Re: SELinux Context for web server data files in another part of filesystem?

IDK, looks sort of like the NSA SELinux cops are going out on disability from that government employees' union with their top secret drop ceiling tiles, fluorescent lights, sound-deadening cubicle partitions, computer screen locks for authorized bathroom breaks, office worker performance metrics from the IT department, potted plants on the windowsills, commercial carpet, and, by the way, has the guy with the handtruck come to replace the five-gallon jug on the water cooler yet? Total zone-out in the whole office, or is that a bong in the other cubicle? Is there random drug testing at the SELinux workplace like they have at OpenBSD?

On 11/19/24 13:09, Jeffrey Walton via selinux wrote:
Hi Everyone,

I need a little help in determining the proper SELinux context for
data files served by Nginx. SELinux is in enforcing mode. The web
server static pages are at /var/www/html (for historic reasons). The
data files are in the filesystem in /var, but at /var/ftc-data.
There's also a soft symlink at /var/www/html/ftc-data that points to
/var/ftc-data.

/var/www/html is working as expected, but I am getting a 403 on the
data files and the data file directory. I.e., I get a 403 on
http://www.example.com/ftc-data, even though the directory is ugo+x.

The filesystem topology of interest is:

             +------+
             | /var |
             +------+
            /        \
           /          \
          /            \
        www          ftc-data
        /             |+ file1.dat
       /              |+ file2.dat
      /               |+ file3.dat
    html
     |+ index.html
     |+ symlink to ftc-data

/var/www and /var/www/html have
system_u:object_r:httpd_sys_content_t:s0. The web server is serving
the static html files Ok.

/var/ftc-data has unconfined_u:object_r:var_t:s0. I am not thrilled
about unconfined_u, and I am pretty sure var_t should be
httpd_sys_content_t.

The last wrinkle is, the data files get updated once a day using a
systemd timer. So systemd needs write access to /var/ftc-data.

Would someone help me understand what SELinux context should be for
/var/ftc-data, please?

Thanks in advance.
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
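The relabel that the quoted question asks for, as an added example; this is not code from the thread or from Fedora's own documentation. It assumes the Fedora/RHEL targeted policy with policycoreutils-python-utils installed (for semanage) and nginx running in the httpd_t domain, which is how the Fedora nginx package is labeled. The paths are the poster's; the ls -Z listings are constructed from the description in the question, not captured from a real host; find_unreadable and relabel_for_nginx are helper names chosen here.

```sh
#!/bin/sh
# Added example: label /var/ftc-data so nginx (httpd_t) can read it, then
# verify.  Assumes the Fedora/RHEL targeted policy; the ls -Z samples
# below are constructed from the question, not captured from a real host.
set -eu

DATA_DIR="/var/ftc-data"

# Types a confined httpd_t may read.  httpd_sys_rw_content_t also lets
# nginx WRITE, so it is the wrong choice for files that only a systemd
# timer updates; keep the web server read-only on this tree.
HTTPD_READABLE="httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t"

# find_unreadable: given `ls -Zd` style output ("user:role:type:level path"
# per line), print "path:type" for every entry whose type httpd_t cannot
# read.  Only the type field matters: under the targeted policy the SELinux
# user on a file (the unconfined_u the poster noticed) takes no part in
# the allow rules, so it explains nothing about the 403.
find_unreadable() {
    printf '%s\n' "$1" | awk -v allowed="$HTTPD_READABLE" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 { split($1, c, ":"); if (!(c[3] in ok)) print $2 ":" c[3] }'
}

# relabel_for_nginx: make the label persistent, then apply it.
relabel_for_nginx() {
    dir="$1"
    # Record the rule in the local file-context database so a later
    # restorecon or full relabel keeps it instead of reverting to var_t.
    semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?"
    # Apply it now.  Without -F restorecon changes only the type; -F resets
    # the whole context, so unconfined_u becomes system_u as well.
    restorecon -RFv "$dir"
}

# Constructed sample of `ls -Zd /var/www/html /var/www/html/ftc-data /var/ftc-data`
# as the question describes the machine.  The symlink inherited its
# parent's type when it was created, so it is already fine; the target
# directory is not.
BEFORE='system_u:object_r:httpd_sys_content_t:s0 /var/www/html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/ftc-data
unconfined_u:object_r:var_t:s0 /var/ftc-data'

# The same listing after relabel_for_nginx, again constructed.
AFTER='system_u:object_r:httpd_sys_content_t:s0 /var/www/html
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/ftc-data
system_u:object_r:httpd_sys_content_t:s0 /var/ftc-data'

main() {
    echo "Before relabel, unreadable by httpd_t:"
    find_unreadable "$BEFORE"          # /var/ftc-data:var_t
    relabel_for_nginx "$DATA_DIR"
    echo "After relabel, unreadable by httpd_t:"
    find_unreadable "$AFTER"           # prints nothing
    # If a 403 persists with no fresh AVC here, the cause is nginx
    # configuration (root/alias, disable_symlinks), not SELinux.
    ausearch -m AVC -ts recent || true
}

# Only run the privileged part when invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Two caveats a practitioner will want. First, the daily systemd timer does not need a writable httpd type: a service that systemd starts without a domain transition of its own typically runs unconfined (unconfined_service_t on Fedora), which may write to httpd_sys_content_t; switch to httpd_sys_rw_content_t only if nginx itself must write there. Second, `matchpathcon /var/ftc-data` shows what the policy would assign on the next relabel; until the semanage rule exists it answers var_t, which is why a one-off `chcon` would not survive `restorecon`.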