In the httpd_selinux(8) man page, references to the following booleans are missing:

httpd_can_check_spam
httpd_dontaudit_search_dirs
httpd_sys_script_anon_write
httpd_tmp_exec
httpd_unified
httpd_use_gpg

+++ This bug was initially created as a clone of Bug #2144514 +++

SELinux is preventing /usr/bin/bash from execute access on the file kitinerary-extractor.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to unify HTTPD handling of all content files.
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
You can read 'httpd_selinux' man page for more details.
Do
setsebool -P httpd_unified 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that bash should be allowed execute access on the kitinerary-extractor file by default.                                                                             
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                kitinerary-extractor [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           bash-4.4.20-4.el8_6.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-108.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              4.18.0-372.32.1.el8_6.x86_64 #1 SMP Tue Oct 25
                              05:53:57 EDT 2022 x86_64 x86_64
Alert Count                   2
First Seen                    2022-11-21 07:21:34 EST
Last Seen                     2022-11-21 07:21:34 EST
Local ID                      1f75424b-3f34-4224-8beb-42ce08c4f6e1

Raw Audit Messages
type=AVC msg=audit(1669033294.816:11840): avc:  denied  { execute } for  pid=640400 comm="sh" name="kitinerary-extractor" dev="dm-7" ino=3409397 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1669033294.816:11840): arch=x86_64 syscall=access success=no exit=EACCES a0=556b86fdb880 a1=1 a2=7ffcedc6a2b0 a3=0 items=0 ppid=447045 pid=640400 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:httpd_t:s0 key=(null)              

Hash: sh,httpd_t,httpd_sys_rw_content_t,file,execute

While one suggestion is to use the httpd_unified boolean and refers one to the httpd_selinux about it, that manpage doesn't even mention the boolean, so I cannot enable it with any confidence about what it's doing?  But one also has to wonder if it's too big of a hammer.

For context, this AVC seems to have happened in relation to NextCloud.

# debugfs /dev/dm-7                                                                                                                                                 
debugfs 1.45.6 (20-Mar-2020)
ncheck 3409397
debugfs:  ncheck 3409397
Inode   Pathname
3409397 /lib/nextcloud/apps/mail/vendor/christophwurst/kitinerary-bin/bin/kitinerary-extractor

--- Additional comment from Zdenek Pytela on 2022-12-21 09:51:54 CET ---

Brian,

What is the reason having the file labeled as httpd_sys_rw_content_t? Type of the file on the default location is

rhel88# matchpathcon /usr/libexec/kf5/kitinerary-extractor
/usr/libexec/kf5/kitinerary-extractor   system_u:object_r:bin_t:s0

and httpd is allowed to execute it:

rhel88# sesearch -A -s httpd_t -t bin_t -c file -p execute
allow httpd_t base_ro_file_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow httpd_t bin_t:file { execute execute_no_trans getattr ioctl lock map open read };


Other than that, you are right, the boolean seems to be quite powerful and not quite well documented:

rhel88# semanage boolean -l | grep -e ^SELinux -e httpd_unified
SELinux boolean                State  Default Description
httpd_unified                  (off  ,  off)  Unify HTTPD handling of all content files.

It also needs to be troubleshooted why the man page does not mention all httpd booleans.