[CentOS] SELinux policy vs. static web content
Nicolas Kovacs
info at microlinux.fr
Wed Jan 30 15:57:01 UTC 2019
Le 30/01/2019 à 16:22, Nicolas Kovacs a écrit :
> Some time ago I wrote an introductory article about SELinux on my blog.
> I'm currently updating it for my new blog, and I found a curious change
> in SELinux policy. Here goes.
>
> For demonstration purposes, I'm using some static webpages, more exactly
> the default pages found in /usr/share/httpd/noindex, which I simply
> copied over to /var/www/html.
>
> As a first practical example, I'm copying this stuff over to /tmp/backup
> and then move it back again. A vaguely similar example has been given by
> Thomas Cameron in his presentation "SELinux for mere mortals", and I'm
> reproducing it here with some minor modifications.
>
> $ cd /var/www/html/
> $ mkdir /tmp/backup
> $ cp -R * /tmp/backup/
> $ rm -rf *
> $ mv /tmp/backup/* .
> $ find . -type d -exec chmod 0755 {} \;
> $ find . -type f -exec chmod 0644 {} \;
>
> When I wrote the article back in november 2017, this resulted in a
> classic "Forbidden" error, since the SELinux context of these files is
> not httpd_sys_content_t as it should be, but user_tmp_t.
>
> But when I try to repeat the experiment now, Apache shows no error.
> Which seems strange.
>
> Any idea what's going on ?
The tl;dr version of my last post is : Apache is not supposed to show
static web pages with a user_tmp_t SELinux context. So why does it show
them anyway ?
Cheers,
Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
More information about the CentOS
mailing list