1httpd_selinux(8)             SELinux Policy httpd             httpd_selinux(8)
2
3
4

NAME

6       httpd_selinux - Security Enhanced Linux Policy for the httpd processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the httpd processes via flexible manda‐
10       tory access control.
11
12       The httpd processes execute with the  httpd_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep httpd_t
19
20
21

ENTRYPOINTS

23       The httpd_t SELinux type can be entered via the httpd_exec_t file type.
24
25       The default entrypoint paths for the httpd_t domain are the following:
26
27       /usr/sbin/httpd(.worker)?,    /usr/sbin/apache(2)?,    /usr/lib/apache-
28       ssl/.+,  /usr/sbin/apache-ssl(2)?,  /usr/sbin/nginx,  /usr/sbin/thttpd,
29       /usr/sbin/php-fpm,       /usr/sbin/cherokee,        /usr/sbin/lighttpd,
30       /usr/sbin/apachectl,   /usr/sbin/httpd.event,   /usr/bin/mongrel_rails,
31       /usr/sbin/htcacheclean
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       httpd policy is very flexible allowing users to setup their httpd  pro‐
41       cesses in as secure a method as possible.
42
43       The following process types are defined for httpd:
44
45       httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t, httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t, httpd_passwd_t, httpd_unconfined_script_t
46
47       Note:  semanage  permissive  -a httpd_t can be used to make the process
48       type httpd_t permissive. SELinux does not  deny  access  to  permissive
49       process  types, but the AVC (SELinux denials) messages are still gener‐
50       ated.
51
52

