1httpd_selinux(8) SELinux Policy httpd httpd_selinux(8)
2
6 httpd_selinux - Security Enhanced Linux Policy for the httpd processes
7
9 Security-Enhanced Linux secures the httpd processes via flexible manda‐
10 tory access control.
11 The httpd processes execute with the httpd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep httpd_t
19
23 The httpd_t SELinux type can be entered via the httpd_exec_t file type.
24 The default entrypoint paths for the httpd_t domain are the following:
26 /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-
28 ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
29 /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
30 /usr/sbin/apachectl, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
31 /usr/sbin/htcacheclean
32
34 SELinux defines process types (domains) for each process running on the
35 system
36 You can see the context of a process using the -Z option to ps
38 Policy governs the access confined processes have to files. SELinux
40 httpd policy is very flexible allowing users to setup their httpd pro‐
41 cesses in as secure a method as possible.
42 The following process types are defined for httpd:
44 httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t, httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t, httpd_passwd_t, httpd_unconfined_script_t
46 Note: semanage permissive -a httpd_t can be used to make the process
48 type httpd_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
54 SELinux policy is customizable based on least access required. httpd
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run httpd with the tightest access possible.
57 If you want to allow httpd to use built in scripting (usually php), you
61 must turn on the httpd_builtin_scripting boolean. Enabled by default.
62 setsebool -P httpd_builtin_scripting 1
64 If you want to allow httpd to act as a FTP client connecting to the ftp
68 port and ephemeral ports, you must turn on the httpd_can_connect_ftp
69 boolean. Disabled by default.
70 setsebool -P httpd_can_connect_ftp 1
72 If you want to allow httpd to connect to the ldap port, you must turn
76 on the httpd_can_connect_ldap boolean. Disabled by default.
77 setsebool -P httpd_can_connect_ldap 1
79 If you want to allow http daemon to connect to mythtv, you must turn on
83 the httpd_can_connect_mythtv boolean. Disabled by default.
84 setsebool -P httpd_can_connect_mythtv 1
86 If you want to allow http daemon to connect to zabbix, you must turn on
90 the httpd_can_connect_zabbix boolean. Disabled by default.
91 setsebool -P httpd_can_connect_zabbix 1
93 If you want to allow HTTPD scripts and modules to connect to the net‐
97 work using TCP, you must turn on the httpd_can_network_connect boolean.
98 Disabled by default.
99 setsebool -P httpd_can_network_connect 1
101 If you want to allow HTTPD scripts and modules to connect to cobbler
105 over the network, you must turn on the httpd_can_network_connect_cob‐
106 bler boolean. Disabled by default.
107 setsebool -P httpd_can_network_connect_cobbler 1
109 If you want to allow HTTPD scripts and modules to connect to databases
113 over the network, you must turn on the httpd_can_network_connect_db
114 boolean. Disabled by default.
115 setsebool -P httpd_can_network_connect_db 1
117 If you want to allow httpd to connect to memcache server, you must turn
121 on the httpd_can_network_memcache boolean. Disabled by default.
122 setsebool -P httpd_can_network_memcache 1
124 If you want to allow httpd to act as a relay, you must turn on the
128 httpd_can_network_relay boolean. Disabled by default.
129 setsebool -P httpd_can_network_relay 1
131 If you want to allow http daemon to send mail, you must turn on the
135 httpd_can_sendmail boolean. Disabled by default.
136 setsebool -P httpd_can_sendmail 1
138 If you want to allow Apache to communicate with avahi service via dbus,
142 you must turn on the httpd_dbus_avahi boolean. Disabled by default.
143 setsebool -P httpd_dbus_avahi 1
145 If you want to allow Apache to communicate with sssd service via dbus,
149 you must turn on the httpd_dbus_sssd boolean. Disabled by default.
150 setsebool -P httpd_dbus_sssd 1
152 If you want to allow httpd cgi support, you must turn on the httpd_en‐
156 able_cgi boolean. Enabled by default.
157 setsebool -P httpd_enable_cgi 1
159 If you want to allow httpd to act as a FTP server by listening on the
163 ftp port, you must turn on the httpd_enable_ftp_server boolean. Dis‐
164 abled by default.
165 setsebool -P httpd_enable_ftp_server 1
167 If you want to allow httpd to read home directories, you must turn on
171 the httpd_enable_homedirs boolean. Disabled by default.
