[CentOS] File access in Apache 2.4 (clarification)

Tue Nov 21 19:03:25 UTC 2017
Jonathan Billings <billings at negate.org>

On Tue, Nov 21, 2017 at 09:40:27AM -0800, david wrote:
> Jonathan
> Thanks for the advice.  If you recommend NOT to use /tmp for cgi
> temporaries, where would you put them and how to name them?  And about
> SELINUX, I'll consider that, but I'd like to get this working without
> SELINUX first.
> 
> And where should I put "globally readable" files?  These files need to be
> readable by all users (including Apache), but writeable only by one user.
> In the past, I've placed them in a Ram disk since I don't want them to
> survive a power--off, and mounted that "device" directory in /tmp/ramdisk.
> It was working perfectly in Centos 5, 6 and 7, with Centos 7 failing within
> the past week or so.  I do "yum update" every night.

Does it need to be writable by CGI scripts run by httpd?  Then put it
in one of the directories that is automatically labeled
httpd_sys_rw_content_t by selinux.  (man httpd_selinux shows those,
you can also run 'semanage fcontext -l | grep httpd_sys_rw_content_t')

Hopefully, it isn't both writable *and* executable by httpd, because
that's just a bad idea, and selinux tries its hardest to prevent it.

Otherwise, if httpd just needs to read the file, choose one of the
directories with one of the read-only labels.

The reason why this started happening in the latest C7 release is
because the unit file (as well as many others) was updated to have a
PrivateTmp, which is an additional security measure, since one of the
most common ways of attacking a system is to try to hit shared files
in locations like /tmp.

-- 
Jonathan Billings