Current File : //kunden/usr/share/selinux/devel/html/httpd.html

<!-- Creator     : groff version 1.22.4 -->
<!-- CreationDate: Thu Apr 10 20:00:00 2025 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
       p       { margin-top: 0; margin-bottom: 0; vertical-align: top }
       pre     { margin-top: 0; margin-bottom: 0; vertical-align: top }
       table   { margin-top: 0; margin-bottom: 0; vertical-align: top }
       h1      { text-align: center }
</style>
<title>httpd_selinux</title>

</head>
<body>

<h1 align="center">httpd_selinux</h1>

<a href="#NAME">NAME</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#ENTRYPOINTS">ENTRYPOINTS</a><br>
<a href="#PROCESS TYPES">PROCESS TYPES</a><br>
<a href="#BOOLEANS">BOOLEANS</a><br>
<a href="#NSSWITCH DOMAIN">NSSWITCH DOMAIN</a><br>
<a href="#PORT TYPES">PORT TYPES</a><br>
<a href="#MANAGED FILES">MANAGED FILES</a><br>
<a href="#FILE CONTEXTS">FILE CONTEXTS</a><br>
<a href="#SHARING FILES">SHARING FILES</a><br>
<a href="#COMMANDS">COMMANDS</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>

<hr>


<h2>NAME
<a name="NAME"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">httpd_selinux
&minus; Security Enhanced Linux Policy for the httpd
processes</p>

<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>



<p style="margin-left:11%; margin-top: 1em">Security-Enhanced
Linux secures the httpd processes via flexible mandatory
access control.</p>

<p style="margin-left:11%; margin-top: 1em">The httpd
processes execute with the httpd_t SELinux type. You can
check if you have these processes running by executing the
<b>ps</b> command with the <b>&minus;Z</b> qualifier.</p>

<p style="margin-left:11%; margin-top: 1em">For
example:</p>

<p style="margin-left:11%; margin-top: 1em"><b>ps -eZ |
grep httpd_t</b></p>

<h2>ENTRYPOINTS
<a name="ENTRYPOINTS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">The httpd_t
SELinux type can be entered via the <b>httpd_exec_t</b> file
type.</p>

<p style="margin-left:11%; margin-top: 1em">The default
entrypoint paths for the httpd_t domain are the
following:</p>


<p style="margin-left:11%; margin-top: 1em">/usr/sbin/httpd(.worker)?,
/usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
/usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
/usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
/usr/sbin/apachectl, /usr/sbin/httpd.event,
/usr/bin/mongrel_rails, /usr/sbin/htcacheclean</p>

<h2>PROCESS TYPES
<a name="PROCESS TYPES"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux defines
process types (domains) for each process running on the
system</p>

<p style="margin-left:11%; margin-top: 1em">You can see the
context of a process using the <b>&minus;Z</b> option to
<b>ps</b></p>

<p style="margin-left:11%; margin-top: 1em">Policy governs
the access confined processes have to files. SELinux httpd
policy is very flexible allowing users to setup their httpd
processes in as secure a method as possible.</p>

<p style="margin-left:11%; margin-top: 1em">The following
process types are defined for httpd:</p>

<p style="margin-left:11%; margin-top: 1em"><b>httpd_t,
httpd_helper_t, httpd_php_t, httpd_rotatelogs_t,
httpd_suexec_t, httpd_sys_script_t, httpd_user_script_t,
httpd_passwd_t, httpd_unconfined_script_t</b></p>

<p style="margin-left:11%; margin-top: 1em">Note:
<b>semanage permissive -a httpd_t</b> can be used to make
the process type httpd_t permissive. SELinux does not deny
access to permissive process types, but the AVC (SELinux
denials) messages are still generated.</p>

