1httpd_selinux(8) SELinux Policy httpd httpd_selinux(8)
2
6 httpd_selinux - Security Enhanced Linux Policy for the httpd processes
7
9 Security-Enhanced Linux secures the httpd processes via flexible manda‐
10 tory access control.
11 The httpd processes execute with the httpd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep httpd_t
19
23 The httpd_t SELinux type can be entered via the httpd_exec_t file type.
24 The default entrypoint paths for the httpd_t domain are the following:
26 /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-
28 ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
29 /usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
30 /usr/sbin/apachectl, /usr/sbin/httpd.event, /usr/bin/mongrel_rails,
31 /usr/sbin/htcacheclean
32
34 SELinux defines process types (domains) for each process running on the
35 system
36 You can see the context of a process using the -Z option to ps
38 Policy governs the access confined processes have to files. SELinux
40 httpd policy is very flexible allowing users to setup their httpd pro‐
41 cesses in as secure a method as possible.
42 The following process types are defined for httpd:
44 httpd_t, httpd_helper_t, httpd_php_t, httpd_rotatelogs_t, httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t, httpd_passwd_t, httpd_unconfined_script_t
46 Note: semanage permissive -a httpd_t can be used to make the process
48 type httpd_t permissive. SELinux does not deny access to permissive
49 process types, but the AVC (SELinux denials) messages are still gener‐
50 ated.
51
54 SELinux policy is customizable based on least access required. httpd
55 policy is extremely flexible and has several booleans that allow you to
56 manipulate the policy and run httpd with the tightest access possible.
57 If you want to allow httpd to use built in scripting (usually php), you
61 must turn on the httpd_builtin_scripting boolean. Enabled by default.
62 setsebool -P httpd_builtin_scripting 1
64 If you want to allow http daemon to check spam, you must turn on the
68 httpd_can_check_spam boolean. Disabled by default.
69 setsebool -P httpd_can_check_spam 1
71 If you want to allow httpd to act as a FTP client connecting to the ftp
75 port and ephemeral ports, you must turn on the httpd_can_connect_ftp
76 boolean. Disabled by default.
77 setsebool -P httpd_can_connect_ftp 1
79 If you want to allow httpd to connect to the ldap port, you must turn
83 on the httpd_can_connect_ldap boolean. Disabled by default.
84 setsebool -P httpd_can_connect_ldap 1
86 If you want to allow http daemon to connect to mythtv, you must turn on
90 the httpd_can_connect_mythtv boolean. Disabled by default.
91 setsebool -P httpd_can_connect_mythtv 1
93 If you want to allow http daemon to connect to zabbix, you must turn on
97 the httpd_can_connect_zabbix boolean. Disabled by default.
98 setsebool -P httpd_can_connect_zabbix 1
100 If you want to allow HTTPD scripts and modules to connect to the net‐
104 work using TCP, you must turn on the httpd_can_network_connect boolean.
105 Disabled by default.
106 setsebool -P httpd_can_network_connect 1
108 If you want to allow HTTPD scripts and modules to connect to cobbler
112 over the network, you must turn on the httpd_can_network_connect_cob‐
113 bler boolean. Disabled by default.
114 setsebool -P httpd_can_network_connect_cobbler 1
116 If you want to allow HTTPD scripts and modules to connect to databases
120 over the network, you must turn on the httpd_can_network_connect_db
121 boolean. Disabled by default.
122 setsebool -P httpd_can_network_connect_db 1
124 If you want to allow httpd to connect to memcache server, you must turn
128 on the httpd_can_network_memcache boolean. Disabled by default.
129 setsebool -P httpd_can_network_memcache 1
131 If you want to allow httpd to connect to redis, you must turn on the
135 httpd_can_network_redis boolean. Disabled by default.
136 setsebool -P httpd_can_network_redis 1
138 If you want to allow httpd to act as a relay, you must turn on the
142 httpd_can_network_relay boolean. Disabled by default.
143 setsebool -P httpd_can_network_relay 1
145 If you want to allow http daemon to send mail, you must turn on the
149 httpd_can_sendmail boolean. Disabled by default.
150 setsebool -P httpd_can_sendmail 1
152 If you want to allow Apache to communicate with avahi service via dbus,
156 you must turn on the httpd_dbus_avahi boolean. Disabled by default.
157 setsebool -P httpd_dbus_avahi 1
159 If you want to allow Apache to communicate with sssd service via dbus,
163 you must turn on the httpd_dbus_sssd boolean. Disabled by default.
164 setsebool -P httpd_dbus_sssd 1
166 If you want to dontaudit Apache to search dirs, you must turn on the
170 httpd_dontaudit_search_dirs boolean. Disabled by default.
171 setsebool -P httpd_dontaudit_search_dirs 1
173 If you want to allow httpd cgi support, you must turn on the httpd_en‐
177 able_cgi boolean. Enabled by default.