172 setsebool -P httpd_enable_homedirs 1
174 If you want to allow httpd scripts and modules execmem/execstack, you
178 must turn on the httpd_execmem boolean. Disabled by default.
179 setsebool -P httpd_execmem 1
181 If you want to allow HTTPD to connect to port 80 for graceful shutdown,
185 you must turn on the httpd_graceful_shutdown boolean. Disabled by de‐
186 fault.
187 setsebool -P httpd_graceful_shutdown 1
189 If you want to allow httpd processes to manage IPA content, you must
193 turn on the httpd_manage_ipa boolean. Disabled by default.
194 setsebool -P httpd_manage_ipa 1
196 If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
200 on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.
201 setsebool -P httpd_mod_auth_ntlm_winbind 1
203 If you want to allow Apache to use mod_auth_pam, you must turn on the
207 httpd_mod_auth_pam boolean. Disabled by default.
208 setsebool -P httpd_mod_auth_pam 1
210 If you want to allow httpd to read user content, you must turn on the
214 httpd_read_user_content boolean. Disabled by default.
215 setsebool -P httpd_read_user_content 1
217 If you want to allow httpd processes to run IPA helper, you must turn
221 on the httpd_run_ipa boolean. Disabled by default.
222 setsebool -P httpd_run_ipa 1
224 If you want to allow Apache to run preupgrade, you must turn on the
228 httpd_run_preupgrade boolean. Disabled by default.
229 setsebool -P httpd_run_preupgrade 1
231 If you want to allow Apache to run in stickshift mode, not transition
235 to passenger, you must turn on the httpd_run_stickshift boolean. Dis‐
236 abled by default.
237 setsebool -P httpd_run_stickshift 1
239 If you want to allow HTTPD scripts and modules to server cobbler files,
243 you must turn on the httpd_serve_cobbler_files boolean. Disabled by de‐
244 fault.
245 setsebool -P httpd_serve_cobbler_files 1
247 If you want to allow httpd daemon to change its resource limits, you
251 must turn on the httpd_setrlimit boolean. Disabled by default.
252 setsebool -P httpd_setrlimit 1
254 If you want to allow HTTPD to run SSI executables in the same domain as
258 system CGI scripts, you must turn on the httpd_ssi_exec boolean. Dis‐
259 abled by default.
260 setsebool -P httpd_ssi_exec 1
262 If you want to unify HTTPD to communicate with the terminal. Needed for
266 entering the passphrase for certificates at the terminal, you must turn
267 on the httpd_tty_comm boolean. Disabled by default.
268 setsebool -P httpd_tty_comm 1
270 If you want to allow httpd to access cifs file systems, you must turn
274 on the httpd_use_cifs boolean. Disabled by default.
275 setsebool -P httpd_use_cifs 1
277 If you want to allow httpd to access FUSE file systems, you must turn
281 on the httpd_use_fusefs boolean. Disabled by default.
282 setsebool -P httpd_use_fusefs 1
284 If you want to allow httpd to access nfs file systems, you must turn on
288 the httpd_use_nfs boolean. Disabled by default.
289 setsebool -P httpd_use_nfs 1
291 If you want to allow httpd to use opencryptoki, you must turn on the
295 httpd_use_opencryptoki boolean. Disabled by default.
296 setsebool -P httpd_use_opencryptoki 1
298 If you want to allow httpd to access openstack ports, you must turn on
302 the httpd_use_openstack boolean. Disabled by default.
303 setsebool -P httpd_use_openstack 1
305 If you want to allow httpd to connect to sasl, you must turn on the
309 httpd_use_sasl boolean. Disabled by default.
310 setsebool -P httpd_use_sasl 1
312 If you want to allow Apache to query NS records, you must turn on the
316 httpd_verify_dns boolean. Disabled by default.
317 setsebool -P httpd_verify_dns 1
319 If you want to deny any process from ptracing or debugging any other
323 processes, you must turn on the deny_ptrace boolean. Enabled by de‐
324 fault.
325 setsebool -P deny_ptrace 1
327 If you want to allow all domains to execute in fips_mode, you must turn
331 on the fips_mode boolean. Enabled by default.
