On Tue, Nov 19, 2024 at 8:53 PM justina colmena ~biz <justina@xxxxxxxxxxx> wrote:
>
> On 11/19/24 16:49, Jeffrey Walton wrote:
>
> > But I don't think the answer is an allow rule. I _think_ /var/ftc-data
> > needs to use httpd_sys_content_t, not var_t.
> The "httpd_sys_content_t" selinux context is usually defined in an
> selinux policy module dependency when apache is installed in fedora. I'm
> not sure anything specific has been developed for nginx per se. ymmv,
> whatever selinux policies have been developed and packaged for common
> server software. It's been a while, things are rather outdated now, but
> I believe I've had better luck installing apache and just not using it
> but leaving it installed while running nginx, because the selinux
> policies that have been developed in the past for apache usually "just
> work" with nginx, "httpd_sys_content_t" and everything, although I don't
> know that piggybacking too much software is the "right" solution either.

Yeah, I believe you're right about things just working with Nginx
because of Apache.

I did check things after the initial Nginx install, before any
modifications happened. Here's what I found:

  * default conf file is /etc/nginx/nginx.conf
  * default document root is /usr/share/nginx/html

And:

    # ls -Z /usr/share/nginx/html
    system_u:object_r:httpd_sys_content_t:s0 index.html
    system_u:object_r:httpd_sys_content_t:s0 nginx-logo.png
    ...

I believe "system_u:object_r:httpd_sys_content_t:s0" is the same as
Apache at /var/www/html (and friends). Indeed, when I created
/var/www/html and restorecon'd:

    # ls -Z /var/
    system_u:object_r:httpd_sys_content_t:s0 html
    ...
    # ls -Z /var/www/
    system_u:object_r:httpd_sys_content_t:s0 html

(There's probably a way to list the rules for /var/www(/.*)? (or
whatever that RE syntax is), but I don't know them).

Related, I recently added more topics to Fedora's docs on Nginx at
<https://fedoraproject.org/wiki/Nginx>. It touches on SELinux under
the section File Permissions.
Please feel free to make corrections.

Jeff
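
Added example, not part of the original messages: one way to list the file-context rules behind /var/www(/.*)? and to give a directory such as /var/ftc-data the httpd_sys_content_t type persistently, using semanage fcontext, matchpathcon and restorecon. The function names and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (function names and DRY_RUN are assumptions of this example).
# DRY_RUN=1 prints the commands that change state instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build the file-context regex for a directory and everything below it,
# in the same form as the policy's /var/www(/.*)? entry.
fcontext_spec() {
    case "$1" in
        /*) ;;
        *) echo "fcontext_spec: absolute path required: $1" >&2; return 1 ;;
    esac
    dir=${1%/}
    [ -n "$dir" ] || { echo "fcontext_spec: refusing to target /" >&2; return 1; }
    printf '%s(/.*)?\n' "$dir"
}

# Show the rules that mention a path, the label policy expects for it,
# and the label it carries on disk right now.
show_rules() {
    semanage fcontext -l | grep -F -- "$1"
    matchpathcon "$1"
    ls -Zd "$1"
}

# Record a persistent local rule for the directory, then relabel it.
# The type defaults to httpd_sys_content_t (read-only web content).
label_web_root() {
    spec=$(fcontext_spec "$1") || return 1
    ctype=${2:-httpd_sys_content_t}
    # -a adds a local rule; fall back to -m when one already exists.
    run semanage fcontext -a -t "$ctype" "$spec" ||
        run semanage fcontext -m -t "$ctype" "$spec" || return 1
    run restorecon -Rv "${1%/}"
}

# Usage, as root:
#   show_rules /var/www
#   DRY_RUN=1 label_web_root /var/ftc-data   # review the commands first
#   label_web_root /var/ftc-data
```

Because the rule is stored with semanage fcontext, a later restorecon or full relabel keeps the type instead of reverting the directory to var_t.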