Bug 432836 - sec-policy/selinux-base-policy-2.20120725-r4: incomplete interfaces apache_read_sys_content, apache_manage_sys_content ...
Status: RESOLVED INVALID
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal enhancement
Assignee: SE Linux Bugs
Reported: 2012-08-26 11:07 UTC by Vincent Brillault
Modified: 2012-09-13 08:15 UTC

Description Vincent Brillault 2012-08-26 11:07:59 UTC
httpd_sys_content_t is created in the apache policy by "apache_content_template(sys)", which will also create httpd_sys_rw_content_t, but the different interfaces concerning the 'sys_content' (apache_list_sys_content, apache_manage_sys_content, apache_search_sys_content, apache_read_sys_content ...) only give access to httpd_sys_content_t and no access at all to httpd_sys_rw_content_t.

I'm using httpd_sys_rw_content_t for marking web rw content in /var/www (The only problem being that webapp-config doesn't generate modules for marking rw content), but it's currently unusable by nginx (for example), as the only "httpd" rule nginx contains is "apache_read_sys_content(nginx_t)" which does not give read access to httpd_sys_rw_content_t.

I'm also using this domain for phpfpm (e.g. manage_files_pattern(phpfpm_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t)) and thus would need an apache_manage_rw_sys_content interface.

Reproducible: Always

Steps to Reproduce:
1. Install given selinux rules
Comment 1 Vincent Brillault 2012-08-26 11:49:07 UTC
Concerning the possible "apache_manage_rw_sys_content" interface, in fact there is no need for such a thing, as apache_manage_all_rw_content already gives read/write rights for httpd_sys_rw_content_t and httpd_user_rw_content_t (which doesn't seem to be used).
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-27 16:26:34 UTC
This seems to be by design.

If you need to access the rw content, you can use the apache_*_all_rw_content methods.

We can't add in interfaces for types that are generated by a template - the only possibilities here are to either use attributes (such as is the case with the apache_*_all_rw_content methods) or define the types in the main module (and not through the template).

You also mentioned that for the manage part, you would use the apache_manage_all_rw_content. Are there any other things in this bug report that you consider as needed? Or are the attribute-related interfaces sufficient for you?
Comment 3 Vincent Brillault 2012-09-13 08:15:28 UTC
Ok, using the apache_*_all_rw_content should do the job.
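The resolution agreed in this thread, written out as an added example (a constructed local policy module, not code from the bug report or from the Gentoo policy packages): the per-type apache_*_sys_content interfaces only reach httpd_sys_content_t, so a domain that must also write to httpd_sys_rw_content_t gets that access through the attribute-based apache_manage_all_rw_content interface instead of a per-type interface that the template cannot provide. The module name local_nginx_rwcontent is an assumption; the nginx_t domain is taken from the report and is assumed to be defined by an already-loaded nginx module.

```selinux
policy_module(local_nginx_rwcontent, 1.0)

# Constructed example: a local module that gives nginx_t (which, per the
# report, only calls apache_read_sys_content) both read access to
# httpd_sys_content_t and read/write access to httpd_sys_rw_content_t.
# Assumption: nginx_t already exists in the loaded policy.
gen_require(`
	type nginx_t;
')

# Read-only web content (httpd_sys_content_t): the per-type interface.
# This grants nothing on httpd_sys_rw_content_t, which is the gap the
# report describes.
apache_read_sys_content(nginx_t)

# Writable web content: use the attribute-based interface named in
# comments 1 and 2. Because it is attribute-based, the grant covers every
# rw content type generated by apache_content_template (httpd_sys_rw_content_t
# and httpd_user_rw_content_t at minimum), not just the sys one, so it is
# wider than a hypothetical apache_manage_rw_sys_content would have been.
apache_manage_all_rw_content(nginx_t)
```

The labeling side (the reporter marks rw content under /var/www by hand because webapp-config does not generate it) belongs in the module's .fc file, for example `/var/www/localhost/htdocs/uploads(/.*)?  gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` with a constructed path, followed by a restorecon of that tree. Keep the rw label to the directories that really need writes: every domain granted apache_manage_all_rw_content can write anything carrying that label.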