httpd_sys_script_selinux(8)

1httpd_sys_script_selinux(S8E)Linux Policy httpd_sys_scrhitpttpd_sys_script_selinux(8)
2
3
4

NAME

6       httpd_sys_script_selinux  -  Security  Enhanced  Linux  Policy  for the
7       httpd_sys_script processes
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  httpd_sys_script  processes  via
11       flexible mandatory access control.
12
13       The  httpd_sys_script  processes  execute  with  the httpd_sys_script_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep httpd_sys_script_t
20
21
22

ENTRYPOINTS

24       The   httpd_sys_script_t   SELinux   type   can   be  entered  via  the
25       shell_exec_t,  httpd_sys_script_exec_t,   nfs_t,   httpd_sys_content_t,
26       cifs_t, httpdcontent, httpd_sys_script_exec_t, httpd_sys_content_t file
27       types.
28
29       The default entrypoint paths for the httpd_sys_script_t domain are  the
30       following:
31
32       /bin/d?ash,  /bin/zsh.*,  /bin/ksh.*,  /usr/bin/d?ash,  /usr/bin/ksh.*,
33       /usr/bin/zsh.*, /bin/esh, /bin/mksh, /bin/sash,  /bin/tcsh,  /bin/yash,
34       /bin/bash,    /bin/fish,   /bin/bash2,   /usr/bin/esh,   /usr/bin/sash,
35       /usr/bin/tcsh,     /usr/bin/yash,     /usr/bin/mksh,     /usr/bin/fish,
36       /usr/bin/bash,     /sbin/nologin,    /usr/sbin/sesh,    /usr/bin/bash2,
37       /usr/sbin/smrsh,          /usr/bin/scponly,          /usr/sbin/nologin,
38       /usr/libexec/sesh,        /usr/sbin/scponlyc,       /usr/bin/git-shell,
39       /usr/libexec/sudo/sesh, /usr/bin/cockpit-bridge,  /usr/libexec/cockpit-
40       agent,   /usr/libexec/git-core/git-shell,   /usr/.*.cgi,   /opt/.*.cgi,
41       /var/www/[^/]*/cgi-bin(/.*)?,                      /var/www/perl(/.*)?,
42       /var/www/html/[^/]*/cgi-bin(/.*)?,              /usr/lib/cgi-bin(/.*)?,
43       /var/www/cgi-bin(/.*)?,   /var/www/svn/hooks(/.*)?,    /usr/share/word‐
44       press/.*.php,   /usr/local/nagios/sbin(/.*)?,  /usr/share/wordpress/wp-
45       includes/.*.php,                 /usr/share/wordpress-mu/wp-config.php,
46       /srv/([^/]*/)?www(/.*)?,        /var/www(/.*)?,       /etc/htdig(/.*)?,
47       /srv/gallery2(/.*)?,     /var/lib/trac(/.*)?,     /var/lib/htdig(/.*)?,
48       /var/www/icons(/.*)?,   /usr/share/glpi(/.*)?,  /usr/share/htdig(/.*)?,
49       /usr/share/drupal.*, /usr/share/z-push(/.*)?,  /var/www/svn/conf(/.*)?,
50       /usr/share/icecast(/.*)?,                     /var/lib/cacti/rra(/.*)?,
51       /usr/share/ntop/html(/.*)?,                /usr/share/nginx/html(/.*)?,
52       /usr/share/doc/ghc/html(/.*)?,          /usr/share/openca/htdocs(/.*)?,
53       /usr/share/selinux-policy[^/]*/html(/.*)?,  /usr/.*.cgi,   /opt/.*.cgi,
54       /var/www/[^/]*/cgi-bin(/.*)?,                      /var/www/perl(/.*)?,
55       /var/www/html/[^/]*/cgi-bin(/.*)?,              /usr/lib/cgi-bin(/.*)?,
56       /var/www/cgi-bin(/.*)?,    /var/www/svn/hooks(/.*)?,   /usr/share/word‐
57       press/.*.php,  /usr/local/nagios/sbin(/.*)?,   /usr/share/wordpress/wp-
58       includes/.*.php,                 /usr/share/wordpress-mu/wp-config.php,
59       /srv/([^/]*/)?www(/.*)?,       /var/www(/.*)?,        /etc/htdig(/.*)?,
60       /srv/gallery2(/.*)?,     /var/lib/trac(/.*)?,     /var/lib/htdig(/.*)?,
61       /var/www/icons(/.*)?,  /usr/share/glpi(/.*)?,   /usr/share/htdig(/.*)?,
62       /usr/share/drupal.*,  /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
63       /usr/share/icecast(/.*)?,                     /var/lib/cacti/rra(/.*)?,
64       /usr/share/ntop/html(/.*)?,                /usr/share/nginx/html(/.*)?,
65       /usr/share/doc/ghc/html(/.*)?,          /usr/share/openca/htdocs(/.*)?,
66       /usr/share/selinux-policy[^/]*/html(/.*)?
67