<h2>BOOLEANS
<a name="BOOLEANS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux policy
is customizable based on least access required. httpd policy
is extremely flexible and has several booleans that allow
you to manipulate the policy and run httpd with the tightest
access possible.</p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to use built in scripting (usually php), you
must turn on the httpd_builtin_scripting boolean. Enabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_builtin_scripting 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow http daemon to check spam, you must turn on the
httpd_can_check_spam boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_check_spam 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to act as a FTP client connecting to the ftp
port and ephemeral ports, you must turn on the
httpd_can_connect_ftp boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_connect_ftp 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to connect to the ldap port, you must turn on
the httpd_can_connect_ldap boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_connect_ldap 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow http daemon to connect to mythtv, you must turn on the
httpd_can_connect_mythtv boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_connect_mythtv 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow http daemon to connect to zabbix, you must turn on the
httpd_can_connect_zabbix boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_connect_zabbix 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow HTTPD scripts and modules to connect to the network
using TCP, you must turn on the httpd_can_network_connect
boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_network_connect 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow HTTPD scripts and modules to connect to cobbler over
the network, you must turn on the
httpd_can_network_connect_cobbler boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_network_connect_cobbler 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow HTTPD scripts and modules to connect to databases over
the network, you must turn on the
httpd_can_network_connect_db boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_network_connect_db 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to connect to memcache server, you must turn on
the httpd_can_network_memcache boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_network_memcache 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to act as a relay, you must turn on the
httpd_can_network_relay boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_network_relay 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow http daemon to send mail, you must turn on the
httpd_can_sendmail boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_can_sendmail 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to communicate with avahi service via dbus, you
must turn on the httpd_dbus_avahi boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_dbus_avahi 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to communicate with sssd service via dbus, you
must turn on the httpd_dbus_sssd boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_dbus_sssd 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
dontaudit Apache to search dirs, you must turn on the
httpd_dontaudit_search_dirs boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_dontaudit_search_dirs 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd cgi support, you must turn on the
httpd_enable_cgi boolean. Enabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_enable_cgi 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to act as a FTP server by listening on the ftp
port, you must turn on the httpd_enable_ftp_server boolean.
Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_enable_ftp_server 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to read home directories, you must turn on the
httpd_enable_homedirs boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_enable_homedirs 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd scripts and modules execmem/execstack, you must
turn on the httpd_execmem boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_execmem 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow HTTPD to connect to port 80 for graceful shutdown, you
must turn on the httpd_graceful_shutdown boolean. Disabled
by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_graceful_shutdown 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd processes to manage IPA content, you must turn
on the httpd_manage_ipa boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_manage_ipa 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to use mod_auth_ntlm_winbind, you must turn on
the httpd_mod_auth_ntlm_winbind boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_mod_auth_ntlm_winbind 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to use mod_auth_pam, you must turn on the
httpd_mod_auth_pam boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_mod_auth_pam 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to read user content, you must turn on the
httpd_read_user_content boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_read_user_content 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to run preupgrade, you must turn on the
httpd_run_preupgrade boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_run_preupgrade 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to run in stickshift mode, not transition to
passenger, you must turn on the httpd_run_stickshift
boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_run_stickshift 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow HTTPD scripts and modules to server cobbler files, you
must turn on the httpd_serve_cobbler_files boolean. Disabled
by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_serve_cobbler_files 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd daemon to change its resource limits, you must
turn on the httpd_setrlimit boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_setrlimit 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow HTTPD to run SSI executables in the same domain as
system CGI scripts, you must turn on the httpd_ssi_exec
boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_ssi_exec 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to execute tmp content, you must turn on the
httpd_tmp_exec boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_tmp_exec 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
unify HTTPD to communicate with the terminal. Needed for
entering the passphrase for certificates at the terminal,
you must turn on the httpd_tty_comm boolean. Disabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_tty_comm 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
unify HTTPD handling of all content files, you must turn on
the httpd_unified boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_unified 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to access cifs file systems, you must turn on
the httpd_use_cifs boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_use_cifs 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to access FUSE file systems, you must turn on
the httpd_use_fusefs boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_use_fusefs 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to run gpg, you must turn on the httpd_use_gpg
boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_use_gpg 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to access nfs file systems, you must turn on the
httpd_use_nfs boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_use_nfs 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to use opencryptoki, you must turn on the
httpd_use_opencryptoki boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_use_opencryptoki 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to access openstack ports, you must turn on the
httpd_use_openstack boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_use_openstack 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow httpd to connect to sasl, you must turn on the
httpd_use_sasl boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_use_sasl 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to query NS records, you must turn on the
httpd_verify_dns boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_verify_dns 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
dontaudit all daemons scheduling requests (setsched,
sys_nice), you must turn on the daemons_dontaudit_scheduling
boolean. Enabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
daemons_dontaudit_scheduling 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
deny any process from ptracing or debugging any other
processes, you must turn on the deny_ptrace boolean.
Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
deny_ptrace 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow all domains to execute in fips_mode, you must turn on
the fips_mode boolean. Enabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
fips_mode 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
determine whether Git system daemon can access cifs file
systems, you must turn on the git_system_use_cifs boolean.
Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
git_system_use_cifs 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
determine whether Git system daemon can access nfs file
systems, you must turn on the git_system_use_nfs boolean.
Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
git_system_use_nfs 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow confined applications to run with kerberos, you must
turn on the kerberos_enabled boolean. Enabled by
default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
kerberos_enabled 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
nis_enabled 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
support NFS home directories, you must turn on the
use_nfs_home_dirs boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
use_nfs_home_dirs 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
support SAMBA home directories, you must turn on the
use_samba_home_dirs boolean. Disabled by default.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
use_samba_home_dirs 1</b></p>