178 setsebool -P httpd_enable_cgi 1
180 If you want to allow httpd to act as a FTP server by listening on the
184 ftp port, you must turn on the httpd_enable_ftp_server boolean. Dis‐
185 abled by default.
186 setsebool -P httpd_enable_ftp_server 1
188 If you want to allow httpd to read home directories, you must turn on
192 the httpd_enable_homedirs boolean. Disabled by default.
193 setsebool -P httpd_enable_homedirs 1
195 If you want to allow httpd scripts and modules execmem/execstack, you
199 must turn on the httpd_execmem boolean. Disabled by default.
200 setsebool -P httpd_execmem 1
202 If you want to allow HTTPD to connect to port 80 for graceful shutdown,
206 you must turn on the httpd_graceful_shutdown boolean. Disabled by de‐
207 fault.
208 setsebool -P httpd_graceful_shutdown 1
210 If you want to allow httpd processes to manage IPA content, you must
214 turn on the httpd_manage_ipa boolean. Disabled by default.
215 setsebool -P httpd_manage_ipa 1
217 If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn
221 on the httpd_mod_auth_ntlm_winbind boolean. Disabled by default.
222 setsebool -P httpd_mod_auth_ntlm_winbind 1
224 If you want to allow Apache to use mod_auth_pam, you must turn on the
228 httpd_mod_auth_pam boolean. Disabled by default.
229 setsebool -P httpd_mod_auth_pam 1
231 If you want to allow httpd to read user content, you must turn on the
235 httpd_read_user_content boolean. Disabled by default.
236 setsebool -P httpd_read_user_content 1
238 If you want to allow Apache to run preupgrade, you must turn on the
242 httpd_run_preupgrade boolean. Disabled by default.
243 setsebool -P httpd_run_preupgrade 1
245 If you want to allow Apache to run in stickshift mode, not transition
249 to passenger, you must turn on the httpd_run_stickshift boolean. Dis‐
250 abled by default.
251 setsebool -P httpd_run_stickshift 1
253 If you want to allow HTTPD scripts and modules to server cobbler files,
257 you must turn on the httpd_serve_cobbler_files boolean. Disabled by de‐
258 fault.
259 setsebool -P httpd_serve_cobbler_files 1
261 If you want to allow httpd daemon to change its resource limits, you
265 must turn on the httpd_setrlimit boolean. Disabled by default.
266 setsebool -P httpd_setrlimit 1
268 If you want to allow HTTPD to run SSI executables in the same domain as
272 system CGI scripts, you must turn on the httpd_ssi_exec boolean. Dis‐
273 abled by default.
274 setsebool -P httpd_ssi_exec 1
276 If you want to allow Apache to execute tmp content, you must turn on
280 the httpd_tmp_exec boolean. Disabled by default.
281 setsebool -P httpd_tmp_exec 1
283 If you want to unify HTTPD to communicate with the terminal. Needed for
287 entering the passphrase for certificates at the terminal, you must turn
288 on the httpd_tty_comm boolean. Disabled by default.
289 setsebool -P httpd_tty_comm 1
291 If you want to unify HTTPD handling of all content files, you must turn
295 on the httpd_unified boolean. Disabled by default.
296 setsebool -P httpd_unified 1
298 If you want to allow httpd to access cifs file systems, you must turn
302 on the httpd_use_cifs boolean. Disabled by default.
303 setsebool -P httpd_use_cifs 1
305 If you want to allow httpd to access FUSE file systems, you must turn
309 on the httpd_use_fusefs boolean. Disabled by default.
310 setsebool -P httpd_use_fusefs 1
312 If you want to allow httpd to run gpg, you must turn on the
316 httpd_use_gpg boolean. Disabled by default.
317 setsebool -P httpd_use_gpg 1
319 If you want to allow httpd to access nfs file systems, you must turn on
323 the httpd_use_nfs boolean. Disabled by default.
324 setsebool -P httpd_use_nfs 1
326 If you want to allow httpd to use opencryptoki, you must turn on the
330 httpd_use_opencryptoki boolean. Disabled by default.
331 setsebool -P httpd_use_opencryptoki 1
333 If you want to allow httpd to access openstack ports, you must turn on
337 the httpd_use_openstack boolean. Disabled by default.
338 setsebool -P httpd_use_openstack 1
340 If you want to allow httpd to connect to sasl, you must turn on the
344 httpd_use_sasl boolean. Disabled by default.
345 setsebool -P httpd_use_sasl 1
347 If you want to allow Apache to query NS records, you must turn on the
351 httpd_verify_dns boolean. Disabled by default.
352 setsebool -P httpd_verify_dns 1
354 If you want to dontaudit all daemons scheduling requests (setsched,
358 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
359 Enabled by default.
360 setsebool -P daemons_dontaudit_scheduling 1
362 If you want to deny any process from ptracing or debugging any other
366 processes, you must turn on the deny_ptrace boolean. Disabled by de‐
367 fault.
