我在Debian挤压系统上设置了SE Linux,该系统运行Joomla网站. Joomla PHP代码希望对某些缓存目录具有写访问权. @H_404_1@/ var / log / messages文件包含以下条目：

Dec 31 10:26:16 s0022 kernel: [ 2116.423199] type=1400 audit(1356945976.634:14831): 
  avc:  denied  { write } for  pid=1886 comm="apache2" name="_system" dev=xvda3 
  ino=790893 scontext=system_u:system_r:httpd_t:s0
  tcontext=unconfined_u:object_r:httpd_t:s0 tclass=dir
Dec 31 10:26:16 s0022 kernel: [ 2116.447613] type=1400 audit(1356945976.658:14837): 
  avc:  denied  { write } for  pid=1886 comm="apache2" name="mod_mainmenu" dev=xvda3
  ino=791346 scontext=system_u:system_r:httpd_t:s0
  tcontext=unconfined_u:object_r:httpd_t:s0 tclass=dir

@H_404_1@与inode值对应的目录可由apache2写入(作为wwwrun运行).缓存文件是在SELinux关闭时创建的,但在激活时不会创建.然而,这些目录的路径与Debian Squeeze的默认DocumentRoot不同.

# ls -ldZ cache cache/_system cache/mod_mainmenu
drwxrwxr-x. 5 wwwrun www unconfined_u:object_r:httpd_t:s0 4096 Dec 29 23:13 cache
drwxrwxr-x. 2 wwwrun www unconfined_u:object_r:httpd_t:s0 4096 Dec 30 19:31 cache/mod_mainmenu
drwxrwxr-x. 2 wwwrun www unconfined_u:object_r:httpd_t:s0 4096 Dec 30 19:31 cache/_system

@H_404_1@我也试过启用写相关的布尔标志,但这也没有帮助：

# getsebool -a | grep httpd
allow_httpd_anon_write --> on
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> on
allow_httpd_user_script_anon_write --> on
httpd_builtin_scripting --> off
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off

@H_404_1@我已经使用audit2allow来创建可加载模块以启用其他守护进程的写访问(例如对于rotatelog),但我不认为这是在这种情况下的方法. httpd的模块已经存在,如果可以避免,我不想以任何方式触摸它.

@H_404_1@我只是想找到一种方法让apache2 / PHP / Joomla在我特定的DocumentRoot中的特定目录中写入,而不授予对其他任何内容的写入权限.请指教.

chcon -R -t public_content_rw_t /path/to/wwwroot/cache