<h2>NSSWITCH DOMAIN
<a name="NSSWITCH DOMAIN"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">If you want to
allow users to resolve user passwd entries directly from
ldap rather then using a sssd server for the httpd_t, you
must turn on the authlogin_nsswitch_use_ldap boolean.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
authlogin_nsswitch_use_ldap 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow confined applications to run with kerberos for the
httpd_t, you must turn on the kerberos_enabled boolean.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
kerberos_enabled 1</b></p>

<h2>PORT TYPES
<a name="PORT TYPES"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux defines
port types to represent TCP and UDP ports.</p>

<p style="margin-left:11%; margin-top: 1em">You can see the
types associated with a port by using the following
command:</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
port -l</b></p>

<p style="margin-left:11%; margin-top: 1em">Policy governs
the access confined processes have to these ports. SELinux
httpd policy is very flexible allowing users to setup their
httpd processes in as secure a method as possible.</p>

<p style="margin-left:11%; margin-top: 1em">The following
port types are defined for httpd: <b><br>
http_cache_port_t</b></p>

<p style="margin-left:11%; margin-top: 1em">Default Defined
Ports:</p>

<p style="margin-left:26%;">tcp 8080,8118,8123,10001-10010
<br>
udp 3130</p>

<p style="margin-left:11%;"><b>http_port_t</b></p>

<p style="margin-left:11%; margin-top: 1em">Default Defined
Ports:</p>

<p style="margin-left:26%;">tcp
80,81,443,488,8008,8009,8443,9000</p>

<h2>MANAGED FILES
<a name="MANAGED FILES"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">The SELinux
process type httpd_t can manage files labeled with the
following file types. The paths listed are the default paths
for these file types. Note the processes UID still need to
have DAC permissions.</p>


<p style="margin-left:11%; margin-top: 1em"><b>abrt_retrace_spool_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/spool/faf(/.*)?
<br>
/var/spool/abrt-retrace(/.*)? <br>
/var/spool/retrace-server(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>cifs_t</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>cluster_conf_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/etc/cluster(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>cluster_var_lib_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/pcsd(/.*)?
<br>
/var/lib/cluster(/.*)? <br>
/var/lib/openais(/.*)? <br>
/var/lib/pengine(/.*)? <br>
/var/lib/corosync(/.*)? <br>
/usr/lib/heartbeat(/.*)? <br>
/var/lib/heartbeat(/.*)? <br>
/var/lib/pacemaker(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>cluster_var_run_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/crm(/.*)?
<br>
/var/run/cman_.* <br>
/var/run/rsctmp(/.*)? <br>
/var/run/aisexec.* <br>
/var/run/heartbeat(/.*)? <br>
/var/run/pcsd-ruby.socket <br>
/var/run/corosync-qnetd(/.*)? <br>
/var/run/corosync-qdevice(/.*)? <br>
/var/run/pcsd.socket <br>
/var/run/corosync.pid <br>
/var/run/cpglockd.pid <br>
/var/run/rgmanager.pid <br>
/var/run/cluster/rgmanager.sk</p>


<p style="margin-left:11%; margin-top: 1em"><b>cobbler_var_lib_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/cobbler(/.*)?
<br>
/var/www/cobbler(/.*)? <br>
/var/cache/cobbler(/.*)? <br>
/var/lib/tftpboot/etc(/.*)? <br>
/var/lib/tftpboot/ppc(/.*)? <br>
/var/lib/tftpboot/boot(/.*)? <br>
/var/lib/tftpboot/grub(/.*)? <br>
/var/lib/tftpboot/s390x(/.*)? <br>
/var/lib/tftpboot/images(/.*)? <br>
/var/lib/tftpboot/aarch64(/.*)? <br>
/var/lib/tftpboot/images2(/.*)? <br>
/var/lib/tftpboot/pxelinux.cfg(/.*)? <br>
/var/lib/tftpboot/yaboot <br>
/var/lib/tftpboot/memdisk <br>
/var/lib/tftpboot/menu.c32 <br>
/var/lib/tftpboot/pxelinux.0</p>


