1httpd_selinux(8) SELinux Policy httpd httpd_selinux(8)
2
6 httpd_selinux - Security Enhanced Linux Policy for the httpd processes
7
9 Security-Enhanced Linux secures the httpd processes via flexible manda‐
10 tory access control.
11 The httpd processes execute with the httpd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep httpd_t
19
23 The httpd_t SELinux type can be entered via the httpd_exec_t file type.
24 The default entrypoint paths for the httpd_t domain are the following:
26 /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-
28 ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
29 /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
30 /usr/sbin/apachectl, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
31 /usr/sbin/htcacheclean
32
34 SELinux defines process types (domains) for each process running on the
35 system
36 You can see the context of a process using the -Z option to ps
38 Policy governs the access confined processes have to files. SELinux
40 httpd policy is very flexible allowing users to setup their httpd pro‐
41 cesses in as secure a method as possible.
42 The following process types are defined for httpd:
44 httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t, httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t, httpd_passwd_t, httpd_unconfined_script_t
46 Note: semanage permissive -a httpd_t can be used to make the process
48 type httpd_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
54 SELinux policy is customizable based on least access required. httpd
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run httpd with the tightest access possible.
57 If you want to allow httpd to use built in scripting (usually php), you
61 must turn on the httpd_builtin_scripting boolean. Enabled by default.
62 setsebool -P httpd_builtin_scripting 1
64 If you want to allow httpd to act as a FTP client connecting to the ftp
68 port and ephemeral ports, you must turn on the httpd_can_connect_ftp
69 boolean. Disabled by default.
70 setsebool -P httpd_can_connect_ftp 1
72 If you want to allow httpd to connect to the ldap port, you must turn
76 on the httpd_can_connect_ldap boolean. Disabled by default.
77 setsebool -P httpd_can_connect_ldap 1
79 If you want to allow http daemon to connect to mythtv, you must turn on
83 the httpd_can_connect_mythtv boolean. Disabled by default.
84 setsebool -P httpd_can_connect_mythtv 1
86 If you want to allow http daemon to connect to zabbix, you must turn on
90 the httpd_can_connect_zabbix boolean. Disabled by default.
91 setsebool -P httpd_can_connect_zabbix 1
93 If you want to allow HTTPD scripts and modules to connect to the net‐
97 work using TCP, you must turn on the httpd_can_network_connect boolean.
98 Disabled by default.
99 setsebool -P httpd_can_network_connect 1
101 If you want to allow HTTPD scripts and modules to connect to cobbler
105 over the network, you must turn on the httpd_can_network_connect_cob‐
106 bler boolean. Disabled by default.
107 setsebool -P httpd_can_network_connect_cobbler 1
109 If you want to allow HTTPD scripts and modules to connect to databases
113 over the network, you must turn on the httpd_can_network_connect_db
114 boolean. Disabled by default.
115 setsebool -P httpd_can_network_connect_db 1
117 If you want to allow httpd to connect to memcache server, you must turn
121 on the httpd_can_network_memcache boolean. Disabled by default.
122 setsebool -P httpd_can_network_memcache 1
124 If you want to allow httpd to act as a relay, you must turn on the
128 httpd_can_network_relay boolean. Disabled by default.
129 setsebool -P httpd_can_network_relay 1
131 If you want to allow http daemon to send mail, you must turn on the
135 httpd_can_sendmail boolean. Disabled by default.
136 setsebool -P httpd_can_sendmail 1
138 If you want to allow Apache to communicate with avahi service via dbus,
142 you must turn on the httpd_dbus_avahi boolean. Enabled by default.
143 setsebool -P httpd_dbus_avahi 1
145 If you want to allow Apache to communicate with sssd service via dbus,
149 you must turn on the httpd_dbus_sssd boolean. Disabled by default.
150 setsebool -P httpd_dbus_sssd 1
152 If you want to allow httpd cgi support, you must turn on the
156 httpd_enable_cgi boolean. Enabled by default.
157 setsebool -P httpd_enable_cgi 1
159 If you want to allow httpd to act as a FTP server by listening on the
163 ftp port, you must turn on the httpd_enable_ftp_server boolean. Dis‐
164 abled by default.
