[CentOS] SELinux policy vs. static web content

Thu Jan 31 00:31:45 UTC 2019
Gordon Messmer <gordon.messmer at gmail.com>

On 1/30/19 7:57 AM, Nicolas Kovacs wrote:
> The tl;dr version of my last post is : Apache is not supposed to show
> static web pages with a user_tmp_t SELinux context. So why does it show
> them anyway ?


Policy allows that, currently:

# sesearch -A -s httpd_t -t user_tmp_t
Found 15 semantic av rules:
    allow daemon user_tmp_t : file { getattr append } ;
    allow httpd_t user_tmp_t : file { ioctl read write getattr lock 
append map } ;
    allow domain tmpfile : file { ioctl read getattr lock append open } ;
    allow httpd_t file_type : dir { getattr search open } ;
    allow httpd_t user_tmp_t : dir { ioctl read write getattr lock 
add_name remove_name search open } ;
    allow httpd_t file_type : filesystem getattr ;
    allow httpd_t user_home_type : file { ioctl read getattr lock open } ;
    allow httpd_t user_home_type : dir { getattr search open } ;
    allow httpd_t user_home_type : dir { ioctl read getattr lock search 
open } ;
    allow httpd_t user_home_type : dir { getattr search open } ;
    allow httpd_t user_home_type : dir { getattr search open } ;
    allow domain file_type : file map ;
    allow domain file_type : chr_file map ;
    allow domain file_type : blk_file map ;
    allow httpd_t user_home_type : lnk_file { read getattr } ;