332 setsebool -P fips_mode 1
334 If you want to determine whether Git system daemon can access cifs file
338 systems, you must turn on the git_system_use_cifs boolean. Disabled by
339 default.
340 setsebool -P git_system_use_cifs 1
342 If you want to determine whether Git system daemon can access nfs file
346 systems, you must turn on the git_system_use_nfs boolean. Disabled by
347 default.
348 setsebool -P git_system_use_nfs 1
350 If you want to allow confined applications to run with kerberos, you
354 must turn on the kerberos_enabled boolean. Enabled by default.
355 setsebool -P kerberos_enabled 1
357
361 If you want to allow users to resolve user passwd entries directly from
362 ldap rather then using a sssd server for the httpd_t, you must turn on
363 the authlogin_nsswitch_use_ldap boolean.
364 setsebool -P authlogin_nsswitch_use_ldap 1
366 If you want to allow confined applications to run with kerberos for the
369 httpd_t, you must turn on the kerberos_enabled boolean.
370 setsebool -P kerberos_enabled 1
372
375 SELinux defines port types to represent TCP and UDP ports.
376 You can see the types associated with a port by using the following
378 command:
379 semanage port -l
381 Policy governs the access confined processes have to these ports.
384 SELinux httpd policy is very flexible allowing users to setup their
385 httpd processes in as secure a method as possible.
386 The following port types are defined for httpd:
388 http_cache_port_t
391 Default Defined Ports:
395 tcp 8080,8118,8123,10001-10010
396 udp 3130
397 http_port_t
400 Default Defined Ports:
404 tcp 80,81,443,488,8008,8009,8443,9000
405
407 The SELinux process type httpd_t can manage files labeled with the fol‐
408 lowing file types. The paths listed are the default paths for these
409 file types. Note the processes UID still need to have DAC permissions.
410 abrt_retrace_spool_t
412 /var/spool/faf(/.*)?
414 /var/spool/abrt-retrace(/.*)?
415 /var/spool/retrace-server(/.*)?
416 cifs_t
418 cluster_conf_t
421 /etc/cluster(/.*)?
423 cluster_var_lib_t
425 /var/lib/pcsd(/.*)?
427 /var/lib/cluster(/.*)?
428 /var/lib/openais(/.*)?
429 /var/lib/pengine(/.*)?
430 /var/lib/corosync(/.*)?
431 /usr/lib/heartbeat(/.*)?
432 /var/lib/heartbeat(/.*)?
433 /var/lib/pacemaker(/.*)?
434 cluster_var_run_t
436 /var/run/crm(/.*)?
438 /var/run/cman_.*
439 /var/run/rsctmp(/.*)?
440 /var/run/aisexec.*
441 /var/run/heartbeat(/.*)?
442 /var/run/pcsd-ruby.socket
443 /var/run/corosync-qnetd(/.*)?
444 /var/run/corosync-qdevice(/.*)?
445 /var/run/corosync.pid
446 /var/run/cpglockd.pid
447 /var/run/rgmanager.pid
448 /var/run/cluster/rgmanager.sk
449 cobbler_var_lib_t
451 /var/lib/cobbler(/.*)?
453 /var/www/cobbler(/.*)?
454 /var/cache/cobbler(/.*)?
455 /var/lib/tftpboot/etc(/.*)?
456 /var/lib/tftpboot/ppc(/.*)?
457 /var/lib/tftpboot/boot(/.*)?
458 /var/lib/tftpboot/grub(/.*)?
459 /var/lib/tftpboot/s390x(/.*)?
460 /var/lib/tftpboot/images(/.*)?
461 /var/lib/tftpboot/aarch64(/.*)?
462 /var/lib/tftpboot/images2(/.*)?
463 /var/lib/tftpboot/pxelinux.cfg(/.*)?
464 /var/lib/tftpboot/yaboot
465 /var/lib/tftpboot/memdisk
466 /var/lib/tftpboot/menu.c32
467 /var/lib/tftpboot/pxelinux.0
468 dirsrv_config_t
470 /etc/dirsrv(/.*)?
472 dirsrv_var_log_t
474 /var/log/dirsrv(/.*)?
476 dirsrv_var_run_t
478 /var/run/slapd.*
480 /var/run/dirsrv(/.*)?
481 dirsrvadmin_config_t
483 /etc/dirsrv/dsgw(/.*)?
