1httpd_selinux(8) SELinux Policy httpd httpd_selinux(8)
2
3
4
6 httpd_selinux - Security Enhanced Linux Policy for the httpd processes
7
9 Security-Enhanced Linux secures the httpd processes via flexible manda‐
10 tory access control.
11
12 The httpd processes execute with the httpd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep httpd_t
19
20
21
23 The httpd_t SELinux type can be entered via the httpd_exec_t file type.
24
25 The default entrypoint paths for the httpd_t domain are the following:
26
27 /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-
28 ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
29 /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
30 /usr/sbin/httpd.event, /usr/bin/mongrel_rails, /usr/sbin/htcacheclean
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 httpd policy is very flexible allowing users to setup their httpd pro‐
40 cesses in as secure a method as possible.
41
42 The following process types are defined for httpd:
43
44 httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t, httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t, httpd_passwd_t, httpd_unconfined_script_t
45
46 Note: semanage permissive -a httpd_t can be used to make the process
47 type httpd_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. httpd
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run httpd with the tightest access possible.
56
57
58
59 If you want to allow httpd to use built in scripting (usually php), you
60 must turn on the httpd_builtin_scripting boolean. Enabled by default.
61
62 setsebool -P httpd_builtin_scripting 1
63
64
65
66 If you want to allow httpd to act as a FTP client connecting to the ftp
67 port and ephemeral ports, you must turn on the httpd_can_connect_ftp
68 boolean. Disabled by default.
69
70 setsebool -P httpd_can_connect_ftp 1
71
72
73
74 If you want to allow httpd to connect to the ldap port, you must turn
75 on the httpd_can_connect_ldap boolean. Disabled by default.
76
77 setsebool -P httpd_can_connect_ldap 1
78
79
80
81 If you want to allow http daemon to connect to mythtv, you must turn on
82 the httpd_can_connect_mythtv boolean. Disabled by default.
83
84 setsebool -P httpd_can_connect_mythtv 1
85
86
87
88 If you want to allow http daemon to connect to zabbix, you must turn on
89 the httpd_can_connect_zabbix boolean. Disabled by default.
90
91 setsebool -P httpd_can_connect_zabbix 1
92
93
94
95 If you want to allow HTTPD scripts and modules to connect to the net‐
96 work using TCP, you must turn on the httpd_can_network_connect boolean.
97 Disabled by default.
98
99 setsebool -P httpd_can_network_connect 1
100
101
102
103 If you want to allow HTTPD scripts and modules to connect to cobbler
104 over the network, you must turn on the httpd_can_network_connect_cob‐
105 bler boolean. Disabled by default.
106
107 setsebool -P httpd_can_network_connect_cobbler 1
108
109
110
111 If you want to allow HTTPD scripts and modules to connect to databases
112 over the network, you must turn on the httpd_can_network_connect_db
113 boolean. Disabled by default.
114
115 setsebool -P httpd_can_network_connect_db 1
116
117
118
119 If you want to allow httpd to connect to memcache server, you must turn
120 on the httpd_can_network_memcache boolean. Disabled by default.
121
122 setsebool -P httpd_can_network_memcache 1
123
124
125
126 If you want to allow httpd to act as a relay, you must turn on the
127 httpd_can_network_relay boolean. Disabled by default.
128
129 setsebool -P httpd_can_network_relay 1
130
131
132
133 If you want to allow http daemon to send mail, you must turn on the
134 httpd_can_sendmail boolean. Disabled by default.
135
136 setsebool -P httpd_can_sendmail 1
137
138
139
140 If you want to allow Apache to communicate with avahi service via dbus,
141 you must turn on the httpd_dbus_avahi boolean. Disabled by default.
142
143 setsebool -P httpd_dbus_avahi 1
144
145
146
147 If you want to allow Apache to communicate with sssd service via dbus,
148 you must turn on the httpd_dbus_sssd boolean. Disabled by default.
149
150 setsebool -P httpd_dbus_sssd 1
151
152
153
154 If you want to allow httpd cgi support, you must turn on the
155 httpd_enable_cgi boolean. Enabled by default.
156
157 setsebool -P httpd_enable_cgi 1
158
159
160
161 If you want to allow httpd to act as a FTP server by listening on the
162 ftp port, you must turn on the httpd_enable_ftp_server boolean. Dis‐
163 abled by default.
164
165 setsebool -P httpd_enable_ftp_server 1
166
167
168
169 If you want to allow httpd to read home directories, you must turn on
170 the httpd_enable_homedirs boolean. Disabled by default.
171
172 setsebool -P httpd_enable_homedirs 1
173
174
175
176 If you want to allow httpd scripts and modules execmem/execstack, you
177 must turn on the httpd_execmem boolean. Disabled by default.
178
179 setsebool -P httpd_execmem 1
180
181
182
183 If you want to allow HTTPD to connect to port 80 for graceful shutdown,
184 you must turn on the httpd_graceful_shutdown boolean. Disabled by
185 default.