368 setsebool -P deny_ptrace 1
370 If you want to allow all domains to execute in fips_mode, you must turn
374 on the fips_mode boolean. Enabled by default.
375 setsebool -P fips_mode 1
377 If you want to determine whether Git system daemon can access cifs file
381 systems, you must turn on the git_system_use_cifs boolean. Disabled by
382 default.
383 setsebool -P git_system_use_cifs 1
385 If you want to determine whether Git system daemon can access nfs file
389 systems, you must turn on the git_system_use_nfs boolean. Disabled by
390 default.
391 setsebool -P git_system_use_nfs 1
393 If you want to allow confined applications to run with kerberos, you
397 must turn on the kerberos_enabled boolean. Enabled by default.
398 setsebool -P kerberos_enabled 1
400 If you want to allow system to run with NIS, you must turn on the
404 nis_enabled boolean. Disabled by default.
405 setsebool -P nis_enabled 1
407 If you want to support NFS home directories, you must turn on the
411 use_nfs_home_dirs boolean. Disabled by default.
412 setsebool -P use_nfs_home_dirs 1
414 If you want to support SAMBA home directories, you must turn on the
418 use_samba_home_dirs boolean. Disabled by default.
419 setsebool -P use_samba_home_dirs 1
421
425 If you want to allow users to resolve user passwd entries directly from
426 ldap rather then using a sssd server for the httpd_t, you must turn on
427 the authlogin_nsswitch_use_ldap boolean.
428 setsebool -P authlogin_nsswitch_use_ldap 1
430 If you want to allow confined applications to run with kerberos for the
433 httpd_t, you must turn on the kerberos_enabled boolean.
434 setsebool -P kerberos_enabled 1
436
439 SELinux defines port types to represent TCP and UDP ports.
440 You can see the types associated with a port by using the following
442 command:
443 semanage port -l
445 Policy governs the access confined processes have to these ports.
448 SELinux httpd policy is very flexible allowing users to setup their
449 httpd processes in as secure a method as possible.
450 The following port types are defined for httpd:
452 http_cache_port_t
455 Default Defined Ports:
459 tcp 8080,8118,8123,10001-10010
460 udp 3130
461 http_port_t
464 Default Defined Ports:
468 tcp 80,81,443,488,8008,8009,8443,9000
469
471 The SELinux process type httpd_t can manage files labeled with the fol‐
472 lowing file types. The paths listed are the default paths for these
473 file types. Note the processes UID still need to have DAC permissions.
474 abrt_retrace_spool_t
476 /var/spool/faf(/.*)?
478 /var/spool/abrt-retrace(/.*)?
479 /var/spool/retrace-server(/.*)?
480 cifs_t
482 cluster_conf_t
485 /etc/cluster(/.*)?
487 cluster_var_lib_t
489 /var/lib/pcsd(/.*)?
491 /var/lib/cluster(/.*)?
492 /var/lib/openais(/.*)?
493 /var/lib/pengine(/.*)?
494 /var/lib/corosync(/.*)?
495 /usr/lib/heartbeat(/.*)?
496 /var/lib/heartbeat(/.*)?
497 /var/lib/pacemaker(/.*)?
498 cluster_var_run_t
500 /var/run/crm(/.*)?
502 /var/run/cman_.*
503 /var/run/rsctmp(/.*)?
504 /var/run/aisexec.*
505 /var/run/heartbeat(/.*)?
506 /var/run/pcsd-ruby.socket
507 /var/run/corosync-qnetd(/.*)?
508 /var/run/corosync-qdevice(/.*)?
509 /var/run/corosync.pid
510 /var/run/cpglockd.pid
511 /var/run/rgmanager.pid
512 /var/run/cluster/rgmanager.sk
513 cobbler_var_lib_t
515 /var/lib/cobbler(/.*)?
517 /var/www/cobbler(/.*)?
518 /var/cache/cobbler(/.*)?
519 /var/lib/tftpboot/etc(/.*)?
520 /var/lib/tftpboot/ppc(/.*)?
521 /var/lib/tftpboot/boot(/.*)?
522 /var/lib/tftpboot/grub(/.*)?
523 /var/lib/tftpboot/s390x(/.*)?
524 /var/lib/tftpboot/images(/.*)?
525 /var/lib/tftpboot/aarch64(/.*)?
526 /var/lib/tftpboot/images2(/.*)?
527 /var/lib/tftpboot/pxelinux.cfg(/.*)?
528 /var/lib/tftpboot/yaboot
529 /var/lib/tftpboot/memdisk
530 /var/lib/tftpboot/menu.c32
531 /var/lib/tftpboot/pxelinux.0
532 dirsrv_config_t
534 /etc/dirsrv(/.*)?
536 dirsrv_var_log_t
538 /var/log/dirsrv(/.*)?
540 dirsrv_var_run_t
542 /var/run/slapd.*
544 /var/run/dirsrv(/.*)?
