SELinux preventing Apache from writing to a file

For files you want Apache to be able to write to, the type must be set to httpd_sys_rw_content_t.
To permanently mark that directory as httpd_sys_rw_content_t, use the following commands (the regular expression must be quoted so the shell does not expand it):

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/webapp/k/site(/.*)?"
restorecon -RF /var/www/webapp/k/site/

This will survive SELinux binary policy updates and filesystem relabeling.

SELinux confines httpd (the Apache web server) processes via flexible mandatory access control.

BOOLEANS
SELinux policy is customizable according to the least access required. The httpd policy is extremely flexible and has several booleans that let you adjust the policy and run httpd with the tightest access possible.

If you want to allow httpd to act as a relay, you must turn on the httpd_can_network_relay boolean.

setsebool -P httpd_can_network_relay 1

If you want to allow HTTPD scripts and modules to connect to databases over the network, you must turn on the httpd_can_network_connect_db boolean.

setsebool -P httpd_can_network_connect_db 1

If you want to allow httpd to run gpg in the gpg-web domain, you must turn on the httpd_use_gpg boolean.

setsebool -P httpd_use_gpg 1

If you want to allow httpd to execute CGI scripts, you must turn on the httpd_enable_cgi boolean.

setsebool -P httpd_enable_cgi 1

If you want to allow httpd to access CIFS file systems, you must turn on the httpd_use_cifs boolean.

setsebool -P httpd_use_cifs 1

If you want to allow Apache to use mod_auth_pam, you must turn on the allow_httpd_mod_auth_pam boolean.

setsebool -P allow_httpd_mod_auth_pam 1

If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean.

setsebool -P httpd_enable_homedirs 1

If you want to allow Apache to communicate with the avahi service via dbus, you must turn on the httpd_dbus_avahi boolean.

setsebool -P httpd_dbus_avahi 1

If you want to unify HTTPD handling of all content files, you must turn on the httpd_unified boolean.

setsebool -P httpd_unified 1

If you want to allow HTTPD scripts and modules to connect to the network using any TCP port, you must turn on the httpd_can_network_connect boolean.

setsebool -P httpd_can_network_connect 1

If you want to allow httpd scripts and modules to use execmem/execstack, you must turn on the httpd_execmem boolean.

setsebool -P httpd_execmem 1

If you want to allow httpd to connect to the ldap port, you must turn on the httpd_can_connect_ldap boolean.

setsebool -P httpd_can_connect_ldap 1

If you want to allow Apache to use mod_auth_ntlm_winbind, you must turn on the allow_httpd_mod_auth_ntlm_winbind boolean.

setsebool -P allow_httpd_mod_auth_ntlm_winbind 1

If you want to allow HTTPD to communicate with the terminal, which is needed for entering the passphrase for certificates at the terminal, you must turn on the httpd_tty_comm boolean.

setsebool -P httpd_tty_comm 1

If you want to allow httpd to act as an FTP client connecting to the ftp port and ephemeral ports, you must turn on the httpd_can_connect_ftp boolean.

setsebool -P httpd_can_connect_ftp 1

If you want to allow httpd to read user content, you must turn on the httpd_read_user_content boolean.

setsebool -P httpd_read_user_content 1

If you want to allow httpd to access NFS file systems, you must turn on the httpd_use_nfs boolean.

setsebool -P httpd_use_nfs 1

If you want to allow Apache to execute tmp content, you must turn on the httpd_tmp_exec boolean.

setsebool -P httpd_tmp_exec 1

If you want to allow httpd processes to manage IPA content, you must turn on the httpd_manage_ipa boolean.

setsebool -P httpd_manage_ipa 1

If you want to allow the http daemon to send mail, you must turn on the httpd_can_sendmail boolean.

setsebool -P httpd_can_sendmail 1

If you want to allow httpd to use built-in scripting (usually PHP), you must turn on the httpd_builtin_scripting boolean.

setsebool -P httpd_builtin_scripting 1

If you want to allow the http daemon to check spam, you must turn on the httpd_can_check_spam boolean.

setsebool -P httpd_can_check_spam 1

If you want to allow BIND to bind to the Apache port, you must turn on the named_bind_http_port boolean.

setsebool -P named_bind_http_port 1

If you want to allow httpd to connect to a memcache server, you must turn on the httpd_can_network_memcache boolean.

setsebool -P httpd_can_network_memcache 1

If you want to allow HTTPD scripts and modules to connect to cobbler over the network, you must turn on the httpd_can_network_connect_cobbler boolean.

setsebool -P httpd_can_network_connect_cobbler 1

If you want to allow HTTPD to run SSI executables in the same domain as system CGI scripts, you must turn on the httpd_ssi_exec boolean.

setsebool -P httpd_ssi_exec 1

If you want to allow httpd to act as an FTP server by listening on the ftp port, you must turn on the httpd_enable_ftp_server boolean.

setsebool -P httpd_enable_ftp_server 1

If you want to allow the http daemon to connect to zabbix, you must turn on the httpd_can_connect_zabbix boolean.

setsebool -P httpd_can_connect_zabbix 1

If you want to allow the httpd daemon to change system limits, you must turn on the httpd_setrlimit boolean.

setsebool -P httpd_setrlimit 1

SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t or public_content_rw_t. These contexts allow any of the above domains to read the content. If you want a particular domain to write to content labeled public_content_rw_t, you must also set the appropriate boolean.

Allow httpd servers to read the /var/httpd directory by adding the public_content_t file type to the directory and by restoring the file type.

semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
restorecon -F -R -v /var/httpd

Allow httpd servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_httpd_anon_write boolean to be set.

semanage fcontext -a -t public_content_rw_t "/var/httpd/incoming(/.*)?"
restorecon -F -R -v /var/httpd/incoming

If you want to allow Apache scripts to write to public content (the directories/files must be labeled public_content_rw_t), you must turn on the allow_httpd_sys_script_anon_write boolean.

setsebool -P allow_httpd_sys_script_anon_write 1

If you want to allow Apache to modify public files used for public file transfer services (the directories/files must be labeled public_content_rw_t), you must turn on the allow_httpd_anon_write boolean.

setsebool -P allow_httpd_anon_write 1
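The decision this page walks through (relabel writable content as httpd_sys_rw_content_t, turn on the narrowest boolean for a network connection, or set allow_httpd_anon_write / allow_httpd_sys_script_anon_write for public_content_rw_t directories) starts from the AVC denial in /var/log/audit/audit.log. The script below is an added example, not part of the original page or of the SELinux policy: it parses standard AVC records and maps each denial to one of those actions. The port-type to boolean table and the "<dir>" placeholders in the suggested commands are my own assumptions; the denials are constructed.

```python
import re
# Added example: read AVC denials and decide between a relabel and a boolean.
_DENIED = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_WRITE = {"write", "create", "add_name", "remove_name", "unlink"}
_PORT_BOOL = {  # policy port types -> the narrow boolean from the list above (assumed mapping)
    "postgresql_port_t": "httpd_can_network_connect_db",
    "memcache_port_t": "httpd_can_network_memcache",
    "ldap_port_t": "httpd_can_connect_ldap",
    "smtp_port_t": "httpd_can_sendmail",
}

def parse_avc(line):
    """(permission set, field dict) for an AVC record, None for other lines."""
    m = _DENIED.search(line)
    if m is None or "avc:" not in line:
        return None
    return set(m.group(1).split()), {k: v.strip('"') for k, v in _KV.findall(line)}

def classify(line):
    """('relabel' | 'boolean' | 'review' | 'ignore', detail) for one denial."""
    if (parsed := parse_avc(line)) is None:
        return None
    perms, f = parsed
    stype = f.get("scontext", "::").split(":")[2]  # e.g. httpd_t
    ttype = f.get("tcontext", "::").split(":")[2]  # e.g. httpd_sys_content_t
    tclass = f.get("tclass")
    if stype not in ("httpd_t", "httpd_sys_script_t"):
        return "ignore", f"source domain {stype} is not httpd; no httpd boolean applies"
    if tclass in ("dir", "file") and perms & _WRITE:
        if ttype == "httpd_sys_content_t":  # writable web content: relabel, no boolean
            return "relabel", ('semanage fcontext -a -t httpd_sys_rw_content_t '
                               f'"<dir containing {f.get("name")}>(/.*)?" && restorecon -RF <dir>')
        if ttype == "public_content_rw_t":  # shared drop directory: needs its boolean
            return "boolean", ("allow_httpd_anon_write" if stype == "httpd_t"
                               else "allow_httpd_sys_script_anon_write")
    if tclass == "tcp_socket" and "name_connect" in perms:
        narrow = _PORT_BOOL.get(ttype)
        return ("boolean", narrow) if narrow else (
            "review", f"no narrow boolean for {ttype}; httpd_can_network_connect opens every port")
    return "review", f"{' '.join(sorted(perms))} on {ttype}:{tclass}"

# Constructed denials in audit.log format (not captured from a real host).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.100:41): avc:  denied  { write } for  pid=1201 comm="httpd" name="uploads" dev="dm-0" ino=5120 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.200:42): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.300:43): avc:  denied  { write } for  pid=1340 comm="php-cgi" name="incoming" dev="dm-0" ino=5133 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1700000000.300:43): arch=c000003e syscall=257 success=no exit=-13
"""
```

Run it as `for line in SAMPLE_LOG.splitlines(): print(classify(line))` against an excerpt of your own audit.log; a "review" result means the denial needs a human decision, not a reflexive setsebool.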