Score:0

How to set SELINUX HTTPD User Content RW?


I'm quite new to SELinux and I have a simple question. I know there is httpd_sys_rw_content_t for /var/www/html, and the read-only httpd_user_content_t, but if I want to allow some folder to be RW for that user only, is there any httpd_user_rw_content_t? Or should I use the httpd_sys_rw_content_t context for that particular user? Thanks.

Score:0

The types in SELinux do not relate to the management of users in the manner I think you believe they do.

The SELinux type for httpd_user_content_rw_t bears no relation to having it work against a specific user. This type is really meant for conditions whereby a user has a web document root of some kind.

Say, for example, in Apache, if you use mod_userdir you can have http://website.com/~myuser as a valid link.

In this case, the httpd_user_rw_content_t type refers to data that would exist in the path for that user dir.

Rather than consider which particular user has access, think about where the data is kept. In your case /var/www/html is considered the system path for the document root and in that position should be labelled httpd_sys_content_rw_t.

If you wanted to make a folder rw for a specific user only (in the traditional unix u/g/o sense) then just chown/chgrp/chmod as necessary to get the access controls you're looking to apply.

Benyamin Limanto:
Uhm, I think you got my question wrong. Take for example that my file permissions are okay; I just want to give only that particular folder to fpm/any web-based process labelled with the httpd context, so that it is able to touch that folder. Can I assume that I can use `httpd_sys_rw_content_t`, or should I use another context? As we know, `httpd_user_rw_content_t` doesn't exist in general. I assume SELinux is used to prevent nasty things from happening, so I need it to be double protected, with SELinux and normal/ACL permissions.

Matthew Ife:
If you want this file to be writable by some external CGI process, that process's SELinux type will need read/write access to the target type. You can run `sesearch -s source_type -t target_type -A` to identify that. But in general the system paths should still be typed as sys_content_rw_t.

Benyamin Limanto:
Oh, so any general system path that is allowed to be written by CGI uses `httpd_sys_content_rw_t` then? Hmmm. Alright. Thanks.
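The procedure the answer and comments converge on (label only the one folder the web process must write to, keep the rest of the document root read-only, and confirm the policy actually grants httpd_t write on that type), as an added shell example that is not part of the question or answer. The path `/srv/app/uploads` is an assumed placeholder; `httpd_t` is the domain php-fpm and Apache run in on stock Fedora/RHEL policy. `semanage` and `sesearch` (setools) must be installed for the labelling and policy-check functions; the `ls -Z` parsing helpers run anywhere.

```shell
#!/bin/sh
# Added example (not the answerer's code). Makes one directory writable by
# httpd_t with a persistent file-context rule, then verifies the label and
# the policy. UPLOAD_DIR is an assumption; adjust to your layout.
UPLOAD_DIR="/srv/app/uploads"
RW_TYPE="httpd_sys_rw_content_t"

# Add a persistent rule and relabel. A plain `chcon` would be lost on the
# next `restorecon`/full relabel, so use semanage + restorecon instead.
label_rw_dir() {
    dir="$1"
    semanage fcontext -a -t "$RW_TYPE" "${dir}(/.*)?"
    restorecon -Rv "$dir"
}

# Pull the SELinux type (third field of user:role:type:level) out of one
# `ls -Zd` output line, e.g.
#   drwxr-x---. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 /srv/app/uploads
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Exit status 0 when the `ls -Zd` line carries the expected type.
has_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Verify on the live system that the directory got the RW type.
verify_label() {
    has_type "$(ls -Zd "$1")" "$RW_TYPE"
}

# Ask the loaded policy whether httpd_t may write files of that type;
# prints the matching allow rules (empty output means no such rule).
check_policy() {
    sesearch -A -s httpd_t -t "$RW_TYPE" -c file -p write
}

# Typical run: label_rw_dir "$UPLOAD_DIR" && verify_label "$UPLOAD_DIR" && check_policy
```

Everything under `/var/www/html` that the web process only reads keeps `httpd_sys_content_t`; only the directory passed to `label_rw_dir` gets the RW type, which is the SELinux half of the "double protection" asked about. The ordinary ownership and mode bits on that directory still apply on top of it.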