545 dirsrvadmin_config_t
547 /etc/dirsrv/dsgw(/.*)?
549 /etc/dirsrv/admin-serv(/.*)?
550 dirsrvadmin_tmp_t
552 fusefs_t
555 /var/run/user/[0-9]+/gvfs
557 httpd_cache_t
559 /var/cache/rt(3|4)(/.*)?
561 /var/cache/ssl.*.sem
562 /var/cache/mod_.*
563 /var/cache/php-.*
564 /var/cache/httpd(/.*)?
565 /var/cache/mason(/.*)?
566 /var/cache/nginx(/.*)?
567 /var/cache/mod_ssl(/.*)?
568 /var/cache/lighttpd(/.*)?
569 /var/cache/mediawiki(/.*)?
570 /var/cache/mod_proxy(/.*)?
571 /var/cache/mod_gnutls(/.*)?
572 /var/cache/php-mmcache(/.*)?
573 /var/cache/php-eaccelerator(/.*)?
574 httpd_lock_t
576 httpd_squirrelmail_t
579 /var/lib/squirrelmail/prefs(/.*)?
581 httpd_tmp_t
583 /var/run/user/apache(/.*)?
585 /var/www/openshift/console/tmp(/.*)?
586 httpd_tmpfs_t
588 httpd_user_rw_content_t
591 httpd_var_lib_t
594 /var/lib/rt(3|4)/data/RT-Shredder(/.*)?
596 /var/lib/dav(/.*)?
597 /var/lib/php(/.*)?
598 /var/lib/glpi(/.*)?
599 /var/lib/httpd(/.*)?
600 /var/lib/nginx(/.*)?
601 /var/lib/z-push(/.*)?
602 /var/lib/ganglia(/.*)?
603 /var/lib/ipsilon(/.*)?
604 /var/lib/cherokee(/.*)?
605 /var/lib/lighttpd(/.*)?
606 /var/lib/mod_security(/.*)?
607 /var/lib/roundcubemail(/.*)?
608 /var/opt/rh/rh-nginx18/lib/nginx(/.*)?
609 httpd_var_run_t
611 /var/run/mod_.*
613 /var/run/wsgi.*
614 /var/run/httpd.*
615 /var/run/nginx.*
616 /var/run/apache.*
617 /var/run/php-fpm(/.*)?
618 /var/run/fcgiwrap(/.*)?
619 /var/run/lighttpd(/.*)?
620 /var/lib/php/session(/.*)?
621 /var/lib/php/wsdlcache(/.*)?
622 /var/run/dirsrv/admin-serv.*
623 /var/opt/rh/rh-nginx18/run/nginx(/.*)?
624 /var/www/openshift/broker/httpd/run(/.*)?
625 /var/www/openshift/console/httpd/run(/.*)?
626 /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?
627 /var/run/thttpd.pid
628 /var/run/gcache_port
629 /var/run/cherokee.pid
630 httpdcontent
632 hugetlbfs_t
635 /dev/hugepages
637 /usr/lib/udev/devices/hugepages
638 insights_client_tmp_t
640 /var/tmp/insights-client(/.*)?
642 /tmp/insights-client.ppid
643 /var/tmp/insights-client.ppid
644 jetty_cache_t
646 /var/cache/jetty(/.*)?
648 jetty_log_t
650 /var/log/jetty(/.*)?
652 jetty_tmp_t
654 jetty_unit_file_t
657 /usr/lib/systemd/system/jetty.service
659 jetty_var_lib_t
661 /var/lib/jetty(/.*)?
663 jetty_var_run_t
665 /var/run/jetty(/.*)?
667 krb5_host_rcache_t
669 /var/tmp/krb5_0.rcache2
671 /var/cache/krb5rcache(/.*)?
672 /var/tmp/nfs_0
673 /var/tmp/DNS_25
674 /var/tmp/host_0
675 /var/tmp/imap_0
676 /var/tmp/HTTP_23
677 /var/tmp/HTTP_48
678 /var/tmp/ldap_55
679 /var/tmp/ldap_487
680 /var/tmp/ldapmap1_0
681 memcached_var_run_t
683 /var/run/memcached(/.*)?
685 /var/run/ipa_memcached(/.*)?
686 mirrormanager_var_run_t
688 /var/run/mirrormanager(/.*)?
690 named_cache_t
692 /var/named/data(/.*)?
694 /var/lib/softhsm(/.*)?
695 /var/lib/unbound(/.*)?
696 /var/named/slaves(/.*)?
697 /var/named/dynamic(/.*)?
698 /var/named/chroot/var/tmp(/.*)?
699 /var/named/chroot/var/named/data(/.*)?
700 /var/named/chroot/var/named/slaves(/.*)?
701 /var/named/chroot/var/named/dynamic(/.*)?
702 nfs_t
704 passenger_tmp_t
707 passenger_var_lib_t
710 /var/lib/passenger(/.*)?
