On Tue, Nov 19, 2024 at 6:10 PM justina colmena ~biz <justina@xxxxxxxxxxx> wrote:
>
> On 11/19/24 13:09, Jeffrey Walton via selinux wrote:
> > So systemd needs write access to /var/ftc-data.
> >
> > Would someone help me understand what SELinux context should be for
> > /var/ftc-data, please?
> >
> > Thanks in advance.
>
> So what context is systemd running as when it needs to write those files?
>
> And what audit messages are generated on the failed attempts to write?

OK, so I zeroed in on one of them in the log file. In the entry below, I am
trying to fetch one of the data files using the URL
<https://www.example.com/ftc-data/2024-11-19.csv.xz>.

<SNIP>
# cat /var/log/audit/audit.log | audit2why
...
type=AVC msg=audit(1732061270.500:145): avc: denied { read } for pid=1109 comm="nginx" name="2024-11-19.csv.xz" dev="dm-0" ino=8827640 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
</SNIP>

But I don't think the answer is an allow rule. I _think_ /var/ftc-data
needs to use httpd_sys_content_t, not var_t.

> And then you need an selinux policy to set those contexts for the files
> and/or parent directories or else everything just gets clobbered all
> over again on updates or file system relabels.

Got it.

> Other than that I am not an expert and that is about all I can say on
> the subject. If anyone else cares to elaborate. Planning to move from
> CentOS to Fedora with, of course, selinux enforcing, so I will be
> dealing with similar issues very soon.

Good luck when you migrate.
Jeff

--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
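Added example (not part of the thread, and not code from any participant): a small POSIX shell script that pulls the relevant fields out of an AVC record like the one quoted above, decides whether the denial is the "web content sitting in var_t" pattern rather than something an allow rule should paper over, and prints the persistent relabel commands (semanage fcontext plus restorecon) instead of running audit2allow. The sample record is a constructed copy of the one in the message; the path /var/ftc-data and the target type httpd_sys_content_t are taken from the thread, and the helper names are my own.

```shell
#!/bin/sh
# Constructed sample: an AVC record shaped like the one quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1732061270.500:145): avc: denied { read } for pid=1109 comm="nginx" name="2024-11-19.csv.xz" dev="dm-0" ino=8827640 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: print the value of KEY=VALUE (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms RECORD: print the permissions inside "{ ... }", e.g. "read".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field (third colon-separated part) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_relabel RECORD: "yes" when a web server domain is denied on an object that
# carries the generic var_t label, i.e. the file was never labelled as web content.
# Runs in a subshell so the scratch variables do not leak into the caller.
needs_relabel() (
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    case "$src:$tgt:$cls" in
        httpd_t:var_t:file|httpd_t:var_t:dir) echo yes ;;
        *) echo no ;;
    esac
)

# suggest_fix RECORD DIR: print the commands that label DIR persistently and apply
# the label, or say why no relabel is suggested. Nothing is executed here.
suggest_fix() {
    if [ "$(needs_relabel "$1")" = "yes" ]; then
        printf '# %s denied %s on %s (labelled %s); fix the label, not the policy:\n' \
            "$(avc_field "$1" comm)" "$(avc_perms "$1")" \
            "$(avc_field "$1" name)" "$(ctx_type "$(avc_field "$1" tcontext)")"
        printf "semanage fcontext -a -t httpd_sys_content_t '%s(/.*)?'\n" "$2"
        printf 'restorecon -Rv %s\n' "$2"
    else
        printf '# not the web-content-in-var_t pattern; review the record by hand\n'
    fi
}

# Stand-alone run: read records from stdin if given, else use the sample.
if [ -t 0 ]; then
    suggest_fix "$AVC_SAMPLE" /var/ftc-data
else
    grep '^type=AVC' | while IFS= read -r rec; do
        suggest_fix "$rec" /var/ftc-data
    done
fi
```

Usage: `grep '^type=AVC' /var/log/audit/audit.log | sh avc-relabel.sh` prints one suggestion per record. The semanage rule survives updates and relabels because it lives in the file-context database; restorecon applies it to what is already on disk. Since nginx only needs read access here, httpd_sys_content_t is the right target; httpd_sys_rw_content_t exists for the case where the web server itself must write.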