httpd_sys_script_selinux(8)   SELinux Policy httpd_sys_script   httpd_sys_script_selinux(8)

NAME

       httpd_sys_script_selinux - Security Enhanced Linux Policy for the
       httpd_sys_script processes


DESCRIPTION

       Security-Enhanced Linux secures the httpd_sys_script processes via
       flexible mandatory access control.

       The httpd_sys_script processes execute with the httpd_sys_script_t
       SELinux type. This is the domain that system CGI scripts run in when
       the web server (httpd_t) executes them. You can check if you have
       these processes running by executing the ps command with the -Z
       qualifier.

       For example:

       ps -eZ | grep httpd_sys_script_t



ENTRYPOINTS

       The httpd_sys_script_t SELinux type can be entered via the nfs_t,
       httpd_sys_content_t, cifs_t and httpd_sys_script_exec_t file types, and
       via any type carrying the httpdcontent attribute. Entry through nfs_t
       and cifs_t additionally depends on the httpd_use_nfs and httpd_use_cifs
       booleans described below.

       The default entrypoint paths for the httpd_sys_script_t domain are the
       following:

       /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
       /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
       /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/htdig(/.*)?,
       /usr/share/drupal.*, /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
       /usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?,
       /usr/share/ntop/html(/.*)?, /usr/share/nginx/html(/.*)?,
       /usr/share/doc/ghc/html(/.*)?, /usr/share/openca/htdocs(/.*)?,
       /usr/share/selinux-policy[^/]*/html(/.*)?, /opt/.*.cgi, /usr/.*.cgi,
       /var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?,
       /var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?,
       /var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?,
       /usr/share/wordpress/.*.php, /usr/local/nagios/sbin(/.*)?,
       /usr/share/wordpress/wp-includes/.*.php,
       /usr/share/wordpress-mu/wp-config.php


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       httpd_sys_script policy is very flexible, allowing users to set up their
       httpd_sys_script processes in as secure a manner as possible.

       The following process types are defined for httpd_sys_script:

       httpd_sys_script_t

       Note: semanage permissive -a httpd_sys_script_t can be used to make the
       process type httpd_sys_script_t permissive. SELinux does not deny
       access to permissive process types, but the AVC (SELinux denial)
       messages are still generated. Leaving a domain permissive on a
       production host removes the confinement this policy provides; use it
       only while collecting denials to build or debug policy.



BOOLEANS

       SELinux policy is customizable based on least access required.
       httpd_sys_script policy is extremely flexible and has several booleans
       that allow you to manipulate the policy and run httpd_sys_script with
       the tightest access possible. Each boolean below widens what every
       script in the domain may do, so enable only the ones a denial actually
       requires.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1

       If you want to allow the http daemon to send mail, you must turn on the
       httpd_can_sendmail boolean. Disabled by default.

       setsebool -P httpd_can_sendmail 1

       If you want to allow httpd CGI support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow httpd to read home directories, you must turn on
       the httpd_enable_homedirs boolean. Disabled by default.

       setsebool -P httpd_enable_homedirs 1

       If you want to allow httpd scripts and modules to use execmem and
       execstack (writable plus executable memory), you must turn on the
       httpd_execmem boolean. Disabled by default.

       setsebool -P httpd_execmem 1

       If you want to allow httpd to read user content, you must turn on the
       httpd_read_user_content boolean. Disabled by default.

       setsebool -P httpd_read_user_content 1

       If you want to allow HTTPD to run SSI executables in the same domain as
       system CGI scripts, you must turn on the httpd_ssi_exec boolean.
       Disabled by default.

       setsebool -P httpd_ssi_exec 1

       If you want to allow httpd to access CIFS file systems, you must turn
       on the httpd_use_cifs boolean. Disabled by default.

       setsebool -P httpd_use_cifs 1

       If you want to allow httpd to access FUSE file systems, you must turn
       on the httpd_use_fusefs boolean. Disabled by default.

       setsebool -P httpd_use_fusefs 1

       If you want to allow httpd to access NFS file systems, you must turn on
       the httpd_use_nfs boolean. Disabled by default.

       setsebool -P httpd_use_nfs 1

       If you want to allow httpd to access openstack ports, you must turn on
       the httpd_use_openstack boolean. Disabled by default.

       setsebool -P httpd_use_openstack 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       The current value of any boolean can be checked with getsebool, for
       example getsebool httpd_can_network_connect_db.


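       Added example, not part of this generated man page or of the SELinux
       policy sources: a small Python triage helper that parses AVC denial
       lines, keeps those whose source context is httpd_sys_script_t, and maps
       each one to the boolean from the list above that would permit it, or
       reports that no documented boolean does. The audit lines are
       constructed for this example, the rule table is an assumption of the
       example (it is not what audit2allow or sepolicy emit), and the target
       type names it keys on (mysqld_port_t, postgresql_port_t, smtp_port_t,
       nfs_t, cifs_t, fusefs_t, user_home_t, user_home_dir_t) are assumed from
       the reference policy. The point of the None branch is the practitioner
       check: a denial that no boolean covers, such as a read of shadow_t, is
       something to investigate, not something to allow.

```python
import re
import sys

# Constructed sample denials for this example (not captured from a real host),
# in the format the kernel and auditd emit for AVC messages.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1589000001.123:4001): avc:  denied  { name_connect } for  pid=2311 comm="php-cgi" dest=3306 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1589000002.456:4002): avc:  denied  { name_connect } for  pid=2311 comm="php-cgi" dest=25 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1589000003.789:4003): avc:  denied  { read } for  pid=2312 comm="perl" name="index.html" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589000004.012:4004): avc:  denied  { execmem } for  pid=2313 comm="python3" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process permissive=0
type=AVC msg=audit(1589000005.345:4005): avc:  denied  { read } for  pid=2314 comm="perl" name="shadow" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589000006.678:4006): avc:  denied  { write } for  pid=999 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

DOMAIN = "httpd_sys_script_t"   # the domain this man page covers

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# (object classes, permissions or None for any, target types or None for any,
#  boolean). Booleans are the ones documented on this page; the target type
# names are an assumption taken from the reference policy (check `seinfo -t`).
RULES = [
    ({"tcp_socket"}, {"name_connect"}, {"mysqld_port_t", "postgresql_port_t"},
     "httpd_can_network_connect_db"),
    ({"tcp_socket"}, {"name_connect"}, {"smtp_port_t"}, "httpd_can_sendmail"),
    ({"process"}, {"execmem", "execstack"}, None, "httpd_execmem"),
    ({"file", "dir", "lnk_file"}, None, {"nfs_t"}, "httpd_use_nfs"),
    ({"file", "dir", "lnk_file"}, None, {"cifs_t"}, "httpd_use_cifs"),
    ({"file", "dir", "lnk_file"}, None, {"fusefs_t"}, "httpd_use_fusefs"),
    ({"file", "dir", "lnk_file"}, None, {"user_home_t", "user_home_dir_t"},
     "httpd_enable_homedirs"),
]


def type_of(context):
    """Extract the type field from a user:role:type[:level] context string."""
    return context.split(":")[2]


def suggest_boolean(perm, tclass, ttype):
    """Return the documented boolean that would allow this denial, or None."""
    for classes, perms, ttypes, boolean in RULES:
        if tclass in classes and (perms is None or perm in perms) \
                and (ttypes is None or ttype in ttypes):
            return boolean
    return None


def triage(log_text):
    """Parse AVC lines, keep those from DOMAIN, attach a suggested boolean."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or type_of(m["scontext"]) != DOMAIN:
            continue
        ttype = type_of(m["tcontext"])
        for perm in m["perms"].split():     # a denial may list several perms
            findings.append({"perm": perm, "tclass": m["tclass"], "ttype": ttype,
                             "boolean": suggest_boolean(perm, m["tclass"], ttype)})
    return findings


def setsebool_commands(findings):
    """Persistent setsebool lines for every explained denial, deduplicated."""
    return sorted({"setsebool -P %s 1" % f["boolean"] for f in findings if f["boolean"]})


def unexplained(findings):
    """Denials no documented boolean covers: investigate before allowing."""
    return [f for f in findings if f["boolean"] is None]


if __name__ == "__main__":
    # Read denials from a pipe if given one, otherwise use the built-in sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    found = triage(text)
    for cmd in setsebool_commands(found):
        print(cmd)
    for f in unexplained(found):
        print("# no boolean covers: %(perm)s on %(tclass)s %(ttype)s -- investigate" % f)
```

       On a live host the script can be fed real denials with
       ausearch -m AVC -ts recent | python3 avc_triage.py; the file name is an
       assumption. Treat the printed setsebool lines as candidates to review,
       not as a script to run: a boolean applies to every script in the domain,
       and a denial caused by a compromised script is the signal the policy
       exists to produce.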
MANAGED FILES

       The SELinux process type httpd_sys_script_t can manage files labeled
       with the following file types. The paths listed are the default paths
       for these file types. Note that the process's UID still needs to have
       DAC permissions; SELinux only adds a further restriction on top of
       them.

       anon_inodefs_t


       fusefs_t

            /var/run/user/[^/]*/gvfs

       httpd_sys_rw_content_t

            /etc/rt(/.*)?
            /etc/glpi(/.*)?
            /etc/horde(/.*)?
            /etc/drupal.*
            /etc/z-push(/.*)?
            /var/lib/svn(/.*)?
            /var/www/svn(/.*)?
            /etc/owncloud(/.*)?
            /var/www/html(/.*)?/uploads(/.*)?
            /var/www/html(/.*)?/wp-content(/.*)?
            /var/www/html(/.*)?/wp_backups(/.*)?
            /var/www/html(/.*)?/sites/default/files(/.*)?
            /var/www/html(/.*)?/sites/default/settings.php
            /etc/mock/koji(/.*)?
            /etc/nextcloud(/.*)?
            /var/lib/drupal.*
            /etc/zabbix/web(/.*)?
            /var/lib/moodle(/.*)?
            /var/log/z-push(/.*)?
            /var/spool/gosa(/.*)?
            /etc/WebCalendar(/.*)?
            /usr/share/joomla(/.*)?
            /var/lib/dokuwiki(/.*)?
            /var/lib/owncloud(/.*)?
            /var/spool/viewvc(/.*)?
            /var/lib/nextcloud(/.*)?
            /var/lib/pootle/po(/.*)?
            /var/lib/phpMyAdmin(/.*)?
            /var/www/moodledata(/.*)?
            /srv/gallery2/smarty(/.*)?
            /var/www/moodle/data(/.*)?
            /var/lib/graphite-web(/.*)?
            /var/log/shibboleth-www(/.*)?
            /var/www/gallery/albums(/.*)?
            /var/www/html/owncloud/data(/.*)?
            /var/www/html/nextcloud/data(/.*)?
            /usr/share/wordpress-mu/wp-content(/.*)?
            /usr/share/wordpress/wp-content/upgrade(/.*)?
            /usr/share/wordpress/wp-content/uploads(/.*)?
            /var/www/html/configuration.php

       httpdcontent (attribute grouping the httpd content types)



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux httpd_sys_script policy is very flexible, allowing users to set
       up their httpd_sys_script processes in as secure a manner as possible.

       The following file types are defined for httpd_sys_script:


       httpd_sys_script_exec_t

       - Set files with the httpd_sys_script_exec_t type if you want to
       transition an executable to the httpd_sys_script_t domain. Do not
       apply it to directories that the web server or its scripts can write
       to; a location that is both writable and an entrypoint lets an
       uploaded file run as a confined script.


       Paths:
            /opt/.*.cgi, /usr/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
            /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
            /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?,
            /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*.php,
            /usr/local/nagios/sbin(/.*)?,
            /usr/share/wordpress/wp-includes/.*.php,
            /usr/share/wordpress-mu/wp-config.php


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels. A label
       set only with chcon is lost on the next relabel (restorecon, a
       filesystem relabel, or a package update that runs restorecon).


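       Added example, not part of this generated man page or of the policy
       sources: a Python resolver that applies a subset of the regexes listed
       in the ENTRYPOINTS, MANAGED FILES and FILE CONTEXTS sections to a path
       and reports the type the path would be labeled with, and whether that
       type makes the path an entrypoint into httpd_sys_script_t, writable by
       it, or neither. The path-to-type table (which of the listed regexes map
       to httpd_sys_content_t versus httpd_sys_script_exec_t) and the
       tie-break rule (longest literal stem wins, later entry wins on ties,
       approximating how libselinux orders file_contexts) are assumptions of
       this example; on a real system matchpathcon(8) or
       semanage fcontext -l gives the authoritative answer.

```python
import re

# Subset of the file-context regexes listed on this page, with the type each
# one assigns. The mapping of path to type is assumed from the reference
# policy; the real database is under /etc/selinux/<policy>/contexts/files/.
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/usr/share/nginx/html(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/[^/]*/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/var/www/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/usr/lib/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    (r"/usr/share/wordpress/.*.php", "httpd_sys_script_exec_t"),
    (r"/usr/share/wordpress/wp-includes/.*.php", "httpd_sys_script_exec_t"),
    (r"/var/www/html(/.*)?/uploads(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/www/html(/.*)?/wp-content(/.*)?", "httpd_sys_rw_content_t"),
    (r"/usr/share/wordpress/wp-content/uploads(/.*)?", "httpd_sys_rw_content_t"),
    (r"/usr/share/wordpress/wp-content/upgrade(/.*)?", "httpd_sys_rw_content_t"),
]

# Types from the ENTRYPOINTS section that this table can produce, and the
# type from MANAGED FILES that the domain may write.
ENTRYPOINT_TYPES = {"httpd_sys_script_exec_t", "httpd_sys_content_t"}
WRITABLE_TYPES = {"httpd_sys_rw_content_t"}

REGEX_META = set(".^$?*+|[](){}\\")


def literal_stem(regex):
    """Literal prefix before the first regex metacharacter (the 'stem')."""
    for i, ch in enumerate(regex):
        if ch in REGEX_META:
            return regex[:i]
    return regex


# file_contexts regexes are anchored at both ends when libselinux compiles them.
COMPILED = [(re.compile("^(?:" + rx + ")$"), literal_stem(rx), ftype, idx)
            for idx, (rx, ftype) in enumerate(FILE_CONTEXTS)]


def resolve(path):
    """Type the path would receive, or None if nothing in the table matches.

    Tie-break (assumption approximating libselinux): the match with the
    longest literal stem wins; equal stems go to the later entry.
    """
    best = None
    for rx, stem, ftype, idx in COMPILED:
        if rx.match(path):
            key = (len(stem), idx)
            if best is None or key > best[0]:
                best = (key, ftype)
    return best[1] if best else None


def classify(path):
    """Report the label plus whether it is an entrypoint and/or writable."""
    ftype = resolve(path)
    return {"path": path, "type": ftype,
            "entrypoint": ftype in ENTRYPOINT_TYPES,
            "writable": ftype in WRITABLE_TYPES}


def risky(paths):
    """Paths whose label is an entrypoint type although they sit under a
    directory the table marks writable: uploads that would run as scripts."""
    out = []
    for p in paths:
        parent = p.rsplit("/", 1)[0]
        if classify(p)["entrypoint"] and classify(parent)["writable"]:
            out.append(p)
    return out


if __name__ == "__main__":
    for p in ("/var/www/cgi-bin/hello.cgi", "/var/www/html/uploads/shell.php",
              "/usr/share/wordpress/wp-content/uploads/x.php", "/etc/passwd"):
        print(classify(p))
```

       The check a practitioner wants from this is risky(): for any directory
       the web application can write into, confirm that no entry in the
       labeling database turns files created there into entrypoints. Note the
       caveat that the label only governs the CGI/suexec transition; an
       in-process interpreter such as mod_php runs whatever httpd_t can read,
       so keeping upload directories free of the exec type complements, and
       does not replace, disabling script execution there in the web server
       configuration.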
SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t or
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files of
       type public_content_rw_t, you must set the appropriate boolean.

       Allow httpd_sys_script servers to read the /var/httpd_sys_script
       directory by adding the public_content_t file type to the directory and
       by restoring the file type.

       semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?"
       restorecon -F -R -v /var/httpd_sys_script

       Allow httpd_sys_script servers to read and write
       /var/httpd_sys_script/incoming by adding the public_content_rw_t type
       to the directory and by restoring the file type. You also need to turn
       on the httpd_sys_script_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/httpd_sys_script/incoming(/.*)?"
       restorecon -F -R -v /var/httpd_sys_script/incoming
       setsebool -P httpd_sys_script_anon_write 1

       If you want to allow apache scripts to write to public content, the
       directories/files must be labeled public_content_rw_t and you must
       turn on the httpd_sys_script_anon_write boolean.

       setsebool -P httpd_sys_script_anon_write 1

       The boolean name above is filled in from the domain name by the man
       page generator; confirm it exists with semanage boolean -l | grep
       anon_write before relying on it. The apache module's boolean for this
       purpose is httpd_anon_write.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), httpd_sys_script(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



httpd_sys_script                   20-05-05        httpd_sys_script_selinux(8)