1httpd_sys_script_selinux(S8E)Linux Policy httpd_sys_scrhitpttpd_sys_script_selinux(8)
2
3
4

NAME

6       httpd_sys_script_selinux  -  Security  Enhanced  Linux  Policy  for the
7       httpd_sys_script processes
8

DESCRIPTION

10       Security-Enhanced Linux  secures  the  httpd_sys_script  processes  via
11       flexible mandatory access control.
12
13       The  httpd_sys_script  processes  execute  with  the httpd_sys_script_t
14       SELinux type. You can check if you have these processes running by exe‐
15       cuting the ps command with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep httpd_sys_script_t
20
21
22

ENTRYPOINTS

24       The  httpd_sys_script_t  SELinux  type  can  be entered via the cifs_t,
25       httpd_sys_content_t, nfs_t, httpd_sys_script_exec_t, httpdcontent  file
26       types.
27
28       The  default entrypoint paths for the httpd_sys_script_t domain are the
29       following:
30
31       /srv/([^/]*/)?www(/.*)?,       /var/www(/.*)?,        /etc/htdig(/.*)?,
32       /srv/gallery2(/.*)?,     /var/lib/trac(/.*)?,     /var/lib/htdig(/.*)?,
33       /var/www/icons(/.*)?,  /usr/share/glpi(/.*)?,   /usr/share/htdig(/.*)?,
34       /usr/share/drupal.*,  /usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
35       /usr/share/icecast(/.*)?,                     /var/lib/cacti/rra(/.*)?,
36       /usr/share/ntop/html(/.*)?,                /usr/share/nginx/html(/.*)?,
37       /usr/share/doc/ghc/html(/.*)?,          /usr/share/openca/htdocs(/.*)?,
38       /usr/share/selinux-policy[^/]*/html(/.*)?,   /opt/.*.cgi,  /usr/.*.cgi,
39       /var/www/[^/]*/cgi-bin(/.*)?,                      /var/www/perl(/.*)?,
40       /var/www/html/[^/]*/cgi-bin(/.*)?,              /usr/lib/cgi-bin(/.*)?,
41       /var/www/cgi-bin(/.*)?,   /var/www/svn/hooks(/.*)?,    /usr/share/word‐
42       press/.*.php, /usr/local/nagios/sbin(/.*)?, /usr/share/wordpress/wp-in‐
43       cludes/.*.php, /usr/share/wordpress-mu/wp-config.php
44

PROCESS TYPES

46       SELinux defines process types (domains) for each process running on the
47       system
48
49       You can see the context of a process using the -Z option to ps
50
51       Policy  governs  the  access confined processes have to files.  SELinux
52       httpd_sys_script policy is very flexible allowing users to setup  their
53       httpd_sys_script processes in as secure a method as possible.
54
55       The following process types are defined for httpd_sys_script:
56
57       httpd_sys_script_t
58
59       Note: semanage permissive -a httpd_sys_script_t can be used to make the
60       process type httpd_sys_script_t permissive. SELinux does not  deny  ac‐
61       cess  to  permissive  process types, but the AVC (SELinux denials) mes‐
62       sages are still generated.
63
64

