I've been able to figure this out a little easier in the past just due to the context, but this one has me stumped. When I run sealert -a /var/log/audit/audit.log and get the typical output such as...
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/php-fpm from write access on the file index.html.
***** Plugin httpd_write_content (92.2 confidence) suggests ***************
If you want to allow php-fpm to have write access on the index.html file
Then you need to change the label on 'index.html'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'index.html'
# restorecon -v 'index.html'
...
...
...
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:httpd_sys_content_t:s0:c30
Target Objects index.html [ file ]
Source php-fpm
Source Path /usr/sbin/php-fpm
Port <Unknown>
Host <Unknown>
Source RPM Packages php-fpm-...
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name --REMOVED--
Platform --REMOVED--
Alert Count 12
First Seen 2020-07-28 10:31:59 EDT
Last Seen 2020-07-28 10:31:59 EDT
Local ID --REMOVED--
Raw Audit Messages
type=AVC msg=audit(...): avc: denied { write } for pid=... comm="php-fpm" name="index.html" dev="sda" ino=... scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0:c30 tclass=file permissive=0
type=SYSCALL msg=audit(...): arch=x86_64 syscall=access success=no exit=EACCES a0=... a1=2 a2=0 a3=0 items=0 ppid=... pid=... auid=... uid=... gid=... euid=... suid=... fsuid=... egid=... sgid=... fsgid=... tty=(none) ses=... comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=access AUID=unset UID=... GID=... EUID=... SUID=... FSUID=... EGID=... SGID=... FSGID=...
Hash: php-fpm,httpd_t,httpd_sys_content_t,file,write
--------------------------------------------------------------------------------
(some info removed for brevity, some for privacy)
There is nothing in this synopsis that indicates the location of the index.html file anywhere. My only thought is that one of the bits of info returned can be used to be a more detailed answer? But which? I'm sure with a little time I could figure out this specific one, as there won't be too many index.html files on my system, but I keep running into this and it's very time consuming trying to locate the files being referenced. Any help would be greatly appreciated!
You should be able to track it down using find and the inode number ino=... that you have removed.
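The lookup this answer describes, as an added example that is not part of the original post: it pulls the ino= field out of an AVC record and searches one filesystem for that inode. The function names (avc_field, find_by_inode, resolve_avc, demo) are hypothetical, and the record in demo is constructed around a temporary file so the script runs offline.

```shell
#!/bin/sh
# Added example: resolve the file behind an SELinux AVC denial via its inode.

# Print the value of KEY=... from an audit record, with quotes stripped.
# $1 = audit record line, $2 = key name (ino, dev, name, ...)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# List every path under ROOT whose inode number is INO.
# Inode numbers are only unique within one filesystem, so -xdev keeps the
# search on the filesystem ROOT lives on. Start from the mount point of the
# device named in the record's dev= field. Hard links yield several paths.
find_by_inode() {
    find "$1" -xdev -inum "$2" -print 2>/dev/null
}

# Resolve an AVC record ($1) to path(s), searching from mount point $2.
resolve_avc() {
    ino=$(avc_field "$1" ino)
    case "$ino" in
        ''|*[!0-9]*) echo "no numeric ino= field in record" >&2; return 1 ;;
    esac
    find_by_inode "$2" "$ino"
}

# Offline demo on constructed data: create a file, build an AVC-style record
# carrying its real inode number, and resolve the record back to the path.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/index.html"
    real_ino=$(ls -i "$dir/index.html" | awk '{print $1}')
    rec="type=AVC msg=audit(0.0:0): avc: denied { write } for pid=1 comm=\"php-fpm\" name=\"index.html\" dev=\"sda\" ino=$real_ino tclass=file permissive=0"
    resolve_avc "$rec" "$dir"
    rm -rf "$dir"
}

demo
```

On a real host, pass the unredacted type=AVC line and the mount point of the filesystem named by dev= instead of the temporary directory; searching from / with -xdev only covers the root filesystem.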