Update: I just read about Manually Customizing Policy Modules at this link: https://wiki.centos.org/HowTos/SELinux. I did not know I could use the .te file and modify it; this is great news. I kept encountering new issues as I would install new web applications, and I was not able to see the older issues anymore when using audit2allow against the logs. I understand now how to modify my local policies as I go, phew.

That said, here is my new policy that combines the previous two from my first message. I am running an NGINX web root and MariaDB data dir from a separate SSD mount point '/www'. I am using PHP-FPM for my application code and Redis for session caching.

Here is the policy I would like to roll with. It seems good to me, but I just wanted a second set of eyes to tell me what I may be missing.

module phpfpmlocal 1.1;

require {
	type redis_port_t;
	type httpd_t;
	type httpd_sys_content_t;
	class tcp_socket name_connect;
	class file { rename write create unlink setattr append };
	class dir { write rmdir setattr remove_name create add_name };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name };

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { rename write create unlink append setattr };

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t redis_port_t:tcp_socket name_connect;

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
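Added example, not part of the original post: a small check for a hand-edited .te file like the one above. It confirms that every type, class and permission used in an allow rule is declared in the require block, and groups the rules by the boolean that the audit2allow "#!!!!" comments name. The function names lint and perms are hypothetical, and the input is the module from the post laid out one statement per line.

```python
import re
# Constructed input: the module from the post, one statement per line.
POLICY = """\
module phpfpmlocal 1.1;
require {
    type redis_port_t;
    type httpd_t;
    type httpd_sys_content_t;
    class tcp_socket name_connect;
    class file { rename write create unlink setattr append };
    class dir { write rmdir setattr remove_name create add_name };
}
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { write rmdir setattr remove_name create add_name };
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { rename write create unlink append setattr };
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t redis_port_t:tcp_socket name_connect;
"""
PERMS = r"(\{[^}]*\}|\w+)"  # either "{ a b c }" or a single permission
TYPE = re.compile(r"^\s*type\s+(\w+);", re.M)
CLASS = re.compile(r"^\s*class\s+(\w+)\s+" + PERMS + ";", re.M)
ALLOW = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+" + PERMS + ";")
HINT = re.compile(r"#!!!! .*boolean '(\w+)'")

def perms(text):
    return set(text.strip("{} ").split())

def lint(te):
    """Return (undeclared-name problems, {boolean: [rules it would cover]})."""
    types = set(TYPE.findall(te))
    classes = {c: perms(p) for c, p in CLASS.findall(te)}
    problems, hints, pending = [], {}, None
    for line in map(str.strip, te.splitlines()):
        hint, rule = HINT.match(line), ALLOW.match(line)
        if hint:
            pending = hint.group(1)  # the hint applies to the next allow rule
        if not rule:
            continue
        src, tgt, cls, p = rule.groups()
        problems += [f"type {t} not in require" for t in (src, tgt) if t not in types]
        missing = perms(p) - classes.get(cls, set())
        if missing:
            problems.append(f"{cls}: {sorted(missing)} not in require")
        if pending:
            hints.setdefault(pending, []).append(f"{src} {tgt}:{cls}")
        pending = None
    return problems, hints
```

An empty problems list means the allow rules and the require block agree; the hints dictionary shows which rules audit2allow marked as coverable by an existing boolean.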