PROCESS TYPES

69       SELinux defines process types (domains) for each process running on the
70       system
71
72       You can see the context of a process using the -Z option to ps
73
74       Policy governs the access confined processes have  to  files.   SELinux
75       httpd_sys_script  policy is very flexible allowing users to setup their
76       httpd_sys_script processes in as secure a method as possible.
77
78       The following process types are defined for httpd_sys_script:
79
80       httpd_sys_script_t
81
82       Note: semanage permissive -a httpd_sys_script_t can be used to make the
83       process  type  httpd_sys_script_t  permissive.  SELinux  does  not deny
84       access to permissive process types, but the AVC (SELinux denials)  mes‐
85       sages are still generated.
86
87

BOOLEANS

89       SELinux   policy  is  customizable  based  on  least  access  required.
90       httpd_sys_script policy is extremely flexible and has several  booleans
91       that  allow  you to manipulate the policy and run httpd_sys_script with
92       the tightest access possible.
93
94
95
96       If you want to allow users to resolve user passwd entries directly from
97       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
98       gin_nsswitch_use_ldap boolean. Disabled by default.
99
100       setsebool -P authlogin_nsswitch_use_ldap 1
101
102
103
104       If you want to deny any process from ptracing or  debugging  any  other
105       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
106       default.
107
108       setsebool -P deny_ptrace 1
109
110
111
112       If you want to allow any process  to  mmap  any  file  on  system  with
113       attribute  file_type,  you must turn on the domain_can_mmap_files bool‐
114       ean. Enabled by default.
115
116       setsebool -P domain_can_mmap_files 1
117
118
119
120       If you want to allow all domains write to kmsg_device, while kernel  is
121       executed  with  systemd.log_target=kmsg parameter, you must turn on the
122       domain_can_write_kmsg boolean. Disabled by default.
123
124       setsebool -P domain_can_write_kmsg 1
125
126
127
128       If you want to allow all domains to use other domains file descriptors,
129       you must turn on the domain_fd_use boolean. Enabled by default.
130
131       setsebool -P domain_fd_use 1
132
133
134
135       If  you  want to allow all domains to have the kernel load modules, you
136       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
137       default.
138
139       setsebool -P domain_kernel_load_modules 1
140
141
142
143       If you want to allow all domains to execute in fips_mode, you must turn
144       on the fips_mode boolean. Enabled by default.
145
146       setsebool -P fips_mode 1
147
148
149
150       If you want to enable reading of urandom for all domains, you must turn
151       on the global_ssp boolean. Disabled by default.
152
153       setsebool -P global_ssp 1
154
155
156
157       If you want to allow httpd to use built in scripting (usually php), you
158       must turn on the httpd_builtin_scripting boolean. Disabled by default.
159
160       setsebool -P httpd_builtin_scripting 1
161
162
163
164       If you want to allow HTTPD scripts and modules to connect to  the  net‐
165       work using TCP, you must turn on the httpd_can_network_connect boolean.
166       Disabled by default.
167
168       setsebool -P httpd_can_network_connect 1
169
170
171
172       If you want to allow HTTPD scripts and modules to connect to  databases
173       over  the  network,  you  must turn on the httpd_can_network_connect_db
174       boolean. Disabled by default.
175
176       setsebool -P httpd_can_network_connect_db 1
177
178
179
180       If you want to allow http daemon to send mail, you  must  turn  on  the
181       httpd_can_sendmail boolean. Disabled by default.
182
183       setsebool -P httpd_can_sendmail 1
184
185
186
187       If  you  want  to  allow  httpd  cgi  support,  you  must  turn  on the
188       httpd_enable_cgi boolean. Disabled by default.
189
190       setsebool -P httpd_enable_cgi 1
191
192
193
194       If you want to allow httpd to read home directories, you must  turn  on
195       the httpd_enable_homedirs boolean. Disabled by default.
196
197       setsebool -P httpd_enable_homedirs 1
198
199
200
201       If  you  want to allow httpd scripts and modules execmem/execstack, you
202       must turn on the httpd_execmem boolean. Disabled by default.
203
204       setsebool -P httpd_execmem 1
205
206
207
208       If you want to allow httpd to read user content, you must turn  on  the
209       httpd_read_user_content boolean. Disabled by default.
210
211       setsebool -P httpd_read_user_content 1
212
213
214
215       If you want to allow HTTPD to run SSI executables in the same domain as
216       system CGI scripts, you must turn on the httpd_ssi_exec  boolean.  Dis‐
217       abled by default.
218
219       setsebool -P httpd_ssi_exec 1
220
221
222
223       If  you  want  to allow Apache to execute tmp content, you must turn on
224       the httpd_tmp_exec boolean. Disabled by default.
225
226       setsebool -P httpd_tmp_exec 1
227
228
229
230       If you want to unify HTTPD handling of all content files, you must turn
231       on the httpd_unified boolean. Disabled by default.
232
233       setsebool -P httpd_unified 1
234
235
236
237       If  you  want to allow httpd to access cifs file systems, you must turn
238       on the httpd_use_cifs boolean. Disabled by default.
239
240       setsebool -P httpd_use_cifs 1
241
242
243
244       If you want to allow httpd to access FUSE file systems, you  must  turn
245       on the httpd_use_fusefs boolean. Disabled by default.
246
247       setsebool -P httpd_use_fusefs 1
248
249
250
251       If you want to allow httpd to access nfs file systems, you must turn on
252       the httpd_use_nfs boolean. Disabled by default.
253
254       setsebool -P httpd_use_nfs 1
255
256
257
258       If you want to allow httpd to access openstack ports, you must turn  on
259       the httpd_use_openstack boolean. Disabled by default.
260
261       setsebool -P httpd_use_openstack 1
262
263
264
265       If  you  want  to allow confined applications to run with kerberos, you
266       must turn on the kerberos_enabled boolean. Enabled by default.
267
268       setsebool -P kerberos_enabled 1
269
270
271
272       If you want to allow system to run with  NIS,  you  must  turn  on  the
273       nis_enabled boolean. Disabled by default.
274
275       setsebool -P nis_enabled 1
276
277
278
279       If  you  want to allow confined applications to use nscd shared memory,
280       you must turn on the nscd_use_shm boolean. Disabled by default.
281
282       setsebool -P nscd_use_shm 1
283
284
285
286       If you want to allow unprivileged users to execute DDL  statement,  you
287       must  turn  on  the  postgresql_selinux_users_ddl  boolean.  Enabled by
288       default.
289
290       setsebool -P postgresql_selinux_users_ddl 1
291
292
293
294       If you want to support NFS home  directories,  you  must  turn  on  the
295       use_nfs_home_dirs boolean. Disabled by default.
296
297       setsebool -P use_nfs_home_dirs 1
298
299
300
301       If  you  want  to  support SAMBA home directories, you must turn on the
302       use_samba_home_dirs boolean. Disabled by default.
303
304       setsebool -P use_samba_home_dirs 1
305
306
307

