On RHEL7 with SELinux, you needed directories and files to have the httpd_sys_content_t context type assigned or httpd could not access and serve files.
However, on RHEL 8 I just noticed that I was able to access files before I changed the context type to httpd_sys_content_t on a directory and files under opt. Is this a RHEL 8 policy change (which would be disappointing) or a bug?
Is there an easy way to see what SELinux restrictions remain on httpd for file access if any? Here is the directory and file which to my surprise httpd will serve; I am just about certain this would not work on RHEL 7.
ls -ldZ /opt
drwxr-xr-x. 6 root root system_u:object_r:usr_t:s0 60 Jul 21 12:45 /opt
ls -dlZ /opt/w
drwxr-xr-x. 2 root root unconfined_u:object_r:usr_t:s0 20 Jul 21 12:45 /opt/w
ls -ldZ /opt/w/x.html
-rw-r--r--. 1 root root unconfined_u:object_r:usr_t:s0 6 Jul 21 12:45 /opt/w/x.html
Although irrelevant to the question, the standard /var/www/html directory still has the httpd_sys_content_t assignment. However, based on the above, it no longer appears to be a requirement.
ls -ldZ /var/www/html
drwxr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 6 Jan 27 06:24 /var/www/html
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33