BOOLEANS

54       SELinux policy is customizable based on least access  required.   httpd
55       policy is extremely flexible and has several booleans that allow you to
56       manipulate the policy and run httpd with the tightest access possible.
57
58
59
60       If you want to allow httpd to use built in scripting (usually php), you
61       must turn on the httpd_builtin_scripting boolean. Enabled by default.
62
63       setsebool -P httpd_builtin_scripting 1
64
65
66
67       If you want to allow httpd to act as a FTP client connecting to the ftp
68       port and ephemeral ports, you must turn  on  the  httpd_can_connect_ftp
69       boolean. Disabled by default.
70
71       setsebool -P httpd_can_connect_ftp 1
72
73
74
75       If  you  want to allow httpd to connect to the ldap port, you must turn
76       on the httpd_can_connect_ldap boolean. Disabled by default.
77
78       setsebool -P httpd_can_connect_ldap 1
79
80
81
82       If you want to allow http daemon to connect to mythtv, you must turn on
83       the httpd_can_connect_mythtv boolean. Disabled by default.
84
85       setsebool -P httpd_can_connect_mythtv 1
86
87
88
89       If you want to allow http daemon to connect to zabbix, you must turn on
90       the httpd_can_connect_zabbix boolean. Disabled by default.
91
92       setsebool -P httpd_can_connect_zabbix 1
93
94
95
96       If you want to allow HTTPD scripts and modules to connect to  the  net‐
97       work using TCP, you must turn on the httpd_can_network_connect boolean.
98       Disabled by default.
99
100       setsebool -P httpd_can_network_connect 1
101
102
103
104       If you want to allow HTTPD scripts and modules to  connect  to  cobbler
105       over  the  network, you must turn on the httpd_can_network_connect_cob‐
106       bler boolean. Disabled by default.
107
108       setsebool -P httpd_can_network_connect_cobbler 1
109
110
111
112       If you want to allow HTTPD scripts and modules to connect to  databases
113       over  the  network,  you  must turn on the httpd_can_network_connect_db
114       boolean. Disabled by default.
115
116       setsebool -P httpd_can_network_connect_db 1
117
118
119
120       If you want to allow httpd to connect to memcache server, you must turn
121       on the httpd_can_network_memcache boolean. Disabled by default.
122
123       setsebool -P httpd_can_network_memcache 1
124
125
126
127       If  you  want  to  allow  httpd to act as a relay, you must turn on the
128       httpd_can_network_relay boolean. Disabled by default.
129
130       setsebool -P httpd_can_network_relay 1
131
132
133
134       If you want to allow http daemon to send mail, you  must  turn  on  the
135       httpd_can_sendmail boolean. Disabled by default.
136
137       setsebool -P httpd_can_sendmail 1
138
139
140
141       If you want to allow Apache to communicate with avahi service via dbus,
142       you must turn on the httpd_dbus_avahi boolean. Disabled by default.
143
144       setsebool -P httpd_dbus_avahi 1
145
146
147
148       If you want to allow Apache to communicate with sssd service via  dbus,
149       you must turn on the httpd_dbus_sssd boolean. Disabled by default.
150
151       setsebool -P httpd_dbus_sssd 1
152
153
154
155       If  you want to allow httpd cgi support, you must turn on the httpd_en‐
156       able_cgi boolean. Enabled by default.
157
158       setsebool -P httpd_enable_cgi 1
159
160
161
162       If you want to allow httpd to act as a FTP server by listening  on  the
163       ftp  port,  you  must turn on the httpd_enable_ftp_server boolean. Dis‐
164       abled by default.
165
166       setsebool -P httpd_enable_ftp_server 1
167
168
169
170       If you want to allow httpd to read home directories, you must  turn  on
171       the httpd_enable_homedirs boolean. Disabled by default.
172
173       setsebool -P httpd_enable_homedirs 1
174
175
176
177       If  you  want to allow httpd scripts and modules execmem/execstack, you
178       must turn on the httpd_execmem boolean. Disabled by default.
179
180       setsebool -P httpd_execmem 1
181
182
183
184       If you want to allow HTTPD to connect to port 80 for graceful shutdown,
185       you  must  turn on the httpd_graceful_shutdown boolean. Disabled by de‐
186       fault.
187
188       setsebool -P httpd_graceful_shutdown 1
189
190
191
192       If you want to allow httpd processes to manage IPA  content,  you  must
193       turn on the httpd_manage_ipa boolean. Disabled by default.
194
195       setsebool -P httpd_manage_ipa 1
196
197
198
199       If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
200       on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.
201
202       setsebool -P httpd_mod_auth_ntlm_winbind 1
203
204
205
206       If you want to allow Apache to use mod_auth_pam, you must turn  on  the
207       httpd_mod_auth_pam boolean. Disabled by default.
208
209       setsebool -P httpd_mod_auth_pam 1
210
211
212
213       If  you  want to allow httpd to read user content, you must turn on the
214       httpd_read_user_content boolean. Disabled by default.
215
216       setsebool -P httpd_read_user_content 1
217
218
219
220       If you want to allow httpd processes to run IPA helper, you  must  turn
221       on the httpd_run_ipa boolean. Disabled by default.
222
223       setsebool -P httpd_run_ipa 1
224
225
226
227       If  you  want  to  allow Apache to run preupgrade, you must turn on the
228       httpd_run_preupgrade boolean. Disabled by default.
229
230       setsebool -P httpd_run_preupgrade 1
231
232
233
234       If you want to allow Apache to run in stickshift mode,  not  transition
235       to  passenger,  you must turn on the httpd_run_stickshift boolean. Dis‐
236       abled by default.
237
238       setsebool -P httpd_run_stickshift 1
239
240
241
242       If you want to allow HTTPD scripts and modules to server cobbler files,
243       you must turn on the httpd_serve_cobbler_files boolean. Disabled by de‐
244       fault.
245
246       setsebool -P httpd_serve_cobbler_files 1
247
248
249
250       If you want to allow httpd daemon to change its  resource  limits,  you
251       must turn on the httpd_setrlimit boolean. Disabled by default.
252
253       setsebool -P httpd_setrlimit 1
254
255
256
257       If you want to allow HTTPD to run SSI executables in the same domain as
258       system CGI scripts, you must turn on the httpd_ssi_exec  boolean.  Dis‐
259       abled by default.
260
261       setsebool -P httpd_ssi_exec 1
262
263
264
265       If you want to unify HTTPD to communicate with the terminal. Needed for
266       entering the passphrase for certificates at the terminal, you must turn
267       on the httpd_tty_comm boolean. Disabled by default.
268
269       setsebool -P httpd_tty_comm 1
270
271
272
273       If  you  want to allow httpd to access cifs file systems, you must turn
274       on the httpd_use_cifs boolean. Disabled by default.
275
276       setsebool -P httpd_use_cifs 1
277
278
279
280       If you want to allow httpd to access FUSE file systems, you  must  turn
281       on the httpd_use_fusefs boolean. Disabled by default.
282
283       setsebool -P httpd_use_fusefs 1
284
285
286
287       If you want to allow httpd to access nfs file systems, you must turn on
288       the httpd_use_nfs boolean. Disabled by default.
289
290       setsebool -P httpd_use_nfs 1
291
292
293
294       If you want to allow httpd to use opencryptoki, you must  turn  on  the
295       httpd_use_opencryptoki boolean. Disabled by default.
296
297       setsebool -P httpd_use_opencryptoki 1
298
299
300
301       If  you want to allow httpd to access openstack ports, you must turn on
302       the httpd_use_openstack boolean. Disabled by default.
303
304       setsebool -P httpd_use_openstack 1
305
306
307
308       If you want to allow httpd to connect to  sasl, you must  turn  on  the
309       httpd_use_sasl boolean. Disabled by default.
310
311       setsebool -P httpd_use_sasl 1
312
313
314
315       If  you  want to allow Apache to query NS records, you must turn on the
316       httpd_verify_dns boolean. Disabled by default.
317
318       setsebool -P httpd_verify_dns 1
319
320
321
322       If you want to deny any process from ptracing or  debugging  any  other
323       processes,  you  must  turn  on the deny_ptrace boolean. Enabled by de‐
324       fault.
325
326       setsebool -P deny_ptrace 1
327
328
329
330       If you want to allow all domains to execute in fips_mode, you must turn
331       on the fips_mode boolean. Enabled by default.
332
333       setsebool -P fips_mode 1
334
335
336
337       If you want to determine whether Git system daemon can access cifs file
338       systems, you must turn on the git_system_use_cifs boolean. Disabled  by
339       default.
340
341       setsebool -P git_system_use_cifs 1
342
343
344
345       If  you want to determine whether Git system daemon can access nfs file
346       systems, you must turn on the git_system_use_nfs boolean.  Disabled  by
347       default.
348
349       setsebool -P git_system_use_nfs 1
350
351
352
353       If  you  want  to allow confined applications to run with kerberos, you
354       must turn on the kerberos_enabled boolean. Enabled by default.
355
356       setsebool -P kerberos_enabled 1
357
358
359

