On Tue, Nov 19, 2024 at 8:53 PM justina colmena ~biz justina@colmena.biz wrote:
On 11/19/24 16:49, Jeffrey Walton wrote:
But I don't think the answer is an allow rule. I _think_ /var/ftc-data needs to use httpd_sys_content_t, not var_t.
The "httpd_sys_content_t" selinux context is usually defined in an selinux policy module dependency when apache is installed in fedora. I'm not sure anything specific has been developed for nginx per se. ymmv, whatever selinux policies have been developed and packaged for common server software. It's been a while, things are rather outdated now, but I believe I've had better luck installing apache and just not using it but leaving it installed while running nginx, because the selinux policies that have been developed in the past for apache usually "just work" with nginx, "httpd_sys_content_t" and everything, although I don't know that piggybacking too much software is the "right" solution either.
Yeah, I believe you're right about things just working with Nginx because of Apache.
I did check things after the initial Nginx install, before any modifications happened. Here's what I found:
* default conf file is /etc/nginx/nginx.conf
* default document root is /usr/share/nginx/html
And:
# ls -Z /usr/share/nginx/html
system_u:object_r:httpd_sys_content_t:s0 index.html
system_u:object_r:httpd_sys_content_t:s0 nginx-logo.png
...
I believe "system_u:object_r:httpd_sys_content_t:s0" is the same as Apache at /var/www/html (and friends). Indeed, when I created /var/www/html and restorecon'd:
# ls -Z /var/
system_u:object_r:httpd_sys_content_t:s0 html
...
# ls -Z /var/www/
system_u:object_r:httpd_sys_content_t:s0 html
(There's probably a way to list the rules for /var/www(/.*)? (or whatever that RE syntax is), but I don't know them).
Related, I recently added more topics to Fedora's docs on Nginx at https://fedoraproject.org/wiki/Nginx. It touches on SELinux under the section File Permissions. Please feel free to make corrections.
Jeff
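
An added example, not part of the emails above: a shell check that reads `ls -Z` output, reports entries whose SELinux type is not the one named in the thread, and prints the `semanage fcontext` / `restorecon` commands that would relabel /var/ftc-data persistently. The function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: find files whose SELinux type differs from the one the
# web server is allowed to read, then print the relabel commands.

# Constructed sample in `ls -Z` format ("context name"); not real output.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:var_t:s0 report.csv
unconfined_u:object_r:user_home_t:s0 upload form.html
EOF
}

# mislabeled TYPE: read `ls -Z` lines on stdin, print "type<TAB>name" for
# every entry whose type (third ':' field) is not TYPE. Exit 1 if any.
mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[3] != want) {
                name = $0
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", name)  # keep spaces in names
                print ctx[3] "\t" name
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# fix_commands DIR TYPE: print (do not run) the persistent fix: a file-context
# rule for DIR and everything below it, then a relabel from that rule.
fix_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Demo on the constructed sample. On a real host use:
#   ls -Z /var/ftc-data | mislabeled httpd_sys_content_t
# and list the existing path rules with:
#   semanage fcontext -l | grep '^/var/www'
if ! sample_listing | mislabeled httpd_sys_content_t; then
    fix_commands /var/ftc-data httpd_sys_content_t
fi
```

The commands are printed rather than executed so the rule can be reviewed before it is added to the local policy.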