On 8/2/20 5:27 PM, info@xxxxxxxxxxxx wrote:
> Hello,
>
> I have set the httpd_unified boolean to on, and the httpd files are marked as
> httpd_sys_content_t. But when I create files by php fpm, the files are
> created as httpd_sys_rw_content_t. Why is it not httpd_sys_content_t if I
> have this boolean enabled?
>

Hi,

This behavior is expected. When you allowed the httpd_sys_unified boolean, you allowed files (with label httpd_sys_rw_content_t) to be created in a directory labeled as httpd_sys_content_t.

Here is the transition rule:

$ sesearch -T -s httpd_t -c file | grep httpd_sys_content
type_transition httpd_t httpd_sys_content_t:file httpd_sys_rw_content_t; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True

-T -> Looking for transition rules
-s -> source context (in your case label of php fpm)
-c -> class, in this case file

Output says: When one of the booleans is in true state, any process labeled as httpd_t can create files with label httpd_sys_rw_content_t in any directory labeled as httpd_sys_content_t.

I hope this helped.

Thanks,
Lukas.

> It's on a fully updated CentOS 8 box.
>
> Thanks,
> Filip Bartmann
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
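Added example, not part of the original message or of any SELinux tool: a small Python parser for the `sesearch -T` line quoted above that evaluates its bracketed conditional against a set of boolean states and returns the type a newly created file receives. It assumes the conditional uses only `!`, `&&`, `||` and parentheses; the `&&` operators in the quoted rule mean it is active only when all three booleans are on.

```python
import re

# Rule line copied from the sesearch output quoted in the message above.
SESEARCH_LINE = (
    "type_transition httpd_t httpd_sys_content_t:file httpd_sys_rw_content_t; "
    "[ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True"
)
RULE_RE = re.compile(
    r"type_transition\s+(?P<source>\S+)\s+(?P<parent>[^\s:]+):(?P<tclass>\S+)\s+"
    r"(?P<new>[^\s;]+);(?:\s*\[\s*(?P<cond>.*?)\s*\]:(?P<branch>True|False))?")

def eval_cond(expr, booleans):
    """Evaluate a conditional built from boolean names, !, &&, || and parentheses."""
    tokens = re.findall(r"&&|\|\||[()!]|\w+", expr)
    def atom():
        tok = tokens.pop(0)
        if tok == "!":
            return not atom()
        if tok == "(":
            val = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')' in: " + expr)
            return val
        return bool(booleans[tok])  # KeyError: state for this boolean not supplied
    def binary(op, operand, combine):
        val = operand()
        while tokens[:1] == [op]:
            tokens.pop(0)
            val = combine(val, operand())
        return val
    def and_expr():
        return binary("&&", atom, lambda a, b: a and b)
    def or_expr():
        return binary("||", and_expr, lambda a, b: a or b)
    result = or_expr()
    if tokens:
        raise ValueError("unsupported operator in: " + expr)
    return result

def label_for_new_file(line, booleans):
    """Type given to an object the source domain creates in the parent type."""
    rule = RULE_RE.match(line.strip())
    if rule is None:
        raise ValueError("not a type_transition rule: " + line)
    active = rule["cond"] is None or (
        eval_cond(rule["cond"], booleans) == (rule["branch"] == "True"))
    # Without an active transition rule the new file inherits the directory's type.
    return rule["new"] if active else rule["parent"]
```

On a live system the boolean states passed in would be read with `getsebool`.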