485 /etc/dirsrv/admin-serv(/.*)?
486 dirsrvadmin_tmp_t
488 fusefs_t
491 /var/run/user/[0-9]+/gvfs
493 httpd_cache_t
495 /var/cache/rt(3|4)(/.*)?
497 /var/cache/ssl.*.sem
498 /var/cache/mod_.*
499 /var/cache/php-.*
500 /var/cache/httpd(/.*)?
501 /var/cache/mason(/.*)?
502 /var/cache/nginx(/.*)?
503 /var/cache/mod_ssl(/.*)?
504 /var/cache/lighttpd(/.*)?
505 /var/cache/mediawiki(/.*)?
506 /var/cache/mod_proxy(/.*)?
507 /var/cache/mod_gnutls(/.*)?
508 /var/cache/php-mmcache(/.*)?
509 /var/cache/php-eaccelerator(/.*)?
510 httpd_lock_t
512 httpd_squirrelmail_t
515 /var/lib/squirrelmail/prefs(/.*)?
517 httpd_tmp_t
519 /var/run/user/apache(/.*)?
521 /var/www/openshift/console/tmp(/.*)?
522 httpd_tmpfs_t
524 httpd_user_rw_content_t
527 httpd_var_lib_t
530 /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
532 /var/lib/dav(/.*)?
533 /var/lib/php(/.*)?
534 /var/lib/glpi(/.*)?
535 /var/lib/httpd(/.*)?
536 /var/lib/nginx(/.*)?
537 /var/lib/z-push(/.*)?
538 /var/lib/ganglia(/.*)?
539 /var/lib/ipsilon(/.*)?
540 /var/lib/cherokee(/.*)?
541 /var/lib/lighttpd(/.*)?
542 /var/lib/mod_security(/.*)?
543 /var/lib/roundcubemail(/.*)?
544 /var/opt/rh/rh-nginx18/lib/nginx(/.*)?
545 httpd_var_run_t
547 /var/run/wsgi.*
549 /var/run/mod_.*
550 /var/run/httpd.*
551 /var/run/nginx.*
552 /var/run/apache.*
553 /var/run/php-fpm(/.*)?
554 /var/run/fcgiwrap(/.*)?
555 /var/run/lighttpd(/.*)?
556 /var/lib/php/session(/.*)?
557 /var/lib/php/wsdlcache(/.*)?
558 /var/run/dirsrv/admin-serv.*
559 /var/opt/rh/rh-nginx18/run/nginx(/.*)?
560 /var/www/openshift/broker/httpd/run(/.*)?
561 /var/www/openshift/console/httpd/run(/.*)?
562 /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
563 /var/run/thttpd.pid
564 /var/run/gcache_port
565 /var/run/cherokee.pid
566 httpdcontent
568 hugetlbfs_t
571 /dev/hugepages
573 /usr/lib/udev/devices/hugepages
574 ipa_cert_t
576 /etc/httpd/alias/ipasession.key
578 ipa_var_run_t
580 /var/run/ipa(/.*)?
582 jetty_cache_t
584 /var/cache/jetty(/.*)?
586 jetty_log_t
588 /var/log/jetty(/.*)?
590 jetty_tmp_t
592 jetty_unit_file_t
595 /usr/lib/systemd/system/jetty.service
597 jetty_var_lib_t
599 /var/lib/jetty(/.*)?
601 jetty_var_run_t
603 /var/run/jetty(/.*)?
605 krb5_host_rcache_t
607 /var/tmp/krb5_0.rcache2
609 /var/cache/krb5rcache(/.*)?
610 /var/tmp/nfs_0
611 /var/tmp/DNS_25
612 /var/tmp/host_0
613 /var/tmp/imap_0
614 /var/tmp/HTTP_23
615 /var/tmp/HTTP_48
616 /var/tmp/ldap_55
617 /var/tmp/ldap_487
618 /var/tmp/ldapmap1_0
619 memcached_var_run_t
621 /var/run/memcached(/.*)?
623 /var/run/ipa_memcached(/.*)?
624 mirrormanager_var_run_t
626 /var/run/mirrormanager(/.*)?
628 named_cache_t
630 /var/named/data(/.*)?
632 /var/lib/softhsm(/.*)?
633 /var/lib/unbound(/.*)?
634 /var/named/slaves(/.*)?
