SELinux errors from WordFence

something in WF interacts with sendmail and generates SELinux access errors from time to time … trying to figure out why sendmail would need read/write access to most if not all of the files in /home/blueridge/public_html/wp-content/wflogs/

at the moment I have all of the wflogs files having the “type” of httpd_sys_rw_content_t

an example /var/log/messages entry

Apr 16 12:11:18 vhost95 setroubleshoot: SELinux is preventing sendmail from ‘read, write’ accesses on the file /home/blueridge/public_html/wp-content/wflogs/ips.php. For complete SELinux messages run: sealert -l 732aab86-8c71-4521-96b0-a83cf657464d

Apr 16 12:11:18 vhost95 python: SELinux is preventing sendmail from ‘read, write’ accesses on the file /home/blueridge/public_html/wp-content/wflogs/ips.php.#012#012***** Plugin restorecon (99.5 confidence) suggests ************************#012#012If you want to fix the label. #012/home/blueridge/public_html/wp-content/wflogs/ips.php default label should be httpd_sys_content_t.#012Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.#012Do#012# /sbin/restorecon -v /home/blueridge/public_html/wp-content/wflogs/ips.php#012#012***** Plugin catchall (1.49 confidence) suggests **************************#012#012If you believe that sendmail should be allowed read write access on the ips.php file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c ‘sendmail’ –raw | audit2allow -M my-sendmail#012# semodule -i my-sendmail.pp#012

Restorecon wants to change the files to httpd_sys_content_t … but the php modules in WF need httpd_sys_rw_content_t in order to write to them and update them … at least that was the only way I could get WF to work at all …

thoughts anyone ?