BOOLEANS

66       SELinux  policy  is  customizable  based  on  least  access   required.
67       httpd_sys_script  policy is extremely flexible and has several booleans
68       that allow you to manipulate the policy and run  httpd_sys_script  with
69       the tightest access possible.
70
71
72
73       If you want to allow all domains to execute in fips_mode, you must turn
74       on the fips_mode boolean. Enabled by default.
75
76       setsebool -P fips_mode 1
77
78
79
80       If you want to allow httpd to manage the courier spool sock files,  you
81       must  turn  on  the httpd_can_manage_courier_spool boolean. Disabled by
82       default.
83
84       setsebool -P httpd_can_manage_courier_spool 1
85
86
87
88       If you want to allow HTTPD scripts and modules to connect to  databases
89       over  the  network,  you  must turn on the httpd_can_network_connect_db
90       boolean. Disabled by default.
91
92       setsebool -P httpd_can_network_connect_db 1
93
94
95
96       If you want to allow http daemon to send mail, you  must  turn  on  the
97       httpd_can_sendmail boolean. Disabled by default.
98
99       setsebool -P httpd_can_sendmail 1
100
101
102
103       If  you want to allow httpd cgi support, you must turn on the httpd_en‐
104       able_cgi boolean. Enabled by default.
105
106       setsebool -P httpd_enable_cgi 1
107
108
109
110       If you want to allow httpd to read home directories, you must  turn  on
111       the httpd_enable_homedirs boolean. Disabled by default.
112
113       setsebool -P httpd_enable_homedirs 1
114
115
116
117       If  you  want to allow httpd scripts and modules execmem/execstack, you
118       must turn on the httpd_execmem boolean. Disabled by default.
119
120       setsebool -P httpd_execmem 1
121
122
123
124       If you want to allow httpd to read user content, you must turn  on  the
125       httpd_read_user_content boolean. Disabled by default.
126
127       setsebool -P httpd_read_user_content 1
128
129
130
131       If you want to allow HTTPD to run SSI executables in the same domain as
132       system CGI scripts, you must turn on the httpd_ssi_exec  boolean.  Dis‐
133       abled by default.
134
135       setsebool -P httpd_ssi_exec 1
136
137
138
139       If  you  want to allow httpd to access cifs file systems, you must turn
140       on the httpd_use_cifs boolean. Disabled by default.
141
142       setsebool -P httpd_use_cifs 1
143
144
145
146       If you want to allow httpd to access FUSE file systems, you  must  turn
147       on the httpd_use_fusefs boolean. Disabled by default.
148
149       setsebool -P httpd_use_fusefs 1
150
151
152
153       If you want to allow httpd to access nfs file systems, you must turn on
154       the httpd_use_nfs boolean. Disabled by default.
155
156       setsebool -P httpd_use_nfs 1
157
158
159
160       If you want to allow httpd to access openstack ports, you must turn  on
161       the httpd_use_openstack boolean. Disabled by default.
162
163       setsebool -P httpd_use_openstack 1
164
165
166
167       If  you  want  to  allow  system  to run with NIS, you must turn on the
168       nis_enabled boolean. Disabled by default.
169
170       setsebool -P nis_enabled 1
171
172
173

MANAGED FILES

175       The SELinux process type httpd_sys_script_t can  manage  files  labeled
176       with  the following file types.  The paths listed are the default paths
177       for these file types.  Note the processes UID still need  to  have  DAC
178       permissions.
179
180       fusefs_t
181
182            /var/run/user/[^/]*/gvfs
183
184       httpd_sys_rw_content_t
185
186            /etc/rt(/.*)?
187            /etc/glpi(/.*)?
188            /etc/horde(/.*)?
189            /etc/drupal.*
190            /etc/z-push(/.*)?
191            /var/lib/svn(/.*)?
192            /var/www/svn(/.*)?
193            /etc/owncloud(/.*)?
194            /var/www/html(/.*)?/uploads(/.*)?
195            /var/www/html(/.*)?/wp-content(/.*)?
196            /var/www/html(/.*)?/wp_backups(/.*)?
197            /var/www/html(/.*)?/sites/default/files(/.*)?
198            /var/www/html(/.*)?/sites/default/settings.php
199            /etc/mock/koji(/.*)?
200            /etc/nextcloud(/.*)?
201            /var/lib/drupal.*
202            /etc/zabbix/web(/.*)?
203            /var/lib/moodle(/.*)?
204            /var/log/z-push(/.*)?
205            /var/spool/gosa(/.*)?
206            /etc/WebCalendar(/.*)?
207            /usr/share/joomla(/.*)?
208            /var/lib/dokuwiki(/.*)?
209            /var/lib/owncloud(/.*)?
210            /var/spool/viewvc(/.*)?
211            /var/lib/nextcloud(/.*)?
212            /var/lib/pootle/po(/.*)?
213            /var/lib/phpMyAdmin(/.*)?
214            /var/www/moodledata(/.*)?
215            /srv/gallery2/smarty(/.*)?
216            /var/www/moodle/data(/.*)?
217            /var/lib/graphite-web(/.*)?
218            /var/log/shibboleth-www(/.*)?
219            /var/www/gallery/albums(/.*)?
220            /var/www/html/owncloud/data(/.*)?
221            /var/www/html/nextcloud/data(/.*)?
222            /usr/share/wordpress-mu/wp-content(/.*)?
223            /usr/share/wordpress/wp-content/upgrade(/.*)?
224            /usr/share/wordpress/wp-content/uploads(/.*)?
225            /var/www/html/configuration.php
226
227       httpd_tmp_t
228
229            /var/run/user/apache(/.*)?
230            /var/www/openshift/console/tmp(/.*)?
231
232       httpdcontent
233
234
235       hugetlbfs_t
236
237            /dev/hugepages
238            /usr/lib/udev/devices/hugepages
239
240       krb5_host_rcache_t
241
242            /var/tmp/krb5_0.rcache2
243            /var/cache/krb5rcache(/.*)?
244            /var/tmp/nfs_0
245            /var/tmp/DNS_25
246            /var/tmp/host_0
247            /var/tmp/imap_0
248            /var/tmp/HTTP_23
249            /var/tmp/HTTP_48
250            /var/tmp/ldap_55
251            /var/tmp/ldap_487
252            /var/tmp/ldapmap1_0
253
254

