0

I have a Zend web application running on a CentOS server with SELinux running in permissive mode (i.e. access-control decisions are recorded in /var/log/audit/audit.log but not enforced). The application allows people to upload files, which are saved in a directory structure outside htdocs (e.g. /var/acme/myapp/files). The application needs to write and delete files in that directory, as well as create, modify, and delete directories under that directory.

FWIW, httpd starts as root, then spawns processes as a separate user named apache.

I'd like to put SELinux into enforcing mode, but still narrowly allow the Zend application to perform the IO operations described above. I also want these SELinux settings to persist after restarts. How do I do this?

Improve this question

1 Answer 1

Reset to default
1

You need to relabel the folder to be writable by httpd.

If http is the only thing (and say ftp or ssh) that will be writing to it then this should work.

semanage fcontext -a -t httpd_sys_rw_content_t '/var/acme/myapp/files(/.*)?' fixfiles restore /var/acme/myapp/files

Try writing into the folder then, it should work.

Improve this answer
2
  • I tried the command you specified, but the targeted policy on my CenoOS host didn't have the httpd_sys_rw_content_t label, so I used the following commands instead: /usr/sbin/semanage fcontext -a -t httpd_sys_script_rw_t '/var/acme/myapp/files(/.*)?' and /sbin/fixfiles restore /var/acme/myapp/files. So far, it appears to work. Commented Jan 18, 2012 at 22:25
  • I verified that it had the desired effect. Thanks for the focused and correct answer. I suspect different distros and versions come with different labels available. Commented Jan 18, 2012 at 23:00

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.