Re: SELinux is preventing httpd from create access

Thomas Mueller <thomas@xxxxxxxxxxxxxx> · Thu, 8 Nov 2018 11:06:01 +0100



    On 11/08/2018 10:51 AM, Mahmood Naderan
      wrote:

    
          Sorry Thomas, I made a mistake while pasting the path.
            The correct path is
          

          [root@sn html]# find . -name 

            
            ./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx

            
          [root@sn html]# 
          

    Don't understand what you want to say.

    
    ./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx

          
          is a relative path. not an absolute path.

        
          Do you still say that it is better to remove my-httpd?

          
    yes. but based on your absolute path to the directory where your
    httpd needs write access selinux fcontext --add requires an adjusted
    regex.

    
          Thing that I want to know is that, why selinux prevents
            that creation? Selinux suggests some commands to fix that.
            While the suggestion has no effect, it doesn't say about the
            root of the problem.
        
      
    because selinux is about preventing things that are not allowed.
    Httpd is normally exposed to the network and a good target for
    hackers. So the default policy gives the httpd the least privileges
    that are possible.

    
    audit2allow only works for easy problems. Your problem is that
    someone moved files form $HOME to /var/www . Move also moves SELinux
    filesystem labels. Now you've got files with wrong labels in
    /var/www. This is no easy problem to solve for a computer tool.

    
          The list of attributes regarding httpd are
        
      
        # semanage boolean -l | grep httpd
      
    
    booleans are not filesystems labels/types. What do you wanted to
    show with the list?

    
           On Thursday, November 8, 2018, 1:10:02 PM GMT+3:30,
            Thomas Mueller <thomas@xxxxxxxxxxxxxx> wrote: 
          

          I suspect someone copied moved files from $HOME to
            /var/www/html/* because user_home_t is no label for
            /var/www/html

          
                  I would propose you to:

                  
                  # remove your custom module

                  semodule -u my-httpd

                  
                  # add a local fcontext to the directory that httpd
                  needs read-write access

                  semanage fcontext \

                    --add \

                    --type httpd_sys_rw_content_t 

                    '/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'

                
                # reset all labels to default

                restorecon -rv /var/www

                
                - Thomas
            
            
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx