cgi script needs to write to a cache location

Dominick Grift domg472 at
Tue Jun 30 20:53:56 UTC 2009

On Tue, 2009-06-30 at 16:48 -0400, Chuck Anderson wrote:
> I have a cgi script /usr/share/cricket/cgi-bin/grapher.cgi which needs 
> to write generated images to a cache in /var/cache/cricket.  I'm using 
> these file contexts to get the cgi script and static files working:
> /usr/share/[^/]*/www(/.*)?     system_u:object_r:httpd_sys_content_t:s0
> /usr/share/[^/]*/html(/.*)?    system_u:object_r:httpd_sys_content_t:s0
> /usr/share/[^/]*/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t:s0
> so grapher.cgi is running as httpd_sys_script_exec_t.  What type 
> should I make /var/cache/cricket(/.*)? to allow the cgi to 
> read/write/create files in this directory?
> I tried making /var/cache/cricket system_u:object_r:httpd_cache_t.  
> Here is the output of audit2allow after running this under "setenforce 
> 0":
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t httpd_cache_t:dir { write search getattr setattr add_name };
> allow httpd_sys_script_t httpd_cache_t:file { write read create ioctl getattr };
> Is there a better type in the standard policy than httpd_cache_t that 
> will allow httpd_sys_script_exec_t to write/create, or will I need to 
> define this policy myself?
> Thanks.

semanage fcontext -a -t httpd_sys_content_rw_t

restorecon -R -v /var/cache/cricket

Should work i believe

man httpd_selinux 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the fedora-selinux-list mailing list