I've had my fair share of struggles with SELinux, but this is the first time that it's totally stumped me. I have two production CentOS 8 servers with functionally identical configurations hosting a web application. I have a custom type enforcement module, the relevant parts of which for this question are as follows:
module my_app 1.0;

# Writable content type for the app's upload directory; files_type() marks
# it as an ordinary file type so the generic file-handling interfaces apply.
type my_app_rw_content_t;
files_type(my_app_rw_content_t);

require {
    type httpd_t;
    class file { getattr read write execute execute_no_trans open create unlink ioctl link rename };
    class dir { add_name remove_name read write create };
    class lnk_file { getattr read open };
}

# httpd may create, read, write and remove files of this type, and add or
# remove entries in directories of this type.
allow httpd_t my_app_rw_content_t:file { getattr open read write create unlink ioctl };
allow httpd_t my_app_rw_content_t:dir { add_name remove_name read write };
I want to assign the my_app_rw_content_t context to the directory my app uses for temporary file uploads, which is /data/www/my_app_tmp/. The following policy customizations are active on both systems:
fcontext -a -f a -t httpd_sys_content_t -r 's0' '/data/www(/.*)?'
fcontext -a -f a -t my_app_rw_content_t -r 's0' '/data/www/my_app_tmp(/.*)?'
On server 1, it behaves as expected:
[me@server1 ~]$ matchpathcon /data/www/my_app_tmp
/data/www/my_app_tmp system_u:object_r:my_app_rw_content_t:s0
On server 2, it doesn't:
[me@server2 ~]$ matchpathcon /data/www/my_app_tmp
/data/www/my_app_tmp system_u:object_r:httpd_sys_content_t:s0
I can't for the life of me figure out why. It's a semi-moot point because I'll be migrating to new systems soon on a different distro, but I'd still like to know what's happening here.
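Added example, not part of the original post: a small Python model of how libselinux resolves two overlapping file-context entries. It assumes the documented rule that, within one contexts file, the last matching entry wins (libselinux walks the spec list from the end), and that each regex is anchored at both ends when compiled. The two sample file_contexts.local contents below are constructed, not copied from either server, and all function names are my own. Under this rule the raw line order in /etc/selinux/targeted/contexts/files/file_contexts.local on each host is what decides the result for /data/www/my_app_tmp, which is the thing to compare between the two machines.

```python
import re

# Constructed sample file_contexts.local contents (illustrative, not copied
# from either server). Same two entries, two different line orders.
LOCAL_SPECIFIC_LAST = """\
/data/www(/.*)?               system_u:object_r:httpd_sys_content_t:s0
/data/www/my_app_tmp(/.*)?    system_u:object_r:my_app_rw_content_t:s0
"""

LOCAL_SPECIFIC_FIRST = """\
/data/www/my_app_tmp(/.*)?    system_u:object_r:my_app_rw_content_t:s0
/data/www(/.*)?               system_u:object_r:httpd_sys_content_t:s0
"""


def parse_file_contexts(text):
    """Parse lines of the form 'regex [-type] context' into a list of
    (compiled regex, type flag or None, context), preserving file order.
    Regexes are anchored at both ends (fullmatch), as libselinux does when
    it compiles file_contexts entries."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            pattern, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1].startswith("-"):
            pattern, ftype, context = fields
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        specs.append((re.compile(pattern), ftype, context))
    return specs


def lookup(specs, path):
    """Resolve path against the specs of one file with the last-match-wins
    rule: walk the list from the end and return the first hit. Type flags
    (-d, --, ...) are ignored in this model; every entry is treated as
    'all files'. Returns None when nothing matches."""
    for regex, _ftype, context in reversed(specs):
        if regex.fullmatch(path):
            return context
    return None


def trace(specs, path):
    """Every entry that matches path, in file order, so the reader can see
    which one the reversed walk picks (the last element of the list)."""
    return [(regex.pattern, context)
            for regex, _ftype, context in specs
            if regex.fullmatch(path)]


def diverging_paths(text_a, text_b, paths):
    """Paths that resolve differently under two file_contexts.local contents."""
    a, b = parse_file_contexts(text_a), parse_file_contexts(text_b)
    return [p for p in paths if lookup(a, p) != lookup(b, p)]


if __name__ == "__main__":
    probe = ["/data/www", "/data/www/index.html",
             "/data/www/my_app_tmp", "/data/www/my_app_tmp/upload.bin"]
    for label, text in (("specific entry last", LOCAL_SPECIFIC_LAST),
                        ("specific entry first", LOCAL_SPECIFIC_FIRST)):
        specs = parse_file_contexts(text)
        print("==", label)
        for p in probe:
            print("%-35s %s" % (p, lookup(specs, p)))
        print("matches for /data/www/my_app_tmp:",
              trace(specs, "/data/www/my_app_tmp"))
    print("diverging:", diverging_paths(LOCAL_SPECIFIC_LAST,
                                        LOCAL_SPECIFIC_FIRST, probe))
```

With the specific pattern on the last line, /data/www/my_app_tmp resolves to my_app_rw_content_t; with the two lines swapped, the broader /data/www(/.*)? entry is the last match and wins, which is exactly the pair of results shown for server 1 and server 2. The model deliberately ignores the -d/-- type flags, since both entries in the question are "all files".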