186
187 setsebool -P httpd_graceful_shutdown 1
188
189
190
191 If you want to allow httpd processes to manage IPA content, you must
192 turn on the httpd_manage_ipa boolean. Disabled by default.
193
194 setsebool -P httpd_manage_ipa 1
195
196
197
198 If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
199 on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.
200
201 setsebool -P httpd_mod_auth_ntlm_winbind 1
202
203
204
205 If you want to allow Apache to use mod_auth_pam, you must turn on the
206 httpd_mod_auth_pam boolean. Disabled by default.
207
208 setsebool -P httpd_mod_auth_pam 1
209
210
211
212 If you want to allow httpd to read user content, you must turn on the
213 httpd_read_user_content boolean. Disabled by default.
214
215 setsebool -P httpd_read_user_content 1
216
217
218
219 If you want to allow httpd processes to run IPA helper, you must turn
220 on the httpd_run_ipa boolean. Disabled by default.
221
222 setsebool -P httpd_run_ipa 1
223
224
225
226 If you want to allow Apache to run preupgrade, you must turn on the
227 httpd_run_preupgrade boolean. Enabled by default.
228
229 setsebool -P httpd_run_preupgrade 1
230
231
232
233 If you want to allow Apache to run in stickshift mode, not transition
234 to passenger, you must turn on the httpd_run_stickshift boolean.
235 Enabled by default.
236
237 setsebool -P httpd_run_stickshift 1
238
239
240
241 If you want to allow HTTPD scripts and modules to server cobbler files,
242 you must turn on the httpd_serve_cobbler_files boolean. Enabled by
243 default.
244
245 setsebool -P httpd_serve_cobbler_files 1
246
247
248
249 If you want to allow httpd daemon to change its resource limits, you
250 must turn on the httpd_setrlimit boolean. Disabled by default.
251
252 setsebool -P httpd_setrlimit 1
253
254
255
256 If you want to allow HTTPD to run SSI executables in the same domain as
257 system CGI scripts, you must turn on the httpd_ssi_exec boolean. Dis‐
258 abled by default.
259
260 setsebool -P httpd_ssi_exec 1
261
262
263
264 If you want to unify HTTPD to communicate with the terminal. Needed for
265 entering the passphrase for certificates at the terminal, you must turn
266 on the httpd_tty_comm boolean. Disabled by default.
267
268 setsebool -P httpd_tty_comm 1
269
270
271
272 If you want to allow httpd to access cifs file systems, you must turn
273 on the httpd_use_cifs boolean. Disabled by default.
274
275 setsebool -P httpd_use_cifs 1
276
277
278
279 If you want to allow httpd to access FUSE file systems, you must turn
280 on the httpd_use_fusefs boolean. Disabled by default.
281
282 setsebool -P httpd_use_fusefs 1
283
284
285
286 If you want to allow httpd to access nfs file systems, you must turn on
287 the httpd_use_nfs boolean. Disabled by default.
288
289 setsebool -P httpd_use_nfs 1
290
291
292
293 If you want to allow httpd to access openstack ports, you must turn on
294 the httpd_use_openstack boolean. Disabled by default.
295
296 setsebool -P httpd_use_openstack 1
297
298
299
300 If you want to allow httpd to connect to sasl, you must turn on the
301 httpd_use_sasl boolean. Disabled by default.
302
303 setsebool -P httpd_use_sasl 1
304
305
306
307 If you want to allow Apache to query NS records, you must turn on the
308 httpd_verify_dns boolean. Disabled by default.
309
310 setsebool -P httpd_verify_dns 1
311
312
313
314 If you want to allow users to resolve user passwd entries directly from
315 ldap rather then using a sssd server, you must turn on the authlo‐
316 gin_nsswitch_use_ldap boolean. Disabled by default.
317
318 setsebool -P authlogin_nsswitch_use_ldap 1
319
320
321
322 If you want to deny any process from ptracing or debugging any other
323 processes, you must turn on the deny_ptrace boolean. Enabled by
324 default.
325
326 setsebool -P deny_ptrace 1
327
328
329
330 If you want to allow all domains to execute in fips_mode, you must turn
331 on the fips_mode boolean. Enabled by default.
332
333 setsebool -P fips_mode 1
334
335
336
337 If you want to determine whether Git system daemon can access cifs file
338 systems, you must turn on the git_system_use_cifs boolean. Disabled by
339 default.
340
341 setsebool -P git_system_use_cifs 1
342
343
344
345 If you want to determine whether Git system daemon can access nfs file
346 systems, you must turn on the git_system_use_nfs boolean. Disabled by
347 default.
348
349 setsebool -P git_system_use_nfs 1
350
351
352
353 If you want to allow confined applications to run with kerberos, you
354 must turn on the kerberos_enabled boolean. Enabled by default.
355
356 setsebool -P kerberos_enabled 1
357
358
359
360 If you want to allow system to run with NIS, you must turn on the
361 nis_enabled boolean. Disabled by default.
