On 11/08/2018 10:51 AM, Mahmood Naderan wrote:
Sorry Thomas, I made a mistake while pasting the path. The correct
path is
[root@sn html]# find . -name
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
[root@sn html]#
Don't understand what you want to say.
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
is a relative path, not an absolute path.
Do you still say that it is better to remove my-httpd?
Yes, but based on your absolute path to the directory where your httpd
needs write access, selinux fcontext --add requires an adjusted regex.
The thing that I want to know is, why does selinux prevent that creation?
Selinux suggests some commands to fix that. While the suggestion has
no effect, it doesn't say anything about the root of the problem.
Because selinux is about preventing things that are not allowed. Httpd
is normally exposed to the network and a good target for hackers. So the
default policy gives the httpd the least privileges that are possible.
audit2allow only works for easy problems. Your problem is that someone
moved files from $HOME to /var/www. Move also moves SELinux filesystem
labels. Now you've got files with wrong labels in /var/www. This is no
easy problem to solve for a computer tool.
The list of attributes regarding httpd are
# semanage boolean -l | grep httpd
Booleans are not filesystem labels/types. What did you want to show
with the list?
On Thursday, November 8, 2018, 1:10:02 PM GMT+3:30, Thomas Mueller
<thomas(a)chaschperli.ch> wrote:
I suspect someone copied/moved files from $HOME to /var/www/html/*
because user_home_t is no label for /var/www/html
I would propose that you:
# remove your custom module
semodule -r my-httpd
# add a local fcontext to the directory that httpd needs read-write access
semanage fcontext \
--add \
--type httpd_sys_rw_content_t \
'/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'
# reset all labels to default
restorecon -rv /var/www
- Thomas
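
The following is an added example, not part of the original thread: a small shell filter that lists files under a web root which kept a non-httpd SELinux type (such as user_home_t) after being moved there with mv. The sample paths and contexts are constructed, and the function name `mislabeled` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). mv keeps a file's SELinux label, so
# files moved from $HOME into the web root keep user_home_t and httpd is
# denied access to them. This filter lists such candidates.

# Reads "<context> <path>" lines on stdin, the format produced by GNU find:
#   find /var/www -printf '%Z %p\n'
# and prints "<type> <path>" for every entry whose type is not httpd_*.
mislabeled() {
    while read -r ctx path; do
        # A context is user:role:type:level, so the type is field 3.
        type=$(printf '%s\n' "$ctx" | cut -d: -f3)
        case "$type" in
            httpd_*) ;;                                  # expected under the web root
            *) printf '%s %s\n' "$type" "$path" ;;   # label to review
        esac
    done
}

# Constructed sample input; the paths and contexts are illustrative only.
sample() {
cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.php
unconfined_u:object_r:user_home_t:s0 /var/www/html/ow_userfiles/plugins/base/attachments
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/ow_userfiles/cache
EOF
}

sample | mislabeled
```

On a real system, feed it `find /var/www -printf '%Z %p\n'` instead of the sample, and preview what a relabel would change with `restorecon -nrv /var/www` before running it without `-n`.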