1httpd_sys_script_selinux(S8E)Linux Policy httpd_sys_scrhitpttpd_sys_script_selinux(8)
2
3
4
6 httpd_sys_script_selinux - Security Enhanced Linux Policy for the
7 httpd_sys_script processes
8
10 Security-Enhanced Linux secures the httpd_sys_script processes via
11 flexible mandatory access control.
12
13 The httpd_sys_script processes execute with the httpd_sys_script_t
14 SELinux type. You can check if you have these processes running by exe‐
15 cuting the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep httpd_sys_script_t
20
21
22
24 The httpd_sys_script_t SELinux type can be entered via the
25 httpd_sys_content_t, nfs_t, cifs_t, httpd_sys_script_exec_t,
26 httpd_sys_content_t, httpdcontent, httpd_sys_script_exec_t file types.
27
28 The default entrypoint paths for the httpd_sys_script_t domain are the
29 following:
30
31 /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
32 /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
33 /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/htdig(/.*)?,
34 /usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
35 /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?,
36 /usr/share/ntop/html(/.*)?, /usr/share/nginx/html(/.*)?,
37 /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?,
38 /usr/share/selinux-policy[^/]*/html(/.*)?, /opt/.*.cgi, /usr/.*.cgi,
39 /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?,
40 /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?,
41 /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/word‐
42 press/.*.php, /usr/local/nagios/sbin(/.*)?, /usr/share/wordpress/wp-
43 includes/.*.php, /usr/share/wordpress-mu/wp-config.php,
44 /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
45 /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
46 /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/htdig(/.*)?,
47 /usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
48 /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?,
49 /usr/share/ntop/html(/.*)?, /usr/share/nginx/html(/.*)?,
50 /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?,
51 /usr/share/selinux-policy[^/]*/html(/.*)?, /opt/.*.cgi, /usr/.*.cgi,
52 /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?,
53 /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?,
54 /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?, /usr/share/word‐
55 press/.*.php, /usr/local/nagios/sbin(/.*)?, /usr/share/wordpress/wp-
56 includes/.*.php, /usr/share/wordpress-mu/wp-config.php
57
59 SELinux defines process types (domains) for each process running on the
60 system
61
62 You can see the context of a process using the -Z option to ps
63
64 Policy governs the access confined processes have to files. SELinux
65 httpd_sys_script policy is very flexible allowing users to setup their
66 httpd_sys_script processes in as secure a method as possible.
67
68 The following process types are defined for httpd_sys_script:
69
70 httpd_sys_script_t
71
72 Note: semanage permissive -a httpd_sys_script_t can be used to make the
73 process type httpd_sys_script_t permissive. SELinux does not deny
74 access to permissive process types, but the AVC (SELinux denials) mes‐
75 sages are still generated.
76
77
79 SELinux policy is customizable based on least access required.
80 httpd_sys_script policy is extremely flexible and has several booleans
81 that allow you to manipulate the policy and run httpd_sys_script with
82 the tightest access possible.
83
84
85
86 If you want to allow users to resolve user passwd entries directly from
87 ldap rather then using a sssd server, you must turn on the authlo‐
88 gin_nsswitch_use_ldap boolean. Disabled by default.
89
90 setsebool -P authlogin_nsswitch_use_ldap 1
91
92
93
94 If you want to allow all domains to execute in fips_mode, you must turn
95 on the fips_mode boolean. Enabled by default.
96
97 setsebool -P fips_mode 1
98
99
100
101 If you want to allow HTTPD scripts and modules to connect to databases
102 over the network, you must turn on the httpd_can_network_connect_db
103 boolean. Disabled by default.
104
105 setsebool -P httpd_can_network_connect_db 1
106
107
108
109 If you want to allow http daemon to send mail, you must turn on the
110 httpd_can_sendmail boolean. Disabled by default.
111
112 setsebool -P httpd_can_sendmail 1
113
114
115
116 If you want to allow httpd cgi support, you must turn on the
117 httpd_enable_cgi boolean. Enabled by default.