<p style="margin-left:11%; margin-top: 1em"><b>dirsrv_config_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/etc/dirsrv(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>dirsrv_var_log_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/log/dirsrv(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>dirsrv_var_run_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/slapd.*
<br>
/var/run/dirsrv(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>dirsrvadmin_config_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/etc/dirsrv/dsgw(/.*)?
<br>
/etc/dirsrv/admin-serv(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>dirsrvadmin_tmp_t</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>fusefs_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/user/[0-9]+/gvfs</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_cache_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/cache/rt(3|4)(/.*)?
<br>
/var/cache/ssl.*.sem <br>
/var/cache/mod_.* <br>
/var/cache/php-.* <br>
/var/cache/httpd(/.*)? <br>
/var/cache/mason(/.*)? <br>
/var/cache/nginx(/.*)? <br>
/var/cache/mod_ssl(/.*)? <br>
/var/cache/lighttpd(/.*)? <br>
/var/cache/mediawiki(/.*)? <br>
/var/cache/mod_proxy(/.*)? <br>
/var/cache/mod_gnutls(/.*)? <br>
/var/cache/php-mmcache(/.*)? <br>
/var/cache/php-eaccelerator(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_lock_t</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_squirrelmail_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/squirrelmail/prefs(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_tmp_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/user/apache(/.*)?
<br>
/var/www/openshift/console/tmp(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_tmpfs_t</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_user_rw_content_t</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_var_lib_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/rt(3|4)/data/RT-Shredder(/.*)?
<br>
/var/lib/dav(/.*)? <br>
/var/lib/php(/.*)? <br>
/var/lib/glpi(/.*)? <br>
/var/lib/httpd(/.*)? <br>
/var/lib/nginx(/.*)? <br>
/var/lib/z-push(/.*)? <br>
/var/lib/ganglia(/.*)? <br>
/var/lib/ipsilon(/.*)? <br>
/var/lib/cherokee(/.*)? <br>
/var/lib/lighttpd(/.*)? <br>
/var/lib/mod_security(/.*)? <br>
/var/lib/roundcubemail(/.*)? <br>
/var/opt/rh/rh-nginx18/lib/nginx(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_var_run_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/mod_.*
<br>
/var/run/wsgi.* <br>
/var/run/httpd.* <br>
/var/run/nginx.* <br>
/var/run/apache.* <br>
/var/run/php-fpm(/.*)? <br>
/var/run/fcgiwrap(/.*)? <br>
/var/run/lighttpd(/.*)? <br>
/var/lib/php/session(/.*)? <br>
/var/lib/php/wsdlcache(/.*)? <br>
/var/run/dirsrv/admin-serv.* <br>
/var/opt/rh/rh-nginx18/run/nginx(/.*)? <br>
/var/www/openshift/broker/httpd/run(/.*)? <br>
/var/www/openshift/console/httpd/run(/.*)? <br>
/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? <br>
/var/run/thttpd.pid <br>
/var/run/gcache_port <br>
/var/run/cherokee.pid</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpdcontent</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>hugetlbfs_t</b></p>

<p style="margin-left:11%; margin-top: 1em">/dev/hugepages
<br>
/usr/lib/udev/devices/hugepages</p>


<p style="margin-left:11%; margin-top: 1em"><b>insights_client_tmp_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/tmp/insights-client(/.*)?
<br>
/tmp/insights-client.ppid <br>
/var/tmp/insights-client.ppid</p>


<p style="margin-left:11%; margin-top: 1em"><b>jetty_cache_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/cache/jetty(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>jetty_log_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/log/jetty(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>jetty_tmp_t</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>jetty_unit_file_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/usr/lib/systemd/system/jetty.service</p>


<p style="margin-left:11%; margin-top: 1em"><b>jetty_var_lib_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/jetty(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>jetty_var_run_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/jetty(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>krb5_host_rcache_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/tmp/krb5_0.rcache2
<br>
/var/cache/krb5rcache(/.*)? <br>
/var/tmp/nfs_0 <br>
/var/tmp/DNS_25 <br>
/var/tmp/host_0 <br>
/var/tmp/imap_0 <br>
/var/tmp/HTTP_23 <br>
/var/tmp/HTTP_48 <br>
/var/tmp/ldap_55 <br>
/var/tmp/ldap_487 <br>
/var/tmp/ldapmap1_0</p>


<p style="margin-left:11%; margin-top: 1em"><b>memcached_var_run_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/memcached(/.*)?
<br>
/var/run/ipa_memcached(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>mirrormanager_var_run_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/mirrormanager(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>named_cache_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/named/data(/.*)?
<br>
/var/lib/softhsm(/.*)? <br>
/var/lib/unbound(/.*)? <br>
/var/named/slaves(/.*)? <br>
/var/named/dynamic(/.*)? <br>
/var/named/chroot/var/tmp(/.*)? <br>
/var/named/chroot/var/named/data(/.*)? <br>
/var/named/chroot/var/named/slaves(/.*)? <br>
/var/named/chroot/var/named/dynamic(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>nfs_t</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>passenger_tmp_t</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>passenger_var_lib_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/passenger(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>passenger_var_run_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/passenger(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>pkcs_slotd_lock_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lock/opencryptoki(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>pkcs_slotd_tmpfs_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/dev/shm/var.lib.opencryptoki.*</p>