165 setsebool -P httpd_enable_ftp_server 1
167 If you want to allow httpd to read home directories, you must turn on
171 the httpd_enable_homedirs boolean. Disabled by default.
172 setsebool -P httpd_enable_homedirs 1
174 If you want to allow httpd scripts and modules execmem/execstack, you
178 must turn on the httpd_execmem boolean. Disabled by default.
179 setsebool -P httpd_execmem 1
181 If you want to allow HTTPD to connect to port 80 for graceful shutdown,
185 you must turn on the httpd_graceful_shutdown boolean. Disabled by
186 default.
187 setsebool -P httpd_graceful_shutdown 1
189 If you want to allow httpd processes to manage IPA content, you must
193 turn on the httpd_manage_ipa boolean. Disabled by default.
194 setsebool -P httpd_manage_ipa 1
196 If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
200 on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.
201 setsebool -P httpd_mod_auth_ntlm_winbind 1
203 If you want to allow Apache to use mod_auth_pam, you must turn on the
207 httpd_mod_auth_pam boolean. Disabled by default.
208 setsebool -P httpd_mod_auth_pam 1
210 If you want to allow httpd to read user content, you must turn on the
214 httpd_read_user_content boolean. Disabled by default.
215 setsebool -P httpd_read_user_content 1
217 If you want to allow httpd processes to run IPA helper, you must turn
221 on the httpd_run_ipa boolean. Disabled by default.
222 setsebool -P httpd_run_ipa 1
224 If you want to allow Apache to run preupgrade, you must turn on the
228 httpd_run_preupgrade boolean. Disabled by default.
229 setsebool -P httpd_run_preupgrade 1
231 If you want to allow Apache to run in stickshift mode, not transition
235 to passenger, you must turn on the httpd_run_stickshift boolean. Dis‐
236 abled by default.
237 setsebool -P httpd_run_stickshift 1
239 If you want to allow HTTPD scripts and modules to server cobbler files,
243 you must turn on the httpd_serve_cobbler_files boolean. Disabled by
244 default.
245 setsebool -P httpd_serve_cobbler_files 1
247 If you want to allow httpd daemon to change its resource limits, you
251 must turn on the httpd_setrlimit boolean. Disabled by default.
252 setsebool -P httpd_setrlimit 1
254 If you want to allow HTTPD to run SSI executables in the same domain as
258 system CGI scripts, you must turn on the httpd_ssi_exec boolean. Dis‐
259 abled by default.
260 setsebool -P httpd_ssi_exec 1
262 If you want to unify HTTPD to communicate with the terminal. Needed for
266 entering the passphrase for certificates at the terminal, you must turn
267 on the httpd_tty_comm boolean. Disabled by default.
268 setsebool -P httpd_tty_comm 1
270 If you want to allow httpd to access cifs file systems, you must turn
274 on the httpd_use_cifs boolean. Disabled by default.
275 setsebool -P httpd_use_cifs 1
277 If you want to allow httpd to access FUSE file systems, you must turn
281 on the httpd_use_fusefs boolean. Disabled by default.
282 setsebool -P httpd_use_fusefs 1
284 If you want to allow httpd to access nfs file systems, you must turn on
288 the httpd_use_nfs boolean. Disabled by default.
289 setsebool -P httpd_use_nfs 1
291 If you want to allow httpd to use opencryptoki, you must turn on the
295 httpd_use_opencryptoki boolean. Disabled by default.
296 setsebool -P httpd_use_opencryptoki 1
298 If you want to allow httpd to access openstack ports, you must turn on
302 the httpd_use_openstack boolean. Disabled by default.
303 setsebool -P httpd_use_openstack 1
305 If you want to allow httpd to connect to sasl, you must turn on the
309 httpd_use_sasl boolean. Disabled by default.
310 setsebool -P httpd_use_sasl 1
312 If you want to allow Apache to query NS records, you must turn on the
316 httpd_verify_dns boolean. Disabled by default.
317 setsebool -P httpd_verify_dns 1
319 If you want to deny any process from ptracing or debugging any other
323 processes, you must turn on the deny_ptrace boolean. Enabled by
324 default.
