On 11/08/2018 10:51 AM, Mahmood Naderan wrote:
Sorry Thomas, I made a mistake while pasting the path. The correct path is


[root@sn html]# find . -name
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
[root@sn html]# 

I don't understand what you want to say.

./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx

is a relative path, not an absolute path.

Do you still say that it is better to remove my-httpd?
Yes. But based on your absolute path to the directory where your httpd needs write access, semanage fcontext --add requires an adjusted regex.

The thing that I want to know is why SELinux prevents that creation. SELinux suggests some commands to fix that, but the suggestion has no effect, and it doesn't say anything about the root of the problem.
Because SELinux is about preventing things that are not allowed. httpd is normally exposed to the network and is a good target for hackers. So the default policy gives httpd the least privileges that are possible.

audit2allow only works for easy problems. Your problem is that someone moved files from $HOME to /var/www. Moving also moves the SELinux filesystem labels. Now you've got files with wrong labels in /var/www. This is not an easy problem for a tool to solve.

The list of attributes regarding httpd is:
# semanage boolean -l | grep httpd

Booleans are not filesystem labels/types. What did you want to show with the list?

On Thursday, November 8, 2018, 1:10:02 PM GMT+3:30, Thomas Mueller <thomas@chaschperli.ch> wrote:

I suspect someone copied or moved files from $HOME to /var/www/html/*, because user_home_t is not a label for /var/www/html.

I would propose that you:

# remove your custom module (semodule -r removes; -u would try to upgrade from a package file)
semodule -r my-httpd

# add a local fcontext for the directory that httpd needs read-write access to
semanage fcontext --add --type httpd_sys_rw_content_t \
  '/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'

# reset all labels to default
restorecon -rv /var/www

- Thomas
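An added illustration of Thomas's point that the fcontext regex must be adjusted to the absolute path (example code written for this page, not something posted in the thread). It assumes the "[root@sn html]#" prompt means the find command was run from /var/www/html, so the .docx resolves to the absolute path below; the label-resolution function is a simplified model of how libselinux picks a file_contexts rule, not its exact algorithm.

```python
import re

# Absolute path the find output resolves to, assuming find was run from
# /var/www/html (assumption: the thread only shows the "html" prompt).
DOCX_PATH = ("/var/www/html/ow_userfiles/plugins/base/attachments/"
             "temp_5be3f85348052_5be3f85347985.docx")
# The relative form exactly as pasted in the thread.
RELATIVE_PATH = ("./ow_userfiles/plugins/base/attachments/"
                 "temp_5be3f85348052_5be3f85347985.docx")

# Constructed file-context entries in the "<regex> <context>" form of
# file_contexts / file_contexts.local. The /var/www rule is the targeted
# policy default; the two candidates are the regex proposed in the thread
# (note "ow_plugins/" and "attachment" without the "s") and one adjusted
# to the path above.
BASE_FCONTEXTS = [
    ("/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]
PROPOSED_REGEX = "/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?"
ADJUSTED_REGEX = "/var/www/html/ow_userfiles/plugins/base/attachments(/.*)?"
RW_CONTEXT = "system_u:object_r:httpd_sys_rw_content_t:s0"


def fcontext_matches(regex, path):
    """libselinux anchors every file_contexts regex at both ends, so a rule
    applies only when the whole path matches. A relative path therefore
    never matches any rule."""
    return re.fullmatch(regex, path) is not None


def literal_stem(regex):
    """Literal prefix of a regex before its first metacharacter."""
    return re.split(r"[.^$*+?()\[\]{}|\\]", regex, maxsplit=1)[0]


def resolve_type(entries, path):
    """Simplified model of label lookup: of all rules matching the path, the
    one with the longest literal stem (the most specific) wins. This is not
    libselinux's real ordering, but it is enough to show that a local rule
    which does not match leaves the distribution default in place."""
    best = None
    for regex, context in entries:
        if fcontext_matches(regex, path):
            if best is None or len(literal_stem(regex)) > len(literal_stem(best[0])):
                best = (regex, context)
    if best is None:
        return None
    return best[1].split(":")[2]  # type field of user:role:type:level


def with_local_rule(regex):
    """Model of: semanage fcontext --add --type httpd_sys_rw_content_t '<regex>'
    (file_contexts.local entries are consulted in addition to the base rules)."""
    return BASE_FCONTEXTS + [(regex, RW_CONTEXT)]


def relabel(current_type, entries, path):
    """What restorecon does per file: replace the on-disk type (for example a
    user_home_t left over from mv out of $HOME) with the resolved type, or keep
    the current one when no rule matches."""
    resolved = resolve_type(entries, path)
    return resolved if resolved is not None else current_type


if __name__ == "__main__":
    for name, regex in (("proposed", PROPOSED_REGEX), ("adjusted", ADJUSTED_REGEX)):
        print(f"{name}: matches={fcontext_matches(regex, DOCX_PATH)} "
              f"type after restorecon={relabel('user_home_t', with_local_rule(regex), DOCX_PATH)}")
    print("relative path resolves to:", resolve_type(BASE_FCONTEXTS, RELATIVE_PATH))
```

With the proposed regex the .docx still resolves to the default httpd_sys_content_t after restorecon, which is exactly the "suggestion has no effect" symptom; with the regex adjusted to the real absolute path it becomes httpd_sys_rw_content_t. On a real box the same check is `matchpathcon /var/www/html/ow_userfiles/plugins/base/attachments` before and after the semanage fcontext --add.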