362
363 setsebool -P nis_enabled 1
364
365
366
367 If you want to allow confined applications to use nscd shared memory,
368 you must turn on the nscd_use_shm boolean. Disabled by default.
369
370 setsebool -P nscd_use_shm 1
371
372
373
375 If you want to allow users to resolve user passwd entries directly from
376 ldap rather then using a sssd server for the httpd_t, you must turn on
377 the authlogin_nsswitch_use_ldap boolean.
378
379 setsebool -P authlogin_nsswitch_use_ldap 1
380
381
382 If you want to allow confined applications to run with kerberos for the
383 httpd_t, you must turn on the kerberos_enabled boolean.
384
385 setsebool -P kerberos_enabled 1
386
387
389 SELinux defines port types to represent TCP and UDP ports.
390
391 You can see the types associated with a port by using the following
392 command:
393
394 semanage port -l
395
396
397 Policy governs the access confined processes have to these ports.
398 SELinux httpd policy is very flexible allowing users to setup their
399 httpd processes in as secure a method as possible.
400
401 The following port types are defined for httpd:
402
403
404 http_cache_port_t
405
406
407
408 Default Defined Ports:
409 tcp 8080,8118,8123,10001-10010
410 udp 3130
411
412
413 http_port_t
414
415
416
417 Default Defined Ports:
418 tcp 80,81,443,488,8008,8009,8443,9000
419
421 The SELinux process type httpd_t can manage files labeled with the fol‐
422 lowing file types. The paths listed are the default paths for these
423 file types. Note the processes UID still need to have DAC permissions.
424
425 abrt_retrace_spool_t
426
427 /var/spool/faf(/.*)?
428 /var/spool/abrt-retrace(/.*)?
429 /var/spool/retrace-server(/.*)?
430
431 anon_inodefs_t
432
433
434 apcupsd_cgi_rw_content_t
435
436
437 awstats_rw_content_t
438
439
440 bugzilla_rw_content_t
441
442 /var/lib/bugzilla(/.*)?
443
444 cifs_t
445
446
447 cluster_conf_t
448
449 /etc/cluster(/.*)?
450
451 cluster_var_lib_t
452
453 /var/lib/pcsd(/.*)?
454 /var/lib/cluster(/.*)?
455 /var/lib/openais(/.*)?
456 /var/lib/pengine(/.*)?
457 /var/lib/corosync(/.*)?
458 /usr/lib/heartbeat(/.*)?
459 /var/lib/heartbeat(/.*)?
460 /var/lib/pacemaker(/.*)?
461
462 cluster_var_run_t
463
464 /var/run/crm(/.*)?
465 /var/run/cman_.*
466 /var/run/rsctmp(/.*)?
467 /var/run/aisexec.*
468 /var/run/heartbeat(/.*)?
469 /var/run/corosync-qnetd(/.*)?
470 /var/run/corosync-qdevice(/.*)?
471 /var/run/corosync.pid
472 /var/run/cpglockd.pid
473 /var/run/rgmanager.pid
474 /var/run/cluster/rgmanager.sk
475
476 cobbler_var_lib_t
477
478 /var/lib/cobbler(/.*)?
479 /var/www/cobbler(/.*)?
480 /var/cache/cobbler(/.*)?
481 /var/lib/tftpboot/etc(/.*)?
482 /var/lib/tftpboot/ppc(/.*)?
483 /var/lib/tftpboot/boot(/.*)?
484 /var/lib/tftpboot/grub(/.*)?
485 /var/lib/tftpboot/s390x(/.*)?
486 /var/lib/tftpboot/images(/.*)?
487 /var/lib/tftpboot/aarch64(/.*)?
488 /var/lib/tftpboot/images2(/.*)?
489 /var/lib/tftpboot/pxelinux.cfg(/.*)?
490 /var/lib/tftpboot/yaboot
491 /var/lib/tftpboot/memdisk
492 /var/lib/tftpboot/menu.c32
493 /var/lib/tftpboot/pxelinux.0
494
495 collectd_rw_content_t
496
497
498 cvs_rw_content_t
499
500
501 dirsrv_config_t
502
503 /etc/dirsrv(/.*)?
504
505 dirsrv_var_log_t
506
507 /var/log/dirsrv(/.*)?
508
509 dirsrv_var_run_t
510
511 /var/run/slapd.*
512 /var/run/dirsrv(/.*)?
513
514 dirsrvadmin_config_t
515
516 /etc/dirsrv/dsgw(/.*)?
517 /etc/dirsrv/admin-serv(/.*)?
518
519 dirsrvadmin_rw_content_t
520
521
522 dirsrvadmin_tmp_t
523
524
525 dspam_rw_content_t
526
527 /var/lib/dspam/data(/.*)?
528
529 fusefs_t
530
531 /var/run/user/[^/]*/gvfs
532
533 git_rw_content_t
534
535 /var/cache/cgit(/.*)?
536 /var/cache/gitweb-caching(/.*)?
537
538 httpd_cache_t
539
540 /var/cache/rt(3|4)(/.*)?
541 /var/cache/ssl.*.sem
542 /var/cache/mod_.*
543 /var/cache/php-.*
544 /var/cache/httpd(/.*)?
545 /var/cache/mason(/.*)?
546 /var/cache/mod_ssl(/.*)?
547 /var/cache/lighttpd(/.*)?
548 /var/cache/mediawiki(/.*)?
549 /var/cache/mod_proxy(/.*)?
550 /var/cache/mod_gnutls(/.*)?
551 /var/cache/php-mmcache(/.*)?
552 /var/cache/php-eaccelerator(/.*)?
553
554 httpd_lock_t
555
556
557 httpd_squirrelmail_t
558
559 /var/lib/squirrelmail/prefs(/.*)?
560
561 httpd_sys_rw_content_t
562
563 /etc/rt(/.*)?
564 /etc/glpi(/.*)?
565 /etc/horde(/.*)?
566 /etc/drupal.*
567 /etc/z-push(/.*)?
568 /var/lib/svn(/.*)?
569 /var/www/svn(/.*)?
570 /etc/owncloud(/.*)?
571 /var/www/html(/.*)?/uploads(/.*)?
572 /var/www/html(/.*)?/wp-content(/.*)?
573 /var/www/html(/.*)?/wp_backups(/.*)?
574 /var/www/html(/.*)?/sites/default/files(/.*)?
575 /var/www/html(/.*)?/sites/default/settings.php
576 /etc/mock/koji(/.*)?
577 /etc/nextcloud(/.*)?
578 /var/lib/drupal.*
579 /etc/zabbix/web(/.*)?
580 /var/lib/moodle(/.*)?
581 /var/log/z-push(/.*)?
582 /var/spool/gosa(/.*)?
583 /etc/WebCalendar(/.*)?
584 /usr/share/joomla(/.*)?
585 /var/lib/dokuwiki(/.*)?
586 /var/lib/owncloud(/.*)?
587 /var/spool/viewvc(/.*)?
588 /var/lib/nextcloud(/.*)?
589 /var/lib/pootle/po(/.*)?
590 /var/lib/phpMyAdmin(/.*)?
591 /var/www/moodledata(/.*)?
592 /srv/gallery2/smarty(/.*)?
593 /var/www/moodle/data(/.*)?
594 /var/lib/graphite-web(/.*)?
595 /var/log/shibboleth-www(/.*)?
596 /var/www/gallery/albums(/.*)?
597 /var/www/html/owncloud/data(/.*)?
598 /var/www/html/nextcloud/data(/.*)?
599 /usr/share/wordpress-mu/wp-content(/.*)?
600 /usr/share/wordpress/wp-content/upgrade(/.*)?
601 /usr/share/wordpress/wp-content/uploads(/.*)?
602 /var/www/html/configuration.php
603
604 httpd_tmp_t
605
606 /var/run/user/apache(/.*)?
607 /var/www/openshift/console/tmp(/.*)?
608
609 httpd_tmpfs_t
610
611
612 httpd_user_rw_content_t
613
614
615 httpd_var_lib_t
616
617 /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
618 /var/lib/dav(/.*)?
619 /var/lib/php(/.*)?
620 /var/lib/glpi(/.*)?
621 /var/lib/httpd(/.*)?
622 /var/lib/nginx(/.*)?
623 /var/lib/z-push(/.*)?
624 /var/lib/ganglia(/.*)?
625 /var/lib/ipsilon(/.*)?
626 /var/lib/cherokee(/.*)?
627 /var/lib/lighttpd(/.*)?
628 /var/lib/mod_security(/.*)?
629 /var/lib/roundcubemail(/.*)?
630 /var/opt/rh/rh-nginx18/lib/nginx(/.*)?
631
632 httpd_var_run_t
633
634 /var/run/wsgi.*
635 /var/run/mod_.*
636 /var/run/httpd.*
637 /var/run/nginx.*
638 /var/run/apache.*
639 /var/run/php-fpm(/.*)?
640 /var/run/fcgiwrap(/.*)?
641 /var/run/lighttpd(/.*)?
642 /var/lib/php/session(/.*)?
643 /var/lib/php/wsdlcache(/.*)?
644 /var/run/dirsrv/admin-serv.*
645 /var/opt/rh/rh-nginx18/run/nginx(/.*)?
646 /var/www/openshift/broker/httpd/run(/.*)?
647 /var/www/openshift/console/httpd/run(/.*)?
648 /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
649 /var/run/thttpd.pid
650 /var/run/gcache_port
651 /var/run/cherokee.pid
652
653 httpdcontent
654
655
656 hugetlbfs_t
657
658 /dev/hugepages
659 /usr/lib/udev/devices/hugepages
660
661 ipa_cert_t
662
663 /etc/httpd/alias/ipasession.key
664
665 ipa_var_run_t
666
667 /var/run/ipa(/.*)?
668
669 jetty_cache_t
670
671 /var/cache/jetty(/.*)?
672
673 jetty_log_t
674
675 /var/log/jetty(/.*)?