325 setsebool -P deny_ptrace 1
327 If you want to allow all domains to execute in fips_mode, you must turn
331 on the fips_mode boolean. Enabled by default.
332 setsebool -P fips_mode 1
334 If you want to determine whether Git system daemon can access cifs file
338 systems, you must turn on the git_system_use_cifs boolean. Disabled by
339 default.
340 setsebool -P git_system_use_cifs 1
342 If you want to determine whether Git system daemon can access nfs file
346 systems, you must turn on the git_system_use_nfs boolean. Disabled by
347 default.
348 setsebool -P git_system_use_nfs 1
350 If you want to allow confined applications to run with kerberos, you
354 must turn on the kerberos_enabled boolean. Disabled by default.
355 setsebool -P kerberos_enabled 1
357
361 If you want to allow users to resolve user passwd entries directly from
362 ldap rather then using a sssd server for the httpd_t, you must turn on
363 the authlogin_nsswitch_use_ldap boolean.
364 setsebool -P authlogin_nsswitch_use_ldap 1
366 If you want to allow confined applications to run with kerberos for the
369 httpd_t, you must turn on the kerberos_enabled boolean.
370 setsebool -P kerberos_enabled 1
372
375 SELinux defines port types to represent TCP and UDP ports.
376 You can see the types associated with a port by using the following
378 command:
379 semanage port -l
381 Policy governs the access confined processes have to these ports.
384 SELinux httpd policy is very flexible allowing users to setup their
385 httpd processes in as secure a method as possible.
386 The following port types are defined for httpd:
388 http_cache_port_t
391 Default Defined Ports:
395 tcp 8080,8118,8123,10001-10010
396 udp 3130
397 http_port_t
400 Default Defined Ports:
404 tcp 80,81,443,488,8008,8009,8443,9000
405
407 The SELinux process type httpd_t can manage files labeled with the fol‐
408 lowing file types. The paths listed are the default paths for these
409 file types. Note the processes UID still need to have DAC permissions.
410 abrt_retrace_spool_t
412 /var/spool/faf(/.*)?
414 /var/spool/abrt-retrace(/.*)?
415 /var/spool/retrace-server(/.*)?
416 anon_inodefs_t
418 cifs_t
421 cluster_conf_t
424 /etc/cluster(/.*)?
426 cluster_var_lib_t
428 /var/lib/pcsd(/.*)?
430 /var/lib/cluster(/.*)?
431 /var/lib/openais(/.*)?
432 /var/lib/pengine(/.*)?
433 /var/lib/corosync(/.*)?
434 /usr/lib/heartbeat(/.*)?
435 /var/lib/heartbeat(/.*)?
436 /var/lib/pacemaker(/.*)?
437 cluster_var_run_t
439 /var/run/crm(/.*)?
441 /var/run/cman_.*
442 /var/run/rsctmp(/.*)?
443 /var/run/aisexec.*
444 /var/run/heartbeat(/.*)?
445 /var/run/corosync-qnetd(/.*)?
446 /var/run/corosync-qdevice(/.*)?
447 /var/run/corosync.pid
448 /var/run/cpglockd.pid
449 /var/run/rgmanager.pid
450 /var/run/cluster/rgmanager.sk
451 cobbler_var_lib_t
453 /var/lib/cobbler(/.*)?
455 /var/www/cobbler(/.*)?
456 /var/cache/cobbler(/.*)?
457 /var/lib/tftpboot/etc(/.*)?
458 /var/lib/tftpboot/ppc(/.*)?
459 /var/lib/tftpboot/boot(/.*)?
460 /var/lib/tftpboot/grub(/.*)?
461 /var/lib/tftpboot/s390x(/.*)?
462 /var/lib/tftpboot/images(/.*)?
463 /var/lib/tftpboot/aarch64(/.*)?
464 /var/lib/tftpboot/images2(/.*)?
465 /var/lib/tftpboot/pxelinux.cfg(/.*)?
466 /var/lib/tftpboot/yaboot
467 /var/lib/tftpboot/memdisk
468 /var/lib/tftpboot/menu.c32
469 /var/lib/tftpboot/pxelinux.0
470 dirsrv_config_t
472 /etc/dirsrv(/.*)?