NSSWITCH DOMAIN

361       If you want to allow users to resolve user passwd entries directly from
362       ldap  rather then using a sssd server for the httpd_t, you must turn on
363       the authlogin_nsswitch_use_ldap boolean.
364
365       setsebool -P authlogin_nsswitch_use_ldap 1
366
367
368       If you want to allow confined applications to run with kerberos for the
369       httpd_t, you must turn on the kerberos_enabled boolean.
370
371       setsebool -P kerberos_enabled 1
372
373

PORT TYPES

375       SELinux defines port types to represent TCP and UDP ports.
376
377       You  can  see  the  types associated with a port by using the following
378       command:
379
380       semanage port -l
381
382
383       Policy governs the access  confined  processes  have  to  these  ports.
384       SELinux  httpd  policy  is  very flexible allowing users to setup their
385       httpd processes in as secure a method as possible.
386
387       The following port types are defined for httpd:
388
389
390       http_cache_port_t
391
392
393
394       Default Defined Ports:
395                 tcp 8080,8118,8123,10001-10010
396                 udp 3130
397
398
399       http_port_t
400
401
402
403       Default Defined Ports:
404                 tcp 80,81,443,488,8008,8009,8443,9000
405

MANAGED FILES

407       The SELinux process type httpd_t can manage files labeled with the fol‐
408       lowing  file  types.   The paths listed are the default paths for these
409       file types.  Note the processes UID still need to have DAC permissions.
410
411       abrt_retrace_spool_t
412
413            /var/spool/faf(/.*)?
414            /var/spool/abrt-retrace(/.*)?
415            /var/spool/retrace-server(/.*)?
416
417       cifs_t
418
419
420       cluster_conf_t
421
422            /etc/cluster(/.*)?
423
424       cluster_var_lib_t
425
426            /var/lib/pcsd(/.*)?
427            /var/lib/cluster(/.*)?
428            /var/lib/openais(/.*)?
429            /var/lib/pengine(/.*)?
430            /var/lib/corosync(/.*)?
431            /usr/lib/heartbeat(/.*)?
432            /var/lib/heartbeat(/.*)?
433            /var/lib/pacemaker(/.*)?
434
435       cluster_var_run_t
436
437            /var/run/crm(/.*)?
438            /var/run/cman_.*
439            /var/run/rsctmp(/.*)?
440            /var/run/aisexec.*
441            /var/run/heartbeat(/.*)?
442            /var/run/pcsd-ruby.socket
443            /var/run/corosync-qnetd(/.*)?
444            /var/run/corosync-qdevice(/.*)?
445            /var/run/corosync.pid
446            /var/run/cpglockd.pid
447            /var/run/rgmanager.pid
448            /var/run/cluster/rgmanager.sk
449
450       cobbler_var_lib_t
451
452            /var/lib/cobbler(/.*)?
453            /var/www/cobbler(/.*)?
454            /var/cache/cobbler(/.*)?
455            /var/lib/tftpboot/etc(/.*)?
456            /var/lib/tftpboot/ppc(/.*)?
457            /var/lib/tftpboot/boot(/.*)?
458            /var/lib/tftpboot/grub(/.*)?
459            /var/lib/tftpboot/s390x(/.*)?
460            /var/lib/tftpboot/images(/.*)?
461            /var/lib/tftpboot/aarch64(/.*)?
462            /var/lib/tftpboot/images2(/.*)?
463            /var/lib/tftpboot/pxelinux.cfg(/.*)?
464            /var/lib/tftpboot/yaboot
465            /var/lib/tftpboot/memdisk
466            /var/lib/tftpboot/menu.c32
467            /var/lib/tftpboot/pxelinux.0
468
469       dirsrv_config_t
470
471            /etc/dirsrv(/.*)?
472
473       dirsrv_var_log_t
474
475            /var/log/dirsrv(/.*)?
476
477       dirsrv_var_run_t
478
479            /var/run/slapd.*
480            /var/run/dirsrv(/.*)?
481
482       dirsrvadmin_config_t
483
484            /etc/dirsrv/dsgw(/.*)?
485            /etc/dirsrv/admin-serv(/.*)?
486
487       dirsrvadmin_tmp_t
488
489
490       fusefs_t
491
492            /var/run/user/[0-9]+/gvfs
493
494       httpd_cache_t
495
496            /var/cache/rt(3|4)(/.*)?
497            /var/cache/ssl.*.sem
498            /var/cache/mod_.*
499            /var/cache/php-.*
500            /var/cache/httpd(/.*)?
501            /var/cache/mason(/.*)?
502            /var/cache/nginx(/.*)?
503            /var/cache/mod_ssl(/.*)?
504            /var/cache/lighttpd(/.*)?
505            /var/cache/mediawiki(/.*)?
506            /var/cache/mod_proxy(/.*)?
507            /var/cache/mod_gnutls(/.*)?
508            /var/cache/php-mmcache(/.*)?
509            /var/cache/php-eaccelerator(/.*)?
510
511       httpd_lock_t
512
513
514       httpd_squirrelmail_t
515
516            /var/lib/squirrelmail/prefs(/.*)?
517
518       httpd_tmp_t
519
520            /var/run/user/apache(/.*)?
521            /var/www/openshift/console/tmp(/.*)?
522
