httpd_selinux(8)             SELinux Policy httpd             httpd_selinux(8)

NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd processes

DESCRIPTION
       Security-Enhanced Linux secures the httpd processes via flexible
       mandatory access control.

       The httpd processes execute with the httpd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_t

ENTRYPOINTS
       The httpd_t SELinux type can be entered via the httpd_exec_t file type.

       The default entrypoint paths for the httpd_t domain are the following:

       /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
       /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
       /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
       /usr/sbin/apachectl, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
       /usr/sbin/htcacheclean


PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       httpd policy is very flexible, allowing users to set up their httpd
       processes as securely as possible.

       The following process types are defined for httpd:

       httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t,
       httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t,
       httpd_passwd_t, httpd_unconfined_script_t

       Note: semanage permissive -a httpd_t can be used to make the process
       type httpd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS
       SELinux policy is customizable based on least access required. httpd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run httpd with the tightest access possible.

       If you want to allow httpd to use built-in scripting (usually php), you
       must turn on the httpd_builtin_scripting boolean. Enabled by default.

       setsebool -P httpd_builtin_scripting 1

       If you want to allow httpd to act as an FTP client connecting to the ftp
       port and ephemeral ports, you must turn on the httpd_can_connect_ftp
       boolean. Disabled by default.

       setsebool -P httpd_can_connect_ftp 1

       If you want to allow httpd to connect to the ldap port, you must turn
       on the httpd_can_connect_ldap boolean. Disabled by default.

       setsebool -P httpd_can_connect_ldap 1

       If you want to allow http daemon to connect to mythtv, you must turn on
       the httpd_can_connect_mythtv boolean. Disabled by default.

       setsebool -P httpd_can_connect_mythtv 1

       If you want to allow http daemon to connect to zabbix, you must turn on
       the httpd_can_connect_zabbix boolean. Disabled by default.

       setsebool -P httpd_can_connect_zabbix 1

       If you want to allow HTTPD scripts and modules to connect to the
       network using TCP, you must turn on the httpd_can_network_connect
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect 1

       If you want to allow HTTPD scripts and modules to connect to cobbler
       over the network, you must turn on the httpd_can_network_connect_cobbler
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_cobbler 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1

       If you want to allow httpd to connect to a memcache server, you must
       turn on the httpd_can_network_memcache boolean. Disabled by default.

       setsebool -P httpd_can_network_memcache 1

       If you want to allow httpd to act as a relay, you must turn on the
       httpd_can_network_relay boolean. Disabled by default.

       setsebool -P httpd_can_network_relay 1

       If you want to allow http daemon to send mail, you must turn on the
       httpd_can_sendmail boolean. Disabled by default.

       setsebool -P httpd_can_sendmail 1

       If you want to allow Apache to communicate with avahi service via dbus,
       you must turn on the httpd_dbus_avahi boolean. Disabled by default.

       setsebool -P httpd_dbus_avahi 1

       If you want to allow Apache to communicate with sssd service via dbus,
       you must turn on the httpd_dbus_sssd boolean. Disabled by default.

       setsebool -P httpd_dbus_sssd 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow httpd to act as an FTP server by listening on the
       ftp port, you must turn on the httpd_enable_ftp_server boolean.
       Disabled by default.

       setsebool -P httpd_enable_ftp_server 1

       If you want to allow httpd to read home directories, you must turn on
       the httpd_enable_homedirs boolean. Disabled by default.

       setsebool -P httpd_enable_homedirs 1

       If you want to allow httpd scripts and modules execmem/execstack, you
       must turn on the httpd_execmem boolean. Disabled by default.

       setsebool -P httpd_execmem 1

       If you want to allow HTTPD to connect to port 80 for graceful shutdown,
       you must turn on the httpd_graceful_shutdown boolean. Disabled by
       default.

       setsebool -P httpd_graceful_shutdown 1

       If you want to allow httpd processes to manage IPA content, you must
       turn on the httpd_manage_ipa boolean. Disabled by default.

       setsebool -P httpd_manage_ipa 1

       If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
       on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.

       setsebool -P httpd_mod_auth_ntlm_winbind 1

       If you want to allow Apache to use mod_auth_pam, you must turn on the
       httpd_mod_auth_pam boolean. Disabled by default.

       setsebool -P httpd_mod_auth_pam 1

       If you want to allow httpd to read user content, you must turn on the
       httpd_read_user_content boolean. Disabled by default.

       setsebool -P httpd_read_user_content 1

       If you want to allow httpd processes to run the IPA helper, you must
       turn on the httpd_run_ipa boolean. Disabled by default.

       setsebool -P httpd_run_ipa 1

       If you want to allow Apache to run preupgrade, you must turn on the
       httpd_run_preupgrade boolean. Enabled by default.

       setsebool -P httpd_run_preupgrade 1

       If you want to allow Apache to run in stickshift mode, not transition
       to passenger, you must turn on the httpd_run_stickshift boolean.
       Disabled by default.

       setsebool -P httpd_run_stickshift 1

       If you want to allow HTTPD scripts and modules to serve cobbler files,
       you must turn on the httpd_serve_cobbler_files boolean. Enabled by
       default.

       setsebool -P httpd_serve_cobbler_files 1

       If you want to allow the httpd daemon to change its resource limits,
       you must turn on the httpd_setrlimit boolean. Disabled by default.

       setsebool -P httpd_setrlimit 1

       If you want to allow HTTPD to run SSI executables in the same domain as
       system CGI scripts, you must turn on the httpd_ssi_exec boolean.
       Disabled by default.

       setsebool -P httpd_ssi_exec 1

       If you want to allow HTTPD to communicate with the terminal, which is
       needed for entering the passphrase for certificates at the terminal,
       you must turn on the httpd_tty_comm boolean. Disabled by default.

       setsebool -P httpd_tty_comm 1

       If you want to allow httpd to access cifs file systems, you must turn
       on the httpd_use_cifs boolean. Disabled by default.

       setsebool -P httpd_use_cifs 1

       If you want to allow httpd to access FUSE file systems, you must turn
       on the httpd_use_fusefs boolean. Disabled by default.

       setsebool -P httpd_use_fusefs 1

       If you want to allow httpd to access nfs file systems, you must turn on
       the httpd_use_nfs boolean. Disabled by default.

       setsebool -P httpd_use_nfs 1

       If you want to allow httpd to access openstack ports, you must turn on
       the httpd_use_openstack boolean. Disabled by default.

       setsebool -P httpd_use_openstack 1

       If you want to allow httpd to connect to sasl, you must turn on the
       httpd_use_sasl boolean. Disabled by default.

       setsebool -P httpd_use_sasl 1

       If you want to allow Apache to query NS records, you must turn on the
       httpd_verify_dns boolean. Disabled by default.

       setsebool -P httpd_verify_dns 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the Git system daemon to access cifs file systems,
       you must turn on the git_system_use_cifs boolean. Disabled by default.

       setsebool -P git_system_use_cifs 1

       If you want to allow the Git system daemon to access nfs file systems,
       you must turn on the git_system_use_nfs boolean. Disabled by default.

       setsebool -P git_system_use_nfs 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

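       Every boolean above widens what httpd_t may do, so an auditor's first
       question is which ones have drifted from the documented defaults. The
       following added example (not part of this man page) reads getsebool -a
       style lines and reports each httpd boolean whose state differs from the
       default listed in this section; the getsebool lines it runs on are
       constructed.

```shell
#!/bin/sh
# Added example, not part of the httpd_selinux(8) man page: report httpd
# booleans whose current state differs from the defaults documented in the
# BOOLEANS section. The defaults table is transcribed from that section;
# the sample getsebool output near the end is constructed for offline use.
set -u

# "name default" pairs, one per documented httpd boolean.
HTTPD_BOOLEAN_DEFAULTS='
httpd_builtin_scripting on
httpd_can_connect_ftp off
httpd_can_connect_ldap off
httpd_can_connect_mythtv off
httpd_can_connect_zabbix off
httpd_can_network_connect off
httpd_can_network_connect_cobbler off
httpd_can_network_connect_db off
httpd_can_network_memcache off
httpd_can_network_relay off
httpd_can_sendmail off
httpd_dbus_avahi off
httpd_dbus_sssd off
httpd_enable_cgi on
httpd_enable_ftp_server off
httpd_enable_homedirs off
httpd_execmem off
httpd_graceful_shutdown off
httpd_manage_ipa off
httpd_mod_auth_ntlm_winbind off
httpd_mod_auth_pam off
httpd_read_user_content off
httpd_run_ipa off
httpd_run_preupgrade on
httpd_run_stickshift off
httpd_serve_cobbler_files on
httpd_setrlimit off
httpd_ssi_exec off
httpd_tty_comm off
httpd_use_cifs off
httpd_use_fusefs off
httpd_use_nfs off
httpd_use_openstack off
httpd_use_sasl off
httpd_verify_dns off
'

# Read "getsebool -a" style lines ("name --> on|off") on stdin and print one
# line per documented httpd boolean whose state differs from its default:
#   <name> current=<state> default=<state>
# Names that are not in the table are ignored.
boolean_drift() {
    awk -v table="$HTTPD_BOOLEAN_DEFAULTS" '
        BEGIN {
            n = split(table, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") == 2) dflt[f[1]] = f[2]
        }
        $2 == "-->" && ($1 in dflt) && $3 != dflt[$1] {
            printf "%s current=%s default=%s\n", $1, $3, dflt[$1]
        }'
}

# Constructed sample: three booleans widened beyond their defaults, one
# narrowed (cgi disabled), the rest at default, plus an unrelated boolean.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_enable_cgi --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_use_nfs --> off
httpd_serve_cobbler_files --> on
unrelated_boolean --> on'

# Run the drift check over the constructed sample.
drift_from_sample() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
}

# Live use on an SELinux host: getsebool -a | boolean_drift
drift_from_sample
```

       A boolean listed as "current=on default=off" is not necessarily wrong,
       but each such line should map to a documented need, since every one of
       them relaxes the confinement this page describes.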

NSSWITCH DOMAIN
       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server for the httpd_t, you must turn on
       the authlogin_nsswitch_use_ldap boolean.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow confined applications to run with kerberos for the
       httpd_t, you must turn on the kerberos_enabled boolean.

       setsebool -P kerberos_enabled 1


PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes as securely as possible.

       The following port types are defined for httpd:

       http_cache_port_t

       Default Defined Ports:
                 tcp 8080,8118,8123,10001-10010
                 udp 3130

       http_port_t

       Default Defined Ports:
                 tcp 80,81,443,488,8008,8009,8443,9000

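       Before moving a web server to a non-default port it helps to know
       which type, if any, already covers it. As an added example (not from
       this man page), the following script looks up the port type for a
       protocol/port pair in semanage port -l style output, expanding ranges
       such as 10001-10010; the listing it parses is constructed from the
       "Default Defined Ports" above.

```shell
#!/bin/sh
# Added example, not part of the httpd_selinux(8) man page. Looks up which
# SELinux port type covers a protocol/port pair in "semanage port -l" style
# output, expanding ranges such as 10001-10010. The listing below is
# constructed from the "Default Defined Ports" on this page.

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Usage: port_type <tcp|udp> <port>   (listing on stdin)
# Prints the first type whose port set contains the port, or "unreserved"
# when no listed type claims it.
port_type() {
    awk -v proto="$1" -v want="$2" '
        $2 == proto {
            # fields 3..NF are comma-separated single ports or lo-hi ranges
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)
                if (split(item, r, "-") == 2) { lo = r[1]; hi = r[2] }
                else { lo = item; hi = item }
                if (want + 0 >= lo + 0 && want + 0 <= hi + 0) {
                    print $1
                    found = 1
                    exit
                }
            }
        }
        END { if (!found) print "unreserved" }'
}

# Run the lookup against the constructed listing.
sample_port_type() {
    printf '%s\n' "$SAMPLE_PORT_LIST" | port_type "$1" "$2"
}

# Live use on an SELinux host: semanage port -l | port_type tcp 8081
for q in "tcp 80" "tcp 8443" "tcp 10005" "udp 3130" "tcp 8081"; do
    set -- $q
    printf '%s/%s -> %s\n' "$1" "$2" "$(sample_port_type "$1" "$2")"
done
```

       A port that comes back "unreserved" can be added to a type with
       semanage port -a -t http_port_t -p tcp <port> (see semanage-port(8)),
       which is narrower than enabling httpd_can_network_connect.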

MANAGED FILES
       The SELinux process type httpd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       abrt_retrace_spool_t

            /var/spool/faf(/.*)?
            /var/spool/abrt-retrace(/.*)?
            /var/spool/retrace-server(/.*)?

       anon_inodefs_t

       apcupsd_cgi_rw_content_t

       awstats_rw_content_t

       bugzilla_rw_content_t

            /var/lib/bugzilla(/.*)?

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cobbler_var_lib_t

            /var/lib/cobbler(/.*)?
            /var/www/cobbler(/.*)?
            /var/cache/cobbler(/.*)?
            /var/lib/tftpboot/etc(/.*)?
            /var/lib/tftpboot/ppc(/.*)?
            /var/lib/tftpboot/boot(/.*)?
            /var/lib/tftpboot/grub(/.*)?
            /var/lib/tftpboot/s390x(/.*)?
            /var/lib/tftpboot/images(/.*)?
            /var/lib/tftpboot/aarch64(/.*)?
            /var/lib/tftpboot/images2(/.*)?
            /var/lib/tftpboot/pxelinux.cfg(/.*)?
            /var/lib/tftpboot/yaboot
            /var/lib/tftpboot/memdisk
            /var/lib/tftpboot/menu.c32
            /var/lib/tftpboot/pxelinux.0

       collectd_rw_content_t

       cvs_rw_content_t

       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       dirsrvadmin_config_t

            /etc/dirsrv/dsgw(/.*)?
            /etc/dirsrv/admin-serv(/.*)?

       dirsrvadmin_rw_content_t

       dirsrvadmin_tmp_t

       dspam_rw_content_t

            /var/lib/dspam/data(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       git_rw_content_t

            /var/cache/cgit(/.*)?
            /var/cache/gitweb-caching(/.*)?

       httpd_cache_t

            /var/cache/rt(3|4)(/.*)?
            /var/cache/ssl.*.sem
            /var/cache/mod_.*
            /var/cache/php-.*
            /var/cache/httpd(/.*)?
            /var/cache/mason(/.*)?
            /var/cache/mod_ssl(/.*)?
            /var/cache/lighttpd(/.*)?
            /var/cache/mediawiki(/.*)?
            /var/cache/mod_proxy(/.*)?
            /var/cache/mod_gnutls(/.*)?
            /var/cache/php-mmcache(/.*)?
            /var/cache/php-eaccelerator(/.*)?

       httpd_lock_t

       httpd_squirrelmail_t

            /var/lib/squirrelmail/prefs(/.*)?

       httpd_sys_rw_content_t

            /etc/rt(/.*)?
            /etc/glpi(/.*)?
            /etc/horde(/.*)?
            /etc/drupal.*
            /etc/z-push(/.*)?
            /var/lib/svn(/.*)?
            /var/www/svn(/.*)?
            /etc/owncloud(/.*)?
            /var/www/html(/.*)?/uploads(/.*)?
            /var/www/html(/.*)?/wp-content(/.*)?
            /var/www/html(/.*)?/wp_backups(/.*)?
            /var/www/html(/.*)?/sites/default/files(/.*)?
            /var/www/html(/.*)?/sites/default/settings.php
            /etc/mock/koji(/.*)?
            /etc/nextcloud(/.*)?
            /var/lib/drupal.*
            /etc/zabbix/web(/.*)?
            /var/lib/moodle(/.*)?
            /var/log/z-push(/.*)?
            /var/spool/gosa(/.*)?
            /etc/WebCalendar(/.*)?
            /usr/share/joomla(/.*)?
            /var/lib/dokuwiki(/.*)?
            /var/lib/owncloud(/.*)?
            /var/spool/viewvc(/.*)?
            /var/lib/nextcloud(/.*)?
            /var/lib/pootle/po(/.*)?
            /var/lib/phpMyAdmin(/.*)?
            /var/www/moodledata(/.*)?
            /srv/gallery2/smarty(/.*)?
            /var/www/moodle/data(/.*)?
            /var/lib/graphite-web(/.*)?
            /var/log/shibboleth-www(/.*)?
            /var/www/gallery/albums(/.*)?
            /var/www/html/owncloud/data(/.*)?
            /var/www/html/nextcloud/data(/.*)?
            /usr/share/wordpress-mu/wp-content(/.*)?
            /usr/share/wordpress/wp-content/upgrade(/.*)?
            /usr/share/wordpress/wp-content/uploads(/.*)?
            /var/www/html/configuration.php

       httpd_tmp_t

            /var/run/user/apache(/.*)?
            /var/www/openshift/console/tmp(/.*)?

       httpd_tmpfs_t

       httpd_user_rw_content_t

       httpd_var_lib_t

            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
            /var/lib/dav(/.*)?
            /var/lib/php(/.*)?
            /var/lib/glpi(/.*)?
            /var/lib/httpd(/.*)?
            /var/lib/nginx(/.*)?
            /var/lib/z-push(/.*)?
            /var/lib/ganglia(/.*)?
            /var/lib/ipsilon(/.*)?
            /var/lib/cherokee(/.*)?
            /var/lib/lighttpd(/.*)?
            /var/lib/mod_security(/.*)?
            /var/lib/roundcubemail(/.*)?
            /var/opt/rh/rh-nginx18/lib/nginx(/.*)?

       httpd_var_run_t

            /var/run/wsgi.*
            /var/run/mod_.*
            /var/run/httpd.*
            /var/run/nginx.*
            /var/run/apache.*
            /var/run/php-fpm(/.*)?
            /var/run/fcgiwrap(/.*)?
            /var/run/lighttpd(/.*)?
            /var/lib/php/session(/.*)?
            /var/lib/php/wsdlcache(/.*)?
            /var/run/dirsrv/admin-serv.*
            /var/opt/rh/rh-nginx18/run/nginx(/.*)?
            /var/www/openshift/broker/httpd/run(/.*)?
            /var/www/openshift/console/httpd/run(/.*)?
            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
            /var/run/thttpd.pid
            /var/run/gcache_port
            /var/run/cherokee.pid

       httpdcontent

       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       ipa_cert_t

            /etc/httpd/alias/ipasession.key

       ipa_var_run_t

            /var/run/ipa(/.*)?

       jetty_cache_t

            /var/cache/jetty(/.*)?

       jetty_log_t

            /var/log/jetty(/.*)?

       jetty_tmp_t

       jetty_unit_file_t

            /usr/lib/systemd/system/jetty.service

       jetty_var_lib_t

            /var/lib/jetty(/.*)?

       jetty_var_run_t

            /var/run/jetty(/.*)?

       keystone_cgi_rw_content_t

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       man2html_rw_content_t

            /var/cache/man2html(/.*)?

       mediawiki_rw_content_t

            /var/www/wiki[0-9]?(/.*)?

       memcached_var_run_t

            /var/run/memcached(/.*)?
            /var/run/ipa_memcached(/.*)?

       mirrormanager_var_run_t

            /var/run/mirrormanager(/.*)?

       mojomojo_rw_content_t

            /var/lib/mojomojo(/.*)?

       munin_rw_content_t

       mythtv_rw_content_t

       nagios_rw_content_t

       nfs_t

       nutups_cgi_rw_content_t

       openshift_rw_content_t

       passenger_tmp_t

       passenger_var_lib_t

            /var/lib/passenger(/.*)?

       passenger_var_run_t

            /var/run/passenger(/.*)?

       pki_apache_config

       pki_apache_var_lib

       pki_apache_var_log

       postfix_spool_t

            /var/spool/postfix.*
            /var/spool/postfix/defer(/.*)?
            /var/spool/postfix/flush(/.*)?
            /var/spool/postfix/deferred(/.*)?
            /var/spool/postfix/maildrop(/.*)?

       preupgrade_data_t

            /var/lib/preupgrade(/.*)?
            /var/log/preupgrade(/.*)?

       prewikka_rw_content_t

       public_content_rw_t

            /var/spool/abrt-upload(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       smokeping_cgi_rw_content_t

       squid_rw_content_t

       squirrelmail_spool_t

            /var/spool/squirrelmail(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       w3c_validator_rw_content_t

       webalizer_rw_content_t

            /var/www/usage(/.*)?

       zarafa_var_lib_t

            /var/lib/zarafa(/.*)?
            /var/lib/zarafa-webapp(/.*)?
            /var/lib/zarafa-webaccess(/.*)?

       zoneminder_rw_content_t

       zoneminder_var_lib_t

            /var/lib/zoneminder(/.*)?


FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes as securely as possible.

       EQUIVALENCE DIRECTORIES

       httpd policy stores data with multiple different file context types
       under the /var/lib/php directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/lib/php /srv/php
       restorecon -R -v /srv/php

       httpd policy stores data with multiple different file context types
       under the /var/www directory. If you would like to store the data in a
       different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/www /srv/www
       restorecon -R -v /srv/www

       STANDARD FILE CONTEXT

       SELinux defines the file context types for httpd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t httpd_var_run_t '/srv/myhttpd_content(/.*)?'
       restorecon -R -v /srv/myhttpd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

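       An equivalence mapping and a regex file context rule combine when a
       path is labeled: the alias prefix is rewritten first, then the rules
       are matched. The following added example (not the man page's own
       code) predicts the label a path would receive from a small rule table
       transcribed from this page, assuming the simplified order in which the
       last matching specification wins; it is a way to check that only the
       intended directories end up httpd_sys_rw_content_t, not a replacement
       for matchpathcon(8).

```shell
#!/bin/sh
# Added example, not part of the httpd_selinux(8) man page. It predicts the
# label restorecon would give a path from a small file-context table, after
# applying a semanage equivalence mapping, using the simplified rule that
# the last matching specification wins. Real libselinux applies further
# ordering (longer stems and literal entries first), so use this to sanity
# check a rule set, not as a replacement for matchpathcon(8).

# Equivalence from the EQUIVALENCE DIRECTORIES section above
# ("semanage fcontext -a -e /var/www /srv/www"). Format: "<alias> <target>".
EQUIVALENCES='/srv/www /var/www'

# Rules ("<regex> <type>") transcribed from the httpd_sys_content_t,
# httpd_log_t and httpd_sys_rw_content_t paths on this page, with the page's
# STANDARD FILE CONTEXT example appended last, as a local rule would be.
FILE_CONTEXTS='/var/www(/.*)? httpd_sys_content_t
/var/www(/.*)?/logs(/.*)? httpd_log_t
/var/www/html(/.*)?/uploads(/.*)? httpd_sys_rw_content_t
/var/www/html(/.*)?/wp-content(/.*)? httpd_sys_rw_content_t
/var/www/html(/.*)?/sites/default/settings.php httpd_sys_rw_content_t
/srv/myhttpd_content(/.*)? httpd_var_run_t'

# Rewrite an aliased prefix to its equivalence target before matching.
# Only whole path components are substituted: /srv/wwwroot is left alone.
apply_equivalence() {
    eq_path=$1
    while read -r eq_alias eq_target; do
        [ -n "$eq_alias" ] || continue
        case $eq_path in
            "$eq_alias"|"$eq_alias"/*)
                eq_path="$eq_target${eq_path#"$eq_alias"}" ;;
        esac
    done <<EOF
$EQUIVALENCES
EOF
    printf '%s\n' "$eq_path"
}

# Print the type of the last rule whose regex matches the whole path
# (anchored, as file_contexts regexes are), or "<<none>>" if none matches.
predict_label() {
    fc_path=$(apply_equivalence "$1")
    fc_label='<<none>>'
    while read -r fc_regex fc_type; do
        [ -n "$fc_regex" ] || continue
        if printf '%s\n' "$fc_path" | grep -Eqx -- "$fc_regex"; then
            fc_label=$fc_type
        fi
    done <<EOF
$FILE_CONTEXTS
EOF
    printf '%s\n' "$fc_label"
}

# Constructed paths: plain content, an upload directory, an aliased
# WordPress tree, a per-site log directory, a near-miss prefix and the
# page's own /srv/myhttpd_content example.
for sample in /var/www/html/index.html \
              /var/www/html/uploads/a.png \
              /srv/www/html/wp-content/plugins/x.php \
              /var/www/site/logs/access.log \
              /var/wwwroot \
              /srv/myhttpd_content/cache; do
    printf '%-44s %s\n' "$sample" "$(predict_label "$sample")"
done
```

       Running ls -Z over the same paths on a labeled host and comparing with
       the predictions shows where restorecon has not been run or where a
       local rule shadows one of the defaults.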
       The following file types are defined for httpd:

       httpd_cache_t

       - Set files with the httpd_cache_t type, if you want to store the files
       under the /var/cache directory.

       Paths:
            /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
            /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
            /var/cache/mod_ssl(/.*)?, /var/cache/lighttpd(/.*)?,
            /var/cache/mediawiki(/.*)?, /var/cache/mod_proxy(/.*)?,
            /var/cache/mod_gnutls(/.*)?, /var/cache/php-mmcache(/.*)?,
            /var/cache/php-eaccelerator(/.*)?

       httpd_config_t

       - Set files with the httpd_config_t type, if you want to treat the
       files as httpd configuration data, usually stored under the /etc
       directory.

       Paths:
            /etc/httpd(/.*)?, /etc/nginx(/.*)?, /etc/apache(2)?(/.*)?,
            /etc/cherokee(/.*)?, /etc/lighttpd(/.*)?, /etc/apache-ssl(2)?(/.*)?,
            /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-nginx18/nginx(/.*)?,
            /var/lib/stickshift/.httpd.d(/.*)?, /etc/vhosts, /etc/thttpd.conf

       httpd_exec_t

       - Set files with the httpd_exec_t type, if you want to transition an
       executable to the httpd_t domain.

       Paths:
            /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?,
            /usr/lib/apache-ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx,
            /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
            /usr/sbin/lighttpd, /usr/sbin/apachectl, /usr/sbin/httpd.event,
            /usr/bin/mongrel_rails, /usr/sbin/htcacheclean

       httpd_helper_exec_t

       - Set files with the httpd_helper_exec_t type, if you want to
       transition an executable to the httpd_helper_t domain.

       httpd_initrc_exec_t

       - Set files with the httpd_initrc_exec_t type, if you want to
       transition an executable to the httpd_initrc_t domain.

       Paths:
            /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
            /etc/rc.d/init.d/lighttpd

       httpd_keytab_t

       - Set files with the httpd_keytab_t type, if you want to treat the
       files as kerberos keytab files.

       httpd_lock_t

       - Set files with the httpd_lock_t type, if you want to treat the files
       as httpd lock data, stored under the /var/lock directory.

       httpd_log_t

       - Set files with the httpd_log_t type, if you want to treat the data as
       httpd log data, usually stored under the /var/log directory.

       Paths:
            /srv/([^/]*/)?www/logs(/.*)?, /var/www(/.*)?/logs(/.*)?,
            /var/log/glpi(/.*)?, /var/log/cacti(/.*)?, /var/log/httpd(/.*)?,
            /var/log/nginx(/.*)?, /var/log/apache(2)?(/.*)?,
            /var/log/horizon(/.*)?, /var/log/php-fpm(/.*)?,
            /var/log/cherokee(/.*)?, /var/log/lighttpd(/.*)?,
            /var/log/suphp.log.*, /var/log/thttpd.log.*,
            /var/log/apache-ssl(2)?(/.*)?, /var/log/cgiwrap.log.*,
            /var/www/stickshift/[^/]*/log(/.*)?, /var/log/graphite-web(/.*)?,
            /var/www/miq/vmdb/log(/.*)?, /var/log/roundcubemail(/.*)?,
            /var/log/php_errors.log.*, /var/log/dirsrv/admin-serv(/.*)?,
            /var/opt/rh/rh-nginx18/log(/.*)?, /var/lib/openshift/.log/httpd(/.*)?,
            /var/www/openshift/console/log(/.*)?,
            /var/www/openshift/broker/httpd/logs(/.*)?,
            /var/www/openshift/console/httpd/logs(/.*)?, /etc/httpd/logs

       httpd_modules_t

       - Set files with the httpd_modules_t type, if you want to treat the
       files as httpd modules.

       Paths:
            /usr/lib/httpd(/.*)?, /usr/lib/apache(/.*)?, /usr/lib/cherokee(/.*)?,
            /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/modules(/.*)?,
            /etc/httpd/modules

       httpd_passwd_exec_t

       - Set files with the httpd_passwd_exec_t type, if you want to
       transition an executable to the httpd_passwd_t domain.

       httpd_php_exec_t

       - Set files with the httpd_php_exec_t type, if you want to transition
       an executable to the httpd_php_t domain.

       httpd_php_tmp_t

       - Set files with the httpd_php_tmp_t type, if you want to store httpd
       php temporary files in the /tmp directories.

       httpd_rotatelogs_exec_t

       - Set files with the httpd_rotatelogs_exec_t type, if you want to
       transition an executable to the httpd_rotatelogs_t domain.

       httpd_squirrelmail_t

       - Set files with the httpd_squirrelmail_t type, if you want to treat
       the files as httpd squirrelmail data.

       httpd_suexec_exec_t

       - Set files with the httpd_suexec_exec_t type, if you want to
       transition an executable to the httpd_suexec_t domain.

       Paths:
            /usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?,
            /usr/sbin/suexec

       httpd_suexec_tmp_t

       - Set files with the httpd_suexec_tmp_t type, if you want to store
       httpd suexec temporary files in the /tmp directories.

       httpd_sys_content_t

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content.

       Paths:
            /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
            /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
            /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/htdig(/.*)?,
            /usr/share/drupal.*, /usr/share/z-push(/.*)?,
            /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?,
            /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?,
            /usr/share/nginx/html(/.*)?, /usr/share/doc/ghc/html(/.*)?,
            /usr/share/openca/htdocs(/.*)?,
            /usr/share/selinux-policy[^/]*/html(/.*)?

       httpd_sys_htaccess_t

       - Set files with the httpd_sys_htaccess_t type, if you want to treat
       the file as a httpd sys access file.

       httpd_sys_ra_content_t

       - Set files with the httpd_sys_ra_content_t type, if you want to treat
       the files as httpd sys read/append content.

       httpd_sys_rw_content_t

       - Set files with the httpd_sys_rw_content_t type, if you want to treat
       the files as httpd sys read/write content.

       Paths:
            /etc/rt(/.*)?, /etc/glpi(/.*)?, /etc/horde(/.*)?, /etc/drupal.*,
            /etc/z-push(/.*)?, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
            /etc/owncloud(/.*)?, /var/www/html(/.*)?/uploads(/.*)?,
            /var/www/html(/.*)?/wp-content(/.*)?,
            /var/www/html(/.*)?/wp_backups(/.*)?,
            /var/www/html(/.*)?/sites/default/files(/.*)?,
            /var/www/html(/.*)?/sites/default/settings.php,
            /etc/mock/koji(/.*)?, /etc/nextcloud(/.*)?, /var/lib/drupal.*,
            /etc/zabbix/web(/.*)?, /var/lib/moodle(/.*)?, /var/log/z-push(/.*)?,
            /var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?,
            /usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?,
            /var/lib/owncloud(/.*)?, /var/spool/viewvc(/.*)?,
            /var/lib/nextcloud(/.*)?, /var/lib/pootle/po(/.*)?,
            /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
1079
1080       - Set files with the httpd_sys_rw_content_t type, if you want to  treat
1081       the files as httpd sys read/write content.
1082
1083
1084       Paths:
1085            /etc/rt(/.*)?,  /etc/glpi(/.*)?,  /etc/horde(/.*)?, /etc/drupal.*,
1086            /etc/z-push(/.*)?,     /var/lib/svn(/.*)?,     /var/www/svn(/.*)?,
1087            /etc/owncloud(/.*)?,            /var/www/html(/.*)?/uploads(/.*)?,
1088            /var/www/html(/.*)?/wp-content(/.*)?, /var/www/html(/.*)?/wp_back‐
1089            ups(/.*)?,          /var/www/html(/.*)?/sites/default/files(/.*)?,
1090            /var/www/html(/.*)?/sites/default/settings.php,
1091            /etc/mock/koji(/.*)?,   /etc/nextcloud(/.*)?,   /var/lib/drupal.*,
1092            /etc/zabbix/web(/.*)?,     /var/lib/moodle(/.*)?,      /var/log/z-
1093            push(/.*)?,     /var/spool/gosa(/.*)?,     /etc/WebCalendar(/.*)?,
1094            /usr/share/joomla(/.*)?,  /var/lib/dokuwiki(/.*)?,   /var/lib/own‐
1095            cloud(/.*)?,   /var/spool/viewvc(/.*)?,  /var/lib/nextcloud(/.*)?,
1096            /var/lib/pootle/po(/.*)?, /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
1097            dledata(/.*)?,      /srv/gallery2/smarty(/.*)?,      /var/www/moo‐
1098            dle/data(/.*)?, /var/lib/graphite-web(/.*)?,  /var/log/shibboleth-
1099            www(/.*)?,    /var/www/gallery/albums(/.*)?,    /var/www/html/own‐
1100            cloud/data(/.*)?,              /var/www/html/nextcloud/data(/.*)?,
1101            /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-
1102            content/upgrade(/.*)?,                /usr/share/wordpress/wp-con‐
1103            tent/uploads(/.*)?, /var/www/html/configuration.php
1104
1105
       httpd_sys_script_exec_t

       - Set files with the httpd_sys_script_exec_t type, if you want to
       transition an executable to the httpd_sys_script_t domain.


       Paths:
            /opt/.*.cgi, /usr/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
            /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
            /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?,
            /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*.php,
            /usr/local/nagios/sbin(/.*)?, /usr/share/wordpress/wp-includes/.*.php,
            /usr/share/wordpress-mu/wp-config.php


       httpd_tmp_t

       - Set files with the httpd_tmp_t type, if you want to store httpd
       temporary files in the /tmp directories.


       Paths:
            /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?


       httpd_tmpfs_t

       - Set files with the httpd_tmpfs_t type, if you want to store httpd
       files on a tmpfs file system.



       httpd_unconfined_script_exec_t

       - Set files with the httpd_unconfined_script_exec_t type, if you want
       to transition an executable to the httpd_unconfined_script_t domain.



       httpd_unit_file_t

       - Set files with the httpd_unit_file_t type, if you want to treat the
       files as httpd unit content.


       Paths:
            /usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/nginx.*,
            /usr/lib/systemd/system/thttpd.*, /usr/lib/systemd/system/php-fpm.*


       httpd_user_content_t

       - Set files with the httpd_user_content_t type, if you want to treat
       the files as httpd user content.



       httpd_user_htaccess_t

       - Set files with the httpd_user_htaccess_t type, if you want to treat
       the file as an httpd user access file.



       httpd_user_ra_content_t

       - Set files with the httpd_user_ra_content_t type, if you want to treat
       the files as httpd user read/append content.



       httpd_user_rw_content_t

       - Set files with the httpd_user_rw_content_t type, if you want to treat
       the files as httpd user read/write content.



       httpd_user_script_exec_t

       - Set files with the httpd_user_script_exec_t type, if you want to
       transition an executable to the httpd_user_script_t domain.



       httpd_var_lib_t

       - Set files with the httpd_var_lib_t type, if you want to store the
       httpd files under the /var/lib directory.


       Paths:
            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?,
            /var/lib/php(/.*)?, /var/lib/glpi(/.*)?, /var/lib/httpd(/.*)?,
            /var/lib/nginx(/.*)?, /var/lib/z-push(/.*)?, /var/lib/ganglia(/.*)?,
            /var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?,
            /var/lib/lighttpd(/.*)?, /var/lib/mod_security(/.*)?,
            /var/lib/roundcubemail(/.*)?, /var/opt/rh/rh-nginx18/lib/nginx(/.*)?


       httpd_var_run_t

       - Set files with the httpd_var_run_t type, if you want to store the
       httpd files under the /run or /var/run directory.


       Paths:
            /var/run/wsgi.*, /var/run/mod_.*, /var/run/httpd.*,
            /var/run/nginx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?,
            /var/run/fcgiwrap(/.*)?, /var/run/lighttpd(/.*)?,
            /var/lib/php/session(/.*)?, /var/lib/php/wsdlcache(/.*)?,
            /var/run/dirsrv/admin-serv.*, /var/opt/rh/rh-nginx18/run/nginx(/.*)?,
            /var/www/openshift/broker/httpd/run(/.*)?,
            /var/www/openshift/console/httpd/run(/.*)?,
            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
            /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command.  This will modify the SELinux labeling
       database.  You will need to use restorecon to apply the labels.



SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t or
       public_content_rw_t.  These contexts allow any of the above domains to
       read the content.  If you want a particular domain to write to files
       labeled public_content_rw_t, you must also set the appropriate boolean
       for that domain.

       Allow httpd servers to read the /var/httpd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
       restorecon -F -R -v /var/httpd

       Allow httpd servers to read and write /var/httpd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type.  You also need to turn on the httpd_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
       restorecon -F -R -v /var/httpd/incoming
       setsebool -P httpd_anon_write 1


       If you want to allow Apache to modify public files used for public file
       transfer services, the directories and files must be labeled
       public_content_rw_t and you must turn on the httpd_anon_write boolean.

       setsebool -P httpd_anon_write 1


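       The following resolver is an illustration added for this page, not
       sepolicy or libselinux code.  It models how the "Paths:" regexes above
       and the local rules recorded by semanage fcontext in the SHARING FILES
       section decide a file's expected type, why a label set with chcon is
       reset by restorecon, and which paths end up writable by httpd.  It
       assumes a constructed subset of the page's specs, last-match-wins
       ordering with local rules after the defaults (libselinux behaviour),
       and observed labels supplied by the caller rather than read from disk.

```python
import re

# Constructed subset of the default "Paths:" specs listed on this page, in
# file_contexts order (the full policy has many more entries).
DEFAULT_SPECS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/var/www/html(/.*)?/uploads(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/www/html(/.*)?/wp-content(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/run/httpd.*", "httpd_var_run_t"),
]
# Local rules from the SHARING FILES section, as `semanage fcontext -a`
# records them; they come after the defaults and therefore override them.
LOCAL_SPECS = [
    (r"/var/httpd(/.*)?", "public_content_t"),
    (r"/var/httpd/incoming(/.*)?", "public_content_rw_t"),
]
# Types on this page that let httpd (or anonymous clients) modify content.
WRITABLE_TYPES = {"httpd_sys_rw_content_t", "httpd_user_rw_content_t",
                  "public_content_rw_t"}

def compile_specs(specs):
    # file_contexts regexes match the whole path, so anchor both ends.
    return [(re.compile("^" + rx + "$"), t) for rx, t in specs]

def expected_type(path, specs=None):
    """Type the labeling database assigns to path, or None if no spec
    matches.  Assumption: the last matching spec wins (libselinux order)."""
    if specs is None:
        specs = DEFAULT_SPECS + LOCAL_SPECS
    for rx, t in reversed(compile_specs(specs)):
        if rx.match(path):
            return t
    return None

def audit(observed):
    """observed: {path: current type} as read from `ls -Z`.  Returns
    (path, observed, expected) where the on-disk label differs from policy."""
    mismatches = []
    for path, current in observed.items():
        expected = expected_type(path)
        if expected is not None and expected != current:
            mismatches.append((path, current, expected))
    return mismatches

def writable_by_httpd(paths):
    """Paths whose expected type lets httpd write; review these when
    hardening a web root."""
    return sorted(p for p in paths if expected_type(p) in WRITABLE_TYPES)
```

       A mismatch reported by audit() is exactly what restorecon -F -R -v
       would relabel; a chcon change survives only until then.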

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove policy
       modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), httpd_helper_selinux(8), httpd_passwd_selinux(8),
       httpd_php_selinux(8), httpd_rotatelogs_selinux(8),
       httpd_suexec_selinux(8), httpd_sys_script_selinux(8),
       httpd_unconfined_script_selinux(8), httpd_user_script_selinux(8)



httpd                              19-06-18                   httpd_selinux(8)