118
119 setsebool -P httpd_enable_cgi 1
120
121
122
123 If you want to allow httpd to read home directories, you must turn on
124 the httpd_enable_homedirs boolean. Disabled by default.
125
126 setsebool -P httpd_enable_homedirs 1
127
128
129
130 If you want to allow httpd scripts and modules execmem/execstack, you
131 must turn on the httpd_execmem boolean. Disabled by default.
132
133 setsebool -P httpd_execmem 1
134
135
136
137 If you want to allow httpd to read user content, you must turn on the
138 httpd_read_user_content boolean. Disabled by default.
139
140 setsebool -P httpd_read_user_content 1
141
142
143
144 If you want to allow HTTPD to run SSI executables in the same domain as
145 system CGI scripts, you must turn on the httpd_ssi_exec boolean. Dis‐
146 abled by default.
147
148 setsebool -P httpd_ssi_exec 1
149
150
151
152 If you want to allow httpd to access cifs file systems, you must turn
153 on the httpd_use_cifs boolean. Disabled by default.
154
155 setsebool -P httpd_use_cifs 1
156
157
158
159 If you want to allow httpd to access FUSE file systems, you must turn
160 on the httpd_use_fusefs boolean. Disabled by default.
161
162 setsebool -P httpd_use_fusefs 1
163
164
165
166 If you want to allow httpd to access nfs file systems, you must turn on
167 the httpd_use_nfs boolean. Disabled by default.
168
169 setsebool -P httpd_use_nfs 1
170
171
172
173 If you want to allow httpd to access openstack ports, you must turn on
174 the httpd_use_openstack boolean. Disabled by default.
175
176 setsebool -P httpd_use_openstack 1
177
178
179
180 If you want to allow confined applications to run with kerberos, you
181 must turn on the kerberos_enabled boolean. Enabled by default.
182
183 setsebool -P kerberos_enabled 1
184
185
186
187 If you want to allow system to run with NIS, you must turn on the
188 nis_enabled boolean. Disabled by default.
189
190 setsebool -P nis_enabled 1
191
192
193
194 If you want to allow confined applications to use nscd shared memory,
195 you must turn on the nscd_use_shm boolean. Disabled by default.
196
197 setsebool -P nscd_use_shm 1
198
199
200
202 The SELinux process type httpd_sys_script_t can manage files labeled
203 with the following file types. The paths listed are the default paths
204 for these file types. Note the processes UID still need to have DAC
205 permissions.
206
207 anon_inodefs_t
208
209
210 cifs_t
211
212
213 fusefs_t
214
215 /var/run/user/[^/]*/gvfs
216
217 httpd_sys_rw_content_t
218
219 /etc/rt(/.*)?
220 /etc/glpi(/.*)?
221 /etc/horde(/.*)?
222 /etc/drupal.*
223 /etc/z-push(/.*)?
224 /var/lib/svn(/.*)?
225 /var/www/svn(/.*)?
226 /etc/owncloud(/.*)?
227 /var/www/html(/.*)?/uploads(/.*)?
228 /var/www/html(/.*)?/wp-content(/.*)?
229 /var/www/html(/.*)?/wp_backups(/.*)?
230 /var/www/html(/.*)?/sites/default/files(/.*)?
231 /var/www/html(/.*)?/sites/default/settings.php
232 /etc/mock/koji(/.*)?
233 /etc/nextcloud(/.*)?
234 /var/lib/drupal.*
235 /etc/zabbix/web(/.*)?
236 /var/lib/moodle(/.*)?
237 /var/log/z-push(/.*)?
238 /var/spool/gosa(/.*)?
239 /etc/WebCalendar(/.*)?
240 /usr/share/joomla(/.*)?
241 /var/lib/dokuwiki(/.*)?
242 /var/lib/owncloud(/.*)?
243 /var/spool/viewvc(/.*)?
244 /var/lib/nextcloud(/.*)?
245 /var/lib/pootle/po(/.*)?
246 /var/lib/phpMyAdmin(/.*)?
247 /var/www/moodledata(/.*)?
