On Tue, Nov 21, 2017 at 09:40:27AM -0800, david wrote:
Jonathan, thanks for the advice. If you recommend NOT to use /tmp for cgi temporaries, where would you put them and how to name them? And about SELINUX, I'll consider that, but I'd like to get this working without SELINUX first.
And where should I put "globally readable" files? These files need to be readable by all users (including Apache), but writeable only by one user. In the past, I've placed them in a RAM disk since I don't want them to survive a power-off, and mounted that "device" directory in /tmp/ramdisk. It was working perfectly in CentOS 5, 6 and 7, with CentOS 7 failing within the past week or so. I do "yum update" every night.
Does it need to be writable by CGI scripts run by httpd? Then put it in one of the directories that is automatically labeled httpd_sys_rw_content_t by selinux. (man httpd_selinux shows those, you can also run 'semanage fcontext -l | grep httpd_sys_rw_content_t')
Hopefully, it isn't both writable *and* executable by httpd, because that's just a bad idea, and selinux tries its hardest to prevent it.
Otherwise, if httpd just needs to read the file, choose one of the directories with one of the read-only labels.
The reason this started happening in the latest C7 release is that the unit file (as well as many others) was updated to have PrivateTmp, which is an additional security measure, since one of the most common ways of attacking a system is to try to hit shared files in locations like /tmp.
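Added example, not from the thread or any of its participants: a POSIX shell helper that checks a unit's text for PrivateTmp, shows /tmp as the running httpd actually sees it, and builds a tmpfs mount outside /tmp that is read-only for httpd via the SELinux mount-time context option. It assumes CentOS 7 with systemd and the targeted policy; the mount point /srv/www/shared, the 64m size and the numeric owner uid are placeholders chosen here.

```shell
#!/bin/sh
# Added example; /srv/www/shared, 64m and the owner uid are assumptions.

# Does the unit text in $1 enable PrivateTmp?  Takes the text as an argument so
# it can be checked offline; returns 0 for enabled, 1 otherwise.
unit_private_tmp_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$'
}

# fstab line for a tmpfs that does not survive power-off, is not under /tmp
# (so PrivateTmp cannot hide it from httpd), is writable only by its owner
# (mode=0755, uid/gid) and is labeled read-only for httpd for the whole mount.
# $1 = mount point, $2 = owner uid (numeric), $3 = size
shared_tmpfs_fstab_line() {
    printf 'tmpfs %s tmpfs size=%s,mode=0755,uid=%s,gid=%s,context=system_u:object_r:httpd_sys_content_t:s0 0 0\n' \
        "$1" "$3" "$2" "$2"
}

# Live diagnosis (run as root): what systemd says about httpd's PrivateTmp, and
# what /tmp looks like from inside httpd's own mount namespace.  If PrivateTmp
# is on, a RAM disk mounted under /tmp on the host simply is not there.
# No --value: CentOS 7's systemd 219 predates that option.
show_httpd_tmp_view() {
    systemctl show httpd.service -p PrivateTmp
    pid=$(systemctl show httpd.service -p MainPID | cut -d= -f2)
    nsenter --target "$pid" --mount ls -la /tmp
}

# One-time setup (run as root): record the label so restorecon agrees with the
# mount option, add the fstab line, mount, and show the resulting context.
setup_shared_tmpfs() {
    mp=$1; owner_uid=$2
    mkdir -p "$mp"
    semanage fcontext -a -t httpd_sys_content_t "${mp}(/.*)?"
    shared_tmpfs_fstab_line "$mp" "$owner_uid" 64m >> /etc/fstab
    mount "$mp"
    ls -dZ "$mp"
}

case "${1:-}" in
    check) show_httpd_tmp_view ;;
    setup) setup_shared_tmpfs /srv/www/shared "${2:?owner uid}" ;;
esac
```

Run `sh script.sh check` to see whether httpd is looking at a private /tmp, and `sh script.sh setup 1001` (with the real owner uid) to create the shared RAM disk outside /tmp.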