Hello,
I have set the httpd_unified boolean to on, and the httpd files are marked as httpd_sys_content_t. But when I create files via PHP-FPM, the files are created as httpd_sys_rw_content_t. Why are they not httpd_sys_content_t if I have this boolean enabled?
It's on a fully updated CentOS 8 box.
Thanks, Filip Bartmann
On 8/2/20 5:27 PM, info@joomladev.eu wrote:
> Hello,
> I have set the httpd_unified boolean to on, and the httpd files are marked as httpd_sys_content_t. But when I create files via PHP-FPM, the files are created as httpd_sys_rw_content_t. Why are they not httpd_sys_content_t if I have this boolean enabled?
Hi,
This behavior is expected. When you enabled the httpd_sys_unified boolean, you allowed it to create files (with the label httpd_sys_rw_content_t) in a directory labeled as httpd_sys_content_t.
Here is the transition rule:
$ sesearch -T -s httpd_t -c file | grep httpd_sys_content
type_transition httpd_t httpd_sys_content_t:file httpd_sys_rw_content_t; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True

-T -> looking for transition rules
-s -> source context (in your case, the label of PHP-FPM)
-c -> class, in this case file
The output says: when one of the booleans is in the true state, any process labeled as httpd_t can create files with the label httpd_sys_rw_content_t in any directory labeled as httpd_sys_content_t.
I hope this helped.
Thanks, Lukas.
> It's on a fully updated CentOS 8 box.
> Thanks, Filip Bartmann
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
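The sesearch line quoted in the reply above can be read mechanically: a type_transition rule names a source domain, a parent type and object class, the type the new object receives, and an optional conditional expression over SELinux booleans. The following is an added example, not code from the thread or from the SELinux tools: it parses that one-line sesearch format (the sample text is constructed from the rule quoted above), evaluates the `&&`/`||`/`!` conditional against a given set of boolean states, and returns the label a new file would get. The fallback when no rule applies, inheriting the parent directory's type, is SELinux's default behavior for newly created files. Names such as `effective_type` and `ALL_ON` are this example's own.

```python
import re

# Constructed sample: the rule quoted in the thread, as sesearch -T prints it.
SESEARCH_OUTPUT = """\
type_transition httpd_t httpd_sys_content_t:file httpd_sys_rw_content_t; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True
"""

# Boolean states used for the demonstration (constructed, all three enabled).
ALL_ON = {"httpd_builtin_scripting": True, "httpd_unified": True, "httpd_enable_cgi": True}

# type_transition SOURCE TARGET:CLASS RESULT ["name"]; [ COND ]:True|False
RULE_RE = re.compile(
    r"^type_transition\s+(?P<source>\S+)\s+(?P<target>\S+):(?P<cls>\S+)\s+"
    r"(?P<result>[^;\s]+)(?:\s+\"(?P<name>[^\"]*)\")?;"
    r"(?:\s*\[\s*(?P<cond>.*?)\s*\]:(?P<state>True|False))?\s*$"
)


def parse_rules(text):
    """Parse sesearch -T output into a list of rule dicts; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append({
            "source": m["source"], "target": m["target"], "cls": m["cls"],
            "result": m["result"], "cond": m["cond"],
            # State of the conditional on the host where sesearch ran, if shown.
            "state_now": None if m["state"] is None else m["state"] == "True",
        })
    return rules


def condition_holds(condition, booleans):
    """Evaluate a sesearch conditional such as '( a && b && c )' or '!( a || b )'.

    `booleans` maps boolean name -> state. A boolean missing from the mapping is
    treated as off, the conservative reading when auditing what a rule permits.
    """
    tokens = re.findall(r"\(|\)|&&|\|\||!|[A-Za-z_][A-Za-z0-9_]*", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "||":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok in (")", "&&", "||"):
            raise ValueError(f"unexpected token {tok!r} in condition")
        return bool(booleans.get(tok, False))

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def effective_type(rules, source, parent_type, cls, booleans):
    """Label a new object of class `cls` gets when `source` creates it under a
    directory labeled `parent_type`. A conditional rule only applies when its
    whole expression is true; with no applicable rule the object inherits the
    parent directory's type (SELinux default)."""
    for rule in rules:
        if (rule["source"], rule["target"], rule["cls"]) != (source, parent_type, cls):
            continue
        if rule["cond"] is None or condition_holds(rule["cond"], booleans):
            return rule["result"]
    return parent_type


if __name__ == "__main__":
    rules = parse_rules(SESEARCH_OUTPUT)
    for name, states in (("all on", ALL_ON), ("httpd_unified off", {**ALL_ON, "httpd_unified": False})):
        label = effective_type(rules, "httpd_t", "httpd_sys_content_t", "file", states)
        print(f"{name}: new file under httpd_sys_content_t gets {label}")
```

Running the script with all three booleans on reproduces what the original poster observed: a file created by httpd_t under an httpd_sys_content_t directory is labeled httpd_sys_rw_content_t. Flipping any one of the three off leaves the conditional false, so the file simply inherits httpd_sys_content_t.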
So if I want to have only one SELinux type on my files, must I use httpd_sys_rw_content_t for all files?
Thanks, Filip Bartmann
On 8/14/20 9:41 AM, info@joomladev.eu wrote:
> So if I want to have only one SELinux type on my files, must I use httpd_sys_rw_content_t for all files?
Yes, _rw_ means read/write, so if any process labeled as httpd_t needs to modify or create a file, it should be labeled as httpd_sys_rw_content_t.
Thanks, Lukas.
> Thanks, Filip Bartmann