/usr/share/setroubleshoot/plugins/allow_anon_write.py (compiled Python bytecode; recoverable contents only)

Imports: gettext (translation domain "setroubleshoot-plugins", fallback=True); setroubleshoot.util (*); setroubleshoot.Plugin (Plugin)

class plugin(Plugin)

summary:
    SELinux policy is preventing an httpd script from writing to a public directory.

problem_description:
    SELinux policy is preventing an httpd script from writing to a public directory. If httpd is not setup to write to public directories, this could signal an intrusion attempt.

fix_description:
    If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t. Read the httpd_selinux man page for further information: "setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t " You must also change the default file context labeling files on the system in order to preserve public directory labeling even on a full relabel. "semanage fcontext -a -t public_content_rw_t "

if_text:
    If you want to allow $SOURCE_PATH to be able to write to shared public content

then_text:
    you need to change the label on $TARGET_PATH to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.

get_do_text(self, avc, args) template:
    # semanage fcontext -a -t public_content_rw_t $TARGET_PATH
    # restorecon -R -v $TARGET_PATH
    # setsebool -P %s %s

__init__(self): calls Plugin.__init__ with __name__; level "green"

analyze(self, avc):
    target type (matches_target_types): public_content_t
    access check: all_accesses_are_in, create_file_perms
    source type (matches_source_types) and boolean passed to report:
        httpd_t             allow_httpd_anon_write (value "1")
        httpd_sys_script_t  allow_httpd_sys_script_anon_write
        ftpd_t              allow_ftpd_anon_write
        nfsd_t              allow_nfsd_anon_write
        rsync_t             allow_rsync_anon_write
        smbd_t              allow_smbd_anon_write