474 dirsrv_var_log_t
476 /var/log/dirsrv(/.*)?
478 dirsrv_var_run_t
480 /var/run/slapd.*
482 /var/run/dirsrv(/.*)?
483 dirsrvadmin_config_t
485 /etc/dirsrv/dsgw(/.*)?
487 /etc/dirsrv/admin-serv(/.*)?
488 fusefs_t
490 /var/run/user/[^/]*/gvfs
492 httpd_cache_t
494 /var/cache/rt(3|4)(/.*)?
496 /var/cache/ssl.*.sem
497 /var/cache/mod_.*
498 /var/cache/php-.*
499 /var/cache/httpd(/.*)?
500 /var/cache/mason(/.*)?
501 /var/cache/nginx(/.*)?
502 /var/cache/mod_ssl(/.*)?
503 /var/cache/lighttpd(/.*)?
504 /var/cache/mediawiki(/.*)?
505 /var/cache/mod_proxy(/.*)?
506 /var/cache/mod_gnutls(/.*)?
507 /var/cache/php-mmcache(/.*)?
508 /var/cache/php-eaccelerator(/.*)?
509 httpd_lock_t
511 httpd_squirrelmail_t
514 /var/lib/squirrelmail/prefs(/.*)?
516 httpd_tmpfs_t
518 httpd_user_rw_content_t
521 httpd_var_lib_t
524 /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
526 /var/lib/dav(/.*)?
527 /var/lib/php(/.*)?
528 /var/lib/glpi(/.*)?
529 /var/lib/httpd(/.*)?
530 /var/lib/nginx(/.*)?
531 /var/lib/z-push(/.*)?
532 /var/lib/ganglia(/.*)?
533 /var/lib/ipsilon(/.*)?
534 /var/lib/cherokee(/.*)?
535 /var/lib/lighttpd(/.*)?
536 /var/lib/mod_security(/.*)?
537 /var/lib/roundcubemail(/.*)?
538 /var/opt/rh/rh-nginx18/lib/nginx(/.*)?
539 httpd_var_run_t
541 /var/run/wsgi.*
543 /var/run/mod_.*
544 /var/run/httpd.*
545 /var/run/nginx.*
546 /var/run/apache.*
547 /var/run/php-fpm(/.*)?
548 /var/run/fcgiwrap(/.*)?
549 /var/run/lighttpd(/.*)?
550 /var/lib/php/session(/.*)?
551 /var/lib/php/wsdlcache(/.*)?
552 /var/run/dirsrv/admin-serv.*
553 /var/opt/rh/rh-nginx18/run/nginx(/.*)?
554 /var/www/openshift/broker/httpd/run(/.*)?
555 /var/www/openshift/console/httpd/run(/.*)?
556 /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
557 /var/run/thttpd.pid
558 /var/run/gcache_port
559 /var/run/cherokee.pid
560 httpdcontent
562 hugetlbfs_t
565 /dev/hugepages
567 /usr/lib/udev/devices/hugepages
568 ipa_cert_t
570 /etc/httpd/alias/ipasession.key
572 ipa_var_run_t
574 /var/run/ipa(/.*)?
576 jetty_cache_t
578 /var/cache/jetty(/.*)?
580 jetty_log_t
582 /var/log/jetty(/.*)?
584 jetty_unit_file_t
586 /usr/lib/systemd/system/jetty.service
588 jetty_var_lib_t
590 /var/lib/jetty(/.*)?
592 jetty_var_run_t
594 /var/run/jetty(/.*)?
596 memcached_var_run_t
598 /var/run/memcached(/.*)?
600 /var/run/ipa_memcached(/.*)?
601 mirrormanager_var_run_t
603 /var/run/mirrormanager(/.*)?
605 named_cache_t
607 /var/named/data(/.*)?
609 /var/lib/softhsm(/.*)?
610 /var/lib/unbound(/.*)?
611 /var/named/slaves(/.*)?
612 /var/named/dynamic(/.*)?
613 /var/named/chroot/var/tmp(/.*)?
614 /var/named/chroot/var/named/data(/.*)?
615 /var/named/chroot/var/named/slaves(/.*)?