712 passenger_var_run_t
714 /var/run/passenger(/.*)?
716 pkcs_slotd_lock_t
718 /var/lock/opencryptoki(/.*)?
720 pkcs_slotd_tmpfs_t
722 /dev/shm/var.lib.opencryptoki.*
724 pkcs_slotd_var_lib_t
726 /var/lib/opencryptoki(/.*)?
728 pki_apache_config
730 pki_apache_var_lib
733 pki_apache_var_log
736 postfix_spool_t
739 /var/spool/postfix.*
741 /var/spool/postfix/defer(/.*)?
742 /var/spool/postfix/flush(/.*)?
743 /var/spool/postfix/deferred(/.*)?
744 /var/spool/postfix/maildrop(/.*)?
745 preupgrade_data_t
747 /var/lib/preupgrade(/.*)?
749 /var/log/preupgrade(/.*)?
750 root_t
752 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
754 /
755 /initrd
756 security_t
758 /selinux
760 squirrelmail_spool_t
762 /var/spool/squirrelmail(/.*)?
764 systemd_passwd_var_run_t
766 /var/run/systemd/ask-password(/.*)?
768 /var/run/systemd/ask-password-block(/.*)?
769 zarafa_var_lib_t
771 /var/lib/zarafa(/.*)?
773 /var/lib/zarafa-webapp(/.*)?
774 /var/lib/zarafa-webaccess(/.*)?
775 zoneminder_var_lib_t
777 /var/lib/zoneminder(/.*)?
779
782 SELinux requires files to have an extended attribute to define the file
783 type.
784 You can see the context of a file using the -Z option to ls
786 Policy governs the access confined processes have to these files.
788 SELinux httpd policy is very flexible allowing users to setup their
789 httpd processes in as secure a method as possible.
790 EQUIVALENCE DIRECTORIES
792 httpd policy stores data with multiple different file context types un‐
795 der the /var/lib/httpd directory. If you would like to store the data
796 in a different directory you can use the semanage command to create an
797 equivalence mapping. If you wanted to store this data under the /srv
798 directory you would execute the following command:
799 semanage fcontext -a -e /var/lib/httpd /srv/httpd
801 restorecon -R -v /srv/httpd
802 httpd policy stores data with multiple different file context types un‐
804 der the /var/lib/php directory. If you would like to store the data in
805 a different directory you can use the semanage command to create an
806 equivalence mapping. If you wanted to store this data under the /srv
807 directory you would execute the following command:
808 semanage fcontext -a -e /var/lib/php /srv/php
810 restorecon -R -v /srv/php
811 httpd policy stores data with multiple different file context types un‐
813 der the /var/www directory. If you would like to store the data in a
814 different directory you can use the semanage command to create an
815 equivalence mapping. If you wanted to store this data under the /srv
816 directory you would execute the following command:
817 semanage fcontext -a -e /var/www /srv/www
819 restorecon -R -v /srv/www
820 STANDARD FILE CONTEXT
822 SELinux defines the file context types for the httpd, if you wanted to
824 store files with these types in a different paths, you need to execute
825 the semanage command to specify alternate labeling and then use re‐
826 storecon to put the labels on disk.
827 semanage fcontext -a -t httpd_exec_t '/srv/httpd/content(/.*)?'
829 restorecon -R -v /srv/myhttpd_content
830 Note: SELinux often uses regular expressions to specify labels that
832 match multiple files.
833 The following file types are defined for httpd:
835 httpd_cache_t
839 - Set files with the httpd_cache_t type, if you want to store the files
841 under the /var/cache directory.
842 Paths:
845 /var/cache/rt(3|4)(/.*)?, /var/cache/ssl.*.sem, /var/cache/mod_.*,
846 /var/cache/php-.*, /var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
847 /var/cache/nginx(/.*)?, /var/cache/mod_ssl(/.*)?,
848 /var/cache/lighttpd(/.*)?, /var/cache/mediawiki(/.*)?,
849 /var/cache/mod_proxy(/.*)?, /var/cache/mod_gnutls(/.*)?,
850 /var/cache/php-mmcache(/.*)?, /var/cache/php-eaccelerator(/.*)?
851 httpd_config_t
854 - Set files with the httpd_config_t type, if you want to treat the
856 files as httpd configuration data, usually stored under the /etc direc‐
857 tory.
858 Paths:
861 /etc/httpd(/.*)?, /etc/nginx(/.*)?, /etc/apache(2)?(/.*)?,
862 /etc/cherokee(/.*)?, /etc/lighttpd(/.*)?, /etc/apache-
863 ssl(2)?(/.*)?, /var/lib/openshift/.httpd.d(/.*)?, /etc/opt/rh/rh-
864 nginx18/nginx(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?,
865 /etc/vhosts, /etc/thttpd.conf
866 httpd_exec_t
869 - Set files with the httpd_exec_t type, if you want to transition an
871 executable to the httpd_t domain.