635 /var/named/dynamic(/.*)?
636 /var/named/chroot/var/tmp(/.*)?
637 /var/named/chroot/var/named/data(/.*)?
638 /var/named/chroot/var/named/slaves(/.*)?
639 /var/named/chroot/var/named/dynamic(/.*)?
640 nfs_t
642 passenger_tmp_t
645 passenger_var_lib_t
648 /var/lib/passenger(/.*)?
650 passenger_var_run_t
652 /var/run/passenger(/.*)?
654 pkcs_slotd_lock_t
656 /var/lock/opencryptoki(/.*)?
658 pkcs_slotd_var_lib_t
660 /var/lib/opencryptoki(/.*)?
662 pki_apache_config
664 pki_apache_var_lib
667 pki_apache_var_log
670 postfix_spool_t
673 /var/spool/postfix.*
675 /var/spool/postfix/defer(/.*)?
676 /var/spool/postfix/flush(/.*)?
677 /var/spool/postfix/deferred(/.*)?
678 /var/spool/postfix/maildrop(/.*)?
679 preupgrade_data_t
681 /var/lib/preupgrade(/.*)?
683 /var/log/preupgrade(/.*)?
684 root_t
686 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
688 /
689 /initrd
690 security_t
692 /selinux
694 squirrelmail_spool_t
696 /var/spool/squirrelmail(/.*)?
698 systemd_passwd_var_run_t
700 /var/run/systemd/ask-password(/.*)?
702 /var/run/systemd/ask-password-block(/.*)?
703 zarafa_var_lib_t
705 /var/lib/zarafa(/.*)?
707 /var/lib/zarafa-webapp(/.*)?
708 /var/lib/zarafa-webaccess(/.*)?
709 zoneminder_var_lib_t
711 /var/lib/zoneminder(/.*)?
713
716 SELinux requires files to have an extended attribute to define the file
717 type.
718 You can see the context of a file using the -Z option to ls
720 Policy governs the access confined processes have to these files.
722 SELinux httpd policy is very flexible allowing users to setup their
723 httpd processes in as secure a method as possible.
724 EQUIVALENCE DIRECTORIES
726 httpd policy stores data with multiple different file context types un‐
729 der the /var/lib/php directory. If you would like to store the data in
730 a different directory you can use the semanage command to create an
731 equivalence mapping. If you wanted to store this data under the /srv
732 directory you would execute the following command:
733 semanage fcontext -a -e /var/lib/php /srv/php
735 restorecon -R -v /srv/php
736 httpd policy stores data with multiple different file context types un‐
738 der the /var/www directory. If you would like to store the data in a
739 different directory you can use the semanage command to create an
740 equivalence mapping. If you wanted to store this data under the /srv
741 directory you would execute the following command:
742 semanage fcontext -a -e /var/www /srv/www
744 restorecon -R -v /srv/www
745 STANDARD FILE CONTEXT
747 SELinux defines the file context types for the httpd, if you wanted to
749 store files with these types in a diffent paths, you need to execute
750 the semanage command to specify alternate labeling and then use re‐
751 storecon to put the labels on disk.
752 semanage fcontext -a -t httpd_var_run_t '/srv/myhttpd_content(/.*)?'
754 restorecon -R -v /srv/myhttpd_content
755 Note: SELinux often uses regular expressions to specify labels that
757 match multiple files.
758 The following file types are defined for httpd:
760 httpd_cache_t
764 - Set files with the httpd_cache_t type, if you want to store the files
766 under the /var/cache directory.
767 Paths:
770 /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
771 /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
772 /var/cache/nginx(/.*)?, /var/cache/mod_ssl(/.*)?,
773 /var/cache/lighttpd(/.*)?, /var/cache/mediawiki(/.*)?,
774 /var/cache/mod_proxy(/.*)?, /var/cache/mod_gnutls(/.*)?,
775 /var/cache/php-mmcache(/.*)?, /var/cache/php-eaccelerator(/.*)?
776 httpd_config_t
779 - Set files with the httpd_config_t type, if you want to treat the
781 files as httpd configuration data, usually stored under the /etc direc‐
782 tory.