616 /var/named/chroot/var/named/dynamic(/.*)?
617 nfs_t
619 passenger_var_lib_t
622 /var/lib/passenger(/.*)?
624 passenger_var_run_t
626 /var/run/passenger(/.*)?
628 pkcs_slotd_lock_t
630 /var/lock/opencryptoki(/.*)?
632 pkcs_slotd_var_lib_t
634 /var/lib/opencryptoki(/.*)?
636 pki_apache_config
638 pki_apache_var_lib
641 pki_apache_var_log
644 postfix_spool_t
647 /var/spool/postfix.*
649 /var/spool/postfix/defer(/.*)?
650 /var/spool/postfix/flush(/.*)?
651 /var/spool/postfix/deferred(/.*)?
652 /var/spool/postfix/maildrop(/.*)?
653 preupgrade_data_t
655 /var/lib/preupgrade(/.*)?
657 /var/log/preupgrade(/.*)?
658 root_t
660 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
662 /
663 /initrd
664 security_t
666 /selinux
668 systemd_passwd_var_run_t
670 /var/run/systemd/ask-password(/.*)?
672 /var/run/systemd/ask-password-block(/.*)?
673 zoneminder_var_lib_t
675 /var/lib/zoneminder(/.*)?
677
680 SELinux requires files to have an extended attribute to define the file
681 type.
682 You can see the context of a file using the -Z option to ls
684 Policy governs the access confined processes have to these files.
686 SELinux httpd policy is very flexible allowing users to setup their
687 httpd processes in as secure a method as possible.
688 EQUIVALENCE DIRECTORIES
690 httpd policy stores data with multiple different file context types
693 under the /var/lib/php directory. If you would like to store the data
694 in a different directory you can use the semanage command to create an
695 equivalence mapping. If you wanted to store this data under the /srv
696 directory you would execute the following command:
697 semanage fcontext -a -e /var/lib/php /srv/php
699 restorecon -R -v /srv/php
700 httpd policy stores data with multiple different file context types
702 under the /var/www directory. If you would like to store the data in a
703 different directory you can use the semanage command to create an
704 equivalence mapping. If you wanted to store this data under the /srv
705 directory you would execute the following command:
706 semanage fcontext -a -e /var/www /srv/www
708 restorecon -R -v /srv/www
709 STANDARD FILE CONTEXT
711 SELinux defines the file context types for the httpd, if you wanted to
713 store files with these types in a diffent paths, you need to execute
714 the semanage command to sepecify alternate labeling and then use
715 restorecon to put the labels on disk.
716 semanage fcontext -a -t httpd_var_run_t '/srv/myhttpd_content(/.*)?'
718 restorecon -R -v /srv/myhttpd_content
719 Note: SELinux often uses regular expressions to specify labels that
721 match multiple files.
722 The following file types are defined for httpd:
724 httpd_cache_t
728 - Set files with the httpd_cache_t type, if you want to store the files
730 under the /var/cache directory.
731 Paths:
734 /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
735 /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
736 /var/cache/nginx(/.*)?, /var/cache/mod_ssl(/.*)?,
737 /var/cache/lighttpd(/.*)?, /var/cache/mediawiki(/.*)?,
738 /var/cache/mod_proxy(/.*)?, /var/cache/mod_gnutls(/.*)?,
739 /var/cache/php-mmcache(/.*)?, /var/cache/php-eaccelerator(/.*)?
740 httpd_config_t
743 - Set files with the httpd_config_t type, if you want to treat the
745 files as httpd configuration data, usually stored under the /etc direc‐
746 tory.
747 Paths:
750 /etc/httpd(/.*)?, /etc/nginx(/.*)?, /etc/apache(2)?(/.*)?,
751 /etc/cherokee(/.*)?, /etc/lighttpd(/.*)?, /etc/apache-
752 ssl(2)?(/.*)?, /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-
753 nginx18/nginx(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?,
754 /etc/vhosts, /etc/thttpd.conf
755 httpd_exec_t
758 - Set files with the httpd_exec_t type, if you want to transition an
760 executable to the httpd_t domain.
