ls -Z
drwxrwxrwx. root root unconfined_u:object_r:httpd_sys_content_t:s0 cache
semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/cache(/.*)?"
restorecon -Rv "/path/to/cache"
ls -Z
drwxrwxrwx. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 cache
And the cache folder is writable for Apache. I think that's also the correct way to do it. I wonder if I have to do that again when I move the folder/files to a different path...
/var/log/audit/audit.log contains this:
type=AVC msg=audit(1544520502.752:18918): avc: denied { write } for pid=18191 comm="httpd" name="cache" dev="md1" ino=52956207 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
grep httpd_t /var/log/audit/audit.log | audit2allow -m test1 > test1.te
test1.te contains this:
module test1 1.0;
require {
type httpd_t;
type httpd_sys_content_t;
class file { create rename setattr write };
class dir { add_name create remove_name setattr write };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { add_name create remove_name setattr write };
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { create rename setattr write };
I can't see any defined path (for example the "cache" folder)... how does it know that it should give those required permissions to Apache for this "cache" folder? Or is it giving those required permissions to Apache for all folders/files that are labeled as "httpd_sys_content_t"?
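The rules audit2allow emits are keyed on the source type, target type and object class taken from the AVC record, never on the name= or path of the object. The added Python below (written for this page, not from the post or from audit2allow) parses constructed AVC lines in the same format as the one quoted above and shows that denials on two differently named directories carrying the same httpd_sys_content_t label collapse into a single type-wide allow rule.

```python
import re
from collections import defaultdict

# Constructed sample AVC records, modelled on the one quoted in the post.
# "cache" and "uploads" are different directories but share the same target
# type, so they end up in one rule; the directory names are never used.
SAMPLE_AVCS = """\
type=AVC msg=audit(1544520502.752:18918): avc: denied { write } for pid=18191 comm="httpd" name="cache" dev="md1" ino=52956207 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544520503.001:18919): avc: denied { add_name } for pid=18191 comm="httpd" name="tmp.dat" dev="md1" ino=52956207 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544520504.310:18920): avc: denied { write } for pid=18191 comm="httpd" name="uploads" dev="md1" ino=52956999 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544520505.020:18921): avc: denied { create write } for pid=18191 comm="httpd" name="x.tmp" dev="md1" ino=52957000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
"""

# Extract the denied permission set and the three fields a rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def rules_from_avcs(text):
    """Group denials by (source type, target type, class); name= is ignored."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in rules.items()}


def render_allow(rules):
    """Render the grouped denials as policy 'allow' statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    for stmt in render_allow(rules_from_avcs(SAMPLE_AVCS)):
        print(stmt)
```

Because the generated rule applies to every object labeled httpd_sys_content_t, relabeling only the writable directory with semanage fcontext and restorecon (as done at the top of the post) keeps the rest of the web content read-only, whereas loading the audit2allow module would make all of it writable by httpd_t.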