I have 2 sites/apps on a server: a proprietary app, and Nextcloud. Nextcloud will be using the `files_external` storage plugin, which allows for local mounts, but I do NOT want it to be able to browse and view the source of the proprietary app... thus `mod_selinux` and sedomain children.

I'm using `mod_selinux` to create domain children, and I'm assigning a child id to each of the sites and labelling their respective app and data directories accordingly in their vhost definitions...
`httpd.conf`

```
selinuxServerDomain *:s0-s0:c0.c100
```

`proprietary.vhost.conf`

```
selinuxDomainVal *:s0:c10
```

`nextcloud.vhost.conf`

```
selinuxDomainVal *:s0:c20
```
The app directory, where the code is located, has the following permissions and contexts applied...

```
drwxr-x---.  4 apache apache unconfined_u:object_r:httpd_sys_content_t:s0:c10 4096 Jan 17 17:02 proprietary_app_dir
drwxr-x---. 15 apache apache unconfined_u:object_r:httpd_sys_content_t:s0:c20 4096 Jan 20 08:09 nextcloud
```
The problem...
Everything is running, but the problem is, I can still browse the proprietary app folder using Nextcloud even though the proprietary app's directory has a domain context limited to `s0:c10`, and as far as the vhost is defined, Nextcloud should be running as `s0:c20`.

I know that SELinux is doing its job because I can't view folders like `/etc` even though other users have read permissions on it; I can only view folders with contexts of `httpd_sys_(rw_)content_t`, as it should be.

I would have expected that a child process of `c20` should not be able to read a folder asking for `c10`. So the only thing I can think of is that the spawned children of `httpd_t` (via `mod_selinux`) are not using the `selinuxDomainVal` contexts that I've defined in the vhost files.
I'm not sure what I've done wrong, have I misconfigured this somehow, or have I forgotten a step? Would appreciate any help you can offer.
Extra info...
- CentOS 8
- Apache 2.4.37
- PHP 7.3 (via remi)
- PHP-FPM
- mod_selinux (repackaged RPM from fedora 31)
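An added diagnostic for the question above (not from the original post): with PHP-FPM in the stack, Nextcloud's PHP code opens files from the php-fpm worker processes, which are separate from the httpd workers whose context `mod_selinux` switches per vhost, so the MCS level worth checking is the one carried by those php-fpm processes rather than the httpd child. The script parses `ps -eZ` output and lists workers whose level is not the vhost's single category; the `ps` lines it runs on are a constructed sample, and the PIDs and the `httpd_t` type on php-fpm are assumptions, not captured from the poster's server.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (NOT captured from the server in the
# question): the httpd parent carries the selinuxServerDomain range, the two
# httpd workers carry the per-vhost categories, and the php-fpm workers carry
# a bare s0, i.e. no category at all.
SAMPLE_PS='system_u:system_r:httpd_t:s0-s0:c0.c100  1201 ?  00:00:00 httpd
system_u:system_r:httpd_t:s0:c10                 1210 ?  00:00:00 httpd
system_u:system_r:httpd_t:s0:c20                 1211 ?  00:00:00 httpd
system_u:system_r:httpd_t:s0                     1300 ?  00:00:00 php-fpm
system_u:system_r:httpd_t:s0                     1301 ?  00:00:00 php-fpm'

# MCS level of a context string: everything after user:role:type.
mcs_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Level of the process with PID $2 in the ps text $1 (empty if absent).
level_of_pid() {
    printf '%s\n' "$1" | awk -v pid="$2" '$2 == pid { print $1; exit }' |
        while read -r ctx; do mcs_level "$ctx"; done
}

# True when a level is exactly s0 plus the single vhost category, e.g. s0:c20.
# A bare s0, or the parent's s0-s0:c0.c100 range, is not a confined worker.
has_category() {
    [ "$1" = "s0:$2" ]
}

# Print "pid level" for every process whose command name is $2 (httpd,
# php-fpm) and whose level lacks category $3: these are the workers that
# can read a directory labelled with another vhost's category.
unconfined_workers() {
    printf '%s\n' "$1" | awk -v name="$2" '$NF == name { print $1, $2 }' |
        while read -r ctx pid; do
            level=$(mcs_level "$ctx")
            has_category "$level" "$3" || printf '%s %s\n' "$pid" "$level"
        done
}

# Usage on the constructed sample; on a real host pass "$(ps -eZ)" instead.
echo "php-fpm workers not confined to c20:"
unconfined_workers "$SAMPLE_PS" php-fpm c20
```

If the php-fpm workers show up here while the httpd worker for the Nextcloud vhost shows `s0:c20`, the per-vhost category is being applied, just not to the process that actually opens the files.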