
I have a web app that receives, stores, and processes files using AI algorithms implemented in Python. The web app is developed in a server-side scripting language, but when invoking the Python programs on uploaded files, SELinux denies permissions to access those files.

Suppose I have a site distribution package in the following directory format:

/bin    # Python binaries
/doc    # explains some important things
/web    # document root.

and a file pool directory in the environment variable $FILE_POOL.

How do I correctly and safely configure SELinux to allow such access?

DannyNiu

1 Answer


One of the many popular search results suggests using public_rw_content_t for the file pool directory, but that's not correct under this scenario as it only applies to making Samba-shared files available for access to website executable scripts.

The correct way is to configure the directories for scripts (/bin) as httpd_sys_script_exec_t and then the file pool ($FILE_POOL) to httpd_sys_rw_content_t. These are the dedicated filesystem context types for executable scripts and "file pools".

Reference: httpd_selinux man page at man.freebsd.org, linux.die.net, and redhat.com

DannyNiu
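The labeling described in the answer above, as an added example that is not part of the original post: it prints the `semanage fcontext` and `restorecon` commands for review instead of running them. The function names are hypothetical, `/srv/site` and `/srv/site-pool` are constructed sample paths, and it assumes the package's `bin` directory sits under a site root.

```shell
#!/bin/sh
# Added example: prints the labeling commands; it does not execute them.

# Refuse paths that would give an over-broad or malformed fcontext rule.
check_dir() {
    case "$1" in
        ""|/)   echo "refusing empty path or /" >&2; return 1 ;;
        *..*|*[!A-Za-z0-9/_.-]*)
                echo "unsafe characters in: $1" >&2; return 1 ;;
        /*)     return 0 ;;
        *)      echo "not an absolute path: $1" >&2; return 1 ;;
    esac
}

# Print the persistent rule and the relabel for one directory tree.
label_rule() {   # $1 = SELinux type, $2 = directory
    dir=${2%/}
    check_dir "$dir" || return 1
    # fcontext specs are regular expressions, so literal dots are escaped.
    spec=$(printf '%s' "$dir" | sed 's/\./\\./g')
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$1" "$spec"
    printf "restorecon -Rv '%s'\n" "$dir"
}

# The two types are the ones named in the answer.
selinux_plan() {   # $1 = site root (contains bin/), $2 = file pool directory
    # Checking the root first keeps "/" from turning into the system /bin.
    check_dir "${1%/}" || return 1
    label_rule httpd_sys_script_exec_t "${1%/}/bin" &&
    label_rule httpd_sys_rw_content_t "$2"
}

# Constructed sample paths; review the output, then run it as root.
selinux_plan /srv/site /srv/site-pool
```

After the printed commands have been applied, `ls -Zd` on each directory shows the type now assigned to it.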