RHEL 8 - httpd (Apache): have directory/file SELinux type context restraints changed?


On RHEL7 with SELinux, you needed directories and files to have the httpd_sys_content_t context type assigned or httpd could not access and serve files.

However, on RHEL 8 I just noticed that I was able to access files before I changed the context type to httpd_sys_content_t on a directory and files under /opt. Is this a RHEL 8 policy change (which would be disappointing) or a bug?

Is there an easy way to see what SELinux restrictions remain on httpd for file access, if any? Here is the directory and file which, to my surprise, httpd will serve; I am just about certain this would not work on RHEL 7.

ls -ldZ /opt

drwxr-xr-x. 6 root root system_u:object_r:usr_t:s0 60 Jul 21 12:45 /opt

ls -dlZ /opt/w

drwxr-xr-x. 2 root root unconfined_u:object_r:usr_t:s0 20 Jul 21 12:45 /opt/w

ls -ldZ /opt/w/x.html

-rw-r--r--. 1 root root unconfined_u:object_r:usr_t:s0 6 Jul 21 12:45 /opt/w/x.html

Although irrelevant to the question, the standard /var/www/html directory still has the httpd_sys_content_t assignment. However, based on the above, it no longer appears to be a requirement.

ls -ldZ /var/www/html

drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 6 Jan 27 06:24 /var/www/html

sestatus

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

Responses

I'm also seeing this. Looks like massive relaxation of security.

I think the issue is that source type 'httpd_t' is now allowed to read files of target type 'usr_t'. If you change 'usr_t' to something like 'var_t', it should stop working.

You can run this command as root to see what's happening:

sesearch --allow --source httpd_t --target usr_t --class file

The "new" way can be useful if you want to serve HTML docs from /usr/share/doc, without having to mess with contexts on RH-supplied files.
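The question asks for an easy way to see which file-access restrictions still apply to httpd, and the reply above suggests querying the policy with sesearch and proving the point by relabelling to var_t. The script below is an added example, not code from the thread or from Red Hat: it wraps those two checks, walks every directory component of a path (httpd needs `search` on each directory as well as `read` on the file), and ends with the durable fix, recording the intended label with `semanage fcontext` so `restorecon` keeps it. It assumes an SELinux-enabled RHEL 8 host with setools (`sesearch`), policycoreutils-python-utils (`semanage`, `restorecon`), curl and a running httpd that already serves /opt/w under some URL; the function names, the path /opt/w/x.html and the URL http://localhost/w/x.html are illustrative assumptions, and the rule strings in the comments are constructed to show sesearch's output format.

```shell
#!/bin/bash
# Added example, not from the thread above: audit what the loaded SELinux
# policy lets httpd_t do with a given path, prove which label grants access
# by relabelling, and record the intended label. Assumed tools: sesearch,
# semanage, restorecon, chcon, stat (with SELinux support), curl.
set -u

# user:role:type:range -> type  (the strings `ls -Z` and `stat -c %C` print)
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# SELinux type of a file or directory; stat's %C prints the full context.
path_type() {
    selinux_type "$(stat -c %C -- "$1")"
}

# Regex matching one permission inside a sesearch rule. sesearch prints
# either "allow a b:c perm;" or "allow a b:c { p1 p2 };" (constructed
# examples), so the permission is delimited by "{", " ", "}" or ";".
perm_regex() {
    printf '[{ ]%s[ };]' "$1"
}

# Does a single sesearch rule line grant PERM?
rule_grants() {
    printf '%s\n' "$1" | grep -Eq "$(perm_regex "$2")"
}

# Ask the loaded policy: may httpd_t perform PERM on CLASS objects of TYPE?
# Exit 0 if any allow rule grants it, 1 otherwise. This is the query from
# the reply above, generalised over type, class and permission.
httpd_can() {
    sesearch --allow --source httpd_t --target "$1" --class "$2" \
        | grep -Eq "$(perm_regex "$3")"
}

# Report every component of PATH from the leaf up to /: httpd_t needs
# `search` on each directory and `read` on the file itself.
audit_path() {
    p=$1
    while :; do
        t=$(path_type "$p")
        if [ -d "$p" ]; then class=dir perm=search; else class=file perm=read; fi
        if httpd_can "$t" "$class" "$perm"; then v=allowed; else v=DENIED; fi
        printf '%-25s %-28s %s:%s %s\n' "$p" "$t" "$class" "$perm" "$v"
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
}

# Prove which label grants access: relabel the file to var_t (which the
# reply above expects httpd_t not to read), fetch it, restore the original
# type, fetch again. Expect a 403 for var_t and a 200 afterwards.
prove_by_relabel() {
    f=$1 url=$2
    orig=$(path_type "$f")
    chcon -t var_t -- "$f"
    curl -s -o /dev/null -w "var_t -> HTTP %{http_code}\n" "$url"
    chcon -t "$orig" -- "$f"
    curl -s -o /dev/null -w "$orig -> HTTP %{http_code}\n" "$url"
}

# The durable fix: record the intended label so restorecon (and a full
# relabel on boot) keep it, instead of relying on the usr_t rule.
label_for_httpd() {
    semanage fcontext -a -t httpd_sys_content_t "${1}(/.*)?"
    restorecon -Rv "$1"
}

# Usage (assumed paths/URL):
#   ./httpd_selinux_audit.sh audit /opt/w/x.html
#   ./httpd_selinux_audit.sh prove /opt/w/x.html http://localhost/w/x.html
#   ./httpd_selinux_audit.sh label /opt/w
case "${1:-}" in
    audit) audit_path "$2" ;;
    prove) prove_by_relabel "$2" "$3" ;;
    label) label_for_httpd "$2" ;;
esac
```

Run `audit` first: if every component reports `allowed` while the file is still usr_t, the usr_t allow rule is what is serving the content, and `audit` run against the same path after `label` shows the same result under httpd_sys_content_t. `prove` is a live test only, since it temporarily changes the label of the file it is given; do not point it at content you cannot afford to have unreachable for a moment.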