761 Paths:
764 /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-
765 ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx,
766 /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
767 /usr/sbin/lighttpd, /usr/sbin/apachectl, /usr/sbin/httpd.event,
768 /usr/bin/mongrel_rails, /usr/sbin/htcacheclean
769 httpd_helper_exec_t
772 - Set files with the httpd_helper_exec_t type, if you want to transi‐
774 tion an executable to the httpd_helper_t domain.
775 httpd_initrc_exec_t
779 - Set files with the httpd_initrc_exec_t type, if you want to transi‐
781 tion an executable to the httpd_initrc_t domain.
782 Paths:
785 /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
786 /etc/rc.d/init.d/lighttpd
787 httpd_keytab_t
790 - Set files with the httpd_keytab_t type, if you want to treat the
792 files as kerberos keytab files.
793 httpd_lock_t
797 - Set files with the httpd_lock_t type, if you want to treat the files
799 as httpd lock data, stored under the /var/lock directory
800 httpd_log_t
804 - Set files with the httpd_log_t type, if you want to treat the data as
806 httpd log data, usually stored under the /var/log directory.
807 Paths:
810 /srv/([^/]*/)?www/logs(/.*)?, /var/www(/.*)?/logs(/.*)?,
811 /var/log/glpi(/.*)?, /var/log/cacti(/.*)?, /var/log/httpd(/.*)?,
812 /var/log/nginx(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/hori‐
813 zon(/.*)?, /var/log/php-fpm(/.*)?, /var/log/cherokee(/.*)?,
814 /var/log/lighttpd(/.*)?, /var/log/suphp.log.*,
815 /var/log/thttpd.log.*, /var/log/apache-ssl(2)?(/.*)?,
816 /var/log/cgiwrap.log.*, /var/www/stickshift/[^/]*/log(/.*)?,
817 /var/log/graphite-web(/.*)?, /var/www/miq/vmdb/log(/.*)?,
818 /var/log/roundcubemail(/.*)?, /var/log/php_errors.log.*,
819 /var/log/dirsrv/admin-serv(/.*)?, /var/opt/rh/rh-
820 nginx18/log(/.*)?, /var/lib/openshift/.log/httpd(/.*)?,
821 /var/www/openshift/console/log(/.*)?, /var/www/openshift/bro‐
822 ker/httpd/logs(/.*)?, /var/www/openshift/console/httpd/logs(/.*)?,
823 /etc/httpd/logs
824 httpd_modules_t
827 - Set files with the httpd_modules_t type, if you want to treat the
829 files as httpd modules.
830 Paths:
833 /usr/lib/httpd(/.*)?, /usr/lib/apache(/.*)?, /usr/lib/chero‐
834 kee(/.*)?, /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/mod‐
835 ules(/.*)?, /etc/httpd/modules
836 httpd_passwd_exec_t
839 - Set files with the httpd_passwd_exec_t type, if you want to transi‐
841 tion an executable to the httpd_passwd_t domain.
842 httpd_php_exec_t
846 - Set files with the httpd_php_exec_t type, if you want to transition
848 an executable to the httpd_php_t domain.
849 httpd_php_tmp_t
853 - Set files with the httpd_php_tmp_t type, if you want to store httpd
855 php temporary files in the /tmp directories.
856 httpd_rotatelogs_exec_t
860 - Set files with the httpd_rotatelogs_exec_t type, if you want to tran‐
862 sition an executable to the httpd_rotatelogs_t domain.
863 httpd_squirrelmail_t
867 - Set files with the httpd_squirrelmail_t type, if you want to treat
869 the files as httpd squirrelmail data.
870 httpd_suexec_exec_t
874 - Set files with the httpd_suexec_exec_t type, if you want to transi‐
876 tion an executable to the httpd_suexec_t domain.
877 Paths:
880 /usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgi‐
881 wrap(d)?, /usr/sbin/suexec
882 httpd_suexec_tmp_t
885 - Set files with the httpd_suexec_tmp_t type, if you want to store
887 httpd suexec temporary files in the /tmp directories.
888 httpd_sys_content_t
892 - Set files with the httpd_sys_content_t type, if you want to treat the
894 files as httpd sys content.
