  you  want to allow httpd to access FUSE file systems, you must turn
222       on the httpd_use_fusefs boolean. Disabled by default.
223
224       setsebool -P httpd_use_fusefs 1
225
226
227
228       If you want to allow httpd to access nfs file systems, you must turn on
229       the httpd_use_nfs boolean. Disabled by default.
230
231       setsebool -P httpd_use_nfs 1
232
233
234
235       If  you want to allow httpd to access openstack ports, you must turn on
236       the httpd_use_openstack boolean. Disabled by default.
237
238       setsebool -P httpd_use_openstack 1
239
240
241
242       If you want to allow confined applications to use nscd  shared  memory,
243       you must turn on the nscd_use_shm boolean. Enabled by default.
244
245       setsebool -P nscd_use_shm 1
246
247
248
249       If  you  want to allow unprivileged users to execute DDL statement, you
250       must turn on the sepgsql_enable_users_ddl boolean. Enabled by default.
251
252       setsebool -P sepgsql_enable_users_ddl 1
253
254
255
256       If you want to support NFS home  directories,  you  must  turn  on  the
257       use_nfs_home_dirs boolean. Disabled by default.
258
259       setsebool -P use_nfs_home_dirs 1
260
261
262
263       If  you  want  to  support SAMBA home directories, you must turn on the
264       use_samba_home_dirs boolean. Disabled by default.
265
266       setsebool -P use_samba_home_dirs 1
267
268
269

MANAGED FILES

271       The SELinux process type httpd_sys_script_t can  manage  files  labeled
272       with  the following file types.  The paths listed are the default paths
273       for these file types.  Note the processes UID still need  to  have  DAC
274       permissions.
275
276       cifs_t
277
278
279       fusefs_t
280
281
282       httpd_sys_rw_content_t
283
284            /etc/drupal.*
285            /var/lib/svn(/.*)?
286            /var/www/svn(/.*)?
287            /etc/dokuwiki(/.*)?
288            /etc/owncloud(/.*)?
289            /var/lib/koji(/.*)?
290            /etc/mock/koji(/.*)?
291            /var/www/html/[^/]*/sites/default/files(/.*)?
292            /var/www/html/[^/]*/sites/default/settings.php
293            /var/lib/drupal.*
294            /etc/zabbix/web(/.*)?
295            /var/log/z-push(/.*)?
296            /var/spool/gosa(/.*)?
297            /var/www/moodle(/.*)?
298            /var/lib/dokuwiki(/.*)?
299            /var/lib/owncloud(/.*)?
300            /var/spool/viewvc(/.*)?
301            /var/www/moodledata(/.*)?
302            /var/www/gallery/albums(/.*)?
303            /var/www/html/owncloud/data(/.*)?
304            /usr/share/wordpress-mu/wp-content(/.*)?
305            /usr/share/wordpress/wp-content/uploads(/.*)?
306            /usr/share/wordpress/wp-content/upgrade(/.*)?
307            /var/www/html/configuration.php
308
309       httpd_tmp_t
310
311            /var/www/openshift/console/tmp(/.*)?
312
313       httpdcontent
314
315
316       initrc_tmp_t
317
318
319       mnt_t
320
321            /mnt(/[^/]*)
322            /mnt(/[^/]*)?
323            /rhev(/[^/]*)?
324            /media(/[^/]*)
325            /media(/[^/]*)?
326            /etc/rhgb(/.*)?
327            /media/.hal-.*
328            /net
329            /afs
330            /rhev
331            /misc
332
333       nfs_t
334
335
336       public_content_rw_t
337
338            /var/spool/abrt-upload(/.*)?
339
340       tmp_t
341
342            /tmp
343            /usr/tmp
344            /var/tmp
345            /tmp-inst
346            /var/tmp-inst
347            /var/tmp/vi.recover
348
349

FILE CONTEXTS

351       SELinux requires files to have an extended attribute to define the file
352       type.
353
354       You can see the context of a file using the -Z option to ls
355
356       Policy governs the access  confined  processes  have  to  these  files.
357       SELinux httpd_sys_script policy is very flexible allowing users to set‐
358       up their httpd_sys_script processes in as secure a method as possible.
359
360       The following file types are defined for httpd_sys_script:
361
362
363
364       httpd_sys_script_exec_t
365
366       - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
367       sition an executable to the httpd_sys_script_t domain.
368
369
370       Paths:
371            /var/www/[^/]*/cgi-bin(/.*)?,                 /var/www/perl(/.*)?,
372            /var/www/html/[^/]*/cgi-bin(/.*)?,         /usr/lib/cgi-bin(/.*)?,
373            /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/word‐
374            press/.*.php,             /usr/share/wordpress/wp-includes/.*.php,
375            /usr/share/mythtv/mythweather/scripts(/.*)?,      /usr/share/myth‐
376            web/mythweb.pl, /usr/share/wordpress-mu/wp-config.php
377
378
379       Note: File context can be temporarily modified with the chcon  command.
380       If  you want to permanently change the file context you need to use the
381       semanage fcontext command.  This will modify the SELinux labeling data‐
382       base.  You will need to use restorecon to apply the labels.
383
384

SHARING FILES

386       If  you  want to share files with multiple domains (Apache, FTP, rsync,
387       Samba), you can set a file context of public_content_t and  public_con‐
388       tent_rw_t.   These  context  allow any of the above domains to read the
389       content.  If you want a particular domain to write to  the  public_con‐
390       tent_rw_t domain, you must set the appropriate boolean.
391
392       Allow httpd_sys_script servers to read the /var/httpd_sys_script direc‐
393       tory by adding the public_content_t file type to the directory  and  by
394       restoring the file type.
395
396       semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?"
397       restorecon -F -R -v /var/httpd_sys_script
398
399       Allow     httpd_sys_script     servers     to     read     and    write
400       /var/httpd_sys_script/incoming by adding the  public_content_rw_t  type
401       to the directory and by restoring the file type.  You also need to turn
402       on the httpd_sys_script_anon_write boolean.
403
404       semanage        fcontext        -a        -t        public_content_rw_t
405       "/var/httpd_sys_script/incoming(/.*)?"
406       restorecon -F -R -v /var/httpd_sys_script/incoming
407       setsebool -P httpd_sys_script_anon_write 1
408
409
410       If you want to allow apache scripts to write to public content.  Direc‐
411       tories/Files must be labeled public_rw_content_t., you must turn on the
412       allow_httpd_sys_script_anon_write boolean.
413
414       setsebool -P allow_httpd_sys_script_anon_write 1
415
416

COMMANDS

418       semanage  fcontext  can also be used to manipulate default file context
419       mappings.
420
421       semanage permissive can also be used to manipulate  whether  or  not  a
422       process type is permissive.
423
424       semanage  module can also be used to enable/disable/install/remove pol‐
425       icy modules.
426
427       semanage boolean can also be used to manipulate the booleans
428
429
430       system-config-selinux is a GUI tool available to customize SELinux pol‐
431       icy settings.
432
433

AUTHOR

435       This manual page was auto-generated using sepolicy manpage .
436
437