676
677 jetty_tmp_t
678
679
680 jetty_unit_file_t
681
682 /usr/lib/systemd/system/jetty.service
683
684 jetty_var_lib_t
685
686 /var/lib/jetty(/.*)?
687
688 jetty_var_run_t
689
690 /var/run/jetty(/.*)?
691
692 keystone_cgi_rw_content_t
693
694
695 krb5_host_rcache_t
696
697 /var/cache/krb5rcache(/.*)?
698 /var/tmp/nfs_0
699 /var/tmp/DNS_25
700 /var/tmp/host_0
701 /var/tmp/imap_0
702 /var/tmp/HTTP_23
703 /var/tmp/HTTP_48
704 /var/tmp/ldap_55
705 /var/tmp/ldap_487
706 /var/tmp/ldapmap1_0
707
708 man2html_rw_content_t
709
710 /var/cache/man2html(/.*)?
711
712 mediawiki_rw_content_t
713
714 /var/www/wiki[0-9]?(/.*)?
715
716 memcached_var_run_t
717
718 /var/run/memcached(/.*)?
719 /var/run/ipa_memcached(/.*)?
720
721 mirrormanager_var_run_t
722
723 /var/run/mirrormanager(/.*)?
724
725 mojomojo_rw_content_t
726
727 /var/lib/mojomojo(/.*)?
728
729 munin_rw_content_t
730
731
732 mythtv_rw_content_t
733
734
735 nagios_rw_content_t
736
737
738 nfs_t
739
740
741 nutups_cgi_rw_content_t
742
743
744 openshift_rw_content_t
745
746
747 passenger_tmp_t
748
749
750 passenger_var_lib_t
751
752 /var/lib/passenger(/.*)?
753
754 passenger_var_run_t
755
756 /var/run/passenger(/.*)?
757
758 pki_apache_config
759
760
761 pki_apache_var_lib
762
763
764 pki_apache_var_log
765
766
767 postfix_spool_t
768
769 /var/spool/postfix.*
770 /var/spool/postfix/defer(/.*)?
771 /var/spool/postfix/flush(/.*)?
772 /var/spool/postfix/deferred(/.*)?
773 /var/spool/postfix/maildrop(/.*)?
774
775 preupgrade_data_t
776
777 /var/lib/preupgrade(/.*)?
778 /var/log/preupgrade(/.*)?
779
780 prewikka_rw_content_t
781
782
783 public_content_rw_t
784
785 /var/spool/abrt-upload(/.*)?
786
787 root_t
788
789 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
790 /
791 /initrd
792
793 security_t
794
795 /selinux
796
797 smokeping_cgi_rw_content_t
798
799
800 squid_rw_content_t
801
802
803 squirrelmail_spool_t
804
805 /var/spool/squirrelmail(/.*)?
806
807 systemd_passwd_var_run_t
808
809 /var/run/systemd/ask-password(/.*)?
810 /var/run/systemd/ask-password-block(/.*)?
811
812 w3c_validator_rw_content_t
813
814
815 webalizer_rw_content_t
816
817 /var/www/usage(/.*)?
818
819 zarafa_var_lib_t
820
821 /var/lib/zarafa(/.*)?
822 /var/lib/zarafa-webapp(/.*)?
823 /var/lib/zarafa-webaccess(/.*)?
824
825 zoneminder_rw_content_t
826
827
828 zoneminder_var_lib_t
829
830 /var/lib/zoneminder(/.*)?
831
832
834 SELinux requires files to have an extended attribute to define the file
835 type.
836
837 You can see the context of a file using the -Z option to ls
838
839 Policy governs the access confined processes have to these files.
840 SELinux httpd policy is very flexible allowing users to setup their
841 httpd processes in as secure a method as possible.
842
843 EQUIVALENCE DIRECTORIES
844
845
846 httpd policy stores data with multiple different file context types
847 under the /var/lib/php directory. If you would like to store the data
848 in a different directory you can use the semanage command to create an
849 equivalence mapping. If you wanted to store this data under the /srv
850 dirctory you would execute the following command:
851
852 semanage fcontext -a -e /var/lib/php /srv/php
853 restorecon -R -v /srv/php
854
855 httpd policy stores data with multiple different file context types
856 under the /var/www directory. If you would like to store the data in a
857 different directory you can use the semanage command to create an
858 equivalence mapping. If you wanted to store this data under the /srv
859 dirctory you would execute the following command:
860
861 semanage fcontext -a -e /var/www /srv/www
862 restorecon -R -v /srv/www
863
864 STANDARD FILE CONTEXT
865
866 SELinux defines the file context types for the httpd, if you wanted to
867 store files with these types in a diffent paths, you need to execute
868 the semanage command to sepecify alternate labeling and then use
869 restorecon to put the labels on disk.
870
871 semanage fcontext -a -t httpd_var_run_t '/srv/myhttpd_content(/.*)?'
872 restorecon -R -v /srv/myhttpd_content
873
874 Note: SELinux often uses regular expressions to specify labels that
875 match multiple files.
