[CentOS] more selinux problems ...

Sat Sep 23 12:37:34 UTC 2017
hw <hw at gc-24.de>

Hi,

how do I allow lighttpd access to a directory like this:

dr-xrwxr-x. lighttpd example unconfined_u:object_r:samba_share_t:s0 files_articles

I tried to create and install a selinux module, and it didn't work.
The non-working module can not be removed, either:

semodule -r lighttpd-files_articles.pp
libsemanage.semanage_direct_remove_key: Unable to remove module lighttpd-files_articles.pp at priority 400. (No such file or directory).
semodule:  Failed!


Currently, only read access is required.  Write access may be
required later.


type=AVC msg=audit(1506168999.456:2350): avc:  denied  { getattr } for  pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168999.456:2350): arch=c000003e syscall=4 success=yes exit=0 a0=55eea817ec80 a1=7ffe668ef300 a2=7ffe668ef300 a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1506168999.456:2351): avc:  denied  { open } for  pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168999.456:2351): arch=c000003e syscall=2 success=yes exit=9 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef270 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1506168723.591:2342): avc:  denied  { read } for  pid=28956 comm="lighttpd" name="C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1506168723.591:2342): arch=c000003e syscall=2 success=no exit=-13 a0=55eea817ec80 a1=0 a2=3e a3=7ffe668ef2a0 items=0 ppid=1 pid=28956 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null)


Why isn't there a simple way to allow access to files as needed?
Being like this, selinux is entirely unmanageable.  Does it even do
any more good than it keeps getting in the way?
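The denials above all say the same thing: a process in httpd_t is touching files labelled samba_share_t, which the targeted policy does not allow. The usual answer is to relabel the tree, not to write a custom allow module. The following script is an added example (not from the post or the CentOS list): it parses the AVC records quoted above, collapses them into one source/target/class summary, and proposes the relabel commands. The choice of public_content_t for samba_share_t trees (so smbd and httpd_t can both read them) and httpd_sys_content_t otherwise is my assumption about the intended use; the audit lines are copied from the post.

```python
import re
from collections import defaultdict
from posixpath import dirname

# Constructed sample: the three AVC records from the post (SYSCALL records omitted).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1506168999.456:2350): avc:  denied  { getattr } for  pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1506168999.456:2351): avc:  denied  { open } for  pid=28956 comm="lighttpd" path="/srv/data/files_articles/C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=AVC msg=audit(1506168723.591:2342): avc:  denied  { read } for  pid=28956 comm="lighttpd" name="C3E3FC7C-6ABE-11E6-9BF7-9CD580EF3FB5" dev="sde" ino=22694488368 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
"""
AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
                    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(r'\bpath="([^"]+)"')   # the 'read' record only carries name=, not path=

def sel_type(context):
    """user:role:type:level -> type (the field the policy rules are written against)."""
    return context.split(':')[2]

def parse_avc(text):
    """One dict per AVC record: source/target types, object class, denied perms, path if logged."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        p = PATH_RE.search(line)
        records.append({'src': sel_type(m['scontext']), 'tgt': sel_type(m['tcontext']),
                        'tclass': m['tclass'], 'perms': m['perms'].split(),
                        'path': p.group(1) if p else None})
    return records

def summarize(records):
    """Merge perms per (source type, target type, class) so repeated denials collapse to one line."""
    merged = defaultdict(set)
    for r in records:
        merged[(r['src'], r['tgt'], r['tclass'])].update(r['perms'])
    return {k: sorted(v) for k, v in merged.items()}

def suggest_relabel(records):
    """For httpd_t denials on file/dir objects, propose a label change rather than an allow rule.
    Assumption: a samba_share_t tree the web server must also read becomes public_content_t
    (readable by smbd and httpd_t); any other tree becomes httpd_sys_content_t. Read-only only;
    write access later would mean public_content_rw_t plus 'setsebool -P httpd_anon_write on'."""
    cmds = []
    for r in records:
        if r['src'] != 'httpd_t' or r['tclass'] not in ('file', 'dir') or not r['path']:
            continue
        tree = dirname(r['path']) if r['tclass'] == 'file' else r['path']
        new_type = 'public_content_t' if r['tgt'] == 'samba_share_t' else 'httpd_sys_content_t'
        for cmd in (f'semanage fcontext -a -t {new_type} "{tree}(/.*)?"', f'restorecon -Rv {tree}'):
            if cmd not in cmds:
                cmds.append(cmd)
    return cmds
```

Separately, `semodule -r` takes the module name as installed, not the .pp filename; `semodule -l` shows the names it knows.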