Re: httpd and httpd_sys_content_t

On 8/2/20 5:27 PM, info@xxxxxxxxxxxx wrote:
> Hello,
> 
> I have set the httpd_unified boolean to on, and httpd files are marked as
> httpd_sys_content_t. But when I create files by php fpm, the files are
> created as httpd_sys_rw_content_t. Why is it not httpd_sys_content_t if I
> have this boolean enabled?
> 

Hi,

This behavior is expected. When you allowed the httpd_sys_unified boolean,
you allowed creating files (with label httpd_sys_rw_content_t) in a
directory labeled as httpd_sys_content_t.

Here is the transition rule:

$ sesearch -T -s httpd_t -c file | grep httpd_sys_content
type_transition httpd_t httpd_sys_content_t:file httpd_sys_rw_content_t;
[ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True

-T -> Looking for transition rules
-s -> source context (in your case label of php fpm)
-c -> class in this case file

The output says: when one of the booleans is in the true state, any process
labeled as httpd_t can create files with label httpd_sys_rw_content_t in
any directory labeled as httpd_sys_content_t.

I hope this helped.

Thanks,
Lukas.


> It's on CentOS 8 box fully updated.
> 
> Thanks,
> Filip Bartmann
> _______________________________________________
> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> 


-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.
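
An added example, not part of the original message: it parses the type_transition line quoted from sesearch above and works out which label a new file gets for a given set of boolean states. The function names and the boolean states are assumptions made for illustration, and the evaluator goes slightly beyond the quoted rule by also accepting `||` and `!`.

```python
import re

# Rule text as printed by sesearch in the message above, joined onto one line.
SESEARCH_OUTPUT = (
    "type_transition httpd_t httpd_sys_content_t:file httpd_sys_rw_content_t; "
    "[ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True"
)

RULE_RE = re.compile(
    r"type_transition\s+(?P<source>\S+)\s+(?P<parent>\S+):(?P<cls>\S+)\s+(?P<new>\S+);"
    r"(?:\s*\[\s*(?P<cond>.*?)\s*\]:(?P<branch>True|False))?"
)
OPERATORS = {"&&": "and", "||": "or", "!": "not", "(": "(", ")": ")"}


def parse_rule(text):
    """Split one sesearch type_transition line into its named parts."""
    match = RULE_RE.search(text)
    if match is None:
        raise ValueError("no type_transition rule found")
    return match.groupdict()


def condition_holds(cond, booleans):
    """Evaluate a condition built from boolean names, &&, ||, ! and parentheses."""
    tokens = re.findall(r"&&|\|\||!|\(|\)|\w+", cond)
    if "".join(tokens) != re.sub(r"\s+", "", cond):
        raise ValueError("unsupported operator in condition: " + cond)
    # Only whitelisted operators and True/False literals reach eval().
    expr = " ".join(OPERATORS.get(t) or str(bool(booleans[t])) for t in tokens)
    return eval(expr, {"__builtins__": {}})


def label_for_new_file(rule, creator, parent_dir_type, booleans, cls="file"):
    """Type of a new object: the rule's target type if the rule is active,
    otherwise the type inherited from the parent directory."""
    active = (rule["source"], rule["parent"], rule["cls"]) == (creator, parent_dir_type, cls)
    if active and rule["cond"] is not None:
        active = condition_holds(rule["cond"], booleans) == (rule["branch"] == "True")
    return rule["new"] if active else parent_dir_type


if __name__ == "__main__":
    rule = parse_rule(SESEARCH_OUTPUT)
    # Constructed boolean states, not read from a real host.
    state = {"httpd_builtin_scripting": True, "httpd_unified": True, "httpd_enable_cgi": True}
    print(label_for_new_file(rule, "httpd_t", "httpd_sys_content_t", state))
    state["httpd_unified"] = False
    print(label_for_new_file(rule, "httpd_t", "httpd_sys_content_t", state))
```

On a live host the boolean states would come from `getsebool -a` rather than a hand-written dictionary.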
