CMS Install Scripts and SELinux

asked 2018-11-05 01:45:22 -0600

HXH

Hi Folks.

# semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/some-directory(/.*)?"
# restorecon -R -v /var/www/some-directory

I have done lots of (but have not exhausted) reading on the subject and can't seem to do much better, at this point, than guess if this is the method I should be using to allow CMS install scripts to write to the required config (php) files upon installing.

According to Red Hat's SELinux User's and Administrator's Guide:

httpd_sys_rw_content_t

Files labelled with this type can be written to by scripts labelled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labelled with any other type. You must use the httpd_sys_rw_content_t type to label files that will be read from and written to by scripts labelled with the httpd_sys_script_exec_t type.

... and then there is the httpd_sys_ra_content_t type where files can be 'modified' - not entirely sure what the difference is here as both suggest content being written to a document where httpd_sys_rw_content_t doesn't mention creating documents, just writing to them. At any rate, I have not tried using any type other than 'rw'.

What is the officially preferred way of handling documents of said type for a web server that would exist 'in the wild'?

With the CMS ExpressionEngine, I am able to get away with labelling its 'cache' directory, upload directory, and config files with the httpd_sys_rw_content_t type to achieve installation and successful operation. Need I worry about the level of targeting files or is it safe to label the entire contents of the public_html folder as such?

Thanks in advance for your thoughts on the subject!

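Added example, not part of the original question: a shell sketch of the targeted labelling the post describes (cache directory, upload directory, config file) next to a check that lists PHP files left writable by the web server when the whole tree is labelled instead. The `cache/`, `uploads/` and `config/config.php` paths and the sample listing are constructed assumptions, not ExpressionEngine's actual layout.

```shell
#!/bin/sh
# Added example. DOCROOT matches the question's placeholder; the cache/,
# uploads/ and config/config.php paths are hypothetical, not a real CMS layout.
DOCROOT=/var/www/some-directory

# Print (not execute) one fcontext rule per writable location. Everything else
# under /var/www keeps the policy default, httpd_sys_content_t (read-only).
emit_rules() {
    for p in "$@"; do
        q=$(printf '%s' "$p" | sed 's/\./\\./g')   # fcontext specs are regexes
        case $q in
            */) printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "${q%/}" ;;
            *)  printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s"\n' "$q" ;;
        esac
    done
    printf 'restorecon -R -v %s\n' "$DOCROOT"
}

# Read "context path" lines, as produced by: find "$DOCROOT" -printf '%Z %p\n'
# Report PHP files the web server could rewrite, except the expected config
# file passed as $1. Paths containing spaces are not handled.
writable_php() {
    awk -v allow="$1" \
        '$1 ~ /:httpd_sys_rw_content_t:/ && $2 ~ /\.php$/ && $2 != allow { print $2 }'
}

# Constructed listing: what a tree looks like after labelling too broadly.
sample_listing() {
    cat <<'EOF'
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/some-directory/cache/page.tmp
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/some-directory/config/config.php
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/some-directory/index.php
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/some-directory/system/core.php
EOF
}

emit_rules "$DOCROOT/cache/" "$DOCROOT/uploads/" "$DOCROOT/config/config.php"
sample_listing | writable_php "$DOCROOT/config/config.php"
```

Any path the second function prints is executable code that a compromised web application could modify in place, which is the practical difference between labelling three locations and labelling the whole document root.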