MANAGED FILES

309       The SELinux process type httpd_sys_script_t can  manage  files  labeled
310       with  the following file types.  The paths listed are the default paths
311       for these file types.  Note the processes UID still need  to  have  DAC
312       permissions.
313
314       anon_inodefs_t
315
316
317       cifs_t
318
319
320       fusefs_t
321
322            /var/run/user/[^/]*/gvfs
323
324       httpd_sys_rw_content_t
325
326            /etc/glpi(/.*)?
327            /etc/horde(/.*)?
328            /etc/drupal.*
329            /etc/z-push(/.*)?
330            /var/lib/svn(/.*)?
331            /var/www/svn(/.*)?
332            /etc/owncloud(/.*)?
333            /var/www/html(/.*)?/uploads(/.*)?
334            /var/www/html(/.*)?/wp-content(/.*)?
335            /var/www/html(/.*)?/wp_backups(/.*)?
336            /var/www/html(/.*)?/sites/default/files(/.*)?
337            /var/www/html(/.*)?/sites/default/settings.php
338            /etc/nextcloud(/.*)?
339            /etc/mock/koji(/.*)?
340            /var/lib/drupal.*
341            /etc/zabbix/web(/.*)?
342            /var/lib/moodle(/.*)?
343            /var/log/z-push(/.*)?
344            /var/spool/gosa(/.*)?
345            /etc/WebCalendar(/.*)?
346            /usr/share/joomla(/.*)?
347            /var/lib/dokuwiki(/.*)?
348            /var/lib/owncloud(/.*)?
349            /var/spool/viewvc(/.*)?
350            /var/lib/nextcloud(/.*)?
351            /var/lib/pootle/po(/.*)?
352            /var/www/moodledata(/.*)?
353            /srv/gallery2/smarty(/.*)?
354            /var/www/moodle/data(/.*)?
355            /var/lib/graphite-web(/.*)?
356            /var/log/shibboleth-www(/.*)?
357            /var/www/gallery/albums(/.*)?
358            /var/www/html/owncloud/data(/.*)?
359            /var/www/html/nextcloud/data(/.*)?
360            /usr/share/wordpress-mu/wp-content(/.*)?
361            /usr/share/wordpress/wp-content/uploads(/.*)?
362            /usr/share/wordpress/wp-content/upgrade(/.*)?
363            /var/www/html/configuration.php
364
365       httpd_tmp_t
366
367            /var/run/user/apache(/.*)?
368            /var/www/openshift/console/tmp(/.*)?
369
370       httpdcontent
371
372
373       nfs_t
374
375
376       public_content_rw_t
377
378            /var/spool/abrt-upload(/.*)?
379
380

