On Tue, Nov 21, 2017 at 09:40:27AM -0800, david wrote:
> Jonathan
> Thanks for the advice. If you recommend NOT to use /tmp for cgi
> temporaries, where would you put them and how to name them? And about
> SELINUX, I'll consider that, but I'd like to get this working without
> SELINUX first.
>
> And where should I put "globally readable" files? These files need to be
> readable by all users (including Apache), but writeable only by one user.
> In the past, I've placed them in a Ram disk since I don't want them to
> survive a power-off, and mounted that "device" directory in /tmp/ramdisk.
> It was working perfectly in Centos 5, 6 and 7, with Centos 7 failing within
> the past week or so. I do "yum update" every night.

Does it need to be writable by CGI scripts run by httpd? Then put it in
one of the directories that is automatically labeled
httpd_sys_rw_content_t by selinux. (man httpd_selinux shows those, you
can also run 'semanage fcontext -l | grep httpd_sys_rw_content_t')

Hopefully, it isn't both writable *and* executable by httpd, because
that's just a bad idea, and selinux tries its hardest to prevent it.

Otherwise, if httpd just needs to read the file, choose one of the
directories with one of the read-only labels.

The reason why this started happening in the latest C7 release is
because the unit file (as well as many others) was updated to have a
PrivateTmp, which is an additional security measure, since one of the
most common ways of attacking a system is to try to hit shared files in
locations like /tmp.

-- 
Jonathan Billings
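The PrivateTmp effect described in the reply above, as an added example that is not part of the original thread: a shell check that reads unit-file text and reports whether a given path would be hidden from the service by its private /tmp and /var/tmp. The function names, the sample unit text and the sample paths are constructed for illustration; only the boolean forms of PrivateTmp= are handled.

```shell
#!/bin/sh
# Added example: helper names, unit text and paths are constructed.

# Print "yes" if the unit text on stdin ends with PrivateTmp enabled in its
# [Service] section, otherwise "no". The last assignment wins, as it does
# when drop-in files are read after the main unit file.
private_tmp_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }   # comment lines
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)   # drop "PrivateTmp ="
            sub(/[ \t\r]+$/, "", value)       # drop trailing whitespace
            state = tolower(value)            # empty value resets to default
        }
        END {
            if (state == "yes" || state == "true" || state == "1" || state == "on")
                print "yes"
            else
                print "no"
        }
    '
}

# Return 0 if the path lies under a directory that PrivateTmp replaces.
under_private_tmp() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: hidden_from_service PATH < unit-text ; prints "hidden" or "visible".
hidden_from_service() {
    if under_private_tmp "$1" && [ "$(private_tmp_enabled)" = yes ]; then
        echo hidden
    else
        echo visible
    fi
}

# Constructed unit text standing in for a service that sets PrivateTmp.
SAMPLE_UNIT='[Unit]
Description=constructed example web service

[Service]
ExecStart=/usr/sbin/httpd -DFOREGROUND
PrivateTmp=true
'

printf '%s' "$SAMPLE_UNIT" | hidden_from_service /tmp/ramdisk/status.txt
```

On a live host the same functions can be fed the output of `systemctl cat httpd.service`, which prints the unit file followed by its drop-ins.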