FILE CONTEXTS

256       SELinux requires files to have an extended attribute to define the file
257       type.
258
259       You can see the context of a file using the -Z option to ls
260
261       Policy governs the access  confined  processes  have  to  these  files.
262       SELinux  httpd_sys_script  policy  is  very  flexible allowing users to
263       setup their httpd_sys_script processes in as secure a method as  possi‐
264       ble.
265
266       The following file types are defined for httpd_sys_script:
267
268
269
270       httpd_sys_script_exec_t
271
272       - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
273       sition an executable to the httpd_sys_script_t domain.
274
275
276       Paths:
277            /opt/.*.cgi,      /usr/.*.cgi,       /var/www/[^/]*/cgi-bin(/.*)?,
278            /var/www/perl(/.*)?,            /var/www/html/[^/]*/cgi-bin(/.*)?,
279            /usr/lib/cgi-bin(/.*)?,                    /var/www/cgi-bin(/.*)?,
280            /var/www/svn/hooks(/.*)?,   /usr/share/wordpress/.*.php,  /usr/lo‐
281            cal/nagios/sbin(/.*)?,    /usr/share/wordpress/wp-includes/.*.php,
282            /usr/share/wordpress-mu/wp-config.php
283
284
285       Note:  File context can be temporarily modified with the chcon command.
286       If you want to permanently change the file context you need to use  the
287       semanage fcontext command.  This will modify the SELinux labeling data‐
288       base.  You will need to use restorecon to apply the labels.
289
290

SHARING FILES

292       If you want to share files with multiple domains (Apache,  FTP,  rsync,
293       Samba),  you can set a file context of public_content_t and public_con‐
294       tent_rw_t.  These context allow any of the above domains  to  read  the
295       content.   If  you want a particular domain to write to the public_con‐
296       tent_rw_t domain, you must set the appropriate boolean.
297
298       Allow httpd_sys_script servers to read the /var/httpd_sys_script direc‐
299       tory  by  adding the public_content_t file type to the directory and by
300       restoring the file type.
301
302       semanage fcontext -a -t public_content_t "/var/httpd_sys_script(/.*)?"
303       restorecon -F -R -v /var/httpd_sys_script
304
305       Allow    httpd_sys_script     servers     to     read     and     write
306       /var/httpd_sys_script/incoming  by  adding the public_content_rw_t type
307       to the directory and by restoring the file type.  You also need to turn
308       on the httpd_sys_script_anon_write boolean.
309
310       semanage  fcontext -a -t public_content_rw_t "/var/httpd_sys_script/in‐
311       coming(/.*)?"
312       restorecon -F -R -v /var/httpd_sys_script/incoming
313       setsebool -P httpd_sys_script_anon_write 1
314
315
316       If you want to allow apache scripts to write to public content,  direc‐
317       tories/files must be labeled public_rw_content_t., you must turn on the
318       httpd_sys_script_anon_write boolean.
319
320       setsebool -P httpd_sys_script_anon_write 1
321
322

COMMANDS

324       semanage fcontext can also be used to manipulate default  file  context
325       mappings.
326
327       semanage  permissive  can  also  be used to manipulate whether or not a
328       process type is permissive.
329
330       semanage module can also be used to enable/disable/install/remove  pol‐
331       icy modules.
332
333       semanage boolean can also be used to manipulate the booleans
334
335
336       system-config-selinux is a GUI tool available to customize SELinux pol‐
337       icy settings.
338
339

AUTHOR

341       This manual page was auto-generated using sepolicy manpage .
342
343

SEE ALSO

345       selinux(8), httpd_sys_script(8), semanage(8), restorecon(8),  chcon(1),
346       sepolicy(8), setsebool(8)
347
348
349
350httpd_sys_script                   21-06-09        httpd_sys_script_selinux(8)
Impressum