<p style="margin-left:11%; margin-top: 1em"><b>pkcs_slotd_var_lib_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/opencryptoki(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>pki_apache_config</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>pki_apache_var_lib</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>pki_apache_var_log</b></p>


<p style="margin-left:11%; margin-top: 1em"><b>postfix_spool_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/spool/postfix.*
<br>
/var/spool/postfix/defer(/.*)? <br>
/var/spool/postfix/flush(/.*)? <br>
/var/spool/postfix/deferred(/.*)? <br>
/var/spool/postfix/maildrop(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>preupgrade_data_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/preupgrade(/.*)?
<br>
/var/log/preupgrade(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>root_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
<br>
/ <br>
/initrd</p>


<p style="margin-left:11%; margin-top: 1em"><b>security_t</b></p>

<p style="margin-left:11%; margin-top: 1em">/selinux</p>


<p style="margin-left:11%; margin-top: 1em"><b>squirrelmail_spool_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/spool/squirrelmail(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>systemd_passwd_var_run_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/run/systemd/ask-password(/.*)?
<br>
/var/run/systemd/ask-password-block(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>zarafa_var_lib_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/zarafa(/.*)?
<br>
/var/lib/zarafa-webapp(/.*)? <br>
/var/lib/zarafa-webaccess(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>zoneminder_var_lib_t</b></p>


<p style="margin-left:11%; margin-top: 1em">/var/lib/zoneminder(/.*)?</p>

<h2>FILE CONTEXTS
<a name="FILE CONTEXTS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">SELinux
requires files to have an extended attribute to define the
file type.</p>

<p style="margin-left:11%; margin-top: 1em">You can see the
context of a file using the <b>&minus;Z</b> option to
<b>ls</b></p>

<p style="margin-left:11%; margin-top: 1em">Policy governs
the access confined processes have to these files. SELinux
httpd policy is very flexible allowing users to setup their
httpd processes in as secure a method as possible.</p>

<p style="margin-left:11%; margin-top: 1em"><b>EQUIVALENCE
DIRECTORIES</b></p>

<p style="margin-left:11%; margin-top: 1em">httpd policy
stores data with multiple different file context types under
the /var/lib/php directory. If you would like to store the
data in a different directory you can use the semanage
command to create an equivalence mapping. If you wanted to
store this data under the /srv directory you would execute
the following command:</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext -a -e /var/lib/php /srv/php <br>
restorecon -R -v /srv/php</b></p>

<p style="margin-left:11%; margin-top: 1em">httpd policy
stores data with multiple different file context types under
the /var/www directory. If you would like to store the data
in a different directory you can use the semanage command to
create an equivalence mapping. If you wanted to store this
data under the /srv directory you would execute the
following command:</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext -a -e /var/www /srv/www <br>
restorecon -R -v /srv/www</b></p>

<p style="margin-left:11%; margin-top: 1em"><b>STANDARD
FILE CONTEXT</b></p>

<p style="margin-left:11%; margin-top: 1em">SELinux defines
the file context types for the httpd, if you wanted to store
files with these types in a different paths, you need to
execute the semanage command to specify alternate labeling
and then use restorecon to put the labels on disk.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext -a -t httpd_var_run_t
&rsquo;/srv/myhttpd_content(/.*)?&rsquo; <br>
restorecon -R -v /srv/myhttpd_content</b></p>

<p style="margin-left:11%; margin-top: 1em">Note: SELinux
often uses regular expressions to specify labels that match
multiple files.</p>

<p style="margin-left:11%; margin-top: 1em"><i>The
following file types are defined for httpd:</i></p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_cache_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_cache_t type, if you want to store the files
under the /var/cache directory. <br>
Paths:</p>

<p style="margin-left:18%;">/var/cache/rt(3|4)(/.*)?,
/var/cache/ssl.*.sem, /var/cache/mod_.*, /var/cache/php-.*,
/var/cache/httpd(/.*)?, /var/cache/mason(/.*)?,
/var/cache/nginx(/.*)?, /var/cache/mod_ssl(/.*)?,
/var/cache/lighttpd(/.*)?, /var/cache/mediawiki(/.*)?,
/var/cache/mod_proxy(/.*)?, /var/cache/mod_gnutls(/.*)?,
/var/cache/php-mmcache(/.*)?,
/var/cache/php-eaccelerator(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_config_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_config_t type, if you want to treat the files
as httpd configuration data, usually stored under the /etc
directory. <br>
Paths:</p>

