On 8/2/20 5:27 PM, info(a)joomladev.eu wrote:
> I have set the httpd_unified boolean to on, and the httpd files are marked as
> httpd_sys_content_t. But when I create files with php fpm, the files are
> created as httpd_sys_rw_content_t. Why is it not httpd_sys_content_t if I
> have this boolean enabled?
This behavior is expected. When you enabled the httpd_sys_unified boolean,
you allowed files (with the label httpd_sys_rw_content_t) to be created in
a directory labeled httpd_sys_content_t.
Here is the transition rule:

  $ sesearch -T -s httpd_t -c file | grep httpd_sys_content
  type_transition httpd_t httpd_sys_content_t:file httpd_sys_rw_content_t;
  [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True

-T -> look for transition rules
-s -> source context (in your case, the label of php fpm)
-c -> class, in this case file

The output says: when one of the booleans is in the true state, any process
labeled httpd_t can create files with the label httpd_sys_rw_content_t in
any directory labeled httpd_sys_content_t.
I hope this helped.
> It's on CentOS 8 box fully updated.
Senior Software Engineer, Security Technologies
Red Hat, Inc.
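
An added example, not part of the original message and not code from the SELinux project: a small Python evaluator that takes the rule line printed by sesearch above plus a set of boolean states and reports which type a file created by httpd_t would receive. The helper names and the boolean states are constructed for illustration, and only the &&, || and ! operators are handled.

```python
import re

# Rule as printed by sesearch in the message above (the two wrapped lines joined).
RULE = ("type_transition httpd_t httpd_sys_content_t:file httpd_sys_rw_content_t; "
        "[ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True")

RULE_RE = re.compile(
    r"type_transition\s+(?P<source>\S+)\s+(?P<target>[^\s:]+):(?P<tclass>\S+)\s+"
    r"(?P<default>[^\s;]+);(?:\s*\[\s*(?P<cond>.*?)\s*\]:(?P<branch>True|False))?")

def eval_cond(expr, booleans):
    """Evaluate a conditional using &&, ||, ! and parentheses (hypothetical helper)."""
    toks = re.findall(r"&&|\|\||!|\(|\)|\w+", expr)
    pos = 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            value = or_expr()
            take()  # consume ")"
            return value
        return bool(booleans[tok])  # KeyError if a boolean's state was not supplied
    def and_expr():
        value = atom()
        while peek() == "&&":
            take()
            value = atom() and value  # operand parsed first so its tokens are always consumed
        return value
    def or_expr():
        value = and_expr()
        while peek() == "||":
            take()
            value = and_expr() or value
        return value
    return or_expr()

def new_file_type(rule_line, booleans, proc_type, dir_type, tclass="file"):
    """Type of a new object: the rule's default if the rule applies, else the directory's type."""
    rule = RULE_RE.search(rule_line).groupdict()
    applies = (rule["source"], rule["target"], rule["tclass"]) == (proc_type, dir_type, tclass)
    if applies and rule["cond"] is not None:
        applies = eval_cond(rule["cond"], booleans) == (rule["branch"] == "True")
    return rule["default"] if applies else dir_type

# Constructed boolean states, as `getsebool` might report them on some host.
ALL_ON = {"httpd_builtin_scripting": True, "httpd_unified": True, "httpd_enable_cgi": True}
```

Calling new_file_type(RULE, ALL_ON, "httpd_t", "httpd_sys_content_t") returns the rule's default type; when the rule does not apply, the function returns the directory's own type, which is what a new file inherits in the absence of a matching transition rule.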