783 Paths:
786 /etc/httpd(/.*)?, /etc/nginx(/.*)?, /etc/apache(2)?(/.*)?,
787 /etc/cherokee(/.*)?, /etc/lighttpd(/.*)?, /etc/apache-
788 ssl(2)?(/.*)?, /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-
789 nginx18/nginx(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?,
790 /etc/vhosts, /etc/thttpd.conf
791 httpd_exec_t
794 - Set files with the httpd_exec_t type, if you want to transition an
796 executable to the httpd_t domain.
797 Paths:
800 /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-
801 ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx,
802 /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
803 /usr/sbin/lighttpd, /usr/sbin/apachectl, /usr/sbin/httpd.event,
804 /usr/bin/mongrel_rails, /usr/sbin/htcacheclean
805 httpd_helper_exec_t
808 - Set files with the httpd_helper_exec_t type, if you want to transi‐
810 tion an executable to the httpd_helper_t domain.
811 httpd_initrc_exec_t
815 - Set files with the httpd_initrc_exec_t type, if you want to transi‐
817 tion an executable to the httpd_initrc_t domain.
818 Paths:
821 /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
822 /etc/rc.d/init.d/lighttpd
823 httpd_keytab_t
826 - Set files with the httpd_keytab_t type, if you want to treat the
828 files as kerberos keytab files.
829 httpd_lock_t
833 - Set files with the httpd_lock_t type, if you want to treat the files
835 as httpd lock data, stored under the /var/lock directory
836 httpd_log_t
840 - Set files with the httpd_log_t type, if you want to treat the data as
842 httpd log data, usually stored under the /var/log directory.
843 Paths:
846 /srv/([^/]*/)?www/logs(/.*)?, /var/www(/.*)?/logs(/.*)?,
847 /var/log/glpi(/.*)?, /var/log/cacti(/.*)?, /var/log/httpd(/.*)?,
848 /var/log/nginx(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/hori‐
849 zon(/.*)?, /var/log/php-fpm(/.*)?, /var/log/cherokee(/.*)?,
850 /var/log/lighttpd(/.*)?, /var/log/suphp.log.*,
851 /var/log/thttpd.log.*, /var/log/apache-ssl(2)?(/.*)?,
852 /var/log/cgiwrap.log.*, /var/www/stickshift/[^/]*/log(/.*)?,
853 /var/log/graphite-web(/.*)?, /var/www/miq/vmdb/log(/.*)?,
854 /var/log/roundcubemail(/.*)?, /var/log/php_errors.log.*,
855 /var/log/dirsrv/admin-serv(/.*)?, /var/opt/rh/rh-ng‐
856 inx18/log(/.*)?, /var/lib/openshift/.log/httpd(/.*)?,
857 /var/www/openshift/console/log(/.*)?, /var/www/openshift/bro‐
858 ker/httpd/logs(/.*)?, /var/www/openshift/console/httpd/logs(/.*)?
859 httpd_modules_t
862 - Set files with the httpd_modules_t type, if you want to treat the
864 files as httpd modules.
865 Paths:
868 /usr/lib/httpd(/.*)?, /usr/lib/apache(/.*)?, /usr/lib/chero‐
869 kee(/.*)?, /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/modules(/.*)?
870 httpd_passwd_exec_t
873 - Set files with the httpd_passwd_exec_t type, if you want to transi‐
875 tion an executable to the httpd_passwd_t domain.
876 httpd_php_exec_t
880 - Set files with the httpd_php_exec_t type, if you want to transition
882 an executable to the httpd_php_t domain.
883 httpd_php_tmp_t
887 - Set files with the httpd_php_tmp_t type, if you want to store httpd
889 php temporary files in the /tmp directories.
890 httpd_rotatelogs_exec_t
894 - Set files with the httpd_rotatelogs_exec_t type, if you want to tran‐
896 sition an executable to the httpd_rotatelogs_t domain.
897 httpd_squirrelmail_t
901 - Set files with the httpd_squirrelmail_t type, if you want to treat
903 the files as httpd squirrelmail data.
904 httpd_suexec_exec_t
908 - Set files with the httpd_suexec_exec_t type, if you want to transi‐
910 tion an executable to the httpd_suexec_t domain.
911 Paths:
914 /usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgi‐
915 wrap(d)?, /usr/sbin/suexec
916 httpd_suexec_tmp_t
919 - Set files with the httpd_suexec_tmp_t type, if you want to store
921 httpd suexec temporary files in the /tmp directories.