248 /srv/gallery2/smarty(/.*)?
249 /var/www/moodle/data(/.*)?
250 /var/lib/graphite-web(/.*)?
251 /var/log/shibboleth-www(/.*)?
252 /var/www/gallery/albums(/.*)?
253 /var/www/html/owncloud/data(/.*)?
254 /var/www/html/nextcloud/data(/.*)?
255 /usr/share/wordpress-mu/wp-content(/.*)?
256 /usr/share/wordpress/wp-content/upgrade(/.*)?
257 /usr/share/wordpress/wp-content/uploads(/.*)?
258 /var/www/html/configuration.php
259
260 httpd_tmp_t
261
262 /var/run/user/apache(/.*)?
263 /var/www/openshift/console/tmp(/.*)?
264
265 httpdcontent
266
267
268 nfs_t
269
270
271 public_content_rw_t
272
273 /var/spool/abrt-upload(/.*)?
274
275
277 SELinux requires files to have an extended attribute to define the file
278 type.
279
280 You can see the context of a file using the -Z option to ls
281
282 Policy governs the access confined processes have to these files.
283 SELinux httpd_sys_script policy is very flexible allowing users to set‐
284 up their httpd_sys_script processes in as secure a method as possible.
285
286 The following file types are defined for httpd_sys_script:
287
288
289
290 httpd_sys_script_exec_t
291
292 - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
293 sition an executable to the httpd_sys_script_t domain.
294
295
296 Paths:
297 /opt/.*.cgi, /usr/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
298 /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
299 /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?,
300 /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*.php,
301 /usr/local/nagios/sbin(/.*)?, /usr/share/wordpress/wp-
302 includes/.*.php, /usr/share/wordpress-mu/wp-config.php
303
304
305 Note: File context can be temporarily modified with the chcon command.
306 If you want to permanently change the file context you need to use the
307 semanage fcontext command. This will modify the SELinux labeling data‐
308 base. You will need to use restorecon to apply the labels.
309
310
312 If you want to share files with multiple domains (Apache, FTP, rsync,
313 Samba), you can set a file context of public_content_t and public_con‐
314 tent_rw_t. These context allow any of the above domains to read the
315 content. If you want a particular domain to write to the public_con‐
316 tent_rw_t domain, you must set the appropriate boolean.
317
318 Allow httpd_sys_script servers to read the /var/httpd_sys_script direc‐
319 tory by adding the public_content_t file type to the directory and by
320 restoring the file type.
321
322 semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?"
323 restorecon -F -R -v /var/httpd_sys_script
324
325 Allow httpd_sys_script servers to read and write
326 /var/httpd_sys_script/incoming by adding the public_content_rw_t type
327 to the directory and by restoring the file type. You also need to turn
328 on the httpd_sys_script_anon_write boolean.
329
330 semanage fcontext -a -t public_content_rw_t
331 "/var/httpd_sys_script/incoming(/.*)?"
332 restorecon -F -R -v /var/httpd_sys_script/incoming
333 setsebool -P httpd_sys_script_anon_write 1
334
335
336 If you want to allow apache scripts to write to public content, direc‐
337 tories/files must be labeled public_rw_content_t., you must turn on the
338 httpd_sys_script_anon_write boolean.
339
340 setsebool -P httpd_sys_script_anon_write 1
341
342
344 semanage fcontext can also be used to manipulate default file context
345 mappings.
346
347 semanage permissive can also be used to manipulate whether or not a
348 process type is permissive.
349
350 semanage module can also be used to enable/disable/install/remove pol‐
351 icy modules.
352
353 semanage boolean can also be used to manipulate the booleans
354
355
356 system-config-selinux is a GUI tool available to customize SELinux pol‐
357 icy settings.
358
359
361 This manual page was auto-generated using sepolicy manpage .
362
363
365 selinux(8), httpd_sys_script(8), semanage(8), restorecon(8), chcon(1),
366 sepolicy(8), setsebool(8)
367
368
369
370httpd_sys_script 19-05-30 httpd_sys_script_selinux(8)