FILE CONTEXTS

382       SELinux requires files to have an extended attribute to define the file
383       type.
384
385       You can see the context of a file using the -Z option to ls
386
387       Policy governs the access  confined  processes  have  to  these  files.
388       SELinux httpd_sys_script policy is very flexible allowing users to set‐
389       up their httpd_sys_script processes in as secure a method as possible.
390
391       The following file types are defined for httpd_sys_script:
392
393
394
395       httpd_sys_script_exec_t
396
397       - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
398       sition an executable to the httpd_sys_script_t domain.
399
400
401       Paths:
402            /usr/.*.cgi,       /opt/.*.cgi,      /var/www/[^/]*/cgi-bin(/.*)?,
403            /var/www/perl(/.*)?,            /var/www/html/[^/]*/cgi-bin(/.*)?,
404            /usr/lib/cgi-bin(/.*)?,                    /var/www/cgi-bin(/.*)?,
405            /var/www/svn/hooks(/.*)?,             /usr/share/wordpress/.*.php,
406            /usr/local/nagios/sbin(/.*)?,             /usr/share/wordpress/wp-
407            includes/.*.php, /usr/share/wordpress-mu/wp-config.php
408
409
410       Note: File context can be temporarily modified with the chcon  command.
411       If  you want to permanently change the file context you need to use the
412       semanage fcontext command.  This will modify the SELinux labeling data‐
413       base.  You will need to use restorecon to apply the labels.
414
415

SHARING FILES

417       If  you  want to share files with multiple domains (Apache, FTP, rsync,
418       Samba), you can set a file context of public_content_t and  public_con‐
419       tent_rw_t.   These  context  allow any of the above domains to read the
420       content.  If you want a particular domain to write to  the  public_con‐
421       tent_rw_t domain, you must set the appropriate boolean.
422
423       Allow httpd_sys_script servers to read the /var/httpd_sys_script direc‐
424       tory by adding the public_content_t file type to the directory  and  by
425       restoring the file type.
426
427       semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?"
428       restorecon -F -R -v /var/httpd_sys_script
429
430       Allow     httpd_sys_script     servers     to     read     and    write
431       /var/httpd_sys_script/incoming by adding the  public_content_rw_t  type
432       to the directory and by restoring the file type.  You also need to turn
433       on the httpd_sys_script_anon_write boolean.
434
435       semanage        fcontext        -a        -t        public_content_rw_t
436       "/var/httpd_sys_script/incoming(/.*)?"
437       restorecon -F -R -v /var/httpd_sys_script/incoming
438       setsebool -P httpd_sys_script_anon_write 1
439
440
441       If  you want to allow apache scripts to write to public content, direc‐
442       tories/files must be labeled public_rw_content_t., you must turn on the
443       httpd_sys_script_anon_write boolean.
444
445       setsebool -P httpd_sys_script_anon_write 1
446
447

COMMANDS

449       semanage  fcontext  can also be used to manipulate default file context
450       mappings.
451
452       semanage permissive can also be used to manipulate  whether  or  not  a
453       process type is permissive.
454
455       semanage  module can also be used to enable/disable/install/remove pol‐
456       icy modules.
457
458       semanage boolean can also be used to manipulate the booleans
459
460
461       system-config-selinux is a GUI tool available to customize SELinux pol‐
462       icy settings.
463
464

AUTHOR

466       This manual page was auto-generated using sepolicy manpage .
467
468