876
877 The following file types are defined for httpd:
878
879
880
881 httpd_cache_t
882
883 - Set files with the httpd_cache_t type, if you want to store the files
884 under the /var/cache directory.
885
886
887 Paths:
888 /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
889 /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
890 /var/cache/mod_ssl(/.*)?, /var/cache/lighttpd(/.*)?,
891 /var/cache/mediawiki(/.*)?, /var/cache/mod_proxy(/.*)?,
892 /var/cache/mod_gnutls(/.*)?, /var/cache/php-mmcache(/.*)?,
893 /var/cache/php-eaccelerator(/.*)?
894
895
896 httpd_config_t
897
898 - Set files with the httpd_config_t type, if you want to treat the
899 files as httpd configuration data, usually stored under the /etc direc‐
900 tory.
901
902
903 Paths:
904 /etc/httpd(/.*)?, /etc/nginx(/.*)?, /etc/apache(2)?(/.*)?,
905 /etc/cherokee(/.*)?, /etc/lighttpd(/.*)?, /etc/apache-
906 ssl(2)?(/.*)?, /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-
907 nginx18/nginx(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?,
908 /etc/vhosts, /etc/thttpd.conf
909
910
911 httpd_exec_t
912
913 - Set files with the httpd_exec_t type, if you want to transition an
914 executable to the httpd_t domain.
915
916
917 Paths:
918 /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-
919 ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx,
920 /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
921 /usr/sbin/lighttpd, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
922 /usr/sbin/htcacheclean
923
924
925 httpd_helper_exec_t
926
927 - Set files with the httpd_helper_exec_t type, if you want to transi‐
928 tion an executable to the httpd_helper_t domain.
929
930
931
932 httpd_initrc_exec_t
933
934 - Set files with the httpd_initrc_exec_t type, if you want to transi‐
935 tion an executable to the httpd_initrc_t domain.
936
937
938 Paths:
939 /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
940 /etc/rc.d/init.d/lighttpd
941
942
943 httpd_keytab_t
944
945 - Set files with the httpd_keytab_t type, if you want to treat the
946 files as kerberos keytab files.
947
948
949
950 httpd_lock_t
951
952 - Set files with the httpd_lock_t type, if you want to treat the files
953 as httpd lock data, stored under the /var/lock directory
954
955
956
957 httpd_log_t
958
959 - Set files with the httpd_log_t type, if you want to treat the data as
960 httpd log data, usually stored under the /var/log directory.
961
962
963 Paths:
964 /srv/([^/]*/)?www/logs(/.*)?, /var/www(/.*)?/logs(/.*)?,
965 /var/log/glpi(/.*)?, /var/log/cacti(/.*)?, /var/log/httpd(/.*)?,
966 /var/log/nginx(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/hori‐
967 zon(/.*)?, /var/log/php-fpm(/.*)?, /var/log/cherokee(/.*)?,
968 /var/log/lighttpd(/.*)?, /var/log/suphp.log.*,
969 /var/log/thttpd.log.*, /var/log/apache-ssl(2)?(/.*)?,
970 /var/log/cgiwrap.log.*, /var/www/stickshift/[^/]*/log(/.*)?,
971 /var/log/graphite-web(/.*)?, /var/www/miq/vmdb/log(/.*)?,
972 /var/log/roundcubemail(/.*)?, /var/log/php_errors.log.*,
973 /var/log/dirsrv/admin-serv(/.*)?, /var/opt/rh/rh-
974 nginx18/log(/.*)?, /var/lib/openshift/.log/httpd(/.*)?,
975 /var/www/openshift/console/log(/.*)?, /var/www/openshift/bro‐
976 ker/httpd/logs(/.*)?, /var/www/openshift/console/httpd/logs(/.*)?,
977 /etc/httpd/logs
978
979
980 httpd_modules_t
981
982 - Set files with the httpd_modules_t type, if you want to treat the
983 files as httpd modules.
984
985
986 Paths:
987 /usr/lib/httpd(/.*)?, /usr/lib/apache(/.*)?, /usr/lib/chero‐
988 kee(/.*)?, /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/mod‐
989 ules(/.*)?, /etc/httpd/modules
990
991
992 httpd_passwd_exec_t
993
994 - Set files with the httpd_passwd_exec_t type, if you want to transi‐
995 tion an executable to the httpd_passwd_t domain.
996
997
998
999 httpd_php_exec_t
1000
1001 - Set files with the httpd_php_exec_t type, if you want to transition
1002 an executable to the httpd_php_t domain.
1003
1004
1005
1006 httpd_php_tmp_t
1007
1008 - Set files with the httpd_php_tmp_t type, if you want to store httpd
1009 php temporary files in the /tmp directories.
1010
1011
1012
1013 httpd_rotatelogs_exec_t
1014
1015 - Set files with the httpd_rotatelogs_exec_t type, if you want to tran‐
1016 sition an executable to the httpd_rotatelogs_t domain.
