httpd_selinux(8)             SELinux Policy httpd             httpd_selinux(8)

NAME

       httpd_selinux - Security Enhanced Linux Policy for the httpd processes

DESCRIPTION

       Security-Enhanced Linux secures the httpd processes via flexible
       mandatory access control.

       The httpd processes execute with the httpd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_t


ENTRYPOINTS

       The httpd_t SELinux type can be entered via the httpd_exec_t file type.

       The default entrypoint paths for the httpd_t domain are the following:

       /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
       /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
       /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
       /usr/sbin/apachectl, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
       /usr/sbin/htcacheclean

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       httpd policy is very flexible, allowing users to set up their httpd
       processes in as secure a manner as possible.

       The following process types are defined for httpd:

       httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t,
       httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t,
       httpd_passwd_t, httpd_unconfined_script_t

       Note: semanage permissive -a httpd_t can be used to make the process
       type httpd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on the least access required.
       httpd policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run httpd with the tightest access
       possible.

       If you want to allow httpd to use built-in scripting (usually PHP), you
       must turn on the httpd_builtin_scripting boolean. Enabled by default.

       setsebool -P httpd_builtin_scripting 1

       If you want to allow httpd to act as an FTP client connecting to the ftp
       port and ephemeral ports, you must turn on the httpd_can_connect_ftp
       boolean. Disabled by default.

       setsebool -P httpd_can_connect_ftp 1

       If you want to allow httpd to connect to the ldap port, you must turn
       on the httpd_can_connect_ldap boolean. Disabled by default.

       setsebool -P httpd_can_connect_ldap 1

       If you want to allow the http daemon to connect to mythtv, you must
       turn on the httpd_can_connect_mythtv boolean. Disabled by default.

       setsebool -P httpd_can_connect_mythtv 1

       If you want to allow the http daemon to connect to zabbix, you must
       turn on the httpd_can_connect_zabbix boolean. Disabled by default.

       setsebool -P httpd_can_connect_zabbix 1

       If you want to allow HTTPD scripts and modules to connect to the
       network using TCP, you must turn on the httpd_can_network_connect
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect 1

       If you want to allow HTTPD scripts and modules to connect to cobbler
       over the network, you must turn on the httpd_can_network_connect_cobbler
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_cobbler 1

       If you want to allow HTTPD scripts and modules to connect to databases
       over the network, you must turn on the httpd_can_network_connect_db
       boolean. Disabled by default.

       setsebool -P httpd_can_network_connect_db 1

       If you want to allow httpd to connect to a memcache server, you must
       turn on the httpd_can_network_memcache boolean. Disabled by default.

       setsebool -P httpd_can_network_memcache 1

       If you want to allow httpd to act as a relay, you must turn on the
       httpd_can_network_relay boolean. Disabled by default.

       setsebool -P httpd_can_network_relay 1

       If you want to allow the http daemon to send mail, you must turn on the
       httpd_can_sendmail boolean. Disabled by default.

       setsebool -P httpd_can_sendmail 1

       If you want to allow Apache to communicate with the avahi service via
       dbus, you must turn on the httpd_dbus_avahi boolean. Enabled by
       default.

       setsebool -P httpd_dbus_avahi 1

       If you want to allow Apache to communicate with the sssd service via
       dbus, you must turn on the httpd_dbus_sssd boolean. Disabled by
       default.

       setsebool -P httpd_dbus_sssd 1

       If you want to allow httpd cgi support, you must turn on the
       httpd_enable_cgi boolean. Enabled by default.

       setsebool -P httpd_enable_cgi 1

       If you want to allow httpd to act as an FTP server by listening on the
       ftp port, you must turn on the httpd_enable_ftp_server boolean.
       Disabled by default.

       setsebool -P httpd_enable_ftp_server 1

       If you want to allow httpd to read home directories, you must turn on
       the httpd_enable_homedirs boolean. Disabled by default.

       setsebool -P httpd_enable_homedirs 1

       If you want to allow httpd scripts and modules execmem/execstack, you
       must turn on the httpd_execmem boolean. Disabled by default.

       setsebool -P httpd_execmem 1

       If you want to allow HTTPD to connect to port 80 for graceful shutdown,
       you must turn on the httpd_graceful_shutdown boolean. Disabled by
       default.

       setsebool -P httpd_graceful_shutdown 1

       If you want to allow httpd processes to manage IPA content, you must
       turn on the httpd_manage_ipa boolean. Disabled by default.

       setsebool -P httpd_manage_ipa 1

       If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
       on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.

       setsebool -P httpd_mod_auth_ntlm_winbind 1

       If you want to allow Apache to use mod_auth_pam, you must turn on the
       httpd_mod_auth_pam boolean. Disabled by default.

       setsebool -P httpd_mod_auth_pam 1

       If you want to allow httpd to read user content, you must turn on the
       httpd_read_user_content boolean. Disabled by default.

       setsebool -P httpd_read_user_content 1

       If you want to allow httpd processes to run the IPA helper, you must
       turn on the httpd_run_ipa boolean. Disabled by default.

       setsebool -P httpd_run_ipa 1

       If you want to allow Apache to run preupgrade, you must turn on the
       httpd_run_preupgrade boolean. Disabled by default.

       setsebool -P httpd_run_preupgrade 1

       If you want to allow Apache to run in stickshift mode, not transition
       to passenger, you must turn on the httpd_run_stickshift boolean.
       Disabled by default.

       setsebool -P httpd_run_stickshift 1

       If you want to allow HTTPD scripts and modules to serve cobbler files,
       you must turn on the httpd_serve_cobbler_files boolean. Disabled by
       default.

       setsebool -P httpd_serve_cobbler_files 1

       If you want to allow the httpd daemon to change its resource limits,
       you must turn on the httpd_setrlimit boolean. Disabled by default.

       setsebool -P httpd_setrlimit 1

       If you want to allow HTTPD to run SSI executables in the same domain as
       system CGI scripts, you must turn on the httpd_ssi_exec boolean.
       Disabled by default.

       setsebool -P httpd_ssi_exec 1

       If you want to allow HTTPD to communicate with the terminal (needed for
       entering the passphrase for certificates at the terminal), you must
       turn on the httpd_tty_comm boolean. Disabled by default.

       setsebool -P httpd_tty_comm 1

       If you want to allow httpd to access cifs file systems, you must turn
       on the httpd_use_cifs boolean. Disabled by default.

       setsebool -P httpd_use_cifs 1

       If you want to allow httpd to access FUSE file systems, you must turn
       on the httpd_use_fusefs boolean. Disabled by default.

       setsebool -P httpd_use_fusefs 1

       If you want to allow httpd to access nfs file systems, you must turn on
       the httpd_use_nfs boolean. Disabled by default.

       setsebool -P httpd_use_nfs 1

       If you want to allow httpd to use opencryptoki, you must turn on the
       httpd_use_opencryptoki boolean. Disabled by default.

       setsebool -P httpd_use_opencryptoki 1

       If you want to allow httpd to access openstack ports, you must turn on
       the httpd_use_openstack boolean. Disabled by default.

       setsebool -P httpd_use_openstack 1

       If you want to allow httpd to connect to sasl, you must turn on the
       httpd_use_sasl boolean. Disabled by default.

       setsebool -P httpd_use_sasl 1

       If you want to allow Apache to query NS records, you must turn on the
       httpd_verify_dns boolean. Disabled by default.

       setsebool -P httpd_verify_dns 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the Git system daemon to access cifs file systems,
       you must turn on the git_system_use_cifs boolean. Disabled by default.

       setsebool -P git_system_use_cifs 1

       If you want to allow the Git system daemon to access nfs file systems,
       you must turn on the git_system_use_nfs boolean. Disabled by default.

       setsebool -P git_system_use_nfs 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1

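       The following is an added audit helper, not part of the httpd_selinux(8) man page: it reads getsebool(8)-style "name --> state" lines and reports every httpd_* boolean whose state differs from the defaults documented in this section, since each boolean that has gone from "off" to "on" grants httpd_t a further class of access. The sample getsebool output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of httpd_selinux(8)): compare the httpd_* booleans that
# `getsebool -a` reports against the defaults documented in the BOOLEANS section
# and flag every boolean whose state has drifted.

# Documented defaults: these three are "Enabled by default"; every other httpd_*
# boolean listed in the BOOLEANS section is "Disabled by default".
HTTPD_DEFAULT_ON="httpd_builtin_scripting httpd_dbus_avahi httpd_enable_cgi"

# Constructed sample of `getsebool -a` output ("name --> state" lines); it is not
# captured from a real host. On a live system feed the real output instead:
#   getsebool -a | httpd_bool_drift
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_execmem --> on
httpd_use_nfs --> off
kerberos_enabled --> off'

# Documented default for one boolean name: prints "on" or "off".
httpd_bool_default() {
    for b in $HTTPD_DEFAULT_ON; do
        if [ "$b" = "$1" ]; then
            echo on
            return 0
        fi
    done
    echo off
}

# Read getsebool-style lines on stdin; print "name default current" for every
# httpd_* boolean whose current state differs from the documented default.
httpd_bool_drift() {
    while read -r name arrow state; do
        case "$name" in
            httpd_*) ;;                   # only the httpd booleans documented above
            *) continue ;;
        esac
        [ "$arrow" = "-->" ] || continue  # ignore lines not in getsebool format
        default=$(httpd_bool_default "$name")
        if [ "$state" != "$default" ]; then
            printf '%s %s %s\n' "$name" "$default" "$state"
        fi
    done
}

# Read getsebool-style lines on stdin; print how many httpd booleans have been
# loosened (documented default off, currently on). These are the ones to review
# first: each is a new kind of access for httpd_t.
httpd_loosened_count() {
    httpd_bool_drift | awk '$2 == "off" && $3 == "on"' | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | httpd_bool_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | httpd_loosened_count
```

       A boolean reported as tightened (default on, now off), such as httpd_dbus_avahi in the sample, is also listed so that an unexplained change in either direction is visible.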

NSSWITCH DOMAIN

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server for the httpd_t, you must turn on
       the authlogin_nsswitch_use_ldap boolean.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow confined applications to run with kerberos for the
       httpd_t, you must turn on the kerberos_enabled boolean.

       setsebool -P kerberos_enabled 1


PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes in as secure a manner as possible.

       The following port types are defined for httpd:

       http_cache_port_t

       Default Defined Ports:
                 tcp 8080,8118,8123,10001-10010
                 udp 3130

       http_port_t

       Default Defined Ports:
                 tcp 80,81,443,488,8008,8009,8443,9000

MANAGED FILES

       The SELinux process type httpd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       abrt_retrace_spool_t

            /var/spool/faf(/.*)?
            /var/spool/abrt-retrace(/.*)?
            /var/spool/retrace-server(/.*)?

       anon_inodefs_t

       cifs_t

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cobbler_var_lib_t

            /var/lib/cobbler(/.*)?
            /var/www/cobbler(/.*)?
            /var/cache/cobbler(/.*)?
            /var/lib/tftpboot/etc(/.*)?
            /var/lib/tftpboot/ppc(/.*)?
            /var/lib/tftpboot/boot(/.*)?
            /var/lib/tftpboot/grub(/.*)?
            /var/lib/tftpboot/s390x(/.*)?
            /var/lib/tftpboot/images(/.*)?
            /var/lib/tftpboot/aarch64(/.*)?
            /var/lib/tftpboot/images2(/.*)?
            /var/lib/tftpboot/pxelinux.cfg(/.*)?
            /var/lib/tftpboot/yaboot
            /var/lib/tftpboot/memdisk
            /var/lib/tftpboot/menu.c32
            /var/lib/tftpboot/pxelinux.0

       dirsrv_config_t

            /etc/dirsrv(/.*)?

       dirsrv_var_log_t

            /var/log/dirsrv(/.*)?

       dirsrv_var_run_t

            /var/run/slapd.*
            /var/run/dirsrv(/.*)?

       dirsrvadmin_config_t

            /etc/dirsrv/dsgw(/.*)?
            /etc/dirsrv/admin-serv(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       httpd_cache_t

            /var/cache/rt(3|4)(/.*)?
            /var/cache/ssl.*.sem
            /var/cache/mod_.*
            /var/cache/php-.*
            /var/cache/httpd(/.*)?
            /var/cache/mason(/.*)?
            /var/cache/nginx(/.*)?
            /var/cache/mod_ssl(/.*)?
            /var/cache/lighttpd(/.*)?
            /var/cache/mediawiki(/.*)?
            /var/cache/mod_proxy(/.*)?
            /var/cache/mod_gnutls(/.*)?
            /var/cache/php-mmcache(/.*)?
            /var/cache/php-eaccelerator(/.*)?

       httpd_lock_t

       httpd_squirrelmail_t

            /var/lib/squirrelmail/prefs(/.*)?

       httpd_tmpfs_t

       httpd_user_rw_content_t

       httpd_var_lib_t

            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
            /var/lib/dav(/.*)?
            /var/lib/php(/.*)?
            /var/lib/glpi(/.*)?
            /var/lib/httpd(/.*)?
            /var/lib/nginx(/.*)?
            /var/lib/z-push(/.*)?
            /var/lib/ganglia(/.*)?
            /var/lib/ipsilon(/.*)?
            /var/lib/cherokee(/.*)?
            /var/lib/lighttpd(/.*)?
            /var/lib/mod_security(/.*)?
            /var/lib/roundcubemail(/.*)?
            /var/opt/rh/rh-nginx18/lib/nginx(/.*)?

       httpd_var_run_t

            /var/run/wsgi.*
            /var/run/mod_.*
            /var/run/httpd.*
            /var/run/nginx.*
            /var/run/apache.*
            /var/run/php-fpm(/.*)?
            /var/run/fcgiwrap(/.*)?
            /var/run/lighttpd(/.*)?
            /var/lib/php/session(/.*)?
            /var/lib/php/wsdlcache(/.*)?
            /var/run/dirsrv/admin-serv.*
            /var/opt/rh/rh-nginx18/run/nginx(/.*)?
            /var/www/openshift/broker/httpd/run(/.*)?
            /var/www/openshift/console/httpd/run(/.*)?
            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
            /var/run/thttpd.pid
            /var/run/gcache_port
            /var/run/cherokee.pid

       httpdcontent

       hugetlbfs_t

            /dev/hugepages
            /usr/lib/udev/devices/hugepages

       ipa_cert_t

            /etc/httpd/alias/ipasession.key

       ipa_var_run_t

            /var/run/ipa(/.*)?

       jetty_cache_t

            /var/cache/jetty(/.*)?

       jetty_log_t

            /var/log/jetty(/.*)?

       jetty_unit_file_t

            /usr/lib/systemd/system/jetty.service

       jetty_var_lib_t

            /var/lib/jetty(/.*)?

       jetty_var_run_t

            /var/run/jetty(/.*)?

       memcached_var_run_t

            /var/run/memcached(/.*)?
            /var/run/ipa_memcached(/.*)?

       mirrormanager_var_run_t

            /var/run/mirrormanager(/.*)?

       named_cache_t

            /var/named/data(/.*)?
            /var/lib/softhsm(/.*)?
            /var/lib/unbound(/.*)?
            /var/named/slaves(/.*)?
            /var/named/dynamic(/.*)?
            /var/named/chroot/var/tmp(/.*)?
            /var/named/chroot/var/named/data(/.*)?
            /var/named/chroot/var/named/slaves(/.*)?
            /var/named/chroot/var/named/dynamic(/.*)?

       nfs_t

       passenger_var_lib_t

            /var/lib/passenger(/.*)?

       passenger_var_run_t

            /var/run/passenger(/.*)?

       pkcs_slotd_lock_t

            /var/lock/opencryptoki(/.*)?

       pkcs_slotd_var_lib_t

            /var/lib/opencryptoki(/.*)?

       pki_apache_config

       pki_apache_var_lib

       pki_apache_var_log

       postfix_spool_t

            /var/spool/postfix.*
            /var/spool/postfix/defer(/.*)?
            /var/spool/postfix/flush(/.*)?
            /var/spool/postfix/deferred(/.*)?
            /var/spool/postfix/maildrop(/.*)?

       preupgrade_data_t

            /var/lib/preupgrade(/.*)?
            /var/log/preupgrade(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       zoneminder_var_lib_t

            /var/lib/zoneminder(/.*)?


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux httpd policy is very flexible, allowing users to set up their
       httpd processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       httpd policy stores data with multiple different file context types
       under the /var/lib/php directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/lib/php /srv/php
       restorecon -R -v /srv/php

       httpd policy stores data with multiple different file context types
       under the /var/www directory. If you would like to store the data in a
       different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/www /srv/www
       restorecon -R -v /srv/www

       STANDARD FILE CONTEXT

       SELinux defines the file context types for httpd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t httpd_var_run_t '/srv/myhttpd_content(/.*)?'
       restorecon -R -v /srv/myhttpd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

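       The following is an added example, not part of the httpd_selinux(8) man page, that models how the two mechanisms above combine: an equivalence mapping (semanage fcontext -e) rewrites a path prefix, and the regular-expression file-context rules then decide the type. It is a simplified model of what matchpathcon(8) and restorecon(8) do, not libselinux itself; the rule table is a constructed excerpt of the httpd entries listed on this page, hand-ordered so that the most specific rule comes last and the last full match wins.

```shell
#!/bin/sh
# Added example (not part of httpd_selinux(8)): resolve the httpd file type a path
# would receive, first through the equivalence table and then through the regex
# file-context rules. Simplified model of matchpathcon(8); not libselinux code.

# Rules as "regex type", a constructed excerpt of this page's httpd entries.
# Assumption for this model: the table is ordered with the most specific rule
# last, and the LAST rule that fully matches the path wins.
HTTPD_FC_RULES='/var/www(/.*)? httpd_sys_content_t
/var/www/cgi-bin(/.*)? httpd_sys_script_exec_t
/var/www(/.*)?/logs(/.*)? httpd_log_t
/var/www/html(/.*)?/uploads(/.*)? httpd_sys_rw_content_t
/var/www/html(/.*)?/wp-content(/.*)? httpd_sys_rw_content_t'

# Equivalence mappings as created by "semanage fcontext -a -e /var/www /srv/www":
# "target original" pairs; a path under target is labeled as if under original.
HTTPD_FC_EQUIV='/srv/www /var/www'

# Rewrite PATH through the equivalence table: /srv/www/html/x -> /var/www/html/x.
# A path outside every target directory is returned unchanged.
fc_apply_equivalence() {
    _path=$1
    while read -r target original; do
        case "$_path" in
            "$target"|"$target"/*) _path="$original${_path#"$target"}"; break ;;
        esac
    done <<EOF
$HTTPD_FC_EQUIV
EOF
    printf '%s\n' "$_path"
}

# Print the type the last fully matching rule assigns to PATH, or "<<none>>" when
# no rule matches (restorecon then leaves the file's existing label alone).
fc_lookup() {
    _real=$(fc_apply_equivalence "$1")
    _found='<<none>>'
    while read -r regex type; do
        # file_contexts regexes are anchored at both ends, so the rule for
        # /var/www/cgi-bin(/.*)? does not match /var/www/cgi-bin-old/...
        if printf '%s\n' "$_real" | grep -Eq "^${regex}\$"; then
            _found=$type
        fi
    done <<EOF
$HTTPD_FC_RULES
EOF
    printf '%s\n' "$_found"
}

# Stand-alone demonstration: paths that look alike end up with different types.
for p in /var/www/html/index.html /srv/www/html/blog/uploads/a.png \
         /var/www/cgi-bin/form.cgi /srv/www/logs/access_log /srv/php/session; do
    printf '%-40s %s\n' "$p" "$(fc_lookup "$p")"
done
```

       On a live system the authoritative answer for any of these paths comes from matchpathcon and from ls -Z after restorecon has run; the model here only shows why, for example, an uploads directory under /srv/www ends up read/write for httpd while the rest of the tree stays read-only content.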
723       The following file types are defined for httpd:
724
725
726
727       httpd_cache_t
728
729       - Set files with the httpd_cache_t type, if you want to store the files
730       under the /var/cache directory.
731
732
733       Paths:
734            /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
735            /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
736            /var/cache/nginx(/.*)?,                  /var/cache/mod_ssl(/.*)?,
737            /var/cache/lighttpd(/.*)?,             /var/cache/mediawiki(/.*)?,
738            /var/cache/mod_proxy(/.*)?,           /var/cache/mod_gnutls(/.*)?,
739            /var/cache/php-mmcache(/.*)?, /var/cache/php-eaccelerator(/.*)?
740
741
742       httpd_config_t
743
744       -  Set  files  with  the  httpd_config_t type, if you want to treat the
745       files as httpd configuration data, usually stored under the /etc direc‐
746       tory.
747
748
749       Paths:
750            /etc/httpd(/.*)?,     /etc/nginx(/.*)?,     /etc/apache(2)?(/.*)?,
751            /etc/cherokee(/.*)?,       /etc/lighttpd(/.*)?,       /etc/apache-
752            ssl(2)?(/.*)?,  /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-
753            nginx18/nginx(/.*)?,           /var/lib/stickshift/.httpd.d(/.*)?,
754            /etc/vhosts, /etc/thttpd.conf
755
756
757       httpd_exec_t
758
759       -  Set  files  with the httpd_exec_t type, if you want to transition an
760       executable to the httpd_t domain.
761
762
763       Paths:
764            /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?,  /usr/lib/apache-
765            ssl/.+,         /usr/sbin/apache-ssl(2)?,         /usr/sbin/nginx,
766            /usr/sbin/thttpd,      /usr/sbin/php-fpm,      /usr/sbin/cherokee,
767            /usr/sbin/lighttpd,   /usr/sbin/apachectl,  /usr/sbin/httpd.event,
768            /usr/bin/mongrel_rails, /usr/sbin/htcacheclean
769
770
771       httpd_helper_exec_t
772
773       - Set files with the httpd_helper_exec_t type, if you want  to  transi‐
774       tion an executable to the httpd_helper_t domain.
775
776
777
778       httpd_initrc_exec_t
779
780       -  Set  files with the httpd_initrc_exec_t type, if you want to transi‐
781       tion an executable to the httpd_initrc_t domain.
782
783
784       Paths:
785            /etc/init.d/cherokee,                      /etc/rc.d/init.d/httpd,
786            /etc/rc.d/init.d/lighttpd
787
788
789       httpd_keytab_t
790
791       -  Set  files  with  the  httpd_keytab_t type, if you want to treat the
792       files as kerberos keytab files.
793
794
795
796       httpd_lock_t
797
798       - Set files with the httpd_lock_t type, if you want to treat the  files
799       as httpd lock data, stored under the /var/lock directory
800
801
802
803       httpd_log_t
804
805       - Set files with the httpd_log_t type, if you want to treat the data as
806       httpd log data, usually stored under the /var/log directory.
807
808
809       Paths:
810            /srv/([^/]*/)?www/logs(/.*)?,           /var/www(/.*)?/logs(/.*)?,
811            /var/log/glpi(/.*)?,  /var/log/cacti(/.*)?,  /var/log/httpd(/.*)?,
812            /var/log/nginx(/.*)?,  /var/log/apache(2)?(/.*)?,   /var/log/hori‐
813            zon(/.*)?,     /var/log/php-fpm(/.*)?,    /var/log/cherokee(/.*)?,
814            /var/log/lighttpd(/.*)?,                     /var/log/suphp.log.*,
815            /var/log/thttpd.log.*,              /var/log/apache-ssl(2)?(/.*)?,
816            /var/log/cgiwrap.log.*,       /var/www/stickshift/[^/]*/log(/.*)?,
817            /var/log/graphite-web(/.*)?,          /var/www/miq/vmdb/log(/.*)?,
818            /var/log/roundcubemail(/.*)?,           /var/log/php_errors.log.*,
819            /var/log/dirsrv/admin-serv(/.*)?,                  /var/opt/rh/rh-
820            nginx18/log(/.*)?,            /var/lib/openshift/.log/httpd(/.*)?,
821            /var/www/openshift/console/log(/.*)?,      /var/www/openshift/bro‐
822            ker/httpd/logs(/.*)?, /var/www/openshift/console/httpd/logs(/.*)?,
823            /etc/httpd/logs
824
825
826       httpd_modules_t
827
828       -  Set  files  with  the httpd_modules_t type, if you want to treat the
829       files as httpd modules.
830
831
832       Paths:
833            /usr/lib/httpd(/.*)?,    /usr/lib/apache(/.*)?,    /usr/lib/chero‐
834            kee(/.*)?,      /usr/lib/lighttpd(/.*)?,     /usr/lib/apache2/mod‐
835            ules(/.*)?, /etc/httpd/modules
836
837
838       httpd_passwd_exec_t
839
840       - Set files with the httpd_passwd_exec_t type, if you want  to  transi‐
841       tion an executable to the httpd_passwd_t domain.
842
843
844
845       httpd_php_exec_t
846
847       -  Set  files with the httpd_php_exec_t type, if you want to transition
848       an executable to the httpd_php_t domain.
849
850
851
852       httpd_php_tmp_t
853
854       - Set files with the httpd_php_tmp_t type, if you want to  store  httpd
855       php temporary files in the /tmp directories.
856
857
858
859       httpd_rotatelogs_exec_t
860
861       - Set files with the httpd_rotatelogs_exec_t type, if you want to tran‐
862       sition an executable to the httpd_rotatelogs_t domain.
863
864
865
866       httpd_squirrelmail_t
867
868       - Set files with the httpd_squirrelmail_t type, if you  want  to  treat
869       the files as httpd squirrelmail data.
870
871
872
873       httpd_suexec_exec_t
874
875       -  Set  files with the httpd_suexec_exec_t type, if you want to transi‐
876       tion an executable to the httpd_suexec_t domain.
877
878
879       Paths:
880            /usr/lib/apache(2)?/suexec(2)?,       /usr/lib/cgi-bin/(nph-)?cgi‐
881            wrap(d)?, /usr/sbin/suexec
882
883
884       httpd_suexec_tmp_t
885
886       -  Set  files  with  the  httpd_suexec_tmp_t type, if you want to store
887       httpd suexec temporary files in the /tmp directories.
888
889
890
891       httpd_sys_content_t
892
893       - Set files with the httpd_sys_content_t type, if you want to treat the
894       files as httpd sys content.
895
896
897       Paths:
898            /srv/([^/]*/)?www(/.*)?,     /var/www(/.*)?,     /etc/htdig(/.*)?,
899            /srv/gallery2(/.*)?,  /var/lib/trac(/.*)?,   /var/lib/htdig(/.*)?,
900            /var/www/icons(/.*)?,                       /usr/share/glpi(/.*)?,
901            /usr/share/htdig(/.*)?,     /usr/share/drupal.*,     /usr/share/z-
902            push(/.*)?,   /var/www/svn/conf(/.*)?,   /usr/share/icecast(/.*)?,
903            /var/lib/cacti/rra(/.*)?,              /usr/share/ntop/html(/.*)?,
904            /usr/share/nginx/html(/.*)?,        /usr/share/doc/ghc/html(/.*)?,
905            /usr/share/openca/htdocs(/.*)?,            /usr/share/selinux-pol‐
906            icy[^/]*/html(/.*)?
907
908
909       httpd_sys_htaccess_t
910
911       -  Set  files  with the httpd_sys_htaccess_t type, if you want to treat
912       the file as a httpd sys access file.
913
914
915
916       httpd_sys_ra_content_t
917
918       - Set files with the httpd_sys_ra_content_t type, if you want to  treat
919       the files as httpd sys read/append content.
920
921
922
923       httpd_sys_rw_content_t
924
925       -  Set files with the httpd_sys_rw_content_t type, if you want to treat
926       the files as httpd sys read/write content.
927
928
929       Paths:
930            /etc/rt(/.*)?, /etc/glpi(/.*)?,  /etc/horde(/.*)?,  /etc/drupal.*,
931            /etc/z-push(/.*)?,     /var/lib/svn(/.*)?,     /var/www/svn(/.*)?,
932            /etc/owncloud(/.*)?,            /var/www/html(/.*)?/uploads(/.*)?,
933            /var/www/html(/.*)?/wp-content(/.*)?, /var/www/html(/.*)?/wp_back‐
934            ups(/.*)?,          /var/www/html(/.*)?/sites/default/files(/.*)?,
935            /var/www/html(/.*)?/sites/default/settings.php,
936            /etc/mock/koji(/.*)?,   /etc/nextcloud(/.*)?,   /var/lib/drupal.*,
937            /etc/zabbix/web(/.*)?,      /var/lib/moodle(/.*)?,     /var/log/z-
938            push(/.*)?,     /var/spool/gosa(/.*)?,     /etc/WebCalendar(/.*)?,
939            /usr/share/joomla(/.*)?,   /var/lib/dokuwiki(/.*)?,  /var/lib/own‐
940            cloud(/.*)?,  /var/spool/viewvc(/.*)?,   /var/lib/nextcloud(/.*)?,
941            /var/lib/pootle/po(/.*)?, /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
942            dledata(/.*)?,      /srv/gallery2/smarty(/.*)?,      /var/www/moo‐
943            dle/data(/.*)?,  /var/lib/graphite-web(/.*)?, /var/log/shibboleth-
944            www(/.*)?,    /var/www/gallery/albums(/.*)?,    /var/www/html/own‐
945            cloud/data(/.*)?,              /var/www/html/nextcloud/data(/.*)?,
946            /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-
947            content/upgrade(/.*)?,                /usr/share/wordpress/wp-con‐
948            tent/uploads(/.*)?, /var/www/html/configuration.php
949
950
951       httpd_sys_script_exec_t
952
953       - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
954       sition an executable to the httpd_sys_script_t domain.
955
956
957       Paths:
958            /opt/.*.cgi,       /usr/.*.cgi,      /var/www/[^/]*/cgi-bin(/.*)?,
959            /var/www/perl(/.*)?,            /var/www/html/[^/]*/cgi-bin(/.*)?,
960            /usr/lib/cgi-bin(/.*)?,                    /var/www/cgi-bin(/.*)?,
961            /var/www/svn/hooks(/.*)?,             /usr/share/wordpress/.*.php,
962            /usr/local/nagios/sbin(/.*)?,             /usr/share/wordpress/wp-
963            includes/.*.php, /usr/share/wordpress-mu/wp-config.php
964
965
966       httpd_tmp_t
967
968       - Set files with the httpd_tmp_t type, if you want to store httpd  tem‐
969       porary files in the /tmp directories.
970
971
972       Paths:
973            /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?
974
975
976       httpd_tmpfs_t
977
978       -  Set  files  with  the httpd_tmpfs_t type, if you want to store httpd
979       files on a tmpfs file system.
980
981
982
       httpd_unconfined_script_exec_t

       - Set files with the httpd_unconfined_script_exec_t type, if you want
       to transition an executable to the httpd_unconfined_script_t domain.



       httpd_unit_file_t

       - Set files with the httpd_unit_file_t type, if you want to treat the
       files as httpd unit content.


       Paths:
            /usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/nginx.*,
            /usr/lib/systemd/system/thttpd.*, /usr/lib/systemd/system/php-fpm.*


       httpd_user_content_t

       - Set files with the httpd_user_content_t type, if you want to treat
       the files as httpd user content.



       httpd_user_htaccess_t

       - Set files with the httpd_user_htaccess_t type, if you want to treat
       the file as an httpd user access file.



       httpd_user_ra_content_t

       - Set files with the httpd_user_ra_content_t type, if you want to treat
       the files as httpd user read/append content.



       httpd_user_rw_content_t

       - Set files with the httpd_user_rw_content_t type, if you want to treat
       the files as httpd user read/write content.



       httpd_user_script_exec_t

       - Set files with the httpd_user_script_exec_t type, if you want to
       transition an executable to the httpd_user_script_t domain.



       httpd_var_lib_t

       - Set files with the httpd_var_lib_t type, if you want to store the
       httpd files under the /var/lib directory.


       Paths:
            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?,
            /var/lib/php(/.*)?, /var/lib/glpi(/.*)?, /var/lib/httpd(/.*)?,
            /var/lib/nginx(/.*)?, /var/lib/z-push(/.*)?, /var/lib/ganglia(/.*)?,
            /var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?, /var/lib/lighttpd(/.*)?,
            /var/lib/mod_security(/.*)?, /var/lib/roundcubemail(/.*)?,
            /var/opt/rh/rh-nginx18/lib/nginx(/.*)?


       httpd_var_run_t

       - Set files with the httpd_var_run_t type, if you want to store the
       httpd files under the /run or /var/run directory.


       Paths:
            /var/run/wsgi.*, /var/run/mod_.*, /var/run/httpd.*,
            /var/run/nginx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?,
            /var/run/fcgiwrap(/.*)?, /var/run/lighttpd(/.*)?,
            /var/lib/php/session(/.*)?, /var/lib/php/wsdlcache(/.*)?,
            /var/run/dirsrv/admin-serv.*, /var/opt/rh/rh-nginx18/run/nginx(/.*)?,
            /var/www/openshift/broker/httpd/run(/.*)?,
            /var/www/openshift/console/httpd/run(/.*)?,
            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
            /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.



SHARING FILES

       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t or
       public_content_rw_t. Both contexts allow any of the above domains to
       read the content. If you want a particular domain to write to files
       labeled public_content_rw_t, you must set the appropriate boolean.

       Allow httpd servers to read the /var/httpd directory by adding the
       public_content_t file type to the directory and by restoring the file
       type.

       semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
       restorecon -F -R -v /var/httpd

       Allow httpd servers to read and write /var/httpd/incoming by adding the
       public_content_rw_t type to the directory and by restoring the file
       type. You also need to turn on the httpd_anon_write boolean.

       semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
       restorecon -F -R -v /var/httpd/incoming
       setsebool -P httpd_anon_write 1


       If you want to allow Apache to modify public files used for public file
       transfer services, you must turn on the httpd_anon_write boolean. The
       directories and files must be labeled public_content_rw_t.

       setsebool -P httpd_anon_write 1


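       The following Python script is an added example, not part of this man
       page or of the SELinux policy: it applies the file_contexts(5) matching
       rule to a constructed handful of the Paths entries above plus the two
       semanage fcontext entries from SHARING FILES, showing which type
       restorecon would give a path and which entries are shadowed. It assumes
       that entries are regexes anchored at both ends, that when several entries
       match the last one in the file wins, and that local customizations are
       consulted after the policy's own entries.

```python
import re

# Constructed excerpt of file_contexts entries, copied from the "Paths:"
# lists of this man page and ordered general-to-specific, as the policy
# build sorts them (assumption; a real file_contexts is far larger).
POLICY_FC = [
    ("/var/lib/php(/.*)?",                "httpd_var_lib_t"),
    ("/var/lib/php/session(/.*)?",        "httpd_var_run_t"),
    ("/var/www/cgi-bin(/.*)?",            "httpd_sys_script_exec_t"),
    ("/var/www/html/[^/]*/cgi-bin(/.*)?", "httpd_sys_script_exec_t"),
    ("/opt/.*.cgi",                       "httpd_sys_script_exec_t"),
    ("/usr/lib/systemd/system/httpd.*",   "httpd_unit_file_t"),
]

# Constructed local customizations, in the order the two semanage fcontext -a
# commands from SHARING FILES would have added them (file_contexts.local).
LOCAL_FC = [
    ("/var/httpd(/.*)?",          "public_content_t"),
    ("/var/httpd/incoming(/.*)?", "public_content_rw_t"),
]


def matching_entries(path, policy=POLICY_FC, local=LOCAL_FC):
    """All entries matching path, in file order (local entries last).
    file_contexts regexes are anchored at both ends, hence fullmatch."""
    return [(pat, ftype) for pat, ftype in policy + local
            if re.fullmatch(pat, path)]


def lookup_type(path, policy=POLICY_FC, local=LOCAL_FC):
    """SELinux file type restorecon would apply to path, or None when no
    entry matches (restorecon then leaves the file's label unchanged)."""
    matches = matching_entries(path, policy, local)
    return matches[-1][1] if matches else None   # last matching entry wins


if __name__ == "__main__":
    for p in ("/var/lib/php/peclxml",
              "/var/lib/php/session/sess_abc",    # shadowed by the more specific entry
              "/var/www/html/app/cgi-bin/x.cgi",
              "/var/www/html/a/b/cgi-bin/x.cgi",  # [^/]* allows one component only
              "/opt/tools/mycgi",                 # unescaped "." in /opt/.*.cgi
              "/var/httpd/incoming/upload.txt"):
        print(f"{p:38} -> {lookup_type(p)}")
        for pat, ftype in matching_entries(p):
            print(f"    matches {pat} ({ftype})")
```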

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), httpd_helper_selinux(8),
       httpd_passwd_selinux(8), httpd_php_selinux(8),
       httpd_rotatelogs_selinux(8), httpd_suexec_selinux(8),
       httpd_sys_script_selinux(8), httpd_unconfined_script_selinux(8),
       httpd_user_script_selinux(8)



httpd                              21-03-26                   httpd_selinux(8)