872 Paths:
875 /usr/sbin/httpd(.worker)?, /usr/sbin/apache(2)?, /usr/lib/apache-
876 ssl/.+, /usr/sbin/apache-ssl(2)?, /usr/sbin/nginx,
877 /usr/sbin/thttpd, /usr/sbin/php-fpm, /usr/sbin/cherokee,
878 /usr/sbin/lighttpd, /usr/sbin/apachectl, /usr/sbin/httpd.event,
879 /usr/bin/mongrel_rails, /usr/sbin/htcacheclean
880 httpd_helper_exec_t
883 - Set files with the httpd_helper_exec_t type, if you want to transi‐
885 tion an executable to the httpd_helper_t domain.
886 httpd_initrc_exec_t
890 - Set files with the httpd_initrc_exec_t type, if you want to transi‐
892 tion an executable to the httpd_initrc_t domain.
893 Paths:
896 /etc/init.d/cherokee, /etc/rc.d/init.d/httpd,
897 /etc/rc.d/init.d/lighttpd
898 httpd_keytab_t
901 - Set files with the httpd_keytab_t type, if you want to treat the
903 files as kerberos keytab files.
904 httpd_lock_t
908 - Set files with the httpd_lock_t type, if you want to treat the files
910 as httpd lock data, stored under the /var/lock directory
911 httpd_log_t
915 - Set files with the httpd_log_t type, if you want to treat the data as
917 httpd log data, usually stored under the /var/log directory.
918 Paths:
921 /srv/([^/]*/)?www/logs(/.*)?, /var/www(/.*)?/logs(/.*)?,
922 /var/log/glpi(/.*)?, /var/log/cacti(/.*)?, /var/log/httpd(/.*)?,
923 /var/log/nginx(/.*)?, /var/log/apache(2)?(/.*)?, /var/log/hori‐
924 zon(/.*)?, /var/log/php-fpm(/.*)?, /var/log/cherokee(/.*)?,
925 /var/log/lighttpd(/.*)?, /var/log/suphp.log.*,
926 /var/log/thttpd.log.*, /var/log/apache-ssl(2)?(/.*)?,
927 /var/log/cgiwrap.log.*, /var/www/stickshift/[^/]*/log(/.*)?,
928 /var/log/graphite-web(/.*)?, /var/www/miq/vmdb/log(/.*)?,
929 /var/log/roundcubemail(/.*)?, /var/log/php_errors.log.*,
930 /var/log/dirsrv/admin-serv(/.*)?, /var/opt/rh/rh-ng‐
931 inx18/log(/.*)?, /var/lib/openshift/.log/httpd(/.*)?,
932 /var/www/openshift/console/log(/.*)?, /var/www/openshift/bro‐
933 ker/httpd/logs(/.*)?, /var/www/openshift/console/httpd/logs(/.*)?
934 httpd_modules_t
937 - Set files with the httpd_modules_t type, if you want to treat the
939 files as httpd modules.
940 Paths:
943 /usr/lib/httpd(/.*)?, /usr/lib/apache(/.*)?, /usr/lib/chero‐
944 kee(/.*)?, /usr/lib/lighttpd(/.*)?, /usr/lib/apache2/modules(/.*)?
945 httpd_passwd_exec_t
948 - Set files with the httpd_passwd_exec_t type, if you want to transi‐
950 tion an executable to the httpd_passwd_t domain.
951 httpd_php_exec_t
955 - Set files with the httpd_php_exec_t type, if you want to transition
957 an executable to the httpd_php_t domain.
958 httpd_php_tmp_t
962 - Set files with the httpd_php_tmp_t type, if you want to store httpd
964 php temporary files in the /tmp directories.
965 httpd_rotatelogs_exec_t
969 - Set files with the httpd_rotatelogs_exec_t type, if you want to tran‐
971 sition an executable to the httpd_rotatelogs_t domain.
972 httpd_squirrelmail_t
976 - Set files with the httpd_squirrelmail_t type, if you want to treat
978 the files as httpd squirrelmail data.
979 httpd_suexec_exec_t
983 - Set files with the httpd_suexec_exec_t type, if you want to transi‐
985 tion an executable to the httpd_suexec_t domain.
986 Paths:
989 /usr/lib/apache(2)?/suexec(2)?, /usr/lib/cgi-bin/(nph-)?cgi‐
990 wrap(d)?, /usr/sbin/suexec
991 httpd_suexec_tmp_t
994 - Set files with the httpd_suexec_tmp_t type, if you want to store
996 httpd suexec temporary files in the /tmp directories.
997 httpd_sys_content_t
1001 - Set files with the httpd_sys_content_t type, if you want to treat the
1003 files as httpd sys content.