<p style="margin-left:18%;">/etc/httpd(/.*)?,
/etc/nginx(/.*)?, /etc/apache(2)?(/.*)?,
/etc/cherokee(/.*)?, /etc/lighttpd(/.*)?,
/etc/apache-ssl(2)?(/.*)?,
/var/lib/openshift/.httpd.d(/.*)?,
/etc/opt/rh/rh-nginx18/nginx(/.*)?,
/var/lib/stickshift/.httpd.d(/.*)?, /etc/vhosts,
/etc/thttpd.conf</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_exec_t type, if you want to transition an
executable to the httpd_t domain. <br>
Paths:</p>

<p style="margin-left:18%;">/usr/sbin/httpd(.worker)?,
/usr/sbin/apache(2)?, /usr/lib/apache-ssl/.+,
/usr/sbin/apache-ssl(2)?, /usr/sbin/nginx, /usr/sbin/thttpd,
/usr/sbin/php-fpm, /usr/sbin/cherokee, /usr/sbin/lighttpd,
/usr/sbin/apachectl, /usr/sbin/httpd.event,
/usr/bin/mongrel_rails, /usr/sbin/htcacheclean</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_helper_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_helper_exec_t type, if you want to transition
an executable to the httpd_helper_t domain.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_initrc_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_initrc_exec_t type, if you want to transition
an executable to the httpd_initrc_t domain. <br>
Paths:</p>

<p style="margin-left:18%;">/etc/init.d/cherokee,
/etc/rc.d/init.d/httpd, /etc/rc.d/init.d/lighttpd</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_keytab_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_keytab_t type, if you want to treat the files
as kerberos keytab files.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_lock_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_lock_t type, if you want to treat the files
as httpd lock data, stored under the /var/lock directory</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_log_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_log_t type, if you want to treat the data as
httpd log data, usually stored under the /var/log directory.
<br>
Paths:</p>

<p style="margin-left:18%;">/srv/([^/]*/)?www/logs(/.*)?,
/var/www(/.*)?/logs(/.*)?, /var/log/glpi(/.*)?,
/var/log/cacti(/.*)?, /var/log/httpd(/.*)?,
/var/log/nginx(/.*)?, /var/log/apache(2)?(/.*)?,
/var/log/horizon(/.*)?, /var/log/php-fpm(/.*)?,
/var/log/cherokee(/.*)?, /var/log/lighttpd(/.*)?,
/var/log/suphp.log.*, /var/log/thttpd.log.*,
/var/log/apache-ssl(2)?(/.*)?, /var/log/cgiwrap.log.*,
/var/www/stickshift/[^/]*/log(/.*)?,
/var/log/graphite-web(/.*)?, /var/www/miq/vmdb/log(/.*)?,
/var/log/roundcubemail(/.*)?, /var/log/php_errors.log.*,
/var/log/dirsrv/admin-serv(/.*)?,
/var/opt/rh/rh-nginx18/log(/.*)?,
/var/lib/openshift/.log/httpd(/.*)?,
/var/www/openshift/console/log(/.*)?,
/var/www/openshift/broker/httpd/logs(/.*)?,
/var/www/openshift/console/httpd/logs(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_modules_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_modules_t type, if you want to treat the
files as httpd modules. <br>
Paths:</p>

<p style="margin-left:18%;">/usr/lib/httpd(/.*)?,
/usr/lib/apache(/.*)?, /usr/lib/cherokee(/.*)?,
/usr/lib/lighttpd(/.*)?, /usr/lib/apache2/modules(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_passwd_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_passwd_exec_t type, if you want to transition
an executable to the httpd_passwd_t domain.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_php_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_php_exec_t type, if you want to transition an
executable to the httpd_php_t domain.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_php_tmp_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_php_tmp_t type, if you want to store httpd
php temporary files in the /tmp directories.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_rotatelogs_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_rotatelogs_exec_t type, if you want to
transition an executable to the httpd_rotatelogs_t
domain.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_squirrelmail_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_squirrelmail_t type, if you want to treat the
files as httpd squirrelmail data.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_suexec_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_suexec_exec_t type, if you want to transition
an executable to the httpd_suexec_t domain. <br>
Paths:</p>


<p style="margin-left:18%;">/usr/lib/apache(2)?/suexec(2)?,
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?, /usr/sbin/suexec</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_suexec_tmp_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_suexec_tmp_t type, if you want to store httpd
suexec temporary files in the /tmp directories.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_sys_content_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_sys_content_t type, if you want to treat the
files as httpd sys content. <br>
Paths:</p>

