These files are labeled with the read-only label httpd_sys_content_t. It should not be possible for files of that label type to be modified by the web server (nginx / php-fpm).
See https://access.redhat.com/documentation ... Types.html
I have other files that have been blocked and I've had to make special rules - e.g. the latest release of targeted policy prevents nginx writing to the php-fpm socket.
My system details
sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
semanage boolean -l | grep http
httpd_can_network_relay (off , off) Allow httpd to act as a relay
httpd_can_network_connect_db (off , off) Allow HTTPD scripts and modules to connect to databases over the network.
httpd_use_gpg (off , off) Allow httpd to run gpg in gpg-web domain
httpd_dbus_sssd (off , off) Allow Apache to communicate with sssd service via dbus
httpd_enable_cgi (on , on) Allow httpd cgi support
httpd_verify_dns (off , off) Allow Apache to query NS records
httpd_use_cifs (off , off) Allow httpd to access cifs file systems
allow_httpd_mod_auth_pam (off , off) Allow Apache to use mod_auth_pam
httpd_run_stickshift (off , off) Allow Apache to run in stickshift mode, not transition to passenger
httpd_enable_homedirs (off , off) Allow httpd to read home directories
allow_httpd_sys_script_anon_write (off , off) Allow apache scripts to write to public content. Directories/Files must be labeled public_rw_content_t.
httpd_dbus_avahi (on , on) Allow Apache to communicate with avahi service via dbus
httpd_unified (on , on) Unify HTTPD handling of all content files.
httpd_builtin_scripting (on , on) Allow httpd to use built in scripting (usually php)
httpd_use_fusefs (off , off) Allow httpd to access FUSE file systems
httpd_can_network_connect (on , on) Allow HTTPD scripts and modules to connect to the network using TCP.
httpd_tty_comm (on , on) Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.
allow_httpd_anon_write (on , on) Allow Apache to modify public files used for public file transfer services. Directories/Files must be labeled public_rw_content_t.
httpd_read_user_content (off , off) Allow httpd to read user content
httpd_use_nfs (off , off) Allow httpd to access nfs file systems
httpd_tmp_exec (off , off) Allow Apache to execute tmp content.
httpd_run_preupgrade (off , off) Allow Apache to run preupgrade
httpd_manage_ipa (off , off) Allow httpd processes to manage IPA content
httpd_can_sendmail (on , on) Allow http daemon to send mail
httpd_can_check_spam (off , off) Allow http daemon to check spam
named_bind_http_port (off , off) Allow BIND to bind apache port.
httpd_can_network_memcache (off , off) Allow httpd to connect to memcache server
httpd_can_network_connect_cobbler (off , off) Allow HTTPD scripts and modules to connect to cobbler over the network.
httpd_serve_cobbler_files (off , off) Allow HTTPD scripts and modules to server cobbler files.
awstats_purge_apache_log_files (off , off) Determine whether awstats can purge httpd log files.
httpd_execmem (off , off) Allow httpd scripts and modules execmem/execstack
httpd_ssi_exec (off , off) Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
httpd_use_openstack (off , off) Allow httpd to access openstack ports
httpd_enable_ftp_server (off , off) Allow httpd to act as a FTP server by listening on the ftp port.
allow_httpd_mod_auth_ntlm_winbind (off , off) Allow Apache to use mod_auth_ntlm_winbind
httpd_setrlimit (off , off) Allow httpd daemon to change system limits
# Alterable files :-
ls -lZ
-rw-r--r--. nginx nginx system_u:object_r:httpd_sys_content_t:s0 define_checkout_success.php
-rw-r--r--. nginx nginx system_u:object_r:httpd_sys_content_t:s0 define_conditions.php
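Added example, not part of the post above and not from any project: a POSIX sh script that takes the two kinds of listing posted (an extract of `semanage boolean -l` and `ls -lZ` output in the same five-column format as above, both embedded here as constructed samples so it runs without SELinux) and reports, per file, whether the httpd_t domain may write it. Under the targeted policy nginx and php-fpm both run as httpd_t, and its write access to the httpd_*_content_t types depends on two booleans: httpd_unified, which when on lets httpd_t read and write every httpd content type (including httpd_sys_content_t), and allow_httpd_anon_write, which gates writes to public_content_rw_t. The function names bool_value, httpd_may_write and audit are my own.

```shell
#!/bin/sh
# Added example (not the original poster's code). Decide, from a boolean listing
# and an `ls -lZ` listing, whether httpd_t may write each file.
# Both listings are constructed samples in the format shown in the post.

BOOLEANS='httpd_unified (on , on) Unify HTTPD handling of all content files.
allow_httpd_anon_write (on , on) Allow Apache to modify public files used for public file transfer services.
httpd_enable_homedirs (off , off) Allow httpd to read home directories'

FILES='-rw-r--r--. nginx nginx system_u:object_r:httpd_sys_content_t:s0 define_checkout_success.php
-rw-r--r--. nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0 cache.dat
-rw-r--r--. nginx nginx system_u:object_r:public_content_rw_t:s0 upload.bin
-rw-r--r--. nginx nginx system_u:object_r:httpd_sys_ra_content_t:s0 access.log
-rw-r--r--. nginx nginx system_u:object_r:etc_t:s0 config.ini'

# bool_value LISTING NAME -> current value ("on"/"off"), i.e. the first value
# inside the parentheses; the second is the persistent (config file) value.
bool_value() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { sub(/^\(/, "", $2); print $2; exit }'
}

# httpd_may_write TYPE UNIFIED ANON_WRITE -> "write", "append" or "none"
# Rules of the targeted policy:
#   httpd_sys_rw_content_t  always writable
#   httpd_sys_ra_content_t  append-only, writable when httpd_unified is on
#   httpd_sys_content_t     read-only, writable when httpd_unified is on
#   public_content_rw_t     writable only when allow_httpd_anon_write is on
#   anything else           not writable by httpd_t
httpd_may_write() {
    case "$1" in
        httpd_sys_rw_content_t) echo write ;;
        httpd_sys_content_t|httpd_sys_ra_content_t)
            if [ "$2" = on ]; then
                echo write
            elif [ "$1" = httpd_sys_ra_content_t ]; then
                echo append
            else
                echo none
            fi ;;
        public_content_rw_t)
            if [ "$3" = on ]; then echo write; else echo none; fi ;;
        *) echo none ;;
    esac
}

# audit BOOLEANS FILES -> one "filename access" line per file
audit() {
    unified=$(bool_value "$1" httpd_unified)
    anon=$(bool_value "$1" allow_httpd_anon_write)
    printf '%s\n' "$2" | while read -r mode user group ctx name; do
        # context is user:role:type:level; the type is the third field
        type=$(printf '%s' "$ctx" | cut -d: -f3)
        printf '%s %s\n' "$name" "$(httpd_may_write "$type" "$unified" "$anon")"
    done
}

audit "$BOOLEANS" "$FILES"
```

To run it against a live host, replace the two sample variables with `BOOLEANS=$(semanage boolean -l)` and `FILES=$(ls -lZ /path/to/docroot)`; on newer releases `ls -lZ` adds link-count, size and date columns, so the read loop's field list would need adjusting.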