1004 Paths:
1007 /srv/([^/]*/)?www(/.*)?, /var/www(/.*)?, /etc/htdig(/.*)?,
1008 /srv/gallery2(/.*)?, /var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
1009 /var/www/icons(/.*)?, /usr/share/glpi(/.*)?, /usr/share/ht‐
1010 dig(/.*)?, /usr/share/drupal.*, /usr/share/z-push(/.*)?,
1011 /var/www/svn/conf(/.*)?, /usr/share/icecast(/.*)?,
1012 /var/lib/cacti/rra(/.*)?, /usr/share/ntop/html(/.*)?,
1013 /usr/share/nginx/html(/.*)?, /usr/share/doc/ghc/html(/.*)?,
1014 /usr/share/openca/htdocs(/.*)?, /usr/share/selinux-pol‐
1015 icy[^/]*/html(/.*)?
1016 httpd_sys_htaccess_t
1019 - Set files with the httpd_sys_htaccess_t type, if you want to treat
1021 the file as a httpd sys access file.
1022 httpd_sys_ra_content_t
1026 - Set files with the httpd_sys_ra_content_t type, if you want to treat
1028 the files as httpd sys read/append content.
1029 httpd_sys_rw_content_t
1033 - Set files with the httpd_sys_rw_content_t type, if you want to treat
1035 the files as httpd sys read/write content.
1036 Paths:
1039 /etc/rt(/.*)?, /etc/glpi(/.*)?, /etc/horde(/.*)?, /etc/drupal.*,
1040 /etc/z-push(/.*)?, /var/lib/svn(/.*)?, /var/www/svn(/.*)?,
1041 /etc/owncloud(/.*)?, /var/www/html(/.*)?/uploads(/.*)?,
1042 /var/www/html(/.*)?/wp-content(/.*)?, /var/www/html(/.*)?/wp_back‐
1043 ups(/.*)?, /var/www/html(/.*)?/sites/default/files(/.*)?,
1044 /var/www/html(/.*)?/sites/default/settings.php,
1045 /etc/mock/koji(/.*)?, /etc/nextcloud(/.*)?, /var/lib/drupal.*,
1046 /etc/zabbix/web(/.*)?, /var/lib/moodle(/.*)?, /var/log/z-
1047 push(/.*)?, /var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?,
1048 /usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?,
1049 /var/lib/httpd/md(/.*)?, /var/lib/owncloud(/.*)?,
1050 /var/spool/viewvc(/.*)?, /var/lib/nextcloud(/.*)?, /var/lib/poo‐
1051 tle/po(/.*)?, /var/lib/phpMyAdmin(/.*)?, /var/www/moodle‐
1052 data(/.*)?, /srv/gallery2/smarty(/.*)?, /var/www/moo‐
1053 dle/data(/.*)?, /var/lib/graphite-web(/.*)?, /var/log/shibboleth-
1054 www(/.*)?, /var/www/gallery/albums(/.*)?, /var/www/html/own‐
1055 cloud/data(/.*)?, /var/www/html/nextcloud/data(/.*)?,
1056 /usr/share/wordpress-mu/wp-content(/.*)?, /usr/share/wordpress/wp-
1057 content/upgrade(/.*)?, /usr/share/wordpress/wp-content/up‐
1058 loads(/.*)?, /var/www/html/configuration.php
1059 httpd_sys_script_exec_t
1062 - Set files with the httpd_sys_script_exec_t type, if you want to tran‐
1064 sition an executable to the httpd_sys_script_t domain.
1065 Paths:
1068 /opt/.*.cgi, /usr/.*.cgi, /var/www/[^/]*/cgi-bin(/.*)?,
1069 /var/www/perl(/.*)?, /var/www/html/[^/]*/cgi-bin(/.*)?,
1070 /usr/lib/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?,
1071 /var/www/svn/hooks(/.*)?, /usr/share/wordpress/.*.php, /usr/lo‐
1072 cal/nagios/sbin(/.*)?, /usr/share/wordpress/wp-includes/.*.php,
1073 /usr/share/wordpress-mu/wp-config.php
1074 httpd_tmp_t
1077 - Set files with the httpd_tmp_t type, if you want to store httpd tem‐
1079 porary files in the /tmp directories.
1080 Paths:
1083 /var/run/user/apache(/.*)?, /var/www/openshift/console/tmp(/.*)?
1084 httpd_tmpfs_t
1087 - Set files with the httpd_tmpfs_t type, if you want to store httpd
1089 files on a tmpfs file system.
1090 httpd_unconfined_script_exec_t
1094 - Set files with the httpd_unconfined_script_exec_t type, if you want
1096 to transition an executable to the httpd_unconfined_script_t domain.
1097 httpd_unit_file_t
1101 - Set files with the httpd_unit_file_t type, if you want to treat the
1103 files as httpd unit content.
1104 Paths:
1107 /usr/lib/systemd/system/httpd.*, /usr/lib/systemd/system/nginx.*,
1108 /usr/lib/systemd/system/thttpd.*, /usr/lib/systemd/system/php-
1109 fpm.*
1110 httpd_user_content_t
1113 - Set files with the httpd_user_content_t type, if you want to treat
1115 the files as httpd user content.