523       httpd_tmpfs_t
524
525
526       httpd_user_rw_content_t
527
528
529       httpd_var_lib_t
530
531            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
532            /var/lib/dav(/.*)?
533            /var/lib/php(/.*)?
534            /var/lib/glpi(/.*)?
535            /var/lib/httpd(/.*)?
536            /var/lib/nginx(/.*)?
537            /var/lib/z-push(/.*)?
538            /var/lib/ganglia(/.*)?
539            /var/lib/ipsilon(/.*)?
540            /var/lib/cherokee(/.*)?
541            /var/lib/lighttpd(/.*)?
542            /var/lib/mod_security(/.*)?
543            /var/lib/roundcubemail(/.*)?
544            /var/opt/rh/rh-nginx18/lib/nginx(/.*)?
545
546       httpd_var_run_t
547
548            /var/run/wsgi.*
549            /var/run/mod_.*
550            /var/run/httpd.*
551            /var/run/nginx.*
552            /var/run/apache.*
553            /var/run/php-fpm(/.*)?
554            /var/run/fcgiwrap(/.*)?
555            /var/run/lighttpd(/.*)?
556            /var/lib/php/session(/.*)?
557            /var/lib/php/wsdlcache(/.*)?
558            /var/run/dirsrv/admin-serv.*
559            /var/opt/rh/rh-nginx18/run/nginx(/.*)?
560            /var/www/openshift/broker/httpd/run(/.*)?
561            /var/www/openshift/console/httpd/run(/.*)?
562            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
563            /var/run/thttpd.pid
564            /var/run/gcache_port
565            /var/run/cherokee.pid
566
567       httpdcontent
568
569
570       hugetlbfs_t
571
572            /dev/hugepages
573            /usr/lib/udev/devices/hugepages
574
575       ipa_cert_t
576
577            /etc/httpd/alias/ipasession.key
578
579       ipa_var_run_t
580
581            /var/run/ipa(/.*)?
582
583       jetty_cache_t
584
585            /var/cache/jetty(/.*)?
586
587       jetty_log_t
588
589            /var/log/jetty(/.*)?
590
591       jetty_tmp_t
592
593
594       jetty_unit_file_t
595
596            /usr/lib/systemd/system/jetty.service
597
598       jetty_var_lib_t
599
600            /var/lib/jetty(/.*)?
601
602       jetty_var_run_t
603
604            /var/run/jetty(/.*)?
605
606       krb5_host_rcache_t
607
608            /var/tmp/krb5_0.rcache2
609            /var/cache/krb5rcache(/.*)?
610            /var/tmp/nfs_0
611            /var/tmp/DNS_25
612            /var/tmp/host_0
613            /var/tmp/imap_0
614            /var/tmp/HTTP_23
615            /var/tmp/HTTP_48
616            /var/tmp/ldap_55
617            /var/tmp/ldap_487
618            /var/tmp/ldapmap1_0
619
620       memcached_var_run_t
621
622            /var/run/memcached(/.*)?
623            /var/run/ipa_memcached(/.*)?
624
625       mirrormanager_var_run_t
626
627            /var/run/mirrormanager(/.*)?
628
629       named_cache_t
630
631            /var/named/data(/.*)?
632            /var/lib/softhsm(/.*)?
633            /var/lib/unbound(/.*)?
634            /var/named/slaves(/.*)?
635            /var/named/dynamic(/.*)?
636            /var/named/chroot/var/tmp(/.*)?
637            /var/named/chroot/var/named/data(/.*)?
638            /var/named/chroot/var/named/slaves(/.*)?
639            /var/named/chroot/var/named/dynamic(/.*)?
640
641       nfs_t
642
643
644       passenger_tmp_t
645
646
647       passenger_var_lib_t
648
649            /var/lib/passenger(/.*)?
650
651       passenger_var_run_t
652
653            /var/run/passenger(/.*)?
654
655       pkcs_slotd_lock_t
656
657            /var/lock/opencryptoki(/.*)?
658
659       pkcs_slotd_var_lib_t
660
661            /var/lib/opencryptoki(/.*)?
662
663       pki_apache_config
664
665
666       pki_apache_var_lib
667
668
669       pki_apache_var_log
670
671
672       postfix_spool_t
673
674            /var/spool/postfix.*
675            /var/spool/postfix/defer(/.*)?
676            /var/spool/postfix/flush(/.*)?
677            /var/spool/postfix/deferred(/.*)?
678            /var/spool/postfix/maildrop(/.*)?
679
680       preupgrade_data_t
681
682            /var/lib/preupgrade(/.*)?
683            /var/log/preupgrade(/.*)?
684
685       root_t
686
687            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
688            /
689            /initrd
690
691       security_t
692
693            /selinux
694
695       squirrelmail_spool_t
696
697            /var/spool/squirrelmail(/.*)?
698
699       systemd_passwd_var_run_t
700
701            /var/run/systemd/ask-password(/.*)?
702            /var/run/systemd/ask-password-block(/.*)?
703
704       zarafa_var_lib_t
705
706            /var/lib/zarafa(/.*)?
707            /var/lib/zarafa-webapp(/.*)?
708            /var/lib/zarafa-webaccess(/.*)?
709
710       zoneminder_var_lib_t
711
712            /var/lib/zoneminder(/.*)?
713
714

