I'm using this on my prod system:
/usr/share/nginx/html/wordpress/.*\.php                       all files  system_u:object_r:httpd_sys_script_exec_t:s0
/usr/share/nginx/html/wordpress/wp-content                    all files  system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/plugins(/.*)?      all files  system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/themes(/.*)?       all files  system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/upgrade(/.*)?      all files  system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/uploads(/.*)?      all files  system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-content/wflogs(/.*)?       all files  system_u:object_r:httpd_sys_rw_content_t:s0
/usr/share/nginx/html/wordpress/wp-includes/.*\.php           all files  system_u:object_r:httpd_sys_script_exec_t:s0
Adapt your paths and add your definitions as follows:
semanage fcontext -a -t httpd_sys_script_exec_t '/usr/share/nginx/html/wordpress/.*\.php'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/wordpress/wp-content/plugins(/.*)?'
...
yada yada
Then apply your changes by doing
restorecon -RFv '/usr/share/nginx/html/'
Check if your context is set properly
ls -laZ /usr/share/nginx/html/wordpress
On 8/31/20 7:01 AM, Roland Müller wrote:
Yes, I think so. The most important piece in the SELinux setup is the type, which is 'httpd_sys_rw_content_t', which steers the context transitions.
On Sun, 30 Aug 2020 at 18:35, Jason Long <hack3rcon@xxxxxxxxx> wrote:
Hello,
Is my WordPress directory protected by SELinux?
$ ls -lZ /var/www/wordpress/
total 484
drwxrwxr-x. 2 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0   6 Oct 30  2019 cgi-bin
-rwxrwxr-x. 1 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0  53 Oct 21  2019 googlee4e6cdb3b56c49dd.html
-rwxrwxr-x. 1 apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 405 Apr  3 22:42 index.php
Thank you.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
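Added example, not part of the thread: a shell check for the situation in the original question, where index.php itself carries httpd_sys_rw_content_t and so can be rewritten by the web server domain, whereas the scheme in the reply confines that type to wp-content. The function name writable_php and the sample listing are assumptions made here; the input format is the one GNU find prints with -printf '%Z %p\n'.

```shell
#!/bin/sh
# Report PHP files outside wp-content that are labelled httpd_sys_rw_content_t.
# stdin: one "<context> <path>" pair per line, e.g. from
#   find /var/www/wordpress -type f -printf '%Z %p\n'
# $1:    the WordPress root directory (hypothetical path in the sample below).
writable_php() {
    root=${1%/}
    while read -r ctx path; do
        case $path in
            "$root"/wp-content/*) continue ;;  # tree labelled rw on purpose
            *.php) ;;                          # candidate, checked below
            *) continue ;;                     # not PHP
        esac
        # A context is user:role:type:level; keep only the type field.
        type=${ctx#*:}
        type=${type#*:}
        type=${type%%:*}
        if [ "$type" = httpd_sys_rw_content_t ]; then
            printf '%s %s\n' "$type" "$path"
        fi
    done
}

# Constructed sample listing (not real output from any system).
sample_listing() {
cat <<'EOF'
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/wordpress/index.php
system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/wordpress/wp-login.php
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/wordpress/wp-includes/version.php
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/wordpress/googlee4e6cdb3b56c49dd.html
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/wordpress/wp-content/uploads/logo.png
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/wordpress/wp-content/plugins/demo/demo.php
EOF
}

# Run the check over the sample; on a real host pipe the find command in instead.
sample_listing | writable_php /var/www/wordpress
```

Any path it prints is a PHP file that needs a matching semanage fcontext rule followed by restorecon, as described in the reply.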