Hi Everyone,
I need a little help in determining the proper SELinux context for
data files served by Nginx. SELinux is in enforcing mode. The web
server static pages are at /var/www/html (for historic reasons). The
data files are in the filesystem in /var, but at /var/ftc-data.
There's also a soft symlink at /var/www/html/ftc-data that points to
/var/ftc-data.
/var/www/html is working as expected, but I am getting a 403 on the
data files and the data file directory. I.e., I get a 403 on
http://www.example.com/ftc-data, even though the directory is ugo+x.
The filesystem topology of interest is:
              +------+
              | /var |
              +------+
               /    \
              /      \
             /        \
           www      ftc-data
           /          |+ file1.dat
          /           |+ file2.dat
         /            |+ file3.dat
       html
        |+ index.html
        |+ symlink to ftc-data
/var/www and /var/www/html have
system_u:object_r:httpd_sys_content_t:s0. The web server is serving
the static html files OK.
/var/ftc-data has unconfined_u:object_r:var_t:s0. I am not thrilled
about unconfined_u, and I am pretty sure var_t should be
httpd_sys_content_t.
The last wrinkle is, the data files get updated once a day using a
systemd timer. So systemd needs write access to /var/ftc-data.
Would someone help me understand what the SELinux context should be for
/var/ftc-data, please?
Thanks in advance.