Set file context for symlinks in /etc/httpd to etc_t

For compatibility across different systems, apache httpd has symbolic links in /etc/httpd to different filesystem directories (state directory, runtime files, library modules, logs, etc.) The symlinks in /etc/httpd, like other files without a different private type, have the default httpd_config_t type. This setting can prevent domains without the permission to read httpd_config_t from working, while all domains have access to symlinks with the etc_t type. Resolves: rhbz#1890024
fedora-selinux · Nov 20, 2020 · 43318bf · 43318bf
1 parent 0cfef67
commit 43318bf
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/apache.fc b/apache.fc
@@ -14,9 +14,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)?	gen_context(system_u:objec
 /etc/rt(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/httpd/.*			-l	gen_context(system_u:object_r:etc_t,s0)
 /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
-/etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
-/etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
 /etc/init\.d/cherokee	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
 /etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)