httpd_selinux(8)             SELinux Policy httpd             httpd_selinux(8)



NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd processes


DESCRIPTION

       Security-Enhanced Linux secures the httpd processes via flexible
       mandatory access control.

       The httpd processes execute with the httpd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_t



ENTRYPOINTS

       The httpd_t SELinux type can be entered via the httpd_exec_t file type.

       The default entrypoint paths for the httpd_t domain are the following:

       /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
       /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/nginx,
       /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
       /usr/sbin/lighttpd, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
       /usr/sbin/htcacheclean


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       httpd policy is very flexible, allowing users to set up their httpd
       processes in as secure a manner as possible.

       The following process types are defined for httpd:

       httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t,
       httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t,
       httpd_passwd_t, httpd_unconfined_script_t

       Note: semanage permissive -a httpd_t can be used to make the process
       type httpd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.



BOOLEANS

       SELinux policy is customizable based on the least access required.
       httpd policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run httpd with the tightest access
       possible.


       If you want to allow httpd to use built in scripting (usually php), you
       must turn on the httpd_builtin_scripting boolean. Enabled by default.

       setsebool -P httpd_builtin_scripting 1


       If you want to allow the http daemon to check spam, you must turn on
       the httpd_can_check_spam boolean. Disabled by default.

       setsebool -P httpd_can_check_spam 1


       If you want to allow httpd to act as an FTP client connecting to the
       ftp port and ephemeral ports, you must turn on the
       httpd_can_connect_ftp boolean. Disabled by default.

       setsebool -P httpd_can_connect_ftp 1


       If you want to allow httpd to connect to the ldap port, you must turn
       on the httpd_can_connect_ldap boolean. Disabled by default.

       setsebool -P httpd_can_connect_ldap 1


       If you want to allow the http daemon to connect to mythtv, you must
       turn on the httpd_can_connect_mythtv boolean. Disabled by default.

       setsebool -P httpd_can_connect_mythtv 1


       If you want to allow the http daemon to connect to zabbix, you must
       turn on the httpd_can_connect_zabbix boolean. Disabled by default.

       setsebool -P httpd_can_connect_zabbix 1


       If you want to allow HTTPD scripts and modules to connect to the
       network using TCP, you must turn on the httpd_can_network_connect
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect 1


       If you want to allow HTTPD scripts and modules to connect to cobbler
       over the network, you must turn on the
       httpd_can_network_connect_cobbler boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_cobbler 1


       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1


       If you want to allow httpd to connect to a memcache server, you must
       turn on the httpd_can_network_memcache boolean. Disabled by default.

       setsebool -P httpd_can_network_memcache 1


       If you want to allow httpd to act as a relay, you must turn on the
       httpd_can_network_relay boolean. Disabled by default.

       setsebool -P httpd_can_network_relay 1


       If you want to allow the http daemon to send mail, you must turn on the
       httpd_can_sendmail boolean. Disabled by default.

       setsebool -P httpd_can_sendmail 1


       If you want to allow Apache to communicate with the avahi service via
       dbus, you must turn on the httpd_dbus_avahi boolean. Disabled by
       default.

       setsebool -P httpd_dbus_avahi 1


       If you want to allow Apache to communicate with the sssd service via
       dbus, you must turn on the httpd_dbus_sssd boolean. Disabled by
       default.

       setsebool -P httpd_dbus_sssd 1


       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1


       If you want to allow httpd to act as an FTP server by listening on the
       ftp port, you must turn on the httpd_enable_ftp_server boolean.
       Disabled by default.

       setsebool -P httpd_enable_ftp_server 1


       If you want to allow httpd to read home directories, you must turn on
       the httpd_enable_homedirs boolean. Disabled by default.

       setsebool -P httpd_enable_homedirs 1


       If you want to allow httpd scripts and modules execmem/execstack, you
       must turn on the httpd_execmem boolean. Disabled by default.

       setsebool -P httpd_execmem 1


       If you want to allow HTTPD to connect to port 80 for graceful shutdown,
       you must turn on the httpd_graceful_shutdown boolean. Enabled by
       default.

       setsebool -P httpd_graceful_shutdown 1


       If you want to allow httpd processes to manage IPA content, you must
       turn on the httpd_manage_ipa boolean. Disabled by default.

       setsebool -P httpd_manage_ipa 1


       If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
       on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.

       setsebool -P httpd_mod_auth_ntlm_winbind 1


       If you want to allow Apache to use mod_auth_pam, you must turn on the
       httpd_mod_auth_pam boolean. Disabled by default.

       setsebool -P httpd_mod_auth_pam 1


       If you want to allow httpd to read user content, you must turn on the
       httpd_read_user_content boolean. Disabled by default.

       setsebool -P httpd_read_user_content 1


       If you want to allow httpd processes to run the IPA helper, you must
       turn on the httpd_run_ipa boolean. Disabled by default.

       setsebool -P httpd_run_ipa 1


       If you want to allow Apache to run preupgrade, you must turn on the
       httpd_run_preupgrade boolean. Enabled by default.

       setsebool -P httpd_run_preupgrade 1


       If you want to allow Apache to run in stickshift mode, not transition
       to passenger, you must turn on the httpd_run_stickshift boolean.
       Enabled by default.

       setsebool -P httpd_run_stickshift 1


       If you want to allow HTTPD scripts and modules to serve cobbler files,
       you must turn on the httpd_serve_cobbler_files boolean. Enabled by
       default.

       setsebool -P httpd_serve_cobbler_files 1


       If you want to allow the httpd daemon to change its resource limits,
       you must turn on the httpd_setrlimit boolean. Disabled by default.

       setsebool -P httpd_setrlimit 1


       If you want to allow HTTPD to run SSI executables in the same domain as
       system CGI scripts, you must turn on the httpd_ssi_exec boolean.
       Disabled by default.

       setsebool -P httpd_ssi_exec 1


       If you want to allow Apache to execute tmp content, you must turn on
       the httpd_tmp_exec boolean. Disabled by default.

       setsebool -P httpd_tmp_exec 1


       If you want to allow HTTPD to communicate with the terminal (needed for
       entering the passphrase for certificates at the terminal), you must
       turn on the httpd_tty_comm boolean. Disabled by default.

       setsebool -P httpd_tty_comm 1


       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1


       If you want to allow httpd to access cifs file systems, you must turn
       on the httpd_use_cifs boolean. Disabled by default.

       setsebool -P httpd_use_cifs 1


       If you want to allow httpd to access FUSE file systems, you must turn
       on the httpd_use_fusefs boolean. Disabled by default.

       setsebool -P httpd_use_fusefs 1


       If you want to allow httpd to run gpg, you must turn on the
       httpd_use_gpg boolean. Disabled by default.

       setsebool -P httpd_use_gpg 1


       If you want to allow httpd to access nfs file systems, you must turn on
       the httpd_use_nfs boolean. Disabled by default.

       setsebool -P httpd_use_nfs 1


       If you want to allow httpd to access openstack ports, you must turn on
       the httpd_use_openstack boolean. Disabled by default.

       setsebool -P httpd_use_openstack 1


       If you want to allow httpd to connect to sasl, you must turn on the
       httpd_use_sasl boolean. Disabled by default.

       setsebool -P httpd_use_sasl 1


       If you want to allow Apache to query NS records, you must turn on the
       httpd_verify_dns boolean. Disabled by default.

       setsebool -P httpd_verify_dns 1


       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1


       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1


       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1


       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1


       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1


       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1


       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1


       If you want to allow all domains to write to kmsg_device, while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1


       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1


       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to determine whether the Git system daemon can access cifs
       file systems, you must turn on the git_system_use_cifs boolean.
       Disabled by default.

       setsebool -P git_system_use_cifs 1


       If you want to determine whether the Git system daemon can access nfs
       file systems, you must turn on the git_system_use_nfs boolean.
       Disabled by default.

       setsebool -P git_system_use_nfs 1


       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1


       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1


       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1


       If you want to allow unprivileged users to execute DDL statements, you
       must turn on the postgresql_selinux_users_ddl boolean. Enabled by
       default.

       setsebool -P postgresql_selinux_users_ddl 1


       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1


       If you want to support SAMBA home directories, you must turn on the
       use_samba_home_dirs boolean. Disabled by default.

       setsebool -P use_samba_home_dirs 1


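       Because each boolean above widens what httpd_t may do, a host should
       carry only the ones it needs. The script below is an added example, not
       part of this man page: it reads getsebool -a output (a constructed
       sample here) and reports every httpd_* boolean whose state differs from
       the default documented in the BOOLEANS section, so that anything
       switched on beyond the default is surfaced for review. The function
       names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the httpd_selinux man page): compare the httpd
# booleans of a host against the defaults the BOOLEANS section documents.

# httpd_* booleans the man page lists as "Enabled by default"; every other
# httpd_* boolean it lists is "Disabled by default".
HTTPD_DEFAULT_ON="httpd_builtin_scripting httpd_enable_cgi httpd_graceful_shutdown httpd_run_preupgrade httpd_run_stickshift httpd_serve_cobbler_files"

# default_state NAME: print "on" or "off", the documented default for NAME.
default_state() {
    for b in $HTTPD_DEFAULT_ON; do
        [ "$b" = "$1" ] && { echo on; return 0; }
    done
    echo off
}

# audit_httpd_booleans: read `getsebool -a` style lines ("name --> state") on
# stdin and print one line per httpd_* boolean whose state differs from the
# documented default, as "<name> <actual> (default <expected>)".
# Non-httpd booleans and malformed lines are skipped.
audit_httpd_booleans() {
    while read -r name arrow state; do
        case "$name" in httpd_*) ;; *) continue ;; esac
        [ "$arrow" = "-->" ] || continue
        expected=$(default_state "$name")
        if [ "$state" != "$expected" ]; then
            echo "$name $state (default $expected)"
        fi
    done
}

# Constructed sample of getsebool -a output, standing in for a real host:
# network connections were switched on and CGI was switched off.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_sendmail --> off
httpd_enable_cgi --> off
httpd_unified --> on
kerberos_enabled --> on'

# On a live host use:  getsebool -a | audit_httpd_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_httpd_booleans
```

       Each reported line is a deliberate policy change to confirm or an
       unexpected widening to revert with setsebool -P NAME 0.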
NSSWITCH DOMAIN

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server for the httpd_t, you must turn on
       the authlogin_nsswitch_use_ldap boolean.

       setsebool -P authlogin_nsswitch_use_ldap 1


       If you want to allow confined applications to run with kerberos for the
       httpd_t, you must turn on the kerberos_enabled boolean.

       setsebool -P kerberos_enabled 1



PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l


       Policy governs the access confined processes have to these ports.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes in as secure a manner as possible.

       The following port types are defined for httpd:


       http_cache_port_t

       Default Defined Ports:
                 tcp 8080,8118,8123,10001-10010
                 udp 3130


       http_port_t

       Default Defined Ports:
                 tcp 80,81,443,488,8008,8009,8443,9000


MANAGED FILES

       The SELinux process type httpd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       abrt_retrace_spool_t

            /var/spool/faf(/.*)?
            /var/spool/abrt-retrace(/.*)?
            /var/spool/retrace-server(/.*)?

       anon_inodefs_t


       apcupsd_cgi_rw_content_t


       awstats_rw_content_t


       bugzilla_rw_content_t

            /var/lib/bugzilla(/.*)?

       cifs_t


       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cobbler_var_lib_t

            /var/lib/cobbler(/.*)?
            /var/www/cobbler(/.*)?
            /var/cache/cobbler(/.*)?
            /var/lib/tftpboot/etc(/.*)?
            /var/lib/tftpboot/ppc(/.*)?
            /var/lib/tftpboot/boot(/.*)?
            /var/lib/tftpboot/grub(/.*)?
            /var/lib/tftpboot/s390x(/.*)?
            /var/lib/tftpboot/images(/.*)?
            /var/lib/tftpboot/aarch64(/.*)?
            /var/lib/tftpboot/images2(/.*)?
            /var/lib/tftpboot/pxelinux.cfg(/.*)?
            /var/lib/tftpboot/yaboot
            /var/lib/tftpboot/memdisk
            /var/lib/tftpboot/menu.c32
            /var/lib/tftpboot/pxelinux.0

       collectd_rw_content_t


       cvs_rw_content_t


       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       dirsrvadmin_config_t

            /etc/dirsrv/dsgw(/.*)?
            /etc/dirsrv/admin-serv(/.*)?

       dirsrvadmin_rw_content_t


       dirsrvadmin_tmp_t


       dspam_rw_content_t

            /var/lib/dspam/data(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       git_rw_content_t

            /var/cache/cgit(/.*)?
            /var/cache/gitweb-caching(/.*)?

       httpd_cache_t

            /var/cache/rt(3|4)(/.*)?
            /var/cache/ssl.*.sem
            /var/cache/mod_.*
            /var/cache/php-.*
            /var/cache/httpd(/.*)?
            /var/cache/mason(/.*)?
            /var/cache/mod_ssl(/.*)?
            /var/cache/lighttpd(/.*)?
            /var/cache/mediawiki(/.*)?
            /var/cache/mod_proxy(/.*)?
            /var/cache/mod_gnutls(/.*)?
            /var/cache/php-mmcache(/.*)?
            /var/cache/php-eaccelerator(/.*)?

       httpd_lock_t


       httpd_squirrelmail_t

            /var/lib/squirrelmail/prefs(/.*)?

       httpd_sys_rw_content_t

            /etc/glpi(/.*)?
            /etc/horde(/.*)?
            /etc/drupal.*
            /etc/z-push(/.*)?
            /var/lib/svn(/.*)?
            /var/www/svn(/.*)?
            /etc/owncloud(/.*)?
            /var/www/html(/.*)?/uploads(/.*)?
            /var/www/html(/.*)?/wp-content(/.*)?
            /var/www/html(/.*)?/wp_backups(/.*)?
            /var/www/html(/.*)?/sites/default/files(/.*)?
            /var/www/html(/.*)?/sites/default/settings.php
            /etc/nextcloud(/.*)?
            /etc/mock/koji(/.*)?
            /var/lib/drupal.*
            /etc/zabbix/web(/.*)?
            /var/lib/moodle(/.*)?
            /var/log/z-push(/.*)?
            /var/spool/gosa(/.*)?
            /etc/WebCalendar(/.*)?
            /usr/share/joomla(/.*)?
            /var/lib/dokuwiki(/.*)?
            /var/lib/owncloud(/.*)?
            /var/spool/viewvc(/.*)?
            /var/lib/nextcloud(/.*)?
            /var/lib/pootle/po(/.*)?
            /var/www/moodledata(/.*)?
            /srv/gallery2/smarty(/.*)?
            /var/www/moodle/data(/.*)?
            /var/lib/graphite-web(/.*)?
            /var/log/shibboleth-www(/.*)?
            /var/www/gallery/albums(/.*)?
            /var/www/html/owncloud/data(/.*)?
            /var/www/html/nextcloud/data(/.*)?
            /usr/share/wordpress-mu/wp-content(/.*)?
            /usr/share/wordpress/wp-content/uploads(/.*)?
            /usr/share/wordpress/wp-content/upgrade(/.*)?
            /var/www/html/configuration.php

       httpd_tmp_t

            /var/run/user/apache(/.*)?
            /var/www/openshift/console/tmp(/.*)?

       httpd_tmpfs_t


       httpd_user_rw_content_t


       httpd_var_lib_t

            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
            /var/lib/dav(/.*)?
            /var/lib/php(/.*)?
            /var/lib/glpi(/.*)?
            /var/lib/httpd(/.*)?
            /var/lib/nginx(/.*)?
            /var/lib/z-push(/.*)?
            /var/lib/ganglia(/.*)?
            /var/lib/ipsilon(/.*)?
            /var/lib/cherokee(/.*)?
            /var/lib/lighttpd(/.*)?
            /var/lib/mod_security(/.*)?
            /var/lib/roundcubemail(/.*)?
            /var/opt/rh/rh-nginx18/lib/nginx(/.*)?

       httpd_var_run_t

            /var/run/wsgi.*
            /var/run/mod_.*
            /var/run/httpd.*
            /var/run/nginx.*
            /var/run/apache.*
            /var/run/php-fpm(/.*)?
            /var/run/lighttpd(/.*)?
            /var/lib/php/session(/.*)?
            /var/lib/php/wsdlcache(/.*)?
            /var/run/dirsrv/admin-serv.*
            /var/opt/rh/rh-nginx18/run/nginx(/.*)?
            /var/www/openshift/broker/httpd/run(/.*)?
            /var/www/openshift/console/httpd/run(/.*)?
            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
            /var/run/thttpd.pid
            /var/run/gcache_port
            /var/run/cherokee.pid

       httpdcontent


       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       ipa_cert_t

            /etc/httpd/alias/ipasession.key

       ipa_var_run_t

            /var/run/ipa(/.*)?

       jetty_cache_t

            /var/cache/jetty(/.*)?

       jetty_log_t

            /var/log/jetty(/.*)?

       jetty_var_lib_t

            /var/lib/jetty(/.*)?

       jetty_var_run_t

            /var/run/jetty(/.*)?

       keystone_cgi_rw_content_t


       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       man2html_rw_content_t

            /var/cache/man2html(/.*)?

       mediawiki_rw_content_t

            /var/www/wiki[0-9]?(/.*)?

       memcached_var_run_t

            /var/run/memcached(/.*)?
            /var/run/ipa_memcached(/.*)?

       mirrormanager_var_run_t

            /var/run/mirrormanager(/.*)?

       mojomojo_rw_content_t

            /var/lib/mojomojo(/.*)?

       munin_rw_content_t


       mythtv_rw_content_t


       nagios_rw_content_t


       nfs_t


       nutups_cgi_rw_content_t


       openshift_rw_content_t


       passenger_tmp_t


       passenger_var_lib_t

            /var/lib/passenger(/.*)?

       passenger_var_run_t

            /var/run/passenger(/.*)?

       pki_apache_config


       pki_apache_var_lib


       pki_apache_var_log


       postfix_spool_t

            /var/spool/postfix.*
            /var/spool/postfix/defer(/.*)?
            /var/spool/postfix/flush(/.*)?
            /var/spool/postfix/deferred(/.*)?
            /var/spool/postfix/maildrop(/.*)?

       preupgrade_data_t

            /var/lib/preupgrade(/.*)?
            /var/log/preupgrade(/.*)?

       prewikka_rw_content_t


       public_content_rw_t

            /var/spool/abrt-upload(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       smokeping_cgi_rw_content_t


       squid_rw_content_t


       squirrelmail_spool_t

            /var/spool/squirrelmail(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       w3c_validator_rw_content_t


       webalizer_rw_content_t

            /var/www/usage(/.*)?

       zarafa_var_lib_t

            /var/lib/zarafa(/.*)?
            /var/lib/zarafa-webapp(/.*)?
            /var/lib/zarafa-webaccess(/.*)?

       zoneminder_rw_content_t


       zoneminder_var_lib_t

            /var/lib/zoneminder(/.*)?



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES


       httpd policy stores data with multiple different file context types
       under the /var/lib/php directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/lib/php /srv/php
       restorecon -R -v /srv/php

       httpd policy stores data with multiple different file context types
       under the /var/www directory. If you would like to store the data in a
       different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/www /srv/www
       restorecon -R -v /srv/www

       STANDARD FILE CONTEXT

       SELinux defines the file context types for httpd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t httpd_var_run_t '/srv/myhttpd_content(/.*)?'
       restorecon -R -v /srv/myhttpd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

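       The two-step procedure above (semanage fcontext records the mapping,
       restorecon applies it) is easy to get wrong in two ways: labeling a
       whole content root writable, and forgetting to check the result on
       disk. The script below is an added example, not part of this man page:
       it builds a least-privilege labeling plan for a custom content root,
       with read-only content on httpd_sys_content_t (the policy's read-only
       web content type, not listed in the excerpt above) and only the
       subtrees the application writes on httpd_sys_rw_content_t, and it
       checks ls -Z output against that plan. The /srv/www/app path, the
       uploads and cache subdirectories, and the function names are
       assumptions.

```shell
#!/bin/sh
# Added example (not part of the httpd_selinux man page): plan and verify
# least-privilege labels for a custom httpd content root.

# plan_httpd_labels ROOT RW_SUBDIR...: print the commands to run, in order.
# It only prints, so the plan can be reviewed (or piped to sh) before any
# label on disk changes.
plan_httpd_labels() {
    root=$1; shift
    # Everything under the root is read-only web content unless listed below.
    printf "semanage fcontext -a -t httpd_sys_content_t '%s(/.*)?'\n" "$root"
    for sub in "$@"; do
        # Writable subtrees are added after the root pattern so that the more
        # specific, later entry takes precedence for paths inside them.
        printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s/%s(/.*)?'\n" "$root" "$sub"
    done
    # semanage only records the mapping; restorecon applies it to the files.
    printf 'restorecon -R -v %s\n' "$root"
}

# expected_type ROOT "RW_SUBDIRS" PATH: the type PATH should carry under the
# plan above: httpd_sys_rw_content_t inside a writable subtree, otherwise
# httpd_sys_content_t.
expected_type() {
    root=$1; rw=$2; path=$3
    for sub in $rw; do
        case "$path" in
            "$root/$sub"|"$root/$sub"/*) echo httpd_sys_rw_content_t; return 0 ;;
        esac
    done
    echo httpd_sys_content_t
}

# type_from_ls_z LINE: extract the SELinux type from an `ls -Zd` line such as
# "system_u:object_r:httpd_sys_content_t:s0 /srv/www/app".
type_from_ls_z() {
    echo "$1" | cut -d' ' -f1 | cut -d: -f3
}

# verify_labels ROOT "RW_SUBDIRS": read `ls -Zd` lines on stdin and print
# every path whose on-disk type does not match the plan. No output means
# the labels match.
verify_labels() {
    root=$1; rw=$2
    while read -r ctx path; do
        actual=$(type_from_ls_z "$ctx $path")
        want=$(expected_type "$root" "$rw" "$path")
        [ "$actual" = "$want" ] || echo "$path is $actual, expected $want"
    done
}

# Constructed `ls -Zd` output, as if taken before restorecon was run: the
# uploads directory still carries the generic read-only type.
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 /srv/www/app
system_u:object_r:httpd_sys_content_t:s0 /srv/www/app/index.php
system_u:object_r:httpd_sys_content_t:s0 /srv/www/app/uploads
system_u:object_r:httpd_sys_rw_content_t:s0 /srv/www/app/cache/x.tmp'

plan_httpd_labels /srv/www/app uploads cache
printf '%s\n' "$SAMPLE_LS_Z" | verify_labels /srv/www/app "uploads cache"
# On a live host, after restorecon:
#   find /srv/www/app -exec ls -Zd {} + | verify_labels /srv/www/app "uploads cache"
```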
984       The following file types are defined for httpd:
985
986
987
988       httpd_cache_t
989
990       - Set files with the httpd_cache_t type, if you want to store the files
991       under the /var/cache directory.
992
993
994       Paths:
995            /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
996            /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
997            /var/cache/mod_ssl(/.*)?,               /var/cache/lighttpd(/.*)?,
998            /var/cache/mediawiki(/.*)?,            /var/cache/mod_proxy(/.*)?,
999            /var/cache/mod_gnutls(/.*)?,         /var/cache/php-mmcache(/.*)?,
1000            /var/cache/php-eaccelerator(/.*)?
1001
1002
1003       httpd_config_t
1004
1005       - Set files with the httpd_config_t type, if  you  want  to  treat  the
1006       files as httpd configuration data, usually stored under the /etc direc‐
1007       tory.
1008
1009
1010       Paths:
1011            /etc/httpd(/.*)?,     /etc/nginx(/.*)?,     /etc/apache(2)?(/.*)?,
1012            /etc/cherokee(/.*)?,       /etc/lighttpd(/.*)?,       /etc/apache-
1013            ssl(2)?(/.*)?, /var/lib/openshift/.httpd.d(/.*)?,  /etc/opt/rh/rh-
1014            nginx18/nginx(/.*)?,           /var/lib/stickshift/.httpd.d(/.*)?,
1015            /etc/vhosts, /etc/thttpd.conf


       httpd_exec_t

       - Set files with the httpd_exec_t type, if you want to transition an
       executable to the httpd_t domain.


       Paths:
            /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
            /usr/sbin/apache-ssl(2)?, /usr/share/jetty/bin/jetty.sh, /usr/sbin/nginx,
            /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
            /usr/sbin/lighttpd, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
            /usr/sbin/htcacheclean


       httpd_helper_exec_t

       - Set files with the httpd_helper_exec_t type, if you want to transition
       an executable to the httpd_helper_t domain.



       httpd_initrc_exec_t

       - Set files with the httpd_initrc_exec_t type, if you want to transition
       an executable to the httpd_initrc_t domain.


       Paths:
            /etc/init.d/cherokee, /etc/rc.d/init.d/httpd, /etc/rc.d/init.d/lighttpd


       httpd_keytab_t

       - Set files with the httpd_keytab_t type, if you want to treat the files
       as Kerberos keytab files.



       httpd_lock_t

       - Set files with the httpd_lock_t type, if you want to treat the files
       as httpd lock data, stored under the /var/lock directory.



       httpd_log_t

       - Set files with the httpd_log_t type, if you want to treat the data as
       httpd log data, usually stored under the /var/log directory.


       Paths:
            /srv/([^/]*/)?www/logs(/.*)?, /var/www(/.*)?/logs(/.*)?,
            /var/log/glpi(/.*)?, /var/log/cacti(/.*)?, /var/log/httpd(/.*)?,
            /var/log/nginx(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/horizon(/.*)?,
            /var/log/php-fpm(/.*)?, /var/log/cherokee(/.*)?, /var/log/lighttpd(/.*)?,
            /var/log/suphp.log.*, /var/log/thttpd.log.*, /var/log/apache-ssl(2)?(/.*)?,
            /var/log/cgiwrap.log.*, /var/www/stickshift/[^/]*/log(/.*)?,
            /var/log/graphite-web(/.*)?, /var/www/miq/vmdb/log(/.*)?,
            /var/log/roundcubemail(/.*)?, /var/log/php_errors.log.*,
            /var/opt/rh/rh-nginx18/log(/.*)?, /var/log/dirsrv/admin-serv(/.*)?,
            /var/lib/openshift/.log/httpd(/.*)?, /var/www/openshift/console/log(/.*)?,
            /var/www/openshift/broker/httpd/logs(/.*)?,
            /var/www/openshift/console/httpd/logs(/.*)?, /etc/httpd/logs


       httpd_modules_t

       - Set files with the httpd_modules_t type, if you want to treat the
       files as httpd modules.


       Paths:
            /usr/lib/httpd(/.*)?, /usr/lib/apache(/.*)?, /usr/lib/cherokee(/.*)?,
            /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/modules(/.*)?,
            /etc/httpd/modules


       httpd_passwd_exec_t

       - Set files with the httpd_passwd_exec_t type, if you want to transition
       an executable to the httpd_passwd_t domain.



       httpd_php_exec_t

       - Set files with the httpd_php_exec_t type, if you want to transition
       an executable to the httpd_php_t domain.



       httpd_php_tmp_t

       - Set files with the httpd_php_tmp_t type, if you want to store httpd
       PHP temporary files in the /tmp directories.



       httpd_rotatelogs_exec_t

       - Set files with the httpd_rotatelogs_exec_t type, if you want to
       transition an executable to the httpd_rotatelogs_t domain.



       httpd_squirrelmail_t

       - Set files with the httpd_squirrelmail_t type, if you want to treat
       the files as httpd SquirrelMail data.



       httpd_suexec_exec_t

       - Set files with the httpd_suexec_exec_t type, if you want to transition
       an executable to the httpd_suexec_t domain.


       Paths:
            /usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?,
            /usr/sbin/suexec


       httpd_suexec_tmp_t

       - Set files with the httpd_suexec_tmp_t type, if you want to store
       httpd suexec temporary files in the /tmp directories.


       httpd_sys_content_t

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content.


       Paths:
            /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
            /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
            /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/htdig(/.*)?,
            /usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
            /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?,
            /usr/share/ntop/html(/.*)?, /usr/share/nginx/html(/.*)?,
            /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?,
            /usr/share/selinux-policy[^/]*/html(/.*)?


       httpd_sys_htaccess_t

       - Set files with the httpd_sys_htaccess_t type, if you want to treat
       the file as an httpd sys access file.



       httpd_sys_ra_content_t

       - Set files with the httpd_sys_ra_content_t type, if you want to treat
       the files as httpd sys read/append content.



       httpd_sys_rw_content_t

       - Set files with the httpd_sys_rw_content_t type, if you want to treat
       the files as httpd sys read/write content.


       Paths:
            /etc/glpi(/.*)?, /etc/horde(/.*)?, /etc/drupal.*, /etc/z-push(/.*)?,
            /var/lib/svn(/.*)?, /var/www/svn(/.*)?, /etc/owncloud(/.*)?,
            /var/www/html(/.*)?/uploads(/.*)?, /var/www/html(/.*)?/wp-content(/.*)?,
            /var/www/html(/.*)?/wp_backups(/.*)?,
            /var/www/html(/.*)?/sites/default/files(/.*)?,
            /var/www/html(/.*)?/sites/default/settings.php, /etc/nextcloud(/.*)?,
            /etc/mock/koji(/.*)?, /var/lib/drupal.*, /etc/zabbix/web(/.*)?,
            /var/lib/moodle(/.*)?, /var/log/z-push(/.*)?, /var/spool/gosa(/.*)?,
            /etc/WebCalendar(/.*)?, /usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?,
            /var/lib/owncloud(/.*)?, /var/spool/viewvc(/.*)?, /var/lib/nextcloud(/.*)?,
            /var/lib/pootle/po(/.*)?, /var/www/moodledata(/.*)?,
            /srv/gallery2/smarty(/.*)?, /var/www/moodle/data(/.*)?,
            /var/lib/graphite-web(/.*)?, /var/log/shibboleth-www(/.*)?,
            /var/www/gallery/albums(/.*)?, /var/www/html/owncloud/data(/.*)?,
            /var/www/html/nextcloud/data(/.*)?, /usr/share/wordpress-mu/wp-content(/.*)?,
            /usr/share/wordpress/wp-content/uploads(/.*)?,
            /usr/share/wordpress/wp-content/upgrade(/.*)?,
            /var/www/html/configuration.php


       httpd_sys_script_exec_t

       - Set files with the httpd_sys_script_exec_t type, if you want to
       transition an executable to the httpd_sys_script_t domain.


       Paths:
            /usr/.*.cgi, /opt/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
            /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
            /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?,
            /usr/share/wordpress/.*.php, /usr/local/nagios/sbin(/.*)?,
            /usr/share/wordpress/wp-includes/.*.php,
            /usr/share/wordpress-mu/wp-config.php


       httpd_tmp_t

       - Set files with the httpd_tmp_t type, if you want to store httpd
       temporary files in the /tmp directories.


       Paths:
            /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?


       httpd_tmpfs_t

       - Set files with the httpd_tmpfs_t type, if you want to store httpd
       files on a tmpfs file system.



       httpd_unconfined_script_exec_t

       - Set files with the httpd_unconfined_script_exec_t type, if you want
       to transition an executable to the httpd_unconfined_script_t domain.



       httpd_unit_file_t

       - Set files with the httpd_unit_file_t type, if you want to treat the
       files as httpd unit content.


       Paths:
            /usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/jetty.*,
            /usr/lib/systemd/system/nginx.*, /usr/lib/systemd/system/thttpd.*,
            /usr/lib/systemd/system/php-fpm.*


       httpd_user_content_t

       - Set files with the httpd_user_content_t type, if you want to treat
       the files as httpd user content.



       httpd_user_htaccess_t

       - Set files with the httpd_user_htaccess_t type, if you want to treat
       the file as an httpd user access file.



       httpd_user_ra_content_t

       - Set files with the httpd_user_ra_content_t type, if you want to treat
       the files as httpd user read/append content.



       httpd_user_rw_content_t

       - Set files with the httpd_user_rw_content_t type, if you want to treat
       the files as httpd user read/write content.



       httpd_user_script_exec_t

       - Set files with the httpd_user_script_exec_t type, if you want to
       transition an executable to the httpd_user_script_t domain.



       httpd_var_lib_t

       - Set files with the httpd_var_lib_t type, if you want to store the
       httpd files under the /var/lib directory.


       Paths:
            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?,
            /var/lib/php(/.*)?, /var/lib/glpi(/.*)?, /var/lib/httpd(/.*)?,
            /var/lib/nginx(/.*)?, /var/lib/z-push(/.*)?, /var/lib/ganglia(/.*)?,
            /var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?, /var/lib/lighttpd(/.*)?,
            /var/lib/mod_security(/.*)?, /var/lib/roundcubemail(/.*)?,
            /var/opt/rh/rh-nginx18/lib/nginx(/.*)?


       httpd_var_run_t

       - Set files with the httpd_var_run_t type, if you want to store the
       httpd files under the /run or /var/run directory.


       Paths:
            /var/run/wsgi.*, /var/run/mod_.*, /var/run/httpd.*, /var/run/nginx.*,
            /var/run/apache.*, /var/run/php-fpm(/.*)?, /var/run/lighttpd(/.*)?,
            /var/lib/php/session(/.*)?, /var/lib/php/wsdlcache(/.*)?,
            /var/run/dirsrv/admin-serv.*, /var/opt/rh/rh-nginx18/run/nginx(/.*)?,
            /var/www/openshift/broker/httpd/run(/.*)?,
            /var/www/openshift/console/httpd/run(/.*)?,
            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?, /var/run/thttpd.pid,
            /var/run/gcache_port, /var/run/cherokee.pid


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.



SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t or
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files of
       the public_content_rw_t type, you must set the appropriate boolean.

       Allow httpd servers to read the /var/httpd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
       restorecon -F -R -v /var/httpd

       Allow httpd servers to read and write /var/httpd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the httpd_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
       restorecon -F -R -v /var/httpd/incoming
       setsebool -P httpd_anon_write 1


       If you want to allow Apache to modify public files used for public file
       transfer services, the directories and files must be labeled
       public_content_rw_t and you must turn on the httpd_anon_write boolean.

       setsebool -P httpd_anon_write 1


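       The following is an added example, not part of this manual page or of
       the SELinux policy tools: a small POSIX sh model of how the file context
       regexes listed above, plus the two semanage fcontext customizations from
       SHARING FILES, decide which type a path receives (libselinux matches the
       whole path and the last matching entry wins, so the table is ordered
       generic-first, local customizations last), and whether httpd_t may then
       write to it given the httpd_anon_write boolean. The function names
       httpd_label_for and httpd_may_write and the table itself are constructed
       for this example; the regexes are copied from this page.

```shell
#!/bin/sh
# Constructed table (not a real file_contexts): most generic entry first,
# the two "semanage fcontext -a" customizations from SHARING FILES last.
# httpd_label_for PATH prints the type the last matching regex assigns,
# or <<none>> when nothing matches (as matchpathcon reports it).
httpd_label_for() {
    _path=$1
    _label='<<none>>'
    while read -r _re _type; do
        # Anchor both ends: the regex must cover the whole path, not a substring.
        if printf '%s\n' "$_path" | grep -Eq "^${_re}\$"; then
            _label=$_type          # later (more specific) entries override
        fi
    done <<'EOF'
/var/www(/.*)? httpd_sys_content_t
/var/log/httpd(/.*)? httpd_log_t
/var/run/httpd.* httpd_var_run_t
/usr/sbin/httpd(.worker)? httpd_exec_t
/var/www/cgi-bin(/.*)? httpd_sys_script_exec_t
/var/www/html(/.*)?/uploads(/.*)? httpd_sys_rw_content_t
/var/httpd(/.*)? public_content_t
/var/httpd/incoming(/.*)? public_content_rw_t
EOF
    printf '%s\n' "$_label"
}

# httpd_may_write TYPE BOOL: "yes" if httpd_t may write content of TYPE.
# BOOL is the state of httpd_anon_write ("on"/"off"); per the page,
# public_content_rw_t is writable only once that boolean is on, while
# the rw content types are writable regardless and everything else is not.
httpd_may_write() {
    case $1 in
        httpd_sys_rw_content_t|httpd_user_rw_content_t) echo yes ;;
        public_content_rw_t) if [ "$2" = on ]; then echo yes; else echo no; fi ;;
        *) echo no ;;
    esac
}

# Walk the /var/httpd scenario from SHARING FILES plus a few standard paths,
# with httpd_anon_write still off (the default before setsebool -P ... 1).
for p in /var/www/html/index.html /var/www/html/blog/uploads/a.jpg \
         /var/www/cgi-bin/hello.cgi /var/httpd/readme.txt \
         /var/httpd/incoming/upload.bin /etc/passwd; do
    t=$(httpd_label_for "$p")
    printf '%-34s %-24s write:%s\n' "$p" "$t" "$(httpd_may_write "$t" off)"
done
```

       On a real system the same questions are answered by matchpathcon or
       "semanage fcontext -l" for the label and getsebool for the boolean.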

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), httpd_helper_selinux(8), httpd_passwd_selinux(8),
       httpd_php_selinux(8), httpd_rotatelogs_selinux(8),
       httpd_suexec_selinux(8), httpd_sys_script_selinux(8),
       httpd_unconfined_script_selinux(8), httpd_user_script_selinux(8)



httpd                              19-04-25                   httpd_selinux(8)