1116 httpd_user_htaccess_t
1120 - Set files with the httpd_user_htaccess_t type, if you want to treat
1122 the file as a httpd user access file.
1123 httpd_user_ra_content_t
1127 - Set files with the httpd_user_ra_content_t type, if you want to treat
1129 the files as httpd user read/append content.
1130 httpd_user_rw_content_t
1134 - Set files with the httpd_user_rw_content_t type, if you want to treat
1136 the files as httpd user read/write content.
1137 httpd_user_script_exec_t
1141 - Set files with the httpd_user_script_exec_t type, if you want to
1143 transition an executable to the httpd_user_script_t domain.
1144 httpd_var_lib_t
1148 - Set files with the httpd_var_lib_t type, if you want to store the
1150 httpd files under the /var/lib directory.
1151 Paths:
1154 /var/lib/rt(3|4)/data/RT-Shredder(/.*)?, /var/lib/dav(/.*)?,
1155 /var/lib/php(/.*)?, /var/lib/glpi(/.*)?, /var/lib/httpd(/.*)?,
1156 /var/lib/nginx(/.*)?, /var/lib/z-push(/.*)?, /var/lib/gan‐
1157 glia(/.*)?, /var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?,
1158 /var/lib/lighttpd(/.*)?, /var/lib/mod_security(/.*)?,
1159 /var/lib/roundcubemail(/.*)?, /var/opt/rh/rh-nginx18/lib/ng‐
1160 inx(/.*)?
1161 httpd_var_run_t
1164 - Set files with the httpd_var_run_t type, if you want to store the
1166 httpd files under the /run or /var/run directory.
1167 Paths:
1170 /var/run/mod_.*, /var/run/wsgi.*, /var/run/httpd.*, /var/run/ng‐
1171 inx.*, /var/run/apache.*, /var/run/php-fpm(/.*)?, /var/run/fcgi‐
1172 wrap(/.*)?, /var/run/lighttpd(/.*)?, /var/lib/php/session(/.*)?,
1173 /var/lib/php/wsdlcache(/.*)?, /var/run/dirsrv/admin-serv.*,
1174 /var/opt/rh/rh-nginx18/run/nginx(/.*)?, /var/www/openshift/bro‐
1175 ker/httpd/run(/.*)?, /var/www/openshift/console/httpd/run(/.*)?,
1176 /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
1177 /var/run/thttpd.pid, /var/run/gcache_port, /var/run/cherokee.pid
1178 Note: File context can be temporarily modified with the chcon command.
1181 If you want to permanently change the file context you need to use the
1182 semanage fcontext command. This will modify the SELinux labeling data‐
1183 base. You will need to use restorecon to apply the labels.
1184
1187 If you want to share files with multiple domains (Apache, FTP, rsync,
1188 Samba), you can set a file context of public_content_t and public_con‐
1189 tent_rw_t. These context allow any of the above domains to read the
1190 content. If you want a particular domain to write to the public_con‐
1191 tent_rw_t domain, you must set the appropriate boolean.
1192 Allow httpd servers to read the /var/httpd directory by adding the pub‐
1194 lic_content_t file type to the directory and by restoring the file
1195 type.
1196 semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
1198 restorecon -F -R -v /var/httpd
1199 Allow httpd servers to read and write /var/httpd/incoming by adding the
1201 public_content_rw_t type to the directory and by restoring the file
1202 type. You also need to turn on the httpd_anon_write boolean.
1203 semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
1205 restorecon -F -R -v /var/httpd/incoming
1206 setsebool -P httpd_anon_write 1
1207 If you want to allow Apache to modify public files used for public file
1210 transfer services. Directories/Files must be labeled public_con‐
1211 tent_rw_t., you must turn on the httpd_anon_write boolean.
1212 setsebool -P httpd_anon_write 1
1214
1217 semanage fcontext can also be used to manipulate default file context
1218 mappings.
1219 semanage permissive can also be used to manipulate whether or not a
1221 process type is permissive.
1222 semanage module can also be used to enable/disable/install/remove pol‐
1224 icy modules.
1225 semanage port can also be used to manipulate the port definitions
1227 semanage boolean can also be used to manipulate the booleans
1229 system-config-selinux is a GUI tool available to customize SELinux pol‐
1232 icy settings.
1233
1236 This manual page was auto-generated using sepolicy manpage .
1237
1240 selinux(8), httpd(8), semanage(8), restorecon(8), chcon(1), sepol‐
1241 icy(8), setsebool(8), httpd_helper_selinux(8), httpd_passwd_selinux(8),
1242 httpd_php_selinux(8), httpd_rotatelogs_selinux(8),
1243 httpd_suexec_selinux(8), httpd_sys_script_selinux(8), httpd_uncon‐
1244 fined_script_selinux(8), httpd_user_script_selinux(8)
1245httpd 23-10-20 httpd_selinux(8)