httpd_selinux(8)             SELinux Policy httpd             httpd_selinux(8)


NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd processes

DESCRIPTION
       Security-Enhanced Linux secures the httpd processes via flexible
       mandatory access control.

       The httpd processes execute with the httpd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_t


ENTRYPOINTS
       The httpd_t SELinux type can be entered via the httpd_exec_t file type.

       The default entrypoint paths for the httpd_t domain are the following:

       /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
       /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
       /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
       /usr/sbin/httpd.event, /usr/bin/mongrel_rails, /usr/sbin/htcacheclean


PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       httpd policy is very flexible, allowing users to set up their httpd
       processes in as secure a manner as possible.

       The following process types are defined for httpd:

       httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t,
       httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t,
       httpd_passwd_t, httpd_unconfined_script_t

       Note: semanage permissive -a httpd_t can be used to make the process
       type httpd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated. Use this only as a diagnostic step: a permissive httpd_t is
       unconfined in practice, and the denials it logs are the input for a
       proper fix (a boolean, a relabel, or a local policy module). Remove it
       again with semanage permissive -d httpd_t.

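Two triage helpers for this section, added here as an example; they are not part of the httpd_selinux(8) page or of the SELinux tooling, and the function names and sample output are the author's own. Both read command output on stdin so they can be run offline against the constructed samples embedded below; on a live host you would feed them `ps -eZ` and `ausearch -m avc -ts recent` instead. The first reports web-server processes that are not in httpd_t at all (a binary launched from an unconfined shell, or one whose httpd_exec_t label was lost, runs without this policy); the second summarises the AVC denials raised by httpd_t, which is what to read before reaching for a boolean or semanage permissive.

```sh
#!/bin/sh
# Added example, not from httpd_selinux(8). Function names and the sample
# output below are the author's own; the sample lines are constructed, not
# captured from a real host.

# Print "PID COMM CONTEXT" for each web-server process whose SELinux type
# is not httpd_t. Input: `ps -eZ` output (LABEL PID TTY TIME CMD).
unconfined_httpd() {
    awk '
        NR == 1 { next }                       # skip the ps header line
        $NF ~ /^(httpd|nginx|php-fpm|lighttpd)$/ {
            split($1, ctx, ":")                # user:role:type:level
            if (ctx[3] != "httpd_t") print $2, $NF, $1
        }'
}

# Summarise AVC denials whose source context is httpd_t as
# "COUNT permission -> target type (class)". Input: audit.log / ausearch
# lines. A denial against a port type points at one of the
# httpd_can_network_* booleans; a denial against a content type usually
# means a directory is mislabelled, not that the policy is too strict.
httpd_avc_summary() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
            perm = $0; sub(/.*denied  *\{ */, "", perm); sub(/ *\}.*/, "", perm)
            tt = $0;   sub(/.*tcontext=[^:]*:[^:]*:/, "", tt); sub(/:.*/, "", tt)
            cls = $0;  sub(/.*tclass=/, "", cls);  sub(/ .*/, "", cls)
            n[perm " -> " tt " (" cls ")"]++
        }
        END { for (k in n) print n[k], k }' | sort -k 2
}

# --- constructed sample input (not captured from a host) ------------------
SAMPLE_PS='LABEL                               PID TTY      TIME CMD
system_u:system_r:httpd_t:s0       1234 ?    00:00:01 httpd
system_u:system_r:httpd_t:s0       1235 ?    00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2048 pts/0 00:00:00 nginx
system_u:system_r:httpd_t:s0       1300 ?    00:00:00 php-fpm
system_u:system_r:sshd_t:s0-s0:c0.c1023 700 ?  00:00:00 sshd'

SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_connect } for  pid=1235 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1234 comm="httpd" name="uploads" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=700 comm="sshd" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

printf '%s\n' "$SAMPLE_PS"  | unconfined_httpd
printf '%s\n' "$SAMPLE_AVC" | httpd_avc_summary
```

On the sample, the first function reports the nginx started from an unconfined shell, and the summary shows two name_connect denials against mysqld_port_t (the fix is httpd_can_network_connect_db, not the blanket httpd_can_network_connect) and one write denial on a httpd_sys_content_t directory (the fix is to label that directory httpd_sys_rw_content_t as described under FILE CONTEXTS, not a boolean). The sshd denial is correctly ignored because its source context is not httpd_t.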

BOOLEANS
       SELinux policy is customizable based on the least access required.
       httpd policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run httpd with the tightest access
       possible. Every boolean below widens what httpd_t may do, so leave it
       off unless the application needs it. setsebool -P writes the change to
       the policy store so that it survives a reboot; without -P the change
       is lost on reboot or at the next policy load.

       If you want to allow httpd to use built-in scripting (usually php), you
       must turn on the httpd_builtin_scripting boolean. Enabled by default.

       setsebool -P httpd_builtin_scripting 1

       If you want to allow httpd to act as an FTP client connecting to the
       ftp port and ephemeral ports, you must turn on the
       httpd_can_connect_ftp boolean. Disabled by default.

       setsebool -P httpd_can_connect_ftp 1

       If you want to allow httpd to connect to the ldap port, you must turn
       on the httpd_can_connect_ldap boolean. Disabled by default.

       setsebool -P httpd_can_connect_ldap 1

       If you want to allow the http daemon to connect to mythtv, you must
       turn on the httpd_can_connect_mythtv boolean. Disabled by default.

       setsebool -P httpd_can_connect_mythtv 1

       If you want to allow the http daemon to connect to zabbix, you must
       turn on the httpd_can_connect_zabbix boolean. Disabled by default.

       setsebool -P httpd_can_connect_zabbix 1

       If you want to allow HTTPD scripts and modules to connect to the
       network using TCP, you must turn on the httpd_can_network_connect
       boolean. Disabled by default. This is the broadest of the network
       booleans: it lets a compromised script or module reach any TCP port on
       any host. Prefer httpd_can_network_connect_db,
       httpd_can_network_memcache or httpd_can_connect_ldap when one of those
       covers what the application actually needs.

       setsebool -P httpd_can_network_connect 1

       If you want to allow HTTPD scripts and modules to connect to cobbler
       over the network, you must turn on the
       httpd_can_network_connect_cobbler boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_cobbler 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1

       If you want to allow httpd to connect to a memcache server, you must
       turn on the httpd_can_network_memcache boolean. Disabled by default.

       setsebool -P httpd_can_network_memcache 1

       If you want to allow httpd to act as a relay, you must turn on the
       httpd_can_network_relay boolean. Disabled by default.

       setsebool -P httpd_can_network_relay 1

       If you want to allow the http daemon to send mail, you must turn on
       the httpd_can_sendmail boolean. Disabled by default.

       setsebool -P httpd_can_sendmail 1

       If you want to allow Apache to communicate with the avahi service via
       dbus, you must turn on the httpd_dbus_avahi boolean. Disabled by
       default.

       setsebool -P httpd_dbus_avahi 1

       If you want to allow Apache to communicate with the sssd service via
       dbus, you must turn on the httpd_dbus_sssd boolean. Disabled by
       default.

       setsebool -P httpd_dbus_sssd 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow httpd to act as an FTP server by listening on the
       ftp port, you must turn on the httpd_enable_ftp_server boolean.
       Disabled by default.

       setsebool -P httpd_enable_ftp_server 1

       If you want to allow httpd to read home directories, you must turn on
       the httpd_enable_homedirs boolean. Disabled by default.

       setsebool -P httpd_enable_homedirs 1

       If you want to allow httpd scripts and modules execmem/execstack, you
       must turn on the httpd_execmem boolean. Disabled by default. This
       permits writable-and-executable memory mappings in the web server
       process (some JIT-based modules need it), which removes the W^X
       protection that makes memory-corruption bugs harder to exploit.

       setsebool -P httpd_execmem 1

       If you want to allow HTTPD to connect to port 80 for graceful
       shutdown, you must turn on the httpd_graceful_shutdown boolean.
       Disabled by default.

       setsebool -P httpd_graceful_shutdown 1

       If you want to allow httpd processes to manage IPA content, you must
       turn on the httpd_manage_ipa boolean. Disabled by default.

       setsebool -P httpd_manage_ipa 1

       If you want to allow Apache to use mod_auth_ntlm_winbind, you must
       turn on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.

       setsebool -P httpd_mod_auth_ntlm_winbind 1

       If you want to allow Apache to use mod_auth_pam, you must turn on the
       httpd_mod_auth_pam boolean. Disabled by default.

       setsebool -P httpd_mod_auth_pam 1

       If you want to allow httpd to read user content, you must turn on the
       httpd_read_user_content boolean. Disabled by default.

       setsebool -P httpd_read_user_content 1

       If you want to allow httpd processes to run the IPA helper, you must
       turn on the httpd_run_ipa boolean. Disabled by default.

       setsebool -P httpd_run_ipa 1

       If you want to allow Apache to run preupgrade, you must turn on the
       httpd_run_preupgrade boolean. Enabled by default.

       setsebool -P httpd_run_preupgrade 1

       If you want to allow Apache to run in stickshift mode, not transition
       to passenger, you must turn on the httpd_run_stickshift boolean.
       Enabled by default.

       setsebool -P httpd_run_stickshift 1

       If you want to allow HTTPD scripts and modules to serve cobbler files,
       you must turn on the httpd_serve_cobbler_files boolean. Enabled by
       default.

       setsebool -P httpd_serve_cobbler_files 1

       If you want to allow the httpd daemon to change its resource limits,
       you must turn on the httpd_setrlimit boolean. Disabled by default.

       setsebool -P httpd_setrlimit 1

       If you want to allow HTTPD to run SSI executables in the same domain
       as system CGI scripts, you must turn on the httpd_ssi_exec boolean.
       Disabled by default.

       setsebool -P httpd_ssi_exec 1

       If you want to allow HTTPD to communicate with the terminal, which is
       needed for entering the passphrase for certificates at the terminal,
       you must turn on the httpd_tty_comm boolean. Disabled by default.

       setsebool -P httpd_tty_comm 1

       If you want to allow httpd to access cifs file systems, you must turn
       on the httpd_use_cifs boolean. Disabled by default.

       setsebool -P httpd_use_cifs 1

       If you want to allow httpd to access FUSE file systems, you must turn
       on the httpd_use_fusefs boolean. Disabled by default.

       setsebool -P httpd_use_fusefs 1

       If you want to allow httpd to access nfs file systems, you must turn
       on the httpd_use_nfs boolean. Disabled by default.

       setsebool -P httpd_use_nfs 1

       If you want to allow httpd to access openstack ports, you must turn on
       the httpd_use_openstack boolean. Disabled by default.

       setsebool -P httpd_use_openstack 1

       If you want to allow httpd to connect to sasl, you must turn on the
       httpd_use_sasl boolean. Disabled by default.

       setsebool -P httpd_use_sasl 1

       If you want to allow Apache to query NS records, you must turn on the
       httpd_verify_dns boolean. Disabled by default.

       setsebool -P httpd_verify_dns 1

       If you want to allow users to resolve user passwd entries directly
       from ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the Git system daemon to access cifs file
       systems, you must turn on the git_system_use_cifs boolean. Disabled by
       default.

       setsebool -P git_system_use_cifs 1

       If you want to allow the Git system daemon to access nfs file systems,
       you must turn on the git_system_use_nfs boolean. Disabled by default.

       setsebool -P git_system_use_nfs 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

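The boolean list above is long, and on a host that has been "fixed" over time by flipping whatever made the last denial go away, the useful question is which of them are currently on. The script below is an added example, not part of the httpd_selinux(8) page: it reads `getsebool -a` output on stdin and reports the booleans from this page that open httpd_t widest, each with the command that closes it again. Which booleans count as "wide" is the author's judgement; the boolean names and defaults are the page's, and the sample output is constructed.

```sh
#!/bin/sh
# Added example, not from httpd_selinux(8). Reads `getsebool -a` output on
# stdin and flags the booleans from this page that widen httpd_t the most.
# The selection is the author's; the sample input below is constructed.

# One tab-separated line per finding: NAME  REASON  FIX
flag() { printf '%s\t%s\t%s\n' "$1" "$2" "$3"; }

risky_httpd_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue      # skip anything that is not a getsebool line
        case "$name:$state" in
            httpd_can_network_connect:on)
                flag "$name" "scripts and modules may open a TCP connection to any port" \
                     "setsebool -P $name 0, then enable only httpd_can_network_connect_db, httpd_can_network_memcache or httpd_can_connect_ldap as needed" ;;
            httpd_execmem:on)
                flag "$name" "writable+executable memory (execmem/execstack) allowed in the web server" "setsebool -P $name 0" ;;
            httpd_enable_homedirs:on|httpd_read_user_content:on)
                flag "$name" "httpd can read content in users' home directories" "setsebool -P $name 0" ;;
            httpd_can_sendmail:on)
                flag "$name" "a compromised script can send mail" "setsebool -P $name 0" ;;
            httpd_can_network_relay:on)
                flag "$name" "httpd may relay (proxy) connections to other hosts" "setsebool -P $name 0" ;;
            httpd_enable_ftp_server:on)
                flag "$name" "httpd may listen on the ftp port" "setsebool -P $name 0" ;;
            httpd_ssi_exec:on)
                flag "$name" "SSI executables run in the system CGI script domain" "setsebool -P $name 0" ;;
            httpd_tty_comm:on)
                flag "$name" "httpd may talk to the controlling terminal" "setsebool -P $name 0" ;;
            deny_ptrace:off)
                flag "$name" "any process may ptrace or debug any other" "setsebool -P $name 1" ;;
        esac
    done
}

# --- constructed sample `getsebool -a` output (not from a real host) ------
SAMPLE_BOOLS='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_execmem --> on
httpd_read_user_content --> on
httpd_can_sendmail --> off
deny_ptrace --> off'

printf '%s\n' "$SAMPLE_BOOLS" | risky_httpd_booleans
```

On a live host run `getsebool -a | risky_httpd_booleans`. The defaults that are on (httpd_builtin_scripting, httpd_enable_cgi) are deliberately not flagged; the sample produces four findings, and the suggested fix for httpd_can_network_connect is to replace it with the narrower database, memcache or ldap boolean rather than simply turning it off.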

NSSWITCH DOMAIN
       If you want to allow users to resolve user passwd entries directly
       from ldap rather than using a sssd server for the httpd_t, you must
       turn on the authlogin_nsswitch_use_ldap boolean.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow confined applications to run with kerberos for
       the httpd_t, you must turn on the kerberos_enabled boolean.

       setsebool -P kerberos_enabled 1


PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes in as secure a manner as possible. If httpd is
       configured to listen on a port that is not labelled http_port_t, the
       bind is denied (an AVC for name_bind on the port's type); add the
       port to http_port_t with semanage port -a -t http_port_t -p tcp PORT
       rather than loosening the domain.

       The following port types are defined for httpd:

       http_cache_port_t

       Default Defined Ports:
                 tcp 8080,8118,8123,10001-10010
                 udp 3130

       http_port_t

       Default Defined Ports:
                 tcp 80,81,443,488,8008,8009,8443,9000

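The following is an added example, not part of the httpd_selinux(8) page: it decides whether a listen port is already covered by http_port_t and prints the semanage command to run if it is not. It reads `semanage port -l` output on stdin; the sample at the bottom is constructed from the defaults listed above plus two unrelated types, not captured from a host, and the function names are the author's own. The distinction it draws (a port explicitly listed under another type needs `-m`, a port that only falls inside a catch-all range can be added with `-a`) is the author's reading of semanage behaviour, stated as an assumption.

```sh
#!/bin/sh
# Added example, not from httpd_selinux(8). Function names, the exact-vs-range
# rule and the sample output below are the author's own; the sample is
# constructed, not captured from a host.

# port_type_of PROTO PORT: print "TYPE exact|range" for every port type
# whose definition covers PORT, one per line.
port_type_of() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)          # strip the list separator
                n = split(r, lohi, "-")           # "80" or "10001-10010"
                lo = lohi[1] + 0; hi = (n == 2) ? lohi[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi)
                    print $1, (n == 2 ? "range" : "exact")
            }
        }'
}

# ensure_http_port PROTO PORT: "ok" if PORT is in http_port_t, otherwise the
# semanage command that puts it there. The catch-all types (unreserved,
# reserved, ephemeral, hi_reserved) are ignored: a port that only falls in
# one of those is free to be added with -a. A port that another service's
# type defines explicitly must be modified with -m, and moving it also
# changes what that other service is allowed to bind.
ensure_http_port() {
    matches=$(port_type_of "$1" "$2" \
              | grep -v -E '^(unreserved|reserved|ephemeral|hi_reserved)_port_t ' || true)
    if printf '%s\n' "$matches" | grep -q '^http_port_t '; then
        echo "ok: $1/$2 is already labelled http_port_t"
    elif printf '%s\n' "$matches" | grep -q ' exact$'; then
        owners=$(printf '%s\n' "$matches" | grep ' exact$' | cut -d ' ' -f 1 | tr '\n' ' ')
        echo "# $1/$2 is explicitly defined as ${owners}(changing it also affects that service)"
        echo "semanage port -m -t http_port_t -p $1 $2"
    else
        echo "semanage port -a -t http_port_t -p $1 $2"
    fi
}

# --- constructed sample `semanage port -l` output -------------------------
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
unreserved_port_t              tcp      1024-32767, 61001-65535'

for p in 443 8081 3306; do
    printf '%s\n' "$SAMPLE_PORTS" | ensure_http_port tcp "$p"
done
```

On a live host: `semanage port -l | ensure_http_port tcp 8081`. In the sample, 443 is reported as already fine, 8081 gets a plain `-a`, and 3306 is flagged as belonging to mysqld_port_t before the `-m` command is printed, because relabelling it lets httpd bind it and changes what mysqld may bind.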

MANAGED FILES
       The SELinux process type httpd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permission on
       the file; SELinux only adds a second check, it never grants access
       that the file mode denies.

       abrt_retrace_spool_t

            /var/spool/faf(/.*)?
            /var/spool/abrt-retrace(/.*)?
            /var/spool/retrace-server(/.*)?

       anon_inodefs_t

       apcupsd_cgi_rw_content_t

       awstats_rw_content_t

       bugzilla_rw_content_t

            /var/lib/bugzilla(/.*)?

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cobbler_var_lib_t

            /var/lib/cobbler(/.*)?
            /var/www/cobbler(/.*)?
            /var/cache/cobbler(/.*)?
            /var/lib/tftpboot/etc(/.*)?
            /var/lib/tftpboot/ppc(/.*)?
            /var/lib/tftpboot/boot(/.*)?
            /var/lib/tftpboot/grub(/.*)?
            /var/lib/tftpboot/s390x(/.*)?
            /var/lib/tftpboot/images(/.*)?
            /var/lib/tftpboot/aarch64(/.*)?
            /var/lib/tftpboot/images2(/.*)?
            /var/lib/tftpboot/pxelinux.cfg(/.*)?
            /var/lib/tftpboot/yaboot
            /var/lib/tftpboot/memdisk
            /var/lib/tftpboot/menu.c32
            /var/lib/tftpboot/pxelinux.0

       collectd_rw_content_t

       cvs_rw_content_t

       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       dirsrvadmin_config_t

            /etc/dirsrv/dsgw(/.*)?
            /etc/dirsrv/admin-serv(/.*)?

       dirsrvadmin_rw_content_t

       dirsrvadmin_tmp_t

       dspam_rw_content_t

            /var/lib/dspam/data(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       git_rw_content_t

            /var/cache/cgit(/.*)?
            /var/cache/gitweb-caching(/.*)?

       httpd_cache_t

            /var/cache/rt(3|4)(/.*)?
            /var/cache/ssl.*.sem
            /var/cache/mod_.*
            /var/cache/php-.*
            /var/cache/httpd(/.*)?
            /var/cache/mason(/.*)?
            /var/cache/mod_ssl(/.*)?
            /var/cache/lighttpd(/.*)?
            /var/cache/mediawiki(/.*)?
            /var/cache/mod_proxy(/.*)?
            /var/cache/mod_gnutls(/.*)?
            /var/cache/php-mmcache(/.*)?
            /var/cache/php-eaccelerator(/.*)?

       httpd_lock_t

       httpd_squirrelmail_t

            /var/lib/squirrelmail/prefs(/.*)?

       httpd_sys_rw_content_t

            /etc/rt(/.*)?
            /etc/glpi(/.*)?
            /etc/horde(/.*)?
            /etc/drupal.*
            /etc/z-push(/.*)?
            /var/lib/svn(/.*)?
            /var/www/svn(/.*)?
            /etc/owncloud(/.*)?
            /var/www/html(/.*)?/uploads(/.*)?
            /var/www/html(/.*)?/wp-content(/.*)?
            /var/www/html(/.*)?/wp_backups(/.*)?
            /var/www/html(/.*)?/sites/default/files(/.*)?
            /var/www/html(/.*)?/sites/default/settings.php
            /etc/mock/koji(/.*)?
            /etc/nextcloud(/.*)?
            /var/lib/drupal.*
            /etc/zabbix/web(/.*)?
            /var/lib/moodle(/.*)?
            /var/log/z-push(/.*)?
            /var/spool/gosa(/.*)?
            /etc/WebCalendar(/.*)?
            /usr/share/joomla(/.*)?
            /var/lib/dokuwiki(/.*)?
            /var/lib/owncloud(/.*)?
            /var/spool/viewvc(/.*)?
            /var/lib/nextcloud(/.*)?
            /var/lib/pootle/po(/.*)?
            /var/lib/phpMyAdmin(/.*)?
            /var/www/moodledata(/.*)?
            /srv/gallery2/smarty(/.*)?
            /var/www/moodle/data(/.*)?
            /var/lib/graphite-web(/.*)?
            /var/log/shibboleth-www(/.*)?
            /var/www/gallery/albums(/.*)?
            /var/www/html/owncloud/data(/.*)?
            /var/www/html/nextcloud/data(/.*)?
            /usr/share/wordpress-mu/wp-content(/.*)?
            /usr/share/wordpress/wp-content/upgrade(/.*)?
            /usr/share/wordpress/wp-content/uploads(/.*)?
            /var/www/html/configuration.php

       httpd_tmp_t

            /var/run/user/apache(/.*)?
            /var/www/openshift/console/tmp(/.*)?

       httpd_tmpfs_t

       httpd_user_rw_content_t

       httpd_var_lib_t

            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
            /var/lib/dav(/.*)?
            /var/lib/php(/.*)?
            /var/lib/glpi(/.*)?
            /var/lib/httpd(/.*)?
            /var/lib/nginx(/.*)?
            /var/lib/z-push(/.*)?
            /var/lib/ganglia(/.*)?
            /var/lib/ipsilon(/.*)?
            /var/lib/cherokee(/.*)?
            /var/lib/lighttpd(/.*)?
            /var/lib/mod_security(/.*)?
            /var/lib/roundcubemail(/.*)?
            /var/opt/rh/rh-nginx18/lib/nginx(/.*)?

       httpd_var_run_t

            /var/run/wsgi.*
            /var/run/mod_.*
            /var/run/httpd.*
            /var/run/nginx.*
            /var/run/apache.*
            /var/run/php-fpm(/.*)?
            /var/run/fcgiwrap(/.*)?
            /var/run/lighttpd(/.*)?
            /var/lib/php/session(/.*)?
            /var/lib/php/wsdlcache(/.*)?
            /var/run/dirsrv/admin-serv.*
            /var/opt/rh/rh-nginx18/run/nginx(/.*)?
            /var/www/openshift/broker/httpd/run(/.*)?
            /var/www/openshift/console/httpd/run(/.*)?
            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
            /var/run/thttpd.pid
            /var/run/gcache_port
            /var/run/cherokee.pid

       httpdcontent

       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       ipa_cert_t

            /etc/httpd/alias/ipasession.key

       ipa_var_run_t

            /var/run/ipa(/.*)?

       jetty_cache_t

            /var/cache/jetty(/.*)?

       jetty_log_t

            /var/log/jetty(/.*)?

       jetty_tmp_t

       jetty_unit_file_t

            /usr/lib/systemd/system/jetty.service

       jetty_var_lib_t

            /var/lib/jetty(/.*)?

       jetty_var_run_t

            /var/run/jetty(/.*)?

       keystone_cgi_rw_content_t

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       man2html_rw_content_t

            /var/cache/man2html(/.*)?

       mediawiki_rw_content_t

            /var/www/wiki[0-9]?(/.*)?

       memcached_var_run_t

            /var/run/memcached(/.*)?
            /var/run/ipa_memcached(/.*)?

       mirrormanager_var_run_t

            /var/run/mirrormanager(/.*)?

       mojomojo_rw_content_t

            /var/lib/mojomojo(/.*)?

       munin_rw_content_t

       mythtv_rw_content_t

       nagios_rw_content_t

       nfs_t

       nutups_cgi_rw_content_t

       openshift_rw_content_t

       passenger_tmp_t

       passenger_var_lib_t

            /var/lib/passenger(/.*)?

       passenger_var_run_t

            /var/run/passenger(/.*)?

       pki_apache_config

       pki_apache_var_lib

       pki_apache_var_log

       postfix_spool_t

            /var/spool/postfix.*
            /var/spool/postfix/defer(/.*)?
            /var/spool/postfix/flush(/.*)?
            /var/spool/postfix/deferred(/.*)?
            /var/spool/postfix/maildrop(/.*)?

       preupgrade_data_t

            /var/lib/preupgrade(/.*)?
            /var/log/preupgrade(/.*)?

       prewikka_rw_content_t

       public_content_rw_t

            /var/spool/abrt-upload(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       smokeping_cgi_rw_content_t

       squid_rw_content_t

       squirrelmail_spool_t

            /var/spool/squirrelmail(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       w3c_validator_rw_content_t

       webalizer_rw_content_t

            /var/www/usage(/.*)?

       zarafa_var_lib_t

            /var/lib/zarafa(/.*)?
            /var/lib/zarafa-webapp(/.*)?
            /var/lib/zarafa-webaccess(/.*)?

       zoneminder_rw_content_t

       zoneminder_var_lib_t

            /var/lib/zoneminder(/.*)?


FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       httpd policy stores data with multiple different file context types
       under the /var/lib/php directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/lib/php /srv/php
       restorecon -R -v /srv/php

       httpd policy stores data with multiple different file context types
       under the /var/www directory. If you would like to store the data in a
       different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/www /srv/www
       restorecon -R -v /srv/www

       STANDARD FILE CONTEXT

       SELinux defines the file context types for httpd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to serve static
       content from a directory outside /var/www, label it
       httpd_sys_content_t:

       semanage fcontext -a -t httpd_sys_content_t '/srv/myhttpd_content(/.*)?'
       restorecon -R -v /srv/myhttpd_content

       Pick the narrowest content type that works: httpd_sys_content_t is
       read-only for httpd_t by default, and only the directories the
       application must write to (uploads, caches) should get
       httpd_sys_rw_content_t.

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.
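Two helpers for the labelling procedure just described, added here as an example; they are not part of the httpd_selinux(8) page. One prints (without running) the semanage and restorecon commands for a custom document root with a few writable subdirectories, the other audits the labels already on disk for the two mistakes that matter most: a server-side script sitting in a writable content type, which lets a compromised httpd overwrite its own code, and a file that carries no httpd content type at all, which httpd_t cannot serve. The function names, the /srv/www layout and the sample `ls -Z` output are the author's constructions, not the policy's.

```sh
#!/bin/sh
# Added example, not from httpd_selinux(8). Function names, the /srv/www
# layout and the sample `ls -Zd` lines are the author's constructions.

# docroot_label_plan ROOT [WRITABLE_SUBDIR...]: print (do not run) the
# commands that label ROOT read-only (httpd_sys_content_t) and only the
# named subdirectories read/write (httpd_sys_rw_content_t). The rw rules
# are emitted after the docroot rule so the more specific spec wins.
docroot_label_plan() {
    root=$1; shift
    echo "semanage fcontext -a -t httpd_sys_content_t '$root(/.*)?'"
    for d in "$@"; do
        echo "semanage fcontext -a -t httpd_sys_rw_content_t '$root/$d(/.*)?'"
    done
    echo "restorecon -R -v '$root'"
}

# audit_docroot_labels: read "CONTEXT PATH" lines (the output of
# `find ROOT -exec ls -Zd {} +`) and report two class of mistake:
#   WRITABLE-SCRIPT  a server-side script in a type httpd_t may write to,
#                    i.e. a compromised httpd could overwrite its own code
#   NOT-HTTPD-TYPE   a file carrying no httpd content type (typically after
#                    a cp/mv from a home directory); a prompt to run
#                    restorecon, since the default label is wrong
# Paths containing spaces are not handled.
audit_docroot_labels() {
    awk '
        NF < 2 { next }
        {
            split($1, c, ":"); type = c[3]; path = $2
            if (type ~ /^httpd_sys_(rw|ra)_content_t$/ &&
                path ~ /\.(php|phtml|cgi|pl|py|sh)$/)
                print "WRITABLE-SCRIPT", type, path
            else if (type !~ /^httpd_/ && type !~ /_content_t$/)
                print "NOT-HTTPD-TYPE", type, path
        }'
}

# --- constructed sample `ls -Zd` output for /srv/www ---------------------
SAMPLE_LS='system_u:object_r:httpd_sys_content_t:s0 /srv/www/index.php
system_u:object_r:httpd_sys_content_t:s0 /srv/www/css/site.css
system_u:object_r:httpd_sys_rw_content_t:s0 /srv/www/uploads
system_u:object_r:httpd_sys_rw_content_t:s0 /srv/www/uploads/shell.php
system_u:object_r:httpd_sys_rw_content_t:s0 /srv/www/cache/page.html
unconfined_u:object_r:user_home_t:s0 /srv/www/app/config.php'

docroot_label_plan /srv/www uploads cache
printf '%s\n' "$SAMPLE_LS" | audit_docroot_labels
```

Before applying a plan on a real host, `restorecon -R -n -v ROOT` shows what would be relabelled without changing anything. The audit flags the PHP file that arrived in the writable uploads directory and the config file that still carries its user_home_t label from a copy out of someone's home directory; the static files and the writable HTML cache pass.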
       The following file types are defined for httpd:

       httpd_cache_t

       - Set files with the httpd_cache_t type, if you want to store the files
       under the /var/cache directory.

       Paths:
            /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
            /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
            /var/cache/mod_ssl(/.*)?, /var/cache/lighttpd(/.*)?,
            /var/cache/mediawiki(/.*)?, /var/cache/mod_proxy(/.*)?,
            /var/cache/mod_gnutls(/.*)?, /var/cache/php-mmcache(/.*)?,
            /var/cache/php-eaccelerator(/.*)?

       httpd_config_t

       - Set files with the httpd_config_t type, if you want to treat the
       files as httpd configuration data, usually stored under the /etc
       directory.

       Paths:
            /etc/httpd(/.*)?, /etc/nginx(/.*)?, /etc/apache(2)?(/.*)?,
            /etc/cherokee(/.*)?, /etc/lighttpd(/.*)?, /etc/apache-ssl(2)?(/.*)?,
            /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-nginx18/nginx(/.*)?,
            /var/lib/stickshift/.httpd.d(/.*)?, /etc/vhosts, /etc/thttpd.conf

       httpd_exec_t

       - Set files with the httpd_exec_t type, if you want to transition an
       executable to the httpd_t domain.

       Paths:
            /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?,
            /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx,
            /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
            /usr/sbin/lighttpd, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
            /usr/sbin/htcacheclean

       httpd_helper_exec_t

       - Set files with the httpd_helper_exec_t type, if you want to
       transition an executable to the httpd_helper_t domain.

       httpd_initrc_exec_t

       - Set files with the httpd_initrc_exec_t type, if you want to
       transition an executable to the httpd_initrc_t domain.

       Paths:
            /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
            /etc/rc.d/init.d/lighttpd

       httpd_keytab_t

       - Set files with the httpd_keytab_t type, if you want to treat the
       files as kerberos keytab files.

       httpd_lock_t

       - Set files with the httpd_lock_t type, if you want to treat the files
       as httpd lock data, stored under the /var/lock directory.

       httpd_log_t

       - Set files with the httpd_log_t type, if you want to treat the data as
       httpd log data, usually stored under the /var/log directory.

       Paths:
            /srv/([^/]*/)?www/logs(/.*)?, /var/www(/.*)?/logs(/.*)?,
            /var/log/glpi(/.*)?, /var/log/cacti(/.*)?, /var/log/httpd(/.*)?,
            /var/log/nginx(/.*)?, /var/log/apache(2)?(/.*)?,
            /var/log/horizon(/.*)?, /var/log/php-fpm(/.*)?,
            /var/log/cherokee(/.*)?, /var/log/lighttpd(/.*)?,
            /var/log/suphp.log.*, /var/log/thttpd.log.*,
            /var/log/apache-ssl(2)?(/.*)?, /var/log/cgiwrap.log.*,
            /var/www/stickshift/[^/]*/log(/.*)?, /var/log/graphite-web(/.*)?,
            /var/www/miq/vmdb/log(/.*)?, /var/log/roundcubemail(/.*)?,
            /var/log/php_errors.log.*, /var/log/dirsrv/admin-serv(/.*)?,
            /var/opt/rh/rh-nginx18/log(/.*)?,
            /var/lib/openshift/.log/httpd(/.*)?,
            /var/www/openshift/console/log(/.*)?,
            /var/www/openshift/broker/httpd/logs(/.*)?,
            /var/www/openshift/console/httpd/logs(/.*)?, /etc/httpd/logs

       httpd_modules_t

       - Set files with the httpd_modules_t type, if you want to treat the
       files as httpd modules.

       Paths:
            /usr/lib/httpd(/.*)?, /usr/lib/apache(/.*)?, /usr/lib/cherokee(/.*)?,
            /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/modules(/.*)?,
            /etc/httpd/modules

       httpd_passwd_exec_t

       - Set files with the httpd_passwd_exec_t type, if you want to
       transition an executable to the httpd_passwd_t domain.

       httpd_php_exec_t

       - Set files with the httpd_php_exec_t type, if you want to transition
       an executable to the httpd_php_t domain.

       httpd_php_tmp_t

       - Set files with the httpd_php_tmp_t type, if you want to store httpd
       php temporary files in the /tmp directories.

       httpd_rotatelogs_exec_t

       - Set files with the httpd_rotatelogs_exec_t type, if you want to
       transition an executable to the httpd_rotatelogs_t domain.

       httpd_squirrelmail_t

       - Set files with the httpd_squirrelmail_t type, if you want to treat
       the files as httpd squirrelmail data.

       httpd_suexec_exec_t

       - Set files with the httpd_suexec_exec_t type, if you want to
       transition an executable to the httpd_suexec_t domain.

       Paths:
            /usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?,
            /usr/sbin/suexec

       httpd_suexec_tmp_t

       - Set files with the httpd_suexec_tmp_t type, if you want to store
       httpd suexec temporary files in the /tmp directories.

       httpd_sys_content_t

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content (content httpd_t may read but, by default,
       not write).

       Paths:
            /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
            /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
            /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/htdig(/.*)?,
            /usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
            /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?,
            /usr/share/ntop/html(/.*)?, /usr/share/nginx/html(/.*)?,
            /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?,
            /usr/share/selinux-policy[^/]*/html(/.*)?

       httpd_sys_htaccess_t

       - Set files with the httpd_sys_htaccess_t type, if you want to treat
       the file as a httpd sys .htaccess file.

       httpd_sys_ra_content_t

       - Set files with the httpd_sys_ra_content_t type, if you want to treat
       the files as httpd sys read/append content.

       httpd_sys_rw_content_t

       - Set files with the httpd_sys_rw_content_t type, if you want to treat
       the files as httpd sys read/write content.

       Paths:
            /etc/rt(/.*)?, /etc/glpi(/.*)?, /etc/horde(/.*)?, /etc/drupal.*,
            /etc/z-push(/.*)?, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
            /etc/owncloud(/.*)?, /var/www/html(/.*)?/uploads(/.*)?,
            /var/www/html(/.*)?/wp-content(/.*)?,
            /var/www/html(/.*)?/wp_backups(/.*)?,
            /var/www/html(/.*)?/sites/default/files(/.*)?,
            /var/www/html(/.*)?/sites/default/settings.php,
            /etc/mock/koji(/.*)?, /etc/nextcloud(/.*)?, /var/lib/drupal.*,
            /etc/zabbix/web(/.*)?, /var/lib/moodle(/.*)?, /var/log/z-push(/.*)?,
            /var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?,
            /usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?,
            /var/lib/owncloud(/.*)?, /var/spool/viewvc(/.*)?,
            /var/lib/nextcloud(/.*)?, /var/lib/pootle/po(/.*)?,
            /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
1076
1077       httpd_sys_rw_content_t
1078
1079       -  Set files with the httpd_sys_rw_content_t type, if you want to treat
1080       the files as httpd sys read/write content.
1081
1082
1083       Paths:
1084            /etc/rt(/.*)?, /etc/glpi(/.*)?,  /etc/horde(/.*)?,  /etc/drupal.*,
1085            /etc/z-push(/.*)?,     /var/lib/svn(/.*)?,     /var/www/svn(/.*)?,
1086            /etc/owncloud(/.*)?,            /var/www/html(/.*)?/uploads(/.*)?,
1087            /var/www/html(/.*)?/wp-content(/.*)?, /var/www/html(/.*)?/wp_back‐
1088            ups(/.*)?,          /var/www/html(/.*)?/sites/default/files(/.*)?,
1089            /var/www/html(/.*)?/sites/default/settings.php,
1090            /etc/mock/koji(/.*)?,   /etc/nextcloud(/.*)?,   /var/lib/drupal.*,
1091            /etc/zabbix/web(/.*)?,      /var/lib/moodle(/.*)?,     /var/log/z-
1092            push(/.*)?,     /var/spool/gosa(/.*)?,     /etc/WebCalendar(/.*)?,
1093            /usr/share/joomla(/.*)?,   /var/lib/dokuwiki(/.*)?,  /var/lib/own‐
1094            cloud(/.*)?,  /var/spool/viewvc(/.*)?,   /var/lib/nextcloud(/.*)?,
1095            /var/lib/pootle/po(/.*)?, /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
1096            dledata(/.*)?,      /srv/gallery2/smarty(/.*)?,      /var/www/moo‐
1097            dle/data(/.*)?,  /var/lib/graphite-web(/.*)?, /var/log/shibboleth-
1098            www(/.*)?,    /var/www/gallery/albums(/.*)?,    /var/www/html/own‐
1099            cloud/data(/.*)?,              /var/www/html/nextcloud/data(/.*)?,
1100            /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-
1101            content/upgrade(/.*)?,                /usr/share/wordpress/wp-con‐
1102            tent/uploads(/.*)?, /var/www/html/configuration.php
1103
1104
1105       httpd_sys_script_exec_t
1106
1107       - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
1108       sition an executable to the httpd_sys_script_t domain.
1109
1110
1111       Paths:
1112            /opt/.*.cgi,       /usr/.*.cgi,      /var/www/[^/]*/cgi-bin(/.*)?,
1113            /var/www/perl(/.*)?,            /var/www/html/[^/]*/cgi-bin(/.*)?,
1114            /usr/lib/cgi-bin(/.*)?,                    /var/www/cgi-bin(/.*)?,
1115            /var/www/svn/hooks(/.*)?,             /usr/share/wordpress/.*.php,
1116            /usr/local/nagios/sbin(/.*)?,             /usr/share/wordpress/wp-
1117            includes/.*.php, /usr/share/wordpress-mu/wp-config.php
1118
1119
1120       httpd_tmp_t
1121
1122       - Set files with the httpd_tmp_t type, if you want to store httpd  tem‐
1123       porary files in the /tmp directories.
1124
1125
1126       Paths:
1127            /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?
1128
1129
1130       httpd_tmpfs_t
1131
1132       -  Set  files  with  the httpd_tmpfs_t type, if you want to store httpd
1133       files on a tmpfs file system.
1134
1135
1136
1137       httpd_unconfined_script_exec_t
1138
1139       - Set files with the httpd_unconfined_script_exec_t type, if  you  want
1140       to transition an executable to the httpd_unconfined_script_t domain.
1141
1142
1143
1144       httpd_unit_file_t
1145
1146       -  Set  files with the httpd_unit_file_t type, if you want to treat the
1147       files as httpd unit content.
1148
1149
1150       Paths:
1151            /usr/lib/systemd/system/httpd.*,  /usr/lib/systemd/system/nginx.*,
1152            /usr/lib/systemd/system/thttpd.*,     /usr/lib/systemd/system/php-
1153            fpm.*
1154
1155
1156       httpd_user_content_t
1157
1158       - Set files with the httpd_user_content_t type, if you  want  to  treat
1159       the files as httpd user content.
1160
1161
1162
1163       httpd_user_htaccess_t
1164
1165       -  Set  files with the httpd_user_htaccess_t type, if you want to treat
1166       the file as a httpd user access file.
1167
1168
1169
1170       httpd_user_ra_content_t
1171
1172       - Set files with the httpd_user_ra_content_t type, if you want to treat
1173       the files as httpd user read/append content.
1174
1175
1176
1177       httpd_user_rw_content_t
1178
1179       - Set files with the httpd_user_rw_content_t type, if you want to treat
1180       the files as httpd user read/write content.
1181
1182
1183
1184       httpd_user_script_exec_t
1185
1186       - Set files with the httpd_user_script_exec_t  type,  if  you  want  to
1187       transition an executable to the httpd_user_script_t domain.
1188
1189
1190
1191       httpd_var_lib_t
1192
1193       -  Set  files  with  the httpd_var_lib_t type, if you want to store the
1194       httpd files under the /var/lib directory.
1195
1196
1197       Paths:
1198            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?,       /var/lib/dav(/.*)?,
1199            /var/lib/php(/.*)?,   /var/lib/glpi(/.*)?,   /var/lib/httpd(/.*)?,
1200            /var/lib/nginx(/.*)?,     /var/lib/z-push(/.*)?,     /var/lib/gan‐
1201            glia(/.*)?,    /var/lib/ipsilon(/.*)?,    /var/lib/cherokee(/.*)?,
1202            /var/lib/lighttpd(/.*)?,              /var/lib/mod_security(/.*)?,
1203            /var/lib/roundcubemail(/.*)?,                      /var/opt/rh/rh-
1204            nginx18/lib/nginx(/.*)?
1205
1206
1207       httpd_var_run_t
1208
1209       - Set files with the httpd_var_run_t type, if you  want  to  store  the
1210       httpd files under the /run or /var/run directory.
1211
1212
1213       Paths:
1214            /var/run/wsgi.*,         /var/run/mod_.*,        /var/run/httpd.*,
1215            /var/run/nginx.*,    /var/run/apache.*,    /var/run/php-fpm(/.*)?,
1216            /var/run/fcgiwrap(/.*)?,                  /var/run/lighttpd(/.*)?,
1217            /var/lib/php/session(/.*)?,          /var/lib/php/wsdlcache(/.*)?,
1218            /var/run/dirsrv/admin-serv.*,                      /var/opt/rh/rh-
1219            nginx18/run/nginx(/.*)?,                   /var/www/openshift/bro‐
1220            ker/httpd/run(/.*)?,   /var/www/openshift/console/httpd/run(/.*)?,
1221            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
1222            /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid
1223
1224
1225       Note:  File context can be temporarily modified with the chcon command.
1226       If you want to permanently change the file context you need to use  the
1227       semanage fcontext command.  This will modify the SELinux labeling data‐
1228       base.  You will need to use restorecon to apply the labels.
1229
1230

SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t or
       public_content_rw_t.  These contexts allow any of the above domains to
       read the content.  If you want a particular domain to write to
       public_content_rw_t files, you must set the appropriate boolean.

       Allow httpd servers to read the /var/httpd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
       restorecon -F -R -v /var/httpd

       Allow httpd servers to read and write /var/httpd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type.  You also need to turn on the httpd_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
       restorecon -F -R -v /var/httpd/incoming
       setsebool -P httpd_anon_write 1

       If you want to allow Apache to modify public files used for public file
       transfer services (the directories and files must be labeled
       public_content_rw_t), you must turn on the httpd_anon_write boolean.

       setsebool -P httpd_anon_write 1

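       The path lists in the file-context section above and the semanage
       fcontext / restorecon sequence in SHARING FILES can be checked from the
       administrator's side. The following added example is not part of this
       manual page or of sepolicy: it approximates how the labeling database
       resolves a path against file-context specs and audits ls -Z output for
       files whose current label (for instance one set with chcon, or a file
       moved in from a home directory) disagrees with it. The spec table and
       the ls -Z lines are constructed from paths on this page, and the
       longest-literal-prefix rule is a simplification of file_contexts(5)
       matching, not the libselinux algorithm itself.

```python
import re
# Constructed subset of file-context specs, copied from the path lists above and
# the semanage fcontext commands in SHARING FILES (local specs come last).
SPECS = [
    ("/var/www(/.*)?", "httpd_sys_content_t"),
    ("/var/www/html(/.*)?/uploads(/.*)?", "httpd_sys_rw_content_t"),
    ("/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    ("/var/run/httpd.*", "httpd_var_run_t"),
    ("/var/httpd(/.*)?", "public_content_t"),               # semanage fcontext -a
    ("/var/httpd/incoming(/.*)?", "public_content_rw_t"),   # semanage fcontext -a
]

# Constructed `ls -Z` style output (context, then path) for the audit below.
SAMPLE_LS_Z = """\
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/uploads/avatar.png
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/search.cgi
unconfined_u:object_r:user_home_t:s0 /var/httpd/incoming/drop.txt
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/uploads/notes.txt
"""

def literal_prefix(regex):  # text before the first metacharacter; longer = more specific
    return re.split(r"[.^$?*+|()\[\]{}\\]", regex, maxsplit=1)[0]

def expected_type(path, specs=SPECS):
    """Type the labeling database would assign, or None.  Simplified file_contexts(5)
    rule: whole-path match, most specific spec wins, later (local) spec wins ties."""
    best, best_len = None, -1
    for regex, setype in specs:
        if re.fullmatch(regex, path) and len(literal_prefix(regex)) >= best_len:
            best, best_len = setype, len(literal_prefix(regex))
    return best

def audit(ls_z_output, specs=SPECS):
    """Return (path, actual_type, expected_type) for every mislabeled entry."""
    findings = []
    for line in ls_z_output.strip().splitlines():
        context, path = line.split(None, 1)
        actual = context.split(":")[2]          # user:role:type:level
        expected = expected_type(path, specs)
        if actual != expected:
            findings.append((path, actual, expected))
    return findings

def remediation(findings):
    """restorecon re-applies the database label; an unmatched path needs a spec first."""
    return [f"restorecon -v '{p}'  # {a} -> {e}" if e else
            f"semanage fcontext -a -t <type> '{p}' && restorecon -v '{p}'"
            for p, a, e in findings]
```

       On a real host, feed the function the output of ls -Z (or find ... -exec
       ls -Z) and compare against matchpathcon, which queries the actual
       labeling database rather than this reduced spec table.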

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), httpd_helper_selinux(8),
       httpd_passwd_selinux(8), httpd_php_selinux(8),
       httpd_rotatelogs_selinux(8), httpd_suexec_selinux(8),
       httpd_sys_script_selinux(8), httpd_unconfined_script_selinux(8),
       httpd_user_script_selinux(8)



httpd                              19-05-30                   httpd_selinux(8)