<p style="margin-left:18%;">/srv/([^/]*/)?www(/.*)?,
/var/www(/.*)?, /etc/htdig(/.*)?, /srv/gallery2(/.*)?,
/var/lib/trac(/.*)?, /var/lib/htdig(/.*)?,
/var/www/icons(/.*)?, /usr/share/glpi(/.*)?,
/usr/share/htdig(/.*)?, /usr/share/drupal.*,
/usr/share/z-push(/.*)?, /var/www/svn/conf(/.*)?,
/usr/share/icecast(/.*)?, /var/lib/cacti/rra(/.*)?,
/usr/share/ntop/html(/.*)?, /usr/share/nginx/html(/.*)?,
/usr/share/doc/ghc/html(/.*)?,
/usr/share/openca/htdocs(/.*)?,
/usr/share/selinux-policy[^/]*/html(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_sys_htaccess_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_sys_htaccess_t type, if you want to treat the
file as a httpd sys access file.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_sys_ra_content_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_sys_ra_content_t type, if you want to treat
the files as httpd sys read/append content.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_sys_rw_content_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_sys_rw_content_t type, if you want to treat
the files as httpd sys read/write content. <br>
Paths:</p>

<p style="margin-left:18%;">/etc/rt(/.*)?, /etc/glpi(/.*)?,
/etc/horde(/.*)?, /etc/drupal.*, /etc/z-push(/.*)?,
/var/lib/svn(/.*)?, /var/www/svn(/.*)?, /etc/owncloud(/.*)?,
/var/www/html(/.*)?/uploads(/.*)?,
/var/www/html(/.*)?/wp-content(/.*)?,
/var/www/html(/.*)?/wp_backups(/.*)?,
/var/www/html(/.*)?/sites/default/files(/.*)?,
/var/www/html(/.*)?/sites/default/settings.php,
/etc/mock/koji(/.*)?, /etc/nextcloud(/.*)?,
/var/lib/drupal.*, /etc/zabbix/web(/.*)?,
/var/lib/moodle(/.*)?, /var/log/z-push(/.*)?,
/var/spool/gosa(/.*)?, /etc/WebCalendar(/.*)?,
/usr/share/joomla(/.*)?, /var/lib/dokuwiki(/.*)?,
/var/lib/owncloud(/.*)?, /var/spool/viewvc(/.*)?,
/var/lib/nextcloud(/.*)?, /var/lib/pootle/po(/.*)?,
/var/lib/phpMyAdmin(/.*)?, /var/www/moodledata(/.*)?,
/srv/gallery2/smarty(/.*)?, /var/www/moodle/data(/.*)?,
/var/lib/graphite-web(/.*)?, /var/log/shibboleth-www(/.*)?,
/var/www/gallery/albums(/.*)?,
/var/www/html/owncloud/data(/.*)?,
/var/www/html/nextcloud/data(/.*)?,
/usr/share/wordpress-mu/wp-content(/.*)?,
/usr/share/wordpress/wp-content/upgrade(/.*)?,
/usr/share/wordpress/wp-content/uploads(/.*)?,
/var/www/html/configuration.php</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_sys_script_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_sys_script_exec_t type, if you want to
transition an executable to the httpd_sys_script_t domain.
<br>
Paths:</p>

<p style="margin-left:18%;">/opt/.*.cgi, /usr/.*.cgi,
/var/www/[^/]*/cgi-bin(/.*)?, /var/www/perl(/.*)?,
/var/www/html/[^/]*/cgi-bin(/.*)?, /usr/lib/cgi-bin(/.*)?,
/var/www/cgi-bin(/.*)?, /var/www/svn/hooks(/.*)?,
/usr/share/wordpress/.*.php, /usr/local/nagios/sbin(/.*)?,
/usr/share/wordpress/wp-includes/.*.php,
/usr/share/wordpress-mu/wp-config.php</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_tmp_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_tmp_t type, if you want to store httpd
temporary files in the /tmp directories. <br>
Paths:</p>

<p style="margin-left:18%;">/var/run/user/apache(/.*)?,
/var/www/openshift/console/tmp(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_tmpfs_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_tmpfs_t type, if you want to store httpd
files on a tmpfs file system.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_unconfined_script_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_unconfined_script_exec_t type, if you want to
transition an executable to the httpd_unconfined_script_t
domain.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_unit_file_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_unit_file_t type, if you want to treat the
files as httpd unit content. <br>
Paths:</p>


<p style="margin-left:18%;">/usr/lib/systemd/system/httpd.*,
/usr/lib/systemd/system/nginx.*,
/usr/lib/systemd/system/thttpd.*,
/usr/lib/systemd/system/php-fpm.*</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_user_content_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_user_content_t type, if you want to treat the
files as httpd user content.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_user_htaccess_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_user_htaccess_t type, if you want to treat
the file as a httpd user access file.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_user_ra_content_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_user_ra_content_t type, if you want to treat
the files as httpd user read/append content.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_user_rw_content_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_user_rw_content_t type, if you want to treat
the files as httpd user read/write content.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_user_script_exec_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_user_script_exec_t type, if you want to
transition an executable to the httpd_user_script_t
domain.</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_var_lib_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_var_lib_t type, if you want to store the
httpd files under the /var/lib directory. <br>
Paths:</p>