895 Paths:
898 /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
899 /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
900 /var/www/icons(/.*)?, /usr/share/glpi(/.*)?,
901 /usr/share/htdig(/.*)?, /usr/share/drupal.*, /usr/share/z-
902 push(/.*)?, /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?,
903 /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?,
904 /usr/share/nginx/html(/.*)?, /usr/share/doc/ghc/html(/.*)?,
905 /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-pol‐
906 icy[^/]*/html(/.*)?
907 httpd_sys_htaccess_t
910 - Set files with the httpd_sys_htaccess_t type, if you want to treat
912 the file as a httpd sys access file.
913 httpd_sys_ra_content_t
917 - Set files with the httpd_sys_ra_content_t type, if you want to treat
919 the files as httpd sys read/append content.
920 httpd_sys_rw_content_t
924 - Set files with the httpd_sys_rw_content_t type, if you want to treat
926 the files as httpd sys read/write content.
927 Paths:
930 /etc/rt(/.*)?, /etc/glpi(/.*)?, /etc/horde(/.*)?, /etc/drupal.*,
931 /etc/z-push(/.*)?, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
932 /etc/owncloud(/.*)?, /var/www/html(/.*)?/uploads(/.*)?,
933 /var/www/html(/.*)?/wp-content(/.*)?, /var/www/html(/.*)?/wp_back‐
934 ups(/.*)?, /var/www/html(/.*)?/sites/default/files(/.*)?,
935 /var/www/html(/.*)?/sites/default/settings.php,
936 /etc/mock/koji(/.*)?, /etc/nextcloud(/.*)?, /var/lib/drupal.*,
937 /etc/zabbix/web(/.*)?, /var/lib/moodle(/.*)?, /var/log/z-
938 push(/.*)?, /var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?,
939 /usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?, /var/lib/own‐
940 cloud(/.*)?, /var/spool/viewvc(/.*)?, /var/lib/nextcloud(/.*)?,
941 /var/lib/pootle/po(/.*)?, /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
942 dledata(/.*)?, /srv/gallery2/smarty(/.*)?, /var/www/moo‐
943 dle/data(/.*)?, /var/lib/graphite-web(/.*)?, /var/log/shibboleth-
944 www(/.*)?, /var/www/gallery/albums(/.*)?, /var/www/html/own‐
945 cloud/data(/.*)?, /var/www/html/nextcloud/data(/.*)?,
946 /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-
947 content/upgrade(/.*)?, /usr/share/wordpress/wp-con‐
948 tent/uploads(/.*)?, /var/www/html/configuration.php
949 httpd_sys_script_exec_t
952 - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
954 sition an executable to the httpd_sys_script_t domain.
955 Paths:
958 /opt/.*.cgi, /usr/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
959 /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
960 /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?,
961 /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*.php,
962 /usr/local/nagios/sbin(/.*)?, /usr/share/wordpress/wp-
963 includes/.*.php, /usr/share/wordpress-mu/wp-config.php
964 httpd_tmp_t
967 - Set files with the httpd_tmp_t type, if you want to store httpd tem‐
969 porary files in the /tmp directories.
970 Paths:
973 /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?
974 httpd_tmpfs_t
977 - Set files with the httpd_tmpfs_t type, if you want to store httpd
979 files on a tmpfs file system.
980 httpd_unconfined_script_exec_t
984 - Set files with the httpd_unconfined_script_exec_t type, if you want
986 to transition an executable to the httpd_unconfined_script_t domain.
987 httpd_unit_file_t
991 - Set files with the httpd_unit_file_t type, if you want to treat the
993 files as httpd unit content.
994 Paths:
997 /usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/nginx.*,
998 /usr/lib/systemd/system/thttpd.*, /usr/lib/systemd/system/php-
999 fpm.*
1000 httpd_user_content_t
1003 - Set files with the httpd_user_content_t type, if you want to treat
1005 the files as httpd user content.
1006 httpd_user_htaccess_t
1010 - Set files with the httpd_user_htaccess_t type, if you want to treat
1012 the file as a httpd user access file.
1013 httpd_user_ra_content_t
1017 - Set files with the httpd_user_ra_content_t type, if you want to treat
1019 the files as httpd user read/append content.