922 httpd_sys_content_t
926 - Set files with the httpd_sys_content_t type, if you want to treat the
928 files as httpd sys content.
929 Paths:
932 /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
933 /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
934 /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/ht‐
935 dig(/.*)?, /usr/share/drupal.*, /usr/share/z-push(/.*)?,
936 /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?,
937 /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?,
938 /usr/share/nginx/html(/.*)?, /usr/share/doc/ghc/html(/.*)?,
939 /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-pol‐
940 icy[^/]*/html(/.*)?
941 httpd_sys_htaccess_t
944 - Set files with the httpd_sys_htaccess_t type, if you want to treat
946 the file as a httpd sys access file.
947 httpd_sys_ra_content_t
951 - Set files with the httpd_sys_ra_content_t type, if you want to treat
953 the files as httpd sys read/append content.
954 httpd_sys_rw_content_t
958 - Set files with the httpd_sys_rw_content_t type, if you want to treat
960 the files as httpd sys read/write content.
961 Paths:
964 /etc/rt(/.*)?, /etc/glpi(/.*)?, /etc/horde(/.*)?, /etc/drupal.*,
965 /etc/z-push(/.*)?, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
966 /etc/owncloud(/.*)?, /var/www/html(/.*)?/uploads(/.*)?,
967 /var/www/html(/.*)?/wp-content(/.*)?, /var/www/html(/.*)?/wp_back‐
968 ups(/.*)?, /var/www/html(/.*)?/sites/default/files(/.*)?,
969 /var/www/html(/.*)?/sites/default/settings.php,
970 /etc/mock/koji(/.*)?, /etc/nextcloud(/.*)?, /var/lib/drupal.*,
971 /etc/zabbix/web(/.*)?, /var/lib/moodle(/.*)?, /var/log/z-
972 push(/.*)?, /var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?,
973 /usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?, /var/lib/own‐
974 cloud(/.*)?, /var/spool/viewvc(/.*)?, /var/lib/nextcloud(/.*)?,
975 /var/lib/pootle/po(/.*)?, /var/lib/phpMyAdmin(/.*)?, /var/www/moo‐
976 dledata(/.*)?, /srv/gallery2/smarty(/.*)?, /var/www/moo‐
977 dle/data(/.*)?, /var/lib/graphite-web(/.*)?, /var/log/shibboleth-
978 www(/.*)?, /var/www/gallery/albums(/.*)?, /var/www/html/own‐
979 cloud/data(/.*)?, /var/www/html/nextcloud/data(/.*)?,
980 /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-
981 content/upgrade(/.*)?, /usr/share/wordpress/wp-content/up‐
982 loads(/.*)?, /var/www/html/configuration.php
983 httpd_sys_script_exec_t
986 - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
988 sition an executable to the httpd_sys_script_t domain.
989 Paths:
992 /opt/.*.cgi, /usr/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
993 /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
994 /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?,
995 /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*.php, /usr/lo‐
996 cal/nagios/sbin(/.*)?, /usr/share/wordpress/wp-includes/.*.php,
997 /usr/share/wordpress-mu/wp-config.php
998 httpd_tmp_t
1001 - Set files with the httpd_tmp_t type, if you want to store httpd tem‐
1003 porary files in the /tmp directories.
1004 Paths:
1007 /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?
1008 httpd_tmpfs_t
1011 - Set files with the httpd_tmpfs_t type, if you want to store httpd
1013 files on a tmpfs file system.
1014 httpd_unconfined_script_exec_t
1018 - Set files with the httpd_unconfined_script_exec_t type, if you want
1020 to transition an executable to the httpd_unconfined_script_t domain.
1021 httpd_unit_file_t
1025 - Set files with the httpd_unit_file_t type, if you want to treat the
1027 files as httpd unit content.
1028 Paths:
1031 /usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/nginx.*,
1032 /usr/lib/systemd/system/thttpd.*, /usr/lib/systemd/system/php-
1033 fpm.*
1034 httpd_user_content_t
1037 - Set files with the httpd_user_content_t type, if you want to treat
1039 the files as httpd user content.
1040 httpd_user_htaccess_t
1044 - Set files with the httpd_user_htaccess_t type, if you want to treat
1046 the file as a httpd user access file.