FILE CONTEXTS

716       SELinux requires files to have an extended attribute to define the file
717       type.
718
719       You can see the context of a file using the -Z option to ls
720
721       Policy  governs  the  access  confined  processes  have to these files.
722       SELinux httpd policy is very flexible allowing  users  to  setup  their
723       httpd processes in as secure a method as possible.
724
725       EQUIVALENCE DIRECTORIES
726
727
728       httpd policy stores data with multiple different file context types un‐
729       der the /var/lib/php directory.  If you would like to store the data in
730       a  different  directory  you  can use the semanage command to create an
731       equivalence mapping.  If you wanted to store this data under  the  /srv
732       directory you would execute the following command:
733
734       semanage fcontext -a -e /var/lib/php /srv/php
735       restorecon -R -v /srv/php
736
737       httpd policy stores data with multiple different file context types un‐
738       der the /var/www directory.  If you would like to store the data  in  a
739       different  directory  you  can  use  the  semanage command to create an
740       equivalence mapping.  If you wanted to store this data under  the  /srv
741       directory you would execute the following command:
742
743       semanage fcontext -a -e /var/www /srv/www
744       restorecon -R -v /srv/www
745
746       STANDARD FILE CONTEXT
747
748       SELinux  defines the file context types for the httpd, if you wanted to
749       store files with these types in a diffent paths, you  need  to  execute
750       the  semanage  command  to  specify alternate labeling and then use re‐
751       storecon to put the labels on disk.
752
753       semanage fcontext -a -t httpd_var_run_t '/srv/myhttpd_content(/.*)?'
754       restorecon -R -v /srv/myhttpd_content
755
756       Note: SELinux often uses regular expressions  to  specify  labels  that
757       match multiple files.
758
759       The following file types are defined for httpd:
760
761
762
763       httpd_cache_t
764
765       - Set files with the httpd_cache_t type, if you want to store the files
766       under the /var/cache directory.
767
768
769       Paths:
770            /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
771            /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
772            /var/cache/nginx(/.*)?,                  /var/cache/mod_ssl(/.*)?,
773            /var/cache/lighttpd(/.*)?,             /var/cache/mediawiki(/.*)?,
774            /var/cache/mod_proxy(/.*)?,           /var/cache/mod_gnutls(/.*)?,
775            /var/cache/php-mmcache(/.*)?, /var/cache/php-eaccelerator(/.*)?
776
777
778       httpd_config_t
779
780       -  Set  files  with  the  httpd_config_t type, if you want to treat the
781       files as httpd configuration data, usually stored under the /etc direc‐
782       tory.
783
784
785       Paths:
786            /etc/httpd(/.*)?,     /etc/nginx(/.*)?,     /etc/apache(2)?(/.*)?,
787            /etc/cherokee(/.*)?,       /etc/lighttpd(/.*)?,       /etc/apache-
788            ssl(2)?(/.*)?,  /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-
789            nginx18/nginx(/.*)?,           /var/lib/stickshift/.httpd.d(/.*)?,
790            /etc/vhosts, /etc/thttpd.conf
791
792
793       httpd_exec_t
794
795       -  Set  files  with the httpd_exec_t type, if you want to transition an
796       executable to the httpd_t domain.
797
798
799       Paths:
800            /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?,  /usr/lib/apache-
801            ssl/.+,         /usr/sbin/apache-ssl(2)?,         /usr/sbin/nginx,
802            /usr/sbin/thttpd,      /usr/sbin/php-fpm,      /usr/sbin/cherokee,
803            /usr/sbin/lighttpd,   /usr/sbin/apachectl,  /usr/sbin/httpd.event,
804            /usr/bin/mongrel_rails, /usr/sbin/htcacheclean
805
806
807       httpd_helper_exec_t
808
809       - Set files with the httpd_helper_exec_t type, if you want  to  transi‐
810       tion an executable to the httpd_helper_t domain.
811
812
813
814       httpd_initrc_exec_t
815
816       -  Set  files with the httpd_initrc_exec_t type, if you want to transi‐
817       tion an executable to the httpd_initrc_t domain.
818
819
820       Paths:
821            /etc/init.d/cherokee,                      /etc/rc.d/init.d/httpd,
822            /etc/rc.d/init.d/lighttpd
823
824
825       httpd_keytab_t
826
827       -  Set  files  with  the  httpd_keytab_t type, if you want to treat the
828       files as kerberos keytab files.
829
830
831
832       httpd_lock_t
833
834       - Set files with the httpd_lock_t type, if you want to treat the  files
835       as httpd lock data, stored under the /var/lock directory
836
837
838
839       httpd_log_t
840
841       - Set files with the httpd_log_t type, if you want to treat the data as
842       httpd log data, usually stored under the /var/log directory.
843
844
845       Paths:
846            /srv/([^/]*/)?www/logs(/.*)?,           /var/www(/.*)?/logs(/.*)?,
847            /var/log/glpi(/.*)?,  /var/log/cacti(/.*)?,  /var/log/httpd(/.*)?,