1017
1018
1019
1020 httpd_squirrelmail_t
1021
1022 - Set files with the httpd_squirrelmail_t type, if you want to treat
1023 the files as httpd squirrelmail data.
1024
1025
1026
1027 httpd_suexec_exec_t
1028
1029 - Set files with the httpd_suexec_exec_t type, if you want to transi‐
1030 tion an executable to the httpd_suexec_t domain.
1031
1032
1033 Paths:
1034 /usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgi‐
1035 wrap(d)?, /usr/sbin/suexec
1036
1037
1038 httpd_suexec_tmp_t
1039
1040 - Set files with the httpd_suexec_tmp_t type, if you want to store
1041 httpd suexec temporary files in the /tmp directories.
1042
1043
1044
1045 httpd_sys_content_t
1046
1047 - Set files with the httpd_sys_content_t type, if you want to treat the
1048 files as httpd sys content.
1049
1050
1051 Paths:
1052 /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
1053 /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
1054 /var/www/icons(/.*)?, /usr/share/glpi(/.*)?,
1055 /usr/share/htdig(/.*)?, /usr/share/drupal.*, /usr/share/z-
1056 push(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?,
1057 /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?,
1058 /usr/share/nginx/html(/.*)?, /usr/share/doc/ghc/html(/.*)?,
1059 /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-pol‐
1060 icy[^/]*/html(/.*)?
1061
1062
1063 httpd_sys_htaccess_t
1064
1065 - Set files with the httpd_sys_htaccess_t type, if you want to treat
1066 the file as a httpd sys access file.
1067
1068
1069
1070 httpd_sys_ra_content_t
1071
1072 - Set files with the httpd_sys_ra_content_t type, if you want to treat
1073 the files as httpd sys read/append content.
1074
1075
1076
1077 httpd_sys_rw_content_t
1078
1079 - Set files with the httpd_sys_rw_content_t type, if you want to treat
1080 the files as httpd sys read/write content.
1081
1082
1083 Paths:
1084 /etc/rt(/.*)?, /etc/glpi(/.*)?, /etc/horde(/.*)?, /etc/drupal.*,
1085 /etc/z-push(/.*)?, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
1086 /etc/owncloud(/.*)?, /var/www/html(/.*)?/uploads(/.*)?,
1087 /var/www/html(/.*)?/wp-content(/.*)?, /var/www/html(/.*)?/wp_back‐
1088 ups(/.*)?, /var/www/html(/.*)?/sites/default/files(/.*)?,
1089 /var/www/html(/.*)?/sites/default/settings.php,
1090 /etc/mock/koji(/.*)?, /etc/nextcloud(/.*)?, /var/lib/drupal.*,
1091 /etc/zabbix/web(/.*)?, /var/lib/moodle(/.*)?, /var/log/z-
1092 push(/.*)?, /var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?,
1093 /usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?, /var/lib/own‐
1094 cloud(/.*)?, /var/spool/viewvc(/.*)?, /var/lib/nextcloud(/.*)?,
1095 /var/lib/pootle/po(/.*)?, /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
1096 dledata(/.*)?, /srv/gallery2/smarty(/.*)?, /var/www/moo‐
1097 dle/data(/.*)?, /var/lib/graphite-web(/.*)?, /var/log/shibboleth-
1098 www(/.*)?, /var/www/gallery/albums(/.*)?, /var/www/html/own‐
1099 cloud/data(/.*)?, /var/www/html/nextcloud/data(/.*)?,
1100 /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-
1101 content/upgrade(/.*)?, /usr/share/wordpress/wp-con‐
1102 tent/uploads(/.*)?, /var/www/html/configuration.php
1103
1104
1105 httpd_sys_script_exec_t
1106
1107 - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
1108 sition an executable to the httpd_sys_script_t domain.
1109
1110
1111 Paths:
1112 /opt/.*.cgi, /usr/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
1113 /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
1114 /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?,
1115 /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*.php,
1116 /usr/local/nagios/sbin(/.*)?, /usr/share/wordpress/wp-
1117 includes/.*.php, /usr/share/wordpress-mu/wp-config.php
1118
1119
1120 httpd_tmp_t
1121
1122 - Set files with the httpd_tmp_t type, if you want to store httpd tem‐
1123 porary files in the /tmp directories.
1124
1125
1126 Paths:
1127 /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?
1128
1129
1130 httpd_tmpfs_t
1131
1132 - Set files with the httpd_tmpfs_t type, if you want to store httpd
1133 files on a tmpfs file system.
1134
1135
1136
1137 httpd_unconfined_script_exec_t
1138
1139 - Set files with the httpd_unconfined_script_exec_t type, if you want
1140 to transition an executable to the httpd_unconfined_script_t domain.
1141
1142
1143
1144 httpd_unit_file_t
1145
1146 - Set files with the httpd_unit_file_t type, if you want to treat the
1147 files as httpd unit content.
