My scenario
I have set up 1 VM (CentOS 7) with:
- Nginx
- php-fpm
- Nextcloud
For this task, I have followed this guide (of course, I had to change some settings to make it work in my environment).
My question
At some point in the guide, I had to execute all these lines:
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/data(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/config(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/apps(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/assets(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/.htaccess'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/nextcloud/.user.ini'
sudo restorecon -Rv '/var/www/nextcloud'
The only experience I've had with SELinux was to alter the value of the boolean "httpd_can_network_connect_db". I had to do this because my database is located in another VM.
Just by reading a little of the semanage manpage, its options, etc., I guess that this is allowing reading and writing when my directories in the document root are accessed via Nextcloud? (I'm just guessing, since "httpd_sys_rw_content_t" seems to me like "read and write content".)
By the way, my Nextcloud installation is working properly; I'm just asking all of this because I want to understand what I did, and why, when I followed the installation guide.
So what I want to learn, and currently can't understand, is:
- What are these SELinux rules doing to the directories in my document root? Is what I said previously about the semanage rules right?
- Are they allowing access for reading and writing files in my directories because Nextcloud is like Dropbox?
- What is restorecon doing after applying all the semanage rules? Will the rules only be applied if I execute that "restorecon" line?
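As an added illustration (not part of the original post), here is a small Python model of the two steps the guide had you run: `semanage fcontext -a` records a pattern-to-type rule in the policy database, and `restorecon -Rv` is the step that compares every file's current label against those rules and relabels the mismatches. The rule list, the base-policy entry for /var/www and the on-disk labels are constructed for the demo, and the matcher is a simplified version of the libselinux lookup (anchored regex, local entries consulted after the base policy, last matching entry wins).

```python
import re

# Constructed specs in file_contexts format: (regex, type).  The first entry
# stands in for the base policy's rule for /var/www; the rest are exactly
# what the post's `semanage fcontext -a` commands add to file_contexts.local.
BASE_POLICY = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
]
LOCAL_POLICY = [
    (r"/var/www/nextcloud/data(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/www/nextcloud/config(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/www/nextcloud/apps(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/www/nextcloud/assets(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/www/nextcloud/.htaccess", "httpd_sys_rw_content_t"),
    (r"/var/www/nextcloud/.user.ini", "httpd_sys_rw_content_t"),
]

def expected_type(path, specs):
    """Return the type a relabel would assign to `path`.

    Simplified model of the libselinux lookup: a pattern must match the whole
    path (so `data(/.*)?` covers data/ and everything below it, but not a
    sibling called datafoo), and among matching specs the last one wins,
    which is why local entries are appended after the base policy.
    """
    for pattern, label in reversed(specs):
        if re.fullmatch(pattern, path):
            return label
    return None  # no spec covers this path

def relabel(current_labels, specs):
    """Model of `restorecon -Rv`: compare each file's on-disk type with the
    policy and return {path: (old, new)} for every file that would change."""
    changes = {}
    for path, old in current_labels.items():
        new = expected_type(path, specs)
        if new is not None and new != old:
            changes[path] = (old, new)
    return changes

if __name__ == "__main__":
    # Constructed snapshot right after the semanage commands: the policy
    # database knows the new rules, but the files still carry the type they
    # were created with.  Nothing changes on disk until restorecon runs.
    on_disk = {
        "/var/www/nextcloud/index.php": "httpd_sys_content_t",
        "/var/www/nextcloud/config/config.php": "httpd_sys_content_t",
        "/var/www/nextcloud/data/alice/files/notes.txt": "httpd_sys_content_t",
        "/var/www/nextcloud/.htaccess": "httpd_sys_content_t",
        "/var/www/nextcloud/datafoo/x": "httpd_sys_content_t",
    }
    for path, (old, new) in relabel(on_disk, BASE_POLICY + LOCAL_POLICY).items():
        print(f"relabeled {path} {old} -> {new}")
```

Running it relabels only config/, data/ and .htaccess; index.php keeps the read-only httpd_sys_content_t, which is the split the guide is aiming for.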