<p style="margin-left:18%;">/var/lib/rt(3|4)/data/RT-Shredder(/.*)?,
/var/lib/dav(/.*)?, /var/lib/php(/.*)?, /var/lib/glpi(/.*)?,
/var/lib/httpd(/.*)?, /var/lib/nginx(/.*)?,
/var/lib/z-push(/.*)?, /var/lib/ganglia(/.*)?,
/var/lib/ipsilon(/.*)?, /var/lib/cherokee(/.*)?,
/var/lib/lighttpd(/.*)?, /var/lib/mod_security(/.*)?,
/var/lib/roundcubemail(/.*)?,
/var/opt/rh/rh-nginx18/lib/nginx(/.*)?</p>


<p style="margin-left:11%; margin-top: 1em"><b>httpd_var_run_t</b></p>

<p style="margin-left:11%; margin-top: 1em">- Set files
with the httpd_var_run_t type, if you want to store the
httpd files under the /run or /var/run directory. <br>
Paths:</p>

<p style="margin-left:18%;">/var/run/mod_.*,
/var/run/wsgi.*, /var/run/httpd.*, /var/run/nginx.*,
/var/run/apache.*, /var/run/php-fpm(/.*)?,
/var/run/fcgiwrap(/.*)?, /var/run/lighttpd(/.*)?,
/var/lib/php/session(/.*)?, /var/lib/php/wsdlcache(/.*)?,
/var/run/dirsrv/admin-serv.*,
/var/opt/rh/rh-nginx18/run/nginx(/.*)?,
/var/www/openshift/broker/httpd/run(/.*)?,
/var/www/openshift/console/httpd/run(/.*)?,
/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?,
/var/run/thttpd.pid, /var/run/gcache_port,
/var/run/cherokee.pid</p>

<p style="margin-left:11%; margin-top: 1em">Note: File
context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need
to use the <b>semanage fcontext</b> command. This will
modify the SELinux labeling database. You will need to use
<b>restorecon</b> to apply the labels.</p>

<h2>SHARING FILES
<a name="SHARING FILES"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">If you want to
share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and
public_content_rw_t. These context allow any of the above
domains to read the content. If you want a particular domain
to write to the public_content_rw_t domain, you must set the
appropriate boolean. <br>
Allow httpd servers to read the /var/httpd directory by
adding the <br>
public_content_t file type to the directory and by restoring
the file <br>
type.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext -a -t public_content_t &quot;/var/httpd(/.*)?&quot;
<br>
restorecon -F -R -v /var/httpd</b> <br>
Allow httpd servers to read and write /var/httpd/incoming by
adding the <br>
public_content_rw_t type to the directory and by restoring
the file <br>
type. You also need to turn on the httpd_anon_write
boolean.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext -a -t public_content_rw_t
&quot;/var/httpd/incoming(/.*)?&quot; <br>
restorecon -F -R -v /var/httpd/incoming <br>
setsebool -P httpd_anon_write 1</b></p>

<p style="margin-left:11%; margin-top: 1em">If you want to
allow Apache to modify public files used for public file
transfer services. Directories/Files must be labeled
public_content_rw_t., you must turn on the httpd_anon_write
boolean.</p>

<p style="margin-left:11%; margin-top: 1em"><b>setsebool -P
httpd_anon_write 1</b></p>

<h2>COMMANDS
<a name="COMMANDS"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em"><b>semanage
fcontext</b> can also be used to manipulate default file
context mappings.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
permissive</b> can also be used to manipulate whether or not
a process type is permissive.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
module</b> can also be used to enable/disable/install/remove
policy modules.</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
port</b> can also be used to manipulate the port
definitions</p>

<p style="margin-left:11%; margin-top: 1em"><b>semanage
boolean</b> can also be used to manipulate the booleans</p>


<p style="margin-left:11%; margin-top: 1em"><b>system-config-selinux</b>
is a GUI tool available to customize SELinux policy
settings.</p>

<h2>AUTHOR
<a name="AUTHOR"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">This manual
page was auto-generated using <b>sepolicy manpage .</b></p>

<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>


<p style="margin-left:11%; margin-top: 1em">selinux(8),
httpd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
setsebool(8), httpd_helper_selinux(8),
httpd_passwd_selinux(8), httpd_php_selinux(8),
httpd_rotatelogs_selinux(8), httpd_suexec_selinux(8),
httpd_sys_script_selinux(8),
httpd_unconfined_script_selinux(8),
httpd_user_script_selinux(8)</p>
<hr>
</body>
</html>