848            /var/log/nginx(/.*)?,  /var/log/apache(2)?(/.*)?,   /var/log/hori‐
849            zon(/.*)?,     /var/log/php-fpm(/.*)?,    /var/log/cherokee(/.*)?,
850            /var/log/lighttpd(/.*)?,                     /var/log/suphp.log.*,
851            /var/log/thttpd.log.*,              /var/log/apache-ssl(2)?(/.*)?,
852            /var/log/cgiwrap.log.*,       /var/www/stickshift/[^/]*/log(/.*)?,
853            /var/log/graphite-web(/.*)?,          /var/www/miq/vmdb/log(/.*)?,
854            /var/log/roundcubemail(/.*)?,           /var/log/php_errors.log.*,
855            /var/log/dirsrv/admin-serv(/.*)?,               /var/opt/rh/rh-ng‐
856            inx18/log(/.*)?,              /var/lib/openshift/.log/httpd(/.*)?,
857            /var/www/openshift/console/log(/.*)?,      /var/www/openshift/bro‐
858            ker/httpd/logs(/.*)?, /var/www/openshift/console/httpd/logs(/.*)?
859
860
861       httpd_modules_t
862
863       - Set files with the httpd_modules_t type, if you  want  to  treat  the
864       files as httpd modules.
865
866
867       Paths:
868            /usr/lib/httpd(/.*)?,    /usr/lib/apache(/.*)?,    /usr/lib/chero‐
869            kee(/.*)?, /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/modules(/.*)?
870
871
872       httpd_passwd_exec_t
873
874       - Set files with the httpd_passwd_exec_t type, if you want  to  transi‐
875       tion an executable to the httpd_passwd_t domain.
876
877
878
879       httpd_php_exec_t
880
881       -  Set  files with the httpd_php_exec_t type, if you want to transition
882       an executable to the httpd_php_t domain.
883
884
885
886       httpd_php_tmp_t
887
888       - Set files with the httpd_php_tmp_t type, if you want to  store  httpd
889       php temporary files in the /tmp directories.
890
891
892
893       httpd_rotatelogs_exec_t
894
895       - Set files with the httpd_rotatelogs_exec_t type, if you want to tran‐
896       sition an executable to the httpd_rotatelogs_t domain.
897
898
899
900       httpd_squirrelmail_t
901
902       - Set files with the httpd_squirrelmail_t type, if you  want  to  treat
903       the files as httpd squirrelmail data.
904
905
906
907       httpd_suexec_exec_t
908
909       -  Set  files with the httpd_suexec_exec_t type, if you want to transi‐
910       tion an executable to the httpd_suexec_t domain.
911
912
913       Paths:
914            /usr/lib/apache(2)?/suexec(2)?,       /usr/lib/cgi-bin/(nph-)?cgi‐
915            wrap(d)?, /usr/sbin/suexec
916
917
918       httpd_suexec_tmp_t
919
920       -  Set  files  with  the  httpd_suexec_tmp_t type, if you want to store
921       httpd suexec temporary files in the /tmp directories.
922
923
924
925       httpd_sys_content_t
926
927       - Set files with the httpd_sys_content_t type, if you want to treat the
928       files as httpd sys content.
929
930
931       Paths:
932            /srv/([^/]*/)?www(/.*)?,     /var/www(/.*)?,     /etc/htdig(/.*)?,
933            /srv/gallery2(/.*)?,  /var/lib/trac(/.*)?,   /var/lib/htdig(/.*)?,
934            /var/www/icons(/.*)?,     /usr/share/glpi(/.*)?,    /usr/share/ht‐
935            dig(/.*)?,      /usr/share/drupal.*,      /usr/share/z-push(/.*)?,
936            /var/www/svn/conf(/.*)?,                 /usr/share/icecast(/.*)?,
937            /var/lib/cacti/rra(/.*)?,              /usr/share/ntop/html(/.*)?,
938            /usr/share/nginx/html(/.*)?,        /usr/share/doc/ghc/html(/.*)?,
939            /usr/share/openca/htdocs(/.*)?,            /usr/share/selinux-pol‐
940            icy[^/]*/html(/.*)?
941
942
943       httpd_sys_htaccess_t
944
945       -  Set  files  with the httpd_sys_htaccess_t type, if you want to treat
946       the file as a httpd sys access file.
947
948
949
950       httpd_sys_ra_content_t
951
952       - Set files with the httpd_sys_ra_content_t type, if you want to  treat
953       the files as httpd sys read/append content.
954
955
956
957       httpd_sys_rw_content_t
958
959       -  Set files with the httpd_sys_rw_content_t type, if you want to treat
960       the files as httpd sys read/write content.
961
962
963       Paths:
964            /etc/rt(/.*)?, /etc/glpi(/.*)?,  /etc/horde(/.*)?,  /etc/drupal.*,
965            /etc/z-push(/.*)?,     /var/lib/svn(/.*)?,     /var/www/svn(/.*)?,
966            /etc/owncloud(/.*)?,            /var/www/html(/.*)?/uploads(/.*)?,
967            /var/www/html(/.*)?/wp-content(/.*)?, /var/www/html(/.*)?/wp_back‐
968            ups(/.*)?,          /var/www/html(/.*)?/sites/default/files(/.*)?,
969            /var/www/html(/.*)?/sites/default/settings.php,
970            /etc/mock/koji(/.*)?,   /etc/nextcloud(/.*)?,   /var/lib/drupal.*,
971            /etc/zabbix/web(/.*)?,      /var/lib/moodle(/.*)?,     /var/log/z-
972            push(/.*)?,     /var/spool/gosa(/.*)?,     /etc/WebCalendar(/.*)?,
973            /usr/share/joomla(/.*)?,   /var/lib/dokuwiki(/.*)?,  /var/lib/own‐
974            cloud(/.*)?,  /var/spool/viewvc(/.*)?,   /var/lib/nextcloud(/.*)?,
975            /var/lib/pootle/po(/.*)?, /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