1148
1149
1150 Paths:
1151 /usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/nginx.*,
1152 /usr/lib/systemd/system/thttpd.*, /usr/lib/systemd/system/php-
1153 fpm.*
1154
1155
1156 httpd_user_content_t
1157
1158 - Set files with the httpd_user_content_t type, if you want to treat
1159 the files as httpd user content.
1160
1161
1162
1163 httpd_user_htaccess_t
1164
1165 - Set files with the httpd_user_htaccess_t type, if you want to treat
1166 the file as a httpd user access file.
1167
1168
1169
1170 httpd_user_ra_content_t
1171
1172 - Set files with the httpd_user_ra_content_t type, if you want to treat
1173 the files as httpd user read/append content.
1174
1175
1176
1177 httpd_user_rw_content_t
1178
1179 - Set files with the httpd_user_rw_content_t type, if you want to treat
1180 the files as httpd user read/write content.
1181
1182
1183
1184 httpd_user_script_exec_t
1185
1186 - Set files with the httpd_user_script_exec_t type, if you want to
1187 transition an executable to the httpd_user_script_t domain.
1188
1189
1190
1191 httpd_var_lib_t
1192
1193 - Set files with the httpd_var_lib_t type, if you want to store the
1194 httpd files under the /var/lib directory.
1195
1196
1197 Paths:
1198 /var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?,
1199 /var/lib/php(/.*)?, /var/lib/glpi(/.*)?, /var/lib/httpd(/.*)?,
1200 /var/lib/nginx(/.*)?, /var/lib/z-push(/.*)?, /var/lib/gan‐
1201 glia(/.*)?, /var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?,
1202 /var/lib/lighttpd(/.*)?, /var/lib/mod_security(/.*)?,
1203 /var/lib/roundcubemail(/.*)?, /var/opt/rh/rh-
1204 nginx18/lib/nginx(/.*)?
1205
1206
1207 httpd_var_run_t
1208
1209 - Set files with the httpd_var_run_t type, if you want to store the
1210 httpd files under the /run or /var/run directory.
1211
1212
1213 Paths:
1214 /var/run/wsgi.*, /var/run/mod_.*, /var/run/httpd.*,
1215 /var/run/nginx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?,
1216 /var/run/fcgiwrap(/.*)?, /var/run/lighttpd(/.*)?,
1217 /var/lib/php/session(/.*)?, /var/lib/php/wsdlcache(/.*)?,
1218 /var/run/dirsrv/admin-serv.*, /var/opt/rh/rh-
1219 nginx18/run/nginx(/.*)?, /var/www/openshift/bro‐
1220 ker/httpd/run(/.*)?, /var/www/openshift/console/httpd/run(/.*)?,
1221 /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
1222 /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid
1223
1224
1225 Note: File context can be temporarily modified with the chcon command.
1226 If you want to permanently change the file context you need to use the
1227 semanage fcontext command. This will modify the SELinux labeling data‐
1228 base. You will need to use restorecon to apply the labels.
1229
1230
1232 If you want to share files with multiple domains (Apache, FTP, rsync,
1233 Samba), you can set a file context of public_content_t and public_con‐
1234 tent_rw_t. These context allow any of the above domains to read the
1235 content. If you want a particular domain to write to the public_con‐
1236 tent_rw_t domain, you must set the appropriate boolean.
1237
1238 Allow httpd servers to read the /var/httpd directory by adding the pub‐
1239 lic_content_t file type to the directory and by restoring the file
1240 type.
1241
1242 semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
1243 restorecon -F -R -v /var/httpd
1244
1245 Allow httpd servers to read and write /var/httpd/incoming by adding the
1246 public_content_rw_t type to the directory and by restoring the file
1247 type. You also need to turn on the httpd_anon_write boolean.
1248
1249 semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
1250 restorecon -F -R -v /var/httpd/incoming
1251 setsebool -P httpd_anon_write 1
1252
1253
1254 If you want to allow Apache to modify public files used for public file
1255 transfer services. Directories/Files must be labeled public_con‐
1256 tent_rw_t., you must turn on the httpd_anon_write boolean.
1257
1258 setsebool -P httpd_anon_write 1
1259
1260
1262 semanage fcontext can also be used to manipulate default file context
1263 mappings.
1264
1265 semanage permissive can also be used to manipulate whether or not a
1266 process type is permissive.
1267
1268 semanage module can also be used to enable/disable/install/remove pol‐
1269 icy modules.
1270
1271 semanage port can also be used to manipulate the port definitions
1272
1273 semanage boolean can also be used to manipulate the booleans
1274
1275
1276 system-config-selinux is a GUI tool available to customize SELinux pol‐
1277 icy settings.
1278
1279
1281 This manual page was auto-generated using sepolicy manpage .
1282
1283
1285 selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepol‐
1286 icy(8), setsebool(8), httpd_helper_selinux(8), httpd_passwd_selinux(8),
1287 httpd_php_selinux(8), httpd_rotatelogs_selinux(8),
1288 httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_uncon‐
1289 fined_script_selinux(8), httpd_user_script_selinux(8)
1290
1291
1292
1293httpd 19-05-30 httpd_selinux(8)