1020 httpd_user_rw_content_t
1024 - Set files with the httpd_user_rw_content_t type, if you want to treat
1026 the files as httpd user read/write content.
1027 httpd_user_script_exec_t
1031 - Set files with the httpd_user_script_exec_t type, if you want to
1033 transition an executable to the httpd_user_script_t domain.
1034 httpd_var_lib_t
1038 - Set files with the httpd_var_lib_t type, if you want to store the
1040 httpd files under the /var/lib directory.
1041 Paths:
1044 /var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?,
1045 /var/lib/php(/.*)?, /var/lib/glpi(/.*)?, /var/lib/httpd(/.*)?,
1046 /var/lib/nginx(/.*)?, /var/lib/z-push(/.*)?, /var/lib/gan‐
1047 glia(/.*)?, /var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?,
1048 /var/lib/lighttpd(/.*)?, /var/lib/mod_security(/.*)?,
1049 /var/lib/roundcubemail(/.*)?, /var/opt/rh/rh-
1050 nginx18/lib/nginx(/.*)?
1051 httpd_var_run_t
1054 - Set files with the httpd_var_run_t type, if you want to store the
1056 httpd files under the /run or /var/run directory.
1057 Paths:
1060 /var/run/wsgi.*, /var/run/mod_.*, /var/run/httpd.*,
1061 /var/run/nginx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?,
1062 /var/run/fcgiwrap(/.*)?, /var/run/lighttpd(/.*)?,
1063 /var/lib/php/session(/.*)?, /var/lib/php/wsdlcache(/.*)?,
1064 /var/run/dirsrv/admin-serv.*, /var/opt/rh/rh-
1065 nginx18/run/nginx(/.*)?, /var/www/openshift/bro‐
1066 ker/httpd/run(/.*)?, /var/www/openshift/console/httpd/run(/.*)?,
1067 /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
1068 /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid
1069 Note: File context can be temporarily modified with the chcon command.
1072 If you want to permanently change the file context you need to use the
1073 semanage fcontext command. This will modify the SELinux labeling data‐
1074 base. You will need to use restorecon to apply the labels.
1075
1078 If you want to share files with multiple domains (Apache, FTP, rsync,
1079 Samba), you can set a file context of public_content_t and public_con‐
1080 tent_rw_t. These context allow any of the above domains to read the
1081 content. If you want a particular domain to write to the public_con‐
1082 tent_rw_t domain, you must set the appropriate boolean.
1083 Allow httpd servers to read the /var/httpd directory by adding the pub‐
1085 lic_content_t file type to the directory and by restoring the file
1086 type.
1087 semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
1089 restorecon -F -R -v /var/httpd
1090 Allow httpd servers to read and write /var/httpd/incoming by adding the
1092 public_content_rw_t type to the directory and by restoring the file
1093 type. You also need to turn on the httpd_anon_write boolean.
1094 semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
1096 restorecon -F -R -v /var/httpd/incoming
1097 setsebool -P httpd_anon_write 1
1098 If you want to allow Apache to modify public files used for public file
1101 transfer services. Directories/Files must be labeled public_con‐
1102 tent_rw_t., you must turn on the httpd_anon_write boolean.
1103 setsebool -P httpd_anon_write 1
1105
1108 semanage fcontext can also be used to manipulate default file context
1109 mappings.
1110 semanage permissive can also be used to manipulate whether or not a
1112 process type is permissive.
1113 semanage module can also be used to enable/disable/install/remove pol‐
1115 icy modules.
1116 semanage port can also be used to manipulate the port definitions
1118 semanage boolean can also be used to manipulate the booleans
1120 system-config-selinux is a GUI tool available to customize SELinux pol‐
1123 icy settings.
1124
1127 This manual page was auto-generated using sepolicy manpage .
1128
1131 selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepol‐
1132 icy(8), setsebool(8), httpd_helper_selinux(8), httpd_passwd_selinux(8),
1133 httpd_php_selinux(8), httpd_rotatelogs_selinux(8),
1134 httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_uncon‐
1135 fined_script_selinux(8), httpd_user_script_selinux(8)
1136httpd 21-03-26 httpd_selinux(8)