976            dledata(/.*)?,      /srv/gallery2/smarty(/.*)?,      /var/www/moo‐
977            dle/data(/.*)?,  /var/lib/graphite-web(/.*)?, /var/log/shibboleth-
978            www(/.*)?,    /var/www/gallery/albums(/.*)?,    /var/www/html/own‐
979            cloud/data(/.*)?,              /var/www/html/nextcloud/data(/.*)?,
980            /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-
981            content/upgrade(/.*)?,         /usr/share/wordpress/wp-content/up‐
982            loads(/.*)?, /var/www/html/configuration.php
983
984
985       httpd_sys_script_exec_t
986
987       - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
988       sition an executable to the httpd_sys_script_t domain.
989
990
991       Paths:
992            /opt/.*.cgi,       /usr/.*.cgi,      /var/www/[^/]*/cgi-bin(/.*)?,
993            /var/www/perl(/.*)?,            /var/www/html/[^/]*/cgi-bin(/.*)?,
994            /usr/lib/cgi-bin(/.*)?,                    /var/www/cgi-bin(/.*)?,
995            /var/www/svn/hooks(/.*)?,  /usr/share/wordpress/.*.php,   /usr/lo‐
996            cal/nagios/sbin(/.*)?,    /usr/share/wordpress/wp-includes/.*.php,
997            /usr/share/wordpress-mu/wp-config.php
998
999
1000       httpd_tmp_t
1001
1002       - Set files with the httpd_tmp_t type, if you want to store httpd  tem‐
1003       porary files in the /tmp directories.
1004
1005
1006       Paths:
1007            /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?
1008
1009
1010       httpd_tmpfs_t
1011
1012       -  Set  files  with  the httpd_tmpfs_t type, if you want to store httpd
1013       files on a tmpfs file system.
1014
1015
1016
1017       httpd_unconfined_script_exec_t
1018
1019       - Set files with the httpd_unconfined_script_exec_t type, if  you  want
1020       to transition an executable to the httpd_unconfined_script_t domain.
1021
1022
1023
1024       httpd_unit_file_t
1025
1026       -  Set  files with the httpd_unit_file_t type, if you want to treat the
1027       files as httpd unit content.
1028
1029
1030       Paths:
1031            /usr/lib/systemd/system/httpd.*,  /usr/lib/systemd/system/nginx.*,
1032            /usr/lib/systemd/system/thttpd.*,     /usr/lib/systemd/system/php-
1033            fpm.*
1034
1035
1036       httpd_user_content_t
1037
1038       - Set files with the httpd_user_content_t type, if you  want  to  treat
1039       the files as httpd user content.
1040
1041
1042
1043       httpd_user_htaccess_t
1044
1045       -  Set  files with the httpd_user_htaccess_t type, if you want to treat
1046       the file as a httpd user access file.
1047
1048
1049
1050       httpd_user_ra_content_t
1051
1052       - Set files with the httpd_user_ra_content_t type, if you want to treat
1053       the files as httpd user read/append content.
1054
1055
1056
1057       httpd_user_rw_content_t
1058
1059       - Set files with the httpd_user_rw_content_t type, if you want to treat
1060       the files as httpd user read/write content.
1061
1062
1063
1064       httpd_user_script_exec_t
1065
1066       - Set files with the httpd_user_script_exec_t  type,  if  you  want  to
1067       transition an executable to the httpd_user_script_t domain.
1068
1069
1070
1071       httpd_var_lib_t
1072
1073       -  Set  files  with  the httpd_var_lib_t type, if you want to store the
1074       httpd files under the /var/lib directory.
1075
1076
1077       Paths:
1078            /var/lib/rt(3|4)/data/RT-Shredder(/.*)?,       /var/lib/dav(/.*)?,
1079            /var/lib/php(/.*)?,   /var/lib/glpi(/.*)?,   /var/lib/httpd(/.*)?,
1080            /var/lib/nginx(/.*)?,     /var/lib/z-push(/.*)?,     /var/lib/gan‐
1081            glia(/.*)?,    /var/lib/ipsilon(/.*)?,    /var/lib/cherokee(/.*)?,
1082            /var/lib/lighttpd(/.*)?,              /var/lib/mod_security(/.*)?,
1083            /var/lib/roundcubemail(/.*)?,       /var/opt/rh/rh-nginx18/lib/ng‐
1084            inx(/.*)?
1085
1086
1087       httpd_var_run_t
1088
1089       - Set files with the httpd_var_run_t type, if you  want  to  store  the
1090       httpd files under the /run or /var/run directory.
1091
1092
1093       Paths:
1094            /var/run/wsgi.*,  /var/run/mod_.*,  /var/run/httpd.*, /var/run/ng‐
1095            inx.*, /var/run/apache.*,  /var/run/php-fpm(/.*)?,  /var/run/fcgi‐
1096            wrap(/.*)?,  /var/run/lighttpd(/.*)?,  /var/lib/php/session(/.*)?,
1097            /var/lib/php/wsdlcache(/.*)?,        /var/run/dirsrv/admin-serv.*,
1098            /var/opt/rh/rh-nginx18/run/nginx(/.*)?,    /var/www/openshift/bro‐
1099            ker/httpd/run(/.*)?,   /var/www/openshift/console/httpd/run(/.*)?,
1100            /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
1101            /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid
1102
1103
1104       Note: File context can be temporarily modified with the chcon  command.
1105       If  you want to permanently change the file context you need to use the
1106       semanage fcontext command.  This will modify the SELinux labeling data‐
1107       base.  You will need to use restorecon to apply the labels.
1108
1109