1047 httpd_user_ra_content_t
1051 - Set files with the httpd_user_ra_content_t type, if you want to treat
1053 the files as httpd user read/append content.
1054 httpd_user_rw_content_t
1058 - Set files with the httpd_user_rw_content_t type, if you want to treat
1060 the files as httpd user read/write content.
1061 httpd_user_script_exec_t
1065 - Set files with the httpd_user_script_exec_t type, if you want to
1067 transition an executable to the httpd_user_script_t domain.
1068 httpd_var_lib_t
1072 - Set files with the httpd_var_lib_t type, if you want to store the
1074 httpd files under the /var/lib directory.
1075 Paths:
1078 /var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?,
1079 /var/lib/php(/.*)?, /var/lib/glpi(/.*)?, /var/lib/httpd(/.*)?,
1080 /var/lib/nginx(/.*)?, /var/lib/z-push(/.*)?, /var/lib/gan‐
1081 glia(/.*)?, /var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?,
1082 /var/lib/lighttpd(/.*)?, /var/lib/mod_security(/.*)?,
1083 /var/lib/roundcubemail(/.*)?, /var/opt/rh/rh-nginx18/lib/ng‐
1084 inx(/.*)?
1085 httpd_var_run_t
1088 - Set files with the httpd_var_run_t type, if you want to store the
1090 httpd files under the /run or /var/run directory.
1091 Paths:
1094 /var/run/wsgi.*, /var/run/mod_.*, /var/run/httpd.*, /var/run/ng‐
1095 inx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?, /var/run/fcgi‐
1096 wrap(/.*)?, /var/run/lighttpd(/.*)?, /var/lib/php/session(/.*)?,
1097 /var/lib/php/wsdlcache(/.*)?, /var/run/dirsrv/admin-serv.*,
1098 /var/opt/rh/rh-nginx18/run/nginx(/.*)?, /var/www/openshift/bro‐
1099 ker/httpd/run(/.*)?, /var/www/openshift/console/httpd/run(/.*)?,
1100 /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
1101 /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid
1102 Note: File context can be temporarily modified with the chcon command.
1105 If you want to permanently change the file context you need to use the
1106 semanage fcontext command. This will modify the SELinux labeling data‐
1107 base. You will need to use restorecon to apply the labels.
1108
1111 If you want to share files with multiple domains (Apache, FTP, rsync,
1112 Samba), you can set a file context of public_content_t and public_con‐
1113 tent_rw_t. These context allow any of the above domains to read the
1114 content. If you want a particular domain to write to the public_con‐
1115 tent_rw_t domain, you must set the appropriate boolean.
1116 Allow httpd servers to read the /var/httpd directory by adding the pub‐
1118 lic_content_t file type to the directory and by restoring the file
1119 type.
1120 semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
1122 restorecon -F -R -v /var/httpd
1123 Allow httpd servers to read and write /var/httpd/incoming by adding the
1125 public_content_rw_t type to the directory and by restoring the file
1126 type. You also need to turn on the httpd_anon_write boolean.
1127 semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
1129 restorecon -F -R -v /var/httpd/incoming
1130 setsebool -P httpd_anon_write 1
1131 If you want to allow Apache to modify public files used for public file
1134 transfer services. Directories/Files must be labeled public_con‐
1135 tent_rw_t., you must turn on the httpd_anon_write boolean.
1136 setsebool -P httpd_anon_write 1
1138
1141 semanage fcontext can also be used to manipulate default file context
1142 mappings.
1143 semanage permissive can also be used to manipulate whether or not a
1145 process type is permissive.
1146 semanage module can also be used to enable/disable/install/remove pol‐
1148 icy modules.
1149 semanage port can also be used to manipulate the port definitions
1151 semanage boolean can also be used to manipulate the booleans
1153 system-config-selinux is a GUI tool available to customize SELinux pol‐
1156 icy settings.
1157
1160 This manual page was auto-generated using sepolicy manpage .
1161
1164 selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepol‐
1165 icy(8), setsebool(8), httpd_helper_selinux(8), httpd_passwd_selinux(8),
1166 httpd_php_selinux(8), httpd_rotatelogs_selinux(8),
1167 httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_uncon‐
1168 fined_script_selinux(8), httpd_user_script_selinux(8)
1169httpd 22-05-27 httpd_selinux(8)