httpd_selinux(8)             SELinux Policy httpd             httpd_selinux(8)


NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd processes


DESCRIPTION

       Security-Enhanced Linux confines the httpd processes via flexible
       mandatory access control.

       The httpd processes execute with the httpd_t SELinux type. You can
       check whether these processes are running, and in which domain, by
       executing the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_t


ENTRYPOINTS

       The httpd_t SELinux type can be entered via the httpd_exec_t file type.

       The default entrypoint paths for the httpd_t domain are the following:

       /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
       /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
       /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
       /usr/sbin/apachectl, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
       /usr/sbin/htcacheclean

       A web server binary installed anywhere else (for example a build under
       /opt) is not labeled httpd_exec_t, so no transition to httpd_t takes
       place and none of the policy described below applies to it. Label such
       a binary httpd_exec_t with semanage fcontext and restorecon, as shown
       under FILE CONTEXTS.


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. The SELinux
       httpd policy is very flexible, allowing users to set up their httpd
       processes as securely as possible.

       The following process types are defined for httpd:

       httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t,
       httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t,
       httpd_passwd_t, httpd_unconfined_script_t

       Note: semanage permissive -a httpd_t can be used to make the process
       type httpd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated, which makes this useful for collecting the full set of
       denials before deciding on a fix. semanage permissive -d httpd_t
       returns the domain to enforcing.


BOOLEANS

       SELinux policy is customizable based on the least access required. The
       httpd policy is extremely flexible and has several booleans that allow
       you to tune the policy and run httpd with the tightest access possible.
       List the current values with getsebool -a | grep httpd. The -P flag in
       the commands below writes the change to the policy store so that it
       survives a reboot; passing 0 instead of 1 turns a boolean off again.

       If you want to allow httpd to use built-in scripting (usually php), you
       must turn on the httpd_builtin_scripting boolean. Enabled by default.

       setsebool -P httpd_builtin_scripting 1

       If you want to allow httpd to act as an FTP client connecting to the ftp
       port and ephemeral ports, you must turn on the httpd_can_connect_ftp
       boolean. Disabled by default.

       setsebool -P httpd_can_connect_ftp 1

       If you want to allow httpd to connect to the ldap port, you must turn on
       the httpd_can_connect_ldap boolean. Disabled by default.

       setsebool -P httpd_can_connect_ldap 1

       If you want to allow the http daemon to connect to mythtv, you must turn
       on the httpd_can_connect_mythtv boolean. Disabled by default.

       setsebool -P httpd_can_connect_mythtv 1

       If you want to allow the http daemon to connect to zabbix, you must turn
       on the httpd_can_connect_zabbix boolean. Disabled by default.

       setsebool -P httpd_can_connect_zabbix 1

       If you want to allow HTTPD scripts and modules to connect to the network
       using TCP, you must turn on the httpd_can_network_connect boolean.
       Disabled by default. This permits outbound TCP to any port; if only a
       database, memcache or proxied web backend is needed, prefer the
       narrower httpd_can_network_connect_db, httpd_can_network_memcache or
       httpd_can_network_relay booleans below.

       setsebool -P httpd_can_network_connect 1

       If you want to allow HTTPD scripts and modules to connect to cobbler
       over the network, you must turn on the httpd_can_network_connect_cobbler
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_cobbler 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1

       If you want to allow httpd to connect to a memcache server, you must
       turn on the httpd_can_network_memcache boolean. Disabled by default.

       setsebool -P httpd_can_network_memcache 1

       If you want to allow httpd to act as a relay (for example as a reverse
       proxy in front of another web server), you must turn on the
       httpd_can_network_relay boolean. Disabled by default.

       setsebool -P httpd_can_network_relay 1

       If you want to allow the http daemon to send mail, you must turn on the
       httpd_can_sendmail boolean. Disabled by default.

       setsebool -P httpd_can_sendmail 1

       If you want to allow Apache to communicate with the avahi service via
       dbus, you must turn on the httpd_dbus_avahi boolean. Enabled by
       default.

       setsebool -P httpd_dbus_avahi 1

       If you want to allow Apache to communicate with the sssd service via
       dbus, you must turn on the httpd_dbus_sssd boolean. Disabled by
       default.

       setsebool -P httpd_dbus_sssd 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow httpd to act as an FTP server by listening on the
       ftp port, you must turn on the httpd_enable_ftp_server boolean.
       Disabled by default.

       setsebool -P httpd_enable_ftp_server 1

       If you want to allow httpd to read home directories, you must turn on
       the httpd_enable_homedirs boolean. Disabled by default.

       setsebool -P httpd_enable_homedirs 1

       If you want to allow httpd scripts and modules to use execmem/execstack
       (memory that is both writable and executable), you must turn on the
       httpd_execmem boolean. Disabled by default.

       setsebool -P httpd_execmem 1

       If you want to allow HTTPD to connect to port 80 for graceful shutdown,
       you must turn on the httpd_graceful_shutdown boolean. Disabled by
       default.

       setsebool -P httpd_graceful_shutdown 1

       If you want to allow httpd processes to manage IPA content, you must
       turn on the httpd_manage_ipa boolean. Disabled by default.

       setsebool -P httpd_manage_ipa 1

       If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
       on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.

       setsebool -P httpd_mod_auth_ntlm_winbind 1

       If you want to allow Apache to use mod_auth_pam, you must turn on the
       httpd_mod_auth_pam boolean. Disabled by default.

       setsebool -P httpd_mod_auth_pam 1

       If you want to allow httpd to read user content, you must turn on the
       httpd_read_user_content boolean. Disabled by default.

       setsebool -P httpd_read_user_content 1

       If you want to allow httpd processes to run the IPA helper, you must
       turn on the httpd_run_ipa boolean. Disabled by default.

       setsebool -P httpd_run_ipa 1

       If you want to allow Apache to run preupgrade, you must turn on the
       httpd_run_preupgrade boolean. Disabled by default.

       setsebool -P httpd_run_preupgrade 1

       If you want to allow Apache to run in stickshift mode, not transition
       to passenger, you must turn on the httpd_run_stickshift boolean.
       Disabled by default.

       setsebool -P httpd_run_stickshift 1

       If you want to allow HTTPD scripts and modules to serve cobbler files,
       you must turn on the httpd_serve_cobbler_files boolean. Disabled by
       default.

       setsebool -P httpd_serve_cobbler_files 1

       If you want to allow the httpd daemon to change its resource limits,
       you must turn on the httpd_setrlimit boolean. Disabled by default.

       setsebool -P httpd_setrlimit 1

       If you want to allow HTTPD to run SSI executables in the same domain as
       system CGI scripts, you must turn on the httpd_ssi_exec boolean.
       Disabled by default.

       setsebool -P httpd_ssi_exec 1

       If you want to allow HTTPD to communicate with the terminal, which is
       needed for entering the passphrase for certificates at the terminal,
       you must turn on the httpd_tty_comm boolean. Disabled by default.

       setsebool -P httpd_tty_comm 1

       If you want to allow httpd to access cifs file systems, you must turn
       on the httpd_use_cifs boolean. Disabled by default.

       setsebool -P httpd_use_cifs 1

       If you want to allow httpd to access FUSE file systems, you must turn
       on the httpd_use_fusefs boolean. Disabled by default.

       setsebool -P httpd_use_fusefs 1

       If you want to allow httpd to access nfs file systems, you must turn on
       the httpd_use_nfs boolean. Disabled by default.

       setsebool -P httpd_use_nfs 1

       If you want to allow httpd to use opencryptoki, you must turn on the
       httpd_use_opencryptoki boolean. Disabled by default.

       setsebool -P httpd_use_opencryptoki 1

       If you want to allow httpd to access openstack ports, you must turn on
       the httpd_use_openstack boolean. Disabled by default.

       setsebool -P httpd_use_openstack 1

       If you want to allow httpd to connect to sasl, you must turn on the
       httpd_use_sasl boolean. Disabled by default.

       setsebool -P httpd_use_sasl 1

       If you want to allow Apache to query NS records, you must turn on the
       httpd_verify_dns boolean. Disabled by default.

       setsebool -P httpd_verify_dns 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the Git system daemon to access cifs file systems,
       you must turn on the git_system_use_cifs boolean. Disabled by default.

       setsebool -P git_system_use_cifs 1

       If you want to allow the Git system daemon to access nfs file systems,
       you must turn on the git_system_use_nfs boolean. Disabled by default.

       setsebool -P git_system_use_nfs 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

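       An audit of the booleans above against their documented defaults,
       added here as an example and not part of the httpd_selinux(8) page. It
       parses getsebool -a output, reports every httpd_* boolean that differs
       from its default, emits the setsebool commands that return the
       loosened ones to default, and flags the booleans that widen httpd_t the
       most. The getsebool output is constructed; the defaults are the ones
       stated in this section, and the risk notes are the editor's.

```python
"""Audit httpd booleans against the defaults documented in BOOLEANS.

Added example (not part of httpd_selinux(8)): parses `getsebool -a` output,
reports httpd_* booleans that differ from their documented default and the
setsebool commands that tighten the loosened ones. Sample output is
constructed.
"""

# Documented defaults: every httpd_* boolean is off except these three.
DEFAULT_ON = {"httpd_builtin_scripting", "httpd_dbus_avahi", "httpd_enable_cgi"}

# Booleans that widen the httpd_t domain the most, with the narrower
# alternative documented on this page (editor's notes, not policy text).
BROAD = {
    "httpd_can_network_connect":
        "allows outbound TCP to any port; prefer httpd_can_network_connect_db, "
        "httpd_can_network_memcache or httpd_can_network_relay",
    "httpd_execmem":
        "allows writable and executable memory for every module and script",
    "httpd_enable_homedirs":
        "exposes home directories; label only the needed tree instead",
    "httpd_read_user_content":
        "lets httpd read arbitrary user content; label specific paths instead",
}

# Constructed sample of `getsebool -a` output.
SAMPLE_GETSEBOOL = """\
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
kerberos_enabled --> off
"""


def parse_getsebool(text):
    """Map boolean name -> True/False from lines of the form 'name --> on'."""
    states = {}
    for line in text.splitlines():
        if " --> " in line:
            name, _, value = line.partition(" --> ")
            states[name.strip()] = value.strip() == "on"
    return states


def default_for(name):
    """Documented default of an httpd_* boolean."""
    return name in DEFAULT_ON


def drift(states):
    """(name, current, default) for every httpd_* boolean off its default.

    Drift in both directions is reported: a boolean turned off below its
    default (for example httpd_enable_cgi) is a tightening, not a risk, but
    it still explains denials an operator may be chasing.
    """
    return sorted((name, on, default_for(name))
                  for name, on in states.items()
                  if name.startswith("httpd_") and on != default_for(name))


def tighten_commands(states):
    """setsebool -P commands that switch off booleans enabled beyond default."""
    return [f"setsebool -P {name} off"
            for name, on, default in drift(states) if on and not default]


def review_notes(states):
    """Why each enabled broad boolean deserves a second look."""
    return [f"{name}: {why}" for name, why in BROAD.items() if states.get(name)]


if __name__ == "__main__":
    states = parse_getsebool(SAMPLE_GETSEBOOL)
    for name, on, default in drift(states):
        print(f"{name} is {'on' if on else 'off'} "
              f"(default {'on' if default else 'off'})")
    print("\n".join(tighten_commands(states)))
    print("\n".join(review_notes(states)))
```

       Run it against the live system with
       parse_getsebool(subprocess.run(["getsebool", "-a"],
       capture_output=True, text=True).stdout). The sample flags
       httpd_can_network_connect and httpd_enable_homedirs as loosened, and
       httpd_enable_cgi as tightened below its default.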

NSSWITCH DOMAIN

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server for the httpd_t domain, you must
       turn on the authlogin_nsswitch_use_ldap boolean.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow confined applications to run with kerberos for the
       httpd_t domain, you must turn on the kerberos_enabled boolean.

       setsebool -P kerberos_enabled 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports. The
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes as securely as possible. In the default configuration
       httpd_t may listen only on ports labeled with one of the types below;
       a bind() on any other port is denied, and the fix is to label that
       port rather than to loosen a boolean.

       The following port types are defined for httpd:

       http_cache_port_t

       Default Defined Ports:
                 tcp 8080,8118,8123,10001-10010
                 udp 3130

       http_port_t

       Default Defined Ports:
                 tcp 80,81,443,488,8008,8009,8443,9000

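       Before changing anything because httpd "cannot bind" a port, look at
       how that port is labeled. The following added example (not part of the
       httpd_selinux(8) page) parses semanage port -l style output, including
       the ranges it prints, and says whether a port is already http_port_t
       or http_cache_port_t, is unlabeled and can be added with semanage port
       -a, or belongs to another service's type. The listing is a constructed
       excerpt built from the default ports above plus an assumed
       mysqld_port_t row.

```python
"""Find which SELinux port type covers a port before binding httpd to it.

Added example (not part of httpd_selinux(8)): parses `semanage port -l`
style lines, expands the ranges that command prints, and advises how to make
(proto, port) bindable by httpd_t. The listing below is a constructed
excerpt.
"""
import re

# Constructed excerpt of `semanage port -l`; the mysqld_port_t row is an
# assumption added to show the "owned by another service" case.
SAMPLE_SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mysqld_port_t                  tcp      1186, 3306, 63132-63164
"""

# Port types httpd_t may bind by default (PORT TYPES section).
HTTPD_PORT_TYPES = {"http_port_t", "http_cache_port_t"}

# type, protocol, comma-separated ports; the header line has no *_port_t.
ROW_RE = re.compile(r"^(\S+_port_t)\s+(tcp|udp)\s+(.+)$")


def parse_port_list(text):
    """Return {(proto, port_type): [(lo, hi), ...]} from `semanage port -l`."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ptype, proto, ports = m.groups()
        for item in ports.split(","):
            lo, _, hi = item.strip().partition("-")  # "8080" or "10001-10010"
            table.setdefault((proto, ptype), []).append((int(lo), int(hi or lo)))
    return table


def port_type(table, proto, port):
    """The port type label for (proto, port), or None if it is unlabeled."""
    for (p, ptype), ranges in table.items():
        if p == proto and any(lo <= port <= hi for lo, hi in ranges):
            return ptype
    return None


def advise(table, proto, port):
    """What to do so that httpd_t may bind (proto, port)."""
    ptype = port_type(table, proto, port)
    if ptype in HTTPD_PORT_TYPES:
        return f"{proto}/{port} is {ptype}: httpd_t may already bind it"
    if ptype is None:
        return (f"{proto}/{port} is unlabeled: "
                f"semanage port -a -t http_port_t -p {proto} {port}")
    # Already owned by another service's type: -a fails with "already
    # defined", and -m re-labels it, taking it away from that service.
    return (f"{proto}/{port} is {ptype}, owned by another service: "
            f"semanage port -m -t http_port_t -p {proto} {port} "
            f"re-labels it for httpd and away from that service")


if __name__ == "__main__":
    table = parse_port_list(SAMPLE_SEMANAGE_PORT_L)
    for port in (8443, 8081, 10005, 3306):
        print(advise(table, "tcp", port))
```

       Feed it the live listing with
       parse_port_list(subprocess.run(["semanage", "port", "-l"],
       capture_output=True, text=True).stdout). After semanage port -a, re-run
       the check: the new port shows up under http_port_t without any
       restorecon step, since port labels live in the policy store rather
       than on disk.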

MANAGED FILES

       The SELinux process type httpd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions:
       SELinux adds a check on top of file modes, it does not replace them.
       Some of these types, such as cifs_t, nfs_t and fusefs_t, are reachable
       only when the corresponding httpd_use_* boolean above is turned on.

433       abrt_retrace_spool_t
434
435            /var/spool/faf(/.*)?
436            /var/spool/abrt-retrace(/.*)?
437            /var/spool/retrace-server(/.*)?
438
439       anon_inodefs_t
440
441
442       apcupsd_cgi_rw_content_t
443
444
445       awstats_rw_content_t
446
447
448       bugzilla_rw_content_t
449
450            /var/lib/bugzilla(/.*)?
451
452       cifs_t
453
454
455       cluster_conf_t
456
457            /etc/cluster(/.*)?
458
459       cluster_var_lib_t
460
461            /var/lib/pcsd(/.*)?
462            /var/lib/cluster(/.*)?
463            /var/lib/openais(/.*)?
464            /var/lib/pengine(/.*)?
465            /var/lib/corosync(/.*)?
466            /usr/lib/heartbeat(/.*)?
467            /var/lib/heartbeat(/.*)?
468            /var/lib/pacemaker(/.*)?
469
470       cluster_var_run_t
471
472            /var/run/crm(/.*)?
473            /var/run/cman_.*
474            /var/run/rsctmp(/.*)?
475            /var/run/aisexec.*
476            /var/run/heartbeat(/.*)?
477            /var/run/corosync-qnetd(/.*)?
478            /var/run/corosync-qdevice(/.*)?
479            /var/run/corosync.pid
480            /var/run/cpglockd.pid
481            /var/run/rgmanager.pid
482            /var/run/cluster/rgmanager.sk
483
484       cobbler_var_lib_t
485
486            /var/lib/cobbler(/.*)?
487            /var/www/cobbler(/.*)?
488            /var/cache/cobbler(/.*)?
489            /var/lib/tftpboot/etc(/.*)?
490            /var/lib/tftpboot/ppc(/.*)?
491            /var/lib/tftpboot/boot(/.*)?
492            /var/lib/tftpboot/grub(/.*)?
493            /var/lib/tftpboot/s390x(/.*)?
494            /var/lib/tftpboot/images(/.*)?
495            /var/lib/tftpboot/aarch64(/.*)?
496            /var/lib/tftpboot/images2(/.*)?
497            /var/lib/tftpboot/pxelinux.cfg(/.*)?
498            /var/lib/tftpboot/yaboot
499            /var/lib/tftpboot/memdisk
500            /var/lib/tftpboot/menu.c32
501            /var/lib/tftpboot/pxelinux.0
502
503       collectd_rw_content_t
504
505
506       cvs_rw_content_t
507
508
509       dirsrv_config_t
510
511            /etc/dirsrv(/.*)?
512
513       dirsrv_var_log_t
514
515            /var/log/dirsrv(/.*)?
516
517       dirsrv_var_run_t
518
519            /var/run/slapd.*
520            /var/run/dirsrv(/.*)?
521
522       dirsrvadmin_config_t
523
524            /etc/dirsrv/dsgw(/.*)?
525            /etc/dirsrv/admin-serv(/.*)?
526
527       dirsrvadmin_rw_content_t
528
529
530       dirsrvadmin_tmp_t
531
532
533       dspam_rw_content_t
534
535            /var/lib/dspam/data(/.*)?
536
537       fusefs_t
538
539            /var/run/user/[^/]*/gvfs
540
541       git_rw_content_t
542
543            /var/cache/cgit(/.*)?
544            /var/cache/gitweb-caching(/.*)?
545
546       httpd_cache_t
547
548            /var/cache/rt(3|4)(/.*)?
549            /var/cache/ssl.*.sem
550            /var/cache/mod_.*
551            /var/cache/php-.*
552            /var/cache/httpd(/.*)?
553            /var/cache/mason(/.*)?
554            /var/cache/nginx(/.*)?
555            /var/cache/mod_ssl(/.*)?
556            /var/cache/lighttpd(/.*)?
557            /var/cache/mediawiki(/.*)?
558            /var/cache/mod_proxy(/.*)?
559            /var/cache/mod_gnutls(/.*)?
560            /var/cache/php-mmcache(/.*)?
561            /var/cache/php-eaccelerator(/.*)?
562
563       httpd_lock_t
564
565
566       httpd_squirrelmail_t
567
568            /var/lib/squirrelmail/prefs(/.*)?
569
570       httpd_sys_rw_content_t
571
572            /etc/rt(/.*)?
573            /etc/glpi(/.*)?
574            /etc/horde(/.*)?
575            /etc/drupal.*
576            /etc/z-push(/.*)?
577            /var/lib/svn(/.*)?
578            /var/www/svn(/.*)?
579            /etc/owncloud(/.*)?
580            /var/www/html(/.*)?/uploads(/.*)?
581            /var/www/html(/.*)?/wp-content(/.*)?
582            /var/www/html(/.*)?/wp_backups(/.*)?
583            /var/www/html(/.*)?/sites/default/files(/.*)?
584            /var/www/html(/.*)?/sites/default/settings.php
585            /etc/mock/koji(/.*)?
586            /etc/nextcloud(/.*)?
587            /var/lib/drupal.*
588            /etc/zabbix/web(/.*)?
589            /var/lib/moodle(/.*)?
590            /var/log/z-push(/.*)?
591            /var/spool/gosa(/.*)?
592            /etc/WebCalendar(/.*)?
593            /usr/share/joomla(/.*)?
594            /var/lib/dokuwiki(/.*)?
595            /var/lib/owncloud(/.*)?
596            /var/spool/viewvc(/.*)?
597            /var/lib/nextcloud(/.*)?
598            /var/lib/pootle/po(/.*)?
599            /var/lib/phpMyAdmin(/.*)?
600            /var/www/moodledata(/.*)?
601            /srv/gallery2/smarty(/.*)?
602            /var/www/moodle/data(/.*)?
603            /var/lib/graphite-web(/.*)?
604            /var/log/shibboleth-www(/.*)?
605            /var/www/gallery/albums(/.*)?
606            /var/www/html/owncloud/data(/.*)?
607            /var/www/html/nextcloud/data(/.*)?
608            /usr/share/wordpress-mu/wp-content(/.*)?
609            /usr/share/wordpress/wp-content/upgrade(/.*)?
610            /usr/share/wordpress/wp-content/uploads(/.*)?
611            /var/www/html/configuration.php
612
613       httpd_tmp_t
614
615            /var/run/user/apache(/.*)?
616            /var/www/openshift/console/tmp(/.*)?
617
618       httpd_tmpfs_t
619
620
621       httpd_user_rw_content_t
622
623
624       httpd_var_lib_t
625
626            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
627            /var/lib/dav(/.*)?
628            /var/lib/php(/.*)?
629            /var/lib/glpi(/.*)?
630            /var/lib/httpd(/.*)?
631            /var/lib/nginx(/.*)?
632            /var/lib/z-push(/.*)?
633            /var/lib/ganglia(/.*)?
634            /var/lib/ipsilon(/.*)?
635            /var/lib/cherokee(/.*)?
636            /var/lib/lighttpd(/.*)?
637            /var/lib/mod_security(/.*)?
638            /var/lib/roundcubemail(/.*)?
639            /var/opt/rh/rh-nginx18/lib/nginx(/.*)?
640
641       httpd_var_run_t
642
643            /var/run/wsgi.*
644            /var/run/mod_.*
645            /var/run/httpd.*
646            /var/run/nginx.*
647            /var/run/apache.*
648            /var/run/php-fpm(/.*)?
649            /var/run/fcgiwrap(/.*)?
650            /var/run/lighttpd(/.*)?
651            /var/lib/php/session(/.*)?
652            /var/lib/php/wsdlcache(/.*)?
653            /var/run/dirsrv/admin-serv.*
654            /var/opt/rh/rh-nginx18/run/nginx(/.*)?
655            /var/www/openshift/broker/httpd/run(/.*)?
656            /var/www/openshift/console/httpd/run(/.*)?
657            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
658            /var/run/thttpd.pid
659            /var/run/gcache_port
660            /var/run/cherokee.pid
661
662       httpdcontent
663
664
665       hugetlbfs_t
666
667            /dev/hugepages
668            /usr/lib/udev/devices/hugepages
669
670       ipa_cert_t
671
672            /etc/httpd/alias/ipasession.key
673
674       ipa_var_run_t
675
676            /var/run/ipa(/.*)?
677
678       jetty_cache_t
679
680            /var/cache/jetty(/.*)?
681
682       jetty_log_t
683
684            /var/log/jetty(/.*)?
685
686       jetty_tmp_t
687
688
689       jetty_unit_file_t
690
691            /usr/lib/systemd/system/jetty.service
692
693       jetty_var_lib_t
694
695            /var/lib/jetty(/.*)?
696
697       jetty_var_run_t
698
699            /var/run/jetty(/.*)?
700
701       keystone_cgi_rw_content_t
702
703
704       krb5_host_rcache_t
705
706            /var/cache/krb5rcache(/.*)?
707            /var/tmp/nfs_0
708            /var/tmp/DNS_25
709            /var/tmp/host_0
710            /var/tmp/imap_0
711            /var/tmp/HTTP_23
712            /var/tmp/HTTP_48
713            /var/tmp/ldap_55
714            /var/tmp/ldap_487
715            /var/tmp/ldapmap1_0
716
717       man2html_rw_content_t
718
719            /var/cache/man2html(/.*)?
720
721       mediawiki_rw_content_t
722
723            /var/www/wiki[0-9]?(/.*)?
724
725       memcached_var_run_t
726
727            /var/run/memcached(/.*)?
728            /var/run/ipa_memcached(/.*)?
729
730       mirrormanager_var_run_t
731
732            /var/run/mirrormanager(/.*)?
733
734       mojomojo_rw_content_t
735
736            /var/lib/mojomojo(/.*)?
737
738       munin_rw_content_t
739
740
741       mythtv_rw_content_t
742
743
744       nagios_rw_content_t
745
746
747       named_cache_t
748
749            /var/named/data(/.*)?
750            /var/lib/softhsm(/.*)?
751            /var/lib/unbound(/.*)?
752            /var/named/slaves(/.*)?
753            /var/named/dynamic(/.*)?
754            /var/named/chroot/var/tmp(/.*)?
755            /var/named/chroot/var/named/data(/.*)?
756            /var/named/chroot/var/named/slaves(/.*)?
757            /var/named/chroot/var/named/dynamic(/.*)?
758
759       nfs_t
760
761
762       nutups_cgi_rw_content_t
763
764
765       openshift_rw_content_t
766
767
768       passenger_tmp_t
769
770
771       passenger_var_lib_t
772
773            /var/lib/passenger(/.*)?
774
775       passenger_var_run_t
776
777            /var/run/passenger(/.*)?
778
779       pkcs_slotd_lock_t
780
781            /var/lock/opencryptoki(/.*)?
782
783       pkcs_slotd_var_lib_t
784
785            /var/lib/opencryptoki(/.*)?
786
787       pki_apache_config
788
789
790       pki_apache_var_lib
791
792
793       pki_apache_var_log
794
795
796       postfix_spool_t
797
798            /var/spool/postfix.*
799            /var/spool/postfix/defer(/.*)?
800            /var/spool/postfix/flush(/.*)?
801            /var/spool/postfix/deferred(/.*)?
802            /var/spool/postfix/maildrop(/.*)?
803
804       preupgrade_data_t
805
806            /var/lib/preupgrade(/.*)?
807            /var/log/preupgrade(/.*)?
808
809       prewikka_rw_content_t
810
811
812       public_content_rw_t
813
814            /var/spool/abrt-upload(/.*)?
815
816       root_t
817
818            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
819            /
820            /initrd
821
822       security_t
823
824            /selinux
825
826       smokeping_cgi_rw_content_t
827
828
829       squid_rw_content_t
830
831
832       squirrelmail_spool_t
833
834            /var/spool/squirrelmail(/.*)?
835
836       systemd_passwd_var_run_t
837
838            /var/run/systemd/ask-password(/.*)?
839            /var/run/systemd/ask-password-block(/.*)?
840
841       w3c_validator_rw_content_t
842
843
844       webalizer_rw_content_t
845
846            /var/www/usage(/.*)?
847
848       zarafa_var_lib_t
849
850            /var/lib/zarafa(/.*)?
851            /var/lib/zarafa-webapp(/.*)?
852            /var/lib/zarafa-webaccess(/.*)?
853
854       zoneminder_rw_content_t
855
856
857       zoneminder_var_lib_t
858
859            /var/lib/zoneminder(/.*)?
860
861

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files. The
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes as securely as possible.

       EQUIVALENCE DIRECTORIES

       httpd policy stores data with multiple different file context types
       under the /var/lib/php directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/lib/php /srv/php
       restorecon -R -v /srv/php

       httpd policy stores data with multiple different file context types
       under the /var/www directory. If you would like to store the data in a
       different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/www /srv/www
       restorecon -R -v /srv/www

       An equivalence mapping gives every path under /srv/www the label its
       counterpart under /var/www would get, so /srv/www/html/uploads becomes
       httpd_sys_rw_content_t exactly as /var/www/html/uploads does, while the
       rest of the tree stays read-only httpd_sys_content_t.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for httpd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk. For example, to serve read-only
       content from a non-default directory, label it httpd_sys_content_t:

       semanage fcontext -a -t httpd_sys_content_t '/srv/myhttpd_content(/.*)?'
       restorecon -R -v /srv/myhttpd_content

       Use httpd_sys_rw_content_t only for the subtrees the server must write
       to (uploads, caches); labeling a whole document root writable gives a
       compromised script write access to everything it serves.

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for httpd:

910       httpd_cache_t
911
912       - Set files with the httpd_cache_t type, if you want to store the files
913       under the /var/cache directory.
914
915
916       Paths:
917            /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
918            /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
919            /var/cache/nginx(/.*)?,                  /var/cache/mod_ssl(/.*)?,
920            /var/cache/lighttpd(/.*)?,             /var/cache/mediawiki(/.*)?,
921            /var/cache/mod_proxy(/.*)?,           /var/cache/mod_gnutls(/.*)?,
922            /var/cache/php-mmcache(/.*)?, /var/cache/php-eaccelerator(/.*)?
923
924
925       httpd_config_t
926
927       -  Set  files  with  the  httpd_config_t type, if you want to treat the
928       files as httpd configuration data, usually stored under the /etc direc‐
929       tory.
930
931
932       Paths:
933            /etc/httpd(/.*)?,     /etc/nginx(/.*)?,     /etc/apache(2)?(/.*)?,
934            /etc/cherokee(/.*)?,       /etc/lighttpd(/.*)?,       /etc/apache-
935            ssl(2)?(/.*)?,  /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-
936            nginx18/nginx(/.*)?,           /var/lib/stickshift/.httpd.d(/.*)?,
937            /etc/vhosts, /etc/thttpd.conf
938
939
940       httpd_exec_t
941
942       -  Set  files  with the httpd_exec_t type, if you want to transition an
943       executable to the httpd_t domain.
944
945
946       Paths:
947            /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?,  /usr/lib/apache-
948            ssl/.+,         /usr/sbin/apache-ssl(2)?,         /usr/sbin/nginx,
949            /usr/sbin/thttpd,      /usr/sbin/php-fpm,      /usr/sbin/cherokee,
950            /usr/sbin/lighttpd,   /usr/sbin/apachectl,  /usr/sbin/httpd.event,
951            /usr/bin/mongrel_rails, /usr/sbin/htcacheclean
952
953
954       httpd_helper_exec_t
955
956       - Set files with the httpd_helper_exec_t type, if you want  to  transi‐
957       tion an executable to the httpd_helper_t domain.
958
959
960
961       httpd_initrc_exec_t
962
963       -  Set  files with the httpd_initrc_exec_t type, if you want to transi‐
964       tion an executable to the httpd_initrc_t domain.
965
966
967       Paths:
968            /etc/init.d/cherokee,                      /etc/rc.d/init.d/httpd,
969            /etc/rc.d/init.d/lighttpd
970
971
972       httpd_keytab_t
973
974       -  Set  files  with  the  httpd_keytab_t type, if you want to treat the
975       files as kerberos keytab files.
976
977
978
979       httpd_lock_t
980
981       - Set files with the httpd_lock_t type, if you want to treat the  files
982       as httpd lock data, stored under the /var/lock directory
983
984
985
986       httpd_log_t
987
988       - Set files with the httpd_log_t type, if you want to treat the data as
989       httpd log data, usually stored under the /var/log directory.
990
991
992       Paths:
993            /srv/([^/]*/)?www/logs(/.*)?,           /var/www(/.*)?/logs(/.*)?,
994            /var/log/glpi(/.*)?,  /var/log/cacti(/.*)?,  /var/log/httpd(/.*)?,
995            /var/log/nginx(/.*)?,  /var/log/apache(2)?(/.*)?,   /var/log/hori‐
996            zon(/.*)?,     /var/log/php-fpm(/.*)?,    /var/log/cherokee(/.*)?,
997            /var/log/lighttpd(/.*)?,                     /var/log/suphp.log.*,
998            /var/log/thttpd.log.*,              /var/log/apache-ssl(2)?(/.*)?,
999            /var/log/cgiwrap.log.*,       /var/www/stickshift/[^/]*/log(/.*)?,
1000            /var/log/graphite-web(/.*)?,          /var/www/miq/vmdb/log(/.*)?,
1001            /var/log/roundcubemail(/.*)?,           /var/log/php_errors.log.*,
1002            /var/log/dirsrv/admin-serv(/.*)?,                  /var/opt/rh/rh-
1003            nginx18/log(/.*)?,            /var/lib/openshift/.log/httpd(/.*)?,
1004            /var/www/openshift/console/log(/.*)?,      /var/www/openshift/bro‐
1005            ker/httpd/logs(/.*)?, /var/www/openshift/console/httpd/logs(/.*)?,
1006            /etc/httpd/logs
1007
1008
1009       httpd_modules_t
1010
1011       -  Set  files  with  the httpd_modules_t type, if you want to treat the
1012       files as httpd modules.
1013
1014
1015       Paths:
1016            /usr/lib/httpd(/.*)?,    /usr/lib/apache(/.*)?,    /usr/lib/chero‐
1017            kee(/.*)?,      /usr/lib/lighttpd(/.*)?,     /usr/lib/apache2/mod‐
1018            ules(/.*)?, /etc/httpd/modules
1019
1020
1021       httpd_passwd_exec_t
1022
1023       - Set files with the httpd_passwd_exec_t type, if you want  to  transi‐
1024       tion an executable to the httpd_passwd_t domain.
1025
1026
1027
1028       httpd_php_exec_t
1029
1030       -  Set  files with the httpd_php_exec_t type, if you want to transition
1031       an executable to the httpd_php_t domain.
1032
1033
1034
1035       httpd_php_tmp_t
1036
1037       - Set files with the httpd_php_tmp_t type, if you want to  store  httpd
1038       php temporary files in the /tmp directories.
1039
1040
1041
1042       httpd_rotatelogs_exec_t
1043
1044       - Set files with the httpd_rotatelogs_exec_t type, if you want to tran‐
1045       sition an executable to the httpd_rotatelogs_t domain.
1046
1047
1048
       httpd_squirrelmail_t

       - Set files with the httpd_squirrelmail_t type, if you want to treat
       the files as httpd squirrelmail data.



       httpd_suexec_exec_t

       - Set files with the httpd_suexec_exec_t type, if you want to
       transition an executable to the httpd_suexec_t domain.


       Paths:
            /usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgiwrap(d)?,
            /usr/sbin/suexec


       httpd_suexec_tmp_t

       - Set files with the httpd_suexec_tmp_t type, if you want to store
       httpd suexec temporary files in the /tmp directories.



       httpd_sys_content_t

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content.


       Paths:
            /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
            /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
            /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/htdig(/.*)?,
            /usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
            /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?,
            /usr/share/ntop/html(/.*)?, /usr/share/nginx/html(/.*)?,
            /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?,
            /usr/share/selinux-policy[^/]*/html(/.*)?


       httpd_sys_htaccess_t

       - Set files with the httpd_sys_htaccess_t type, if you want to treat
       the file as an httpd sys access file.



       httpd_sys_ra_content_t

       - Set files with the httpd_sys_ra_content_t type, if you want to treat
       the files as httpd sys read/append content: httpd may create files and
       append to them, but not overwrite or delete what is already there.



       httpd_sys_rw_content_t

       - Set files with the httpd_sys_rw_content_t type, if you want to treat
       the files as httpd sys read/write content: httpd may create, modify and
       delete them.  Reserve it for upload and data directories and keep it
       off directories that hold scripts.


       Paths:
            /etc/rt(/.*)?, /etc/glpi(/.*)?, /etc/horde(/.*)?, /etc/drupal.*,
            /etc/z-push(/.*)?, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
            /etc/owncloud(/.*)?, /var/www/html(/.*)?/uploads(/.*)?,
            /var/www/html(/.*)?/wp-content(/.*)?,
            /var/www/html(/.*)?/wp_backups(/.*)?,
            /var/www/html(/.*)?/sites/default/files(/.*)?,
            /var/www/html(/.*)?/sites/default/settings.php,
            /etc/mock/koji(/.*)?, /etc/nextcloud(/.*)?, /var/lib/drupal.*,
            /etc/zabbix/web(/.*)?, /var/lib/moodle(/.*)?, /var/log/z-push(/.*)?,
            /var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?,
            /usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?,
            /var/lib/owncloud(/.*)?, /var/spool/viewvc(/.*)?,
            /var/lib/nextcloud(/.*)?, /var/lib/pootle/po(/.*)?,
            /var/lib/phpMyAdmin(/.*)?, /var/www/moodledata(/.*)?,
            /srv/gallery2/smarty(/.*)?, /var/www/moodle/data(/.*)?,
            /var/lib/graphite-web(/.*)?, /var/log/shibboleth-www(/.*)?,
            /var/www/gallery/albums(/.*)?, /var/www/html/owncloud/data(/.*)?,
            /var/www/html/nextcloud/data(/.*)?,
            /usr/share/wordpress-mu/wp-content(/.*)?,
            /usr/share/wordpress/wp-content/upgrade(/.*)?,
            /usr/share/wordpress/wp-content/uploads(/.*)?,
            /var/www/html/configuration.php


       httpd_sys_script_exec_t

       - Set files with the httpd_sys_script_exec_t type, if you want to
       transition an executable to the httpd_sys_script_t domain.  Do not
       give this type to a directory httpd can also write to (for example an
       upload directory labeled httpd_sys_rw_content_t): anything the web
       server writes there would then run as a CGI script.


       Paths:
            /opt/.*.cgi, /usr/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
            /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
            /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?,
            /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*.php,
            /usr/local/nagios/sbin(/.*)?, /usr/share/wordpress/wp-includes/.*.php,
            /usr/share/wordpress-mu/wp-config.php


       httpd_tmp_t

       - Set files with the httpd_tmp_t type, if you want to store httpd
       temporary files in the /tmp directories.


       Paths:
            /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?


       httpd_tmpfs_t

       - Set files with the httpd_tmpfs_t type, if you want to store httpd
       files on a tmpfs file system.



       httpd_unconfined_script_exec_t

       - Set files with the httpd_unconfined_script_exec_t type, if you want
       to transition an executable to the httpd_unconfined_script_t domain.
       Scripts entered this way run unconfined, without the restrictions the
       rest of this policy places on httpd scripts, so use the type only when
       no confined script domain works.



       httpd_unit_file_t

       - Set files with the httpd_unit_file_t type, if you want to treat the
       files as httpd unit content.


       Paths:
            /usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/nginx.*,
            /usr/lib/systemd/system/thttpd.*, /usr/lib/systemd/system/php-fpm.*


       httpd_user_content_t

       - Set files with the httpd_user_content_t type, if you want to treat
       the files as httpd user content.



       httpd_user_htaccess_t

       - Set files with the httpd_user_htaccess_t type, if you want to treat
       the file as an httpd user access file.



       httpd_user_ra_content_t

       - Set files with the httpd_user_ra_content_t type, if you want to treat
       the files as httpd user read/append content.



       httpd_user_rw_content_t

       - Set files with the httpd_user_rw_content_t type, if you want to treat
       the files as httpd user read/write content.



       httpd_user_script_exec_t

       - Set files with the httpd_user_script_exec_t type, if you want to
       transition an executable to the httpd_user_script_t domain.



       httpd_var_lib_t

       - Set files with the httpd_var_lib_t type, if you want to store the
       httpd files under the /var/lib directory.


       Paths:
            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?,
            /var/lib/php(/.*)?, /var/lib/glpi(/.*)?, /var/lib/httpd(/.*)?,
            /var/lib/nginx(/.*)?, /var/lib/z-push(/.*)?, /var/lib/ganglia(/.*)?,
            /var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?,
            /var/lib/lighttpd(/.*)?, /var/lib/mod_security(/.*)?,
            /var/lib/roundcubemail(/.*)?, /var/opt/rh/rh-nginx18/lib/nginx(/.*)?


       httpd_var_run_t

       - Set files with the httpd_var_run_t type, if you want to store the
       httpd files under the /run or /var/run directory.


       Paths:
            /var/run/wsgi.*, /var/run/mod_.*, /var/run/httpd.*,
            /var/run/nginx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?,
            /var/run/fcgiwrap(/.*)?, /var/run/lighttpd(/.*)?,
            /var/lib/php/session(/.*)?, /var/lib/php/wsdlcache(/.*)?,
            /var/run/dirsrv/admin-serv.*, /var/opt/rh/rh-nginx18/run/nginx(/.*)?,
            /var/www/openshift/broker/httpd/run(/.*)?,
            /var/www/openshift/console/httpd/run(/.*)?,
            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
            /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid


       Note: File context can be temporarily modified with the chcon command.
       A label set with chcon lasts only until the next restorecon or
       filesystem relabel puts the policy default back.  If you want to
       permanently change the file context you need to use the semanage
       fcontext command.  This will modify the SELinux labeling database.
       You will need to use restorecon to apply the labels.



SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t or
       public_content_rw_t.  These types allow any of the above domains to
       read the content.  If you want a particular domain to write to files
       labeled public_content_rw_t, you must also turn on that domain's
       boolean (httpd_anon_write for httpd); the label alone grants read
       access only.

       Allow httpd servers to read the /var/httpd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
       restorecon -F -R -v /var/httpd

       Allow httpd servers to read and write /var/httpd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type.  You also need to turn on the httpd_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
       restorecon -F -R -v /var/httpd/incoming
       setsebool -P httpd_anon_write 1


       If you want to allow Apache to modify public files used for public file
       transfer services, the directories and files must be labeled
       public_content_rw_t and you must turn on the httpd_anon_write boolean.

       setsebool -P httpd_anon_write 1


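       The following Python script is an added example, not part of this
       manual page or of the SELinux policy.  It applies a handful of the
       file-context entries listed under FILE CONTEXTS above, plus the
       public_content_t and public_content_rw_t entries from SHARING FILES,
       to a constructed ls -Z listing: each entry is a regex matched against
       the whole path and, where several match, the later (more specific)
       entry wins, as in file_contexts(5).  It reports files whose label
       differs from that expectation (what restorecon -n -v would print),
       files labeled httpd_sys_script_exec_t inside a tree httpd may write
       to (an uploaded file that would run as CGI), and a public_content_rw_t
       tree httpd still cannot write to because httpd_anon_write is off.
       The sample listing, the getsebool line and the five-entry table are
       constructed for the example; on a real host use restorecon -n -v and
       matchpathcon, which read the full labeling database.

```python
"""Offline audit of web-content labels against file-context entries.

Added example; not part of httpd_selinux(8) or of the SELinux project.  The
listings below are constructed sample output, not captured from a host.
"""
import re
from typing import Dict, List, Optional, Tuple

# Entries in file_contexts(5) form: a regex matched against the whole path.
# Where several entries match, the last one listed wins, so an entry for a
# subtree is placed after the entry for its parent.  These five are copied
# from this manual page; a real file_contexts holds thousands.
SPECS: List[Tuple[str, str]] = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/var/www/html(/.*)?/uploads(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/httpd(/.*)?", "public_content_t"),
    (r"/var/httpd/incoming(/.*)?", "public_content_rw_t"),
]
_COMPILED = [(re.compile(pat), ftype) for pat, ftype in SPECS]

# Types httpd_t executes as scripts, and types it may write without a boolean.
SCRIPT_EXEC_TYPES = {"httpd_sys_script_exec_t", "httpd_unconfined_script_exec_t"}
RW_TYPES = {"httpd_sys_rw_content_t"}

# Constructed `ls -Z <paths>` output: "<user>:<role>:<type>:<range> <path>".
LS_Z_SAMPLE = """\
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/uploads/avatar.png
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/html/uploads/shell.php
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/status.cgi
unconfined_u:object_r:user_home_t:s0 /var/www/html/docs/readme.txt
system_u:object_r:public_content_rw_t:s0 /var/httpd/incoming/drop.bin
"""
# Constructed `getsebool httpd_anon_write` output.
GETSEBOOL_SAMPLE = "httpd_anon_write --> off\n"


def expected_type(path: str) -> Optional[str]:
    """Type the entries above assign to path (last match wins), or None."""
    winner = None
    for rx, ftype in _COMPILED:
        if rx.fullmatch(path):
            winner = ftype
    return winner


def parse_ls_z(text: str) -> Dict[str, str]:
    """Map path -> type from `ls -Z` lines; the type is the third ':' field."""
    labels: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            ctx, path = line.split(None, 1)
            labels[path.strip()] = ctx.split(":")[2]
    return labels


def parse_getsebool(text: str) -> Dict[str, bool]:
    """Map boolean name -> state from `getsebool` lines ("name --> on|off")."""
    states: Dict[str, bool] = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\S+)\s+-->\s+(on|off)", line.strip())
        if m:
            states[m.group(1)] = m.group(2) == "on"
    return states


def httpd_can_write(ftype: Optional[str], booleans: Dict[str, bool]) -> bool:
    """Whether httpd_t may write files of this type.  public_content_rw_t
    only becomes writable once httpd_anon_write is on (see SHARING FILES)."""
    if ftype in RW_TYPES:
        return True
    if ftype == "public_content_rw_t":
        return booleans.get("httpd_anon_write", False)
    return False


def audit(ls_z: str, getsebool: str) -> List[Tuple[str, str, str]]:
    """Return (severity, path, message) findings for an `ls -Z` listing."""
    booleans = parse_getsebool(getsebool)
    findings: List[Tuple[str, str, str]] = []
    for path, observed in parse_ls_z(ls_z).items():
        want = expected_type(path)
        if want is None:
            findings.append(("info", path, "no entry matches; restorecon leaves it alone"))
        elif want != observed:
            findings.append(("mismatch", path, f"labeled {observed}, entries expect {want}"))
        # A script-exec label inside a tree the policy makes writable for
        # httpd: whatever the web server writes there can run as a CGI script.
        if observed in SCRIPT_EXEC_TYPES and httpd_can_write(want, booleans):
            findings.append(("critical", path, "script-exec label in an httpd-writable tree"))
        # The mirror image: httpd may overwrite a script it will later execute.
        if want in SCRIPT_EXEC_TYPES and httpd_can_write(observed, booleans):
            findings.append(("critical", path, "httpd-writable label in a script directory"))
        if observed == "public_content_rw_t" and not httpd_can_write(observed, booleans):
            findings.append(("info", path, "public_content_rw_t but httpd_anon_write is off"))
    return findings


if __name__ == "__main__":
    for severity, path, message in audit(LS_Z_SAMPLE, GETSEBOOL_SAMPLE):
        print(f"{severity:9} {path}: {message}")
```

       On the sample listing the script flags readme.txt (copied from a
       home directory, so it kept user_home_t and httpd cannot read it),
       shell.php (a script-exec label under the writable uploads tree) and
       drop.bin (correctly labeled, but not writable until the boolean is
       set).  Feed it real output by piping
       find /var/www -exec ls -dZ {} + and getsebool httpd_anon_write into
       audit().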

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), httpd_helper_selinux(8),
       httpd_passwd_selinux(8), httpd_php_selinux(8),
       httpd_rotatelogs_selinux(8), httpd_suexec_selinux(8),
       httpd_sys_script_selinux(8), httpd_unconfined_script_selinux(8),
       httpd_user_script_selinux(8)



httpd                              19-12-02                   httpd_selinux(8)