# /usr/share/setroubleshoot/plugins/allow_anon_write.py

import gettext
translation = gettext.translation('setroubleshoot-plugins', fallback=True)
_ = translation.gettext

from setroubleshoot.util import *
from setroubleshoot.Plugin import Plugin


class plugin(Plugin):
    summary = _('''
    SELinux policy is preventing an httpd script from writing to a public
    directory.
    ''')

    problem_description = _('''
    SELinux policy is preventing an httpd script from writing to a public
    directory.  If httpd is not setup to write to public directories, this
    could signal an intrusion attempt.
    ''')

    fix_description = _('''
    If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t.  Read the httpd_selinux
    man page for further information:
    "setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t "
    You must also change the default file context labeling files on the system in order to preserve public directory labeling even on a full relabel.  "semanage fcontext -a -t public_content_rw_t "
    ''')

    if_text = _('If you want to allow $SOURCE_PATH to be able to write to shared public content')

    then_text = _('you need to change the label on $TARGET_PATH to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.')

    def get_do_text(self, avc, args):
        do_text = """# semanage fcontext -a -t public_content_rw_t $TARGET_PATH
# restorecon -R -v $TARGET_PATH
# setsebool -P %s %s""" % args
        return do_text

    def __init__(self):
        Plugin.__init__(self, __name__)
        self.level = "green"

    def analyze(self, avc):
        if avc.matches_target_types(['public_content_t']) and \
           avc.all_accesses_are_in(avc.create_file_perms):
            if avc.matches_source_types(['httpd_t']):
                return self.report(("allow_httpd_anon_write", "1"))
            if avc.matches_source_types(['httpd_sys_script_t']):
                return self.report(("allow_httpd_sys_script_anon_write", "1"))
            if avc.matches_source_types(['ftpd_t']):
                return self.report(("allow_ftpd_anon_write", "1"))
            if avc.matches_source_types(['nfsd_t']):
                return self.report(("allow_nfsd_anon_write", "1"))
            if avc.matches_source_types(['rsync_t']):
                return self.report(("allow_rsync_anon_write", "1"))
            if avc.matches_source_types(['smbd_t']):
                return self.report(("allow_smbd_anon_write", "1"))

        return None