SHARING FILES

1111       If  you  want to share files with multiple domains (Apache, FTP, rsync,
1112       Samba), you can set a file context of public_content_t and  public_con‐
1113       tent_rw_t.   These  context  allow any of the above domains to read the
1114       content.  If you want a particular domain to write to  the  public_con‐
1115       tent_rw_t domain, you must set the appropriate boolean.
1116
1117       Allow httpd servers to read the /var/httpd directory by adding the pub‐
1118       lic_content_t file type to the directory  and  by  restoring  the  file
1119       type.
1120
1121       semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
1122       restorecon -F -R -v /var/httpd
1123
1124       Allow httpd servers to read and write /var/httpd/incoming by adding the
1125       public_content_rw_t type to the directory and  by  restoring  the  file
1126       type.  You also need to turn on the httpd_anon_write boolean.
1127
1128       semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
1129       restorecon -F -R -v /var/httpd/incoming
1130       setsebool -P httpd_anon_write 1
1131
1132
1133       If you want to allow Apache to modify public files used for public file
1134       transfer  services.  Directories/Files  must  be  labeled   public_con‐
1135       tent_rw_t., you must turn on the httpd_anon_write boolean.
1136
1137       setsebool -P httpd_anon_write 1
1138
1139

COMMANDS

1141       semanage  fcontext  can also be used to manipulate default file context
1142       mappings.
1143
1144       semanage permissive can also be used to manipulate  whether  or  not  a
1145       process type is permissive.
1146
1147       semanage  module can also be used to enable/disable/install/remove pol‐
1148       icy modules.
1149
1150       semanage port can also be used to manipulate the port definitions
1151
1152       semanage boolean can also be used to manipulate the booleans
1153
1154
1155       system-config-selinux is a GUI tool available to customize SELinux pol‐
1156       icy settings.
1157
1158

AUTHOR

1160       This manual page was auto-generated using sepolicy manpage .
1161
1162

SEE ALSO

1164       selinux(8),  httpd(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
1165       icy(8), setsebool(8), httpd_helper_selinux(8), httpd_passwd_selinux(8),
1166       httpd_php_selinux(8),                      httpd_rotatelogs_selinux(8),
1167       httpd_suexec_selinux(8),   httpd_sys_script_selinux(8),    httpd_uncon‐
1168       fined_script_selinux(8), httpd_user_script_selinux(8)
1169
1170
1171
1172httpd                              22-05-27                   httpd_selinux(8)
Impressum