podman-compose Concept

Add a user such as podman to your system and enable “auto start” for that user with loginctl enable-linger podman.
In /etc/containers/registries.conf set unqualified-search-registries = [ "docker.io"].


As the podman user, create two folders: /home/podman/compose and /home/podman/storage.

Add a systemd user service:

[podman@53c70r ~]$ cat /home/podman/.config/systemd/user/podman-compose@.service 
[Unit]
Description=%i podman compose service
Wants=network.target
After=network-online.target

[Service]
Type=forking
TimeoutStartSec=infinity
TimeoutStopSec=70
Restart=on-failure
RemainAfterExit=true
WorkingDirectory=/home/podman/compose/%I
ExecStart=podman-compose up -d
ExecStop=podman-compose down

[Install]
WantedBy=default.target

Reload systemd: systemctl --user daemon-reload.
Now put your docker-compose.yml in e.g. /home/podman/compose/nextcloud/docker-compose.yml.
For example (the :Z and :z volume flags only apply on SELinux-enforcing systems):

[podman@53c70r ~]$ cat /home/podman/compose/nextcloud/docker-compose.yml 

version: '3'

services:
  db:
    image: mariadb:10.5
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    volumes:
      - /home/podman/storage/nextcloud/db:/var/lib/mysql:Z
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    dns: 127.0.0.53
    cpus: 1

  redis:
    image: redis:alpine
    restart: always
    cpus: 1

  app:
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - /home/podman/storage/nextcloud/html:/var/www/html:z
      - /home/podman/storage/nextcloud/php-fpm/www2.conf:/usr/local/etc/php-fpm.d/www2.conf:ro,Z
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
      - MYSQL_PASSWORD=
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    depends_on:
      - db
      - redis
    dns: 127.0.0.53
    cpus: 1

  web:
    image: nginx:alpine
    restart: always
    ports:
      - 127.0.0.1:10000:80
    volumes:
      - /home/podman/storage/nextcloud/nginx/nginx.conf:/etc/nginx/nginx.conf:ro,Z
      - /home/podman/storage/nextcloud/html:/var/www/html:ro,z
    depends_on:
      - app
    cpus: 1
    dns: 127.0.0.53

  cron:
    image: nextcloud:fpm-alpine
    restart: always
    volumes:
      - /home/podman/storage/nextcloud/html:/var/www/html:z
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis
    cpus: 1
    dns: 127.0.0.53

Now you can simply enable and start your service with systemctl --user enable --now podman-compose@nextcloud.
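Before enabling the unit it is worth checking the compose directory for the mistakes that bite a rootless setup later: bind mounts without an SELinux relabel flag, ports published on every interface instead of 127.0.0.1, and empty secrets left in the environment list. The script below is an added example, not part of the original page; its checks are line-based heuristics over docker-compose.yml (no YAML parser), the linger directory /var/lib/systemd/linger is the one systemd uses for loginctl enable-linger, and the sample compose file at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: preflight checks to run as the
# podman user before "systemctl --user enable --now podman-compose@<name>".
# The checks are line-based heuristics over docker-compose.yml (no YAML
# parser); the sample compose file at the bottom is constructed.

# Report volume bind mounts that carry no SELinux relabel flag (:z or :Z).
# Returns 1 when any are found.
check_volume_labels() {
    offenders=$(grep -E '^[[:space:]]*-[[:space:]]*/' "$1" | grep -Ev '[:,][zZ][[:space:]]*$' || true)
    if [ -n "$offenders" ]; then
        printf 'volume without :z/:Z flag:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Report published ports with no bind address: "- 10000:80" listens on every
# interface, "- 127.0.0.1:10000:80" (as in the file above) stays local.
check_port_bindings() {
    offenders=$(grep -E '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$1" || true)
    if [ -n "$offenders" ]; then
        printf 'port published on all interfaces:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Report environment entries left empty, such as "- MYSQL_PASSWORD=".
check_empty_env() {
    offenders=$(grep -E '^[[:space:]]*-[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[[:space:]]*$' "$1" || true)
    if [ -n "$offenders" ]; then
        printf 'empty environment value:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# "loginctl enable-linger USER" records the user as a file under
# /var/lib/systemd/linger; the directory is a parameter so it can be tested.
check_linger() {
    [ -e "${2:-/var/lib/systemd/linger}/$1" ]
}

# Check that registries.conf lists docker.io as an unqualified-search registry.
check_registries() {
    grep -E '^[[:space:]]*unqualified-search-registries[[:space:]]*=' "$1" | grep -q '"docker.io"'
}

# run_preflight COMPOSE_FILE: run every file check, fail if any of them fails.
run_preflight() {
    rc=0
    check_volume_labels "$1" || rc=1
    check_port_bindings "$1" || rc=1
    check_empty_env "$1" || rc=1
    return $rc
}

# Constructed sample with one finding of each kind.
SAMPLE_COMPOSE=$(mktemp)
cat > "$SAMPLE_COMPOSE" <<'EOF'
services:
  db:
    image: mariadb:10.5
    volumes:
      - /home/podman/storage/nextcloud/db:/var/lib/mysql:Z
    environment:
      - MYSQL_ROOT_PASSWORD=
      - MYSQL_DATABASE=nextcloud
  web:
    image: nginx:alpine
    ports:
      - 127.0.0.1:10000:80
      - 10001:80
    volumes:
      - /home/podman/storage/nextcloud/html:/var/www/html:ro,z
      - /home/podman/storage/nextcloud/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
EOF

run_preflight "$SAMPLE_COMPOSE" || echo "preflight failed: fix the findings above before enabling the service"
```

On the real host, run check_linger podman and check_registries /etc/containers/registries.conf as well, then run_preflight /home/podman/compose/nextcloud/docker-compose.yml; the heuristics are deliberately strict, so a finding means "look at this line", not necessarily "this is wrong".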

Fresh Install of LineageOS with MicroG

Since I flashed my phone a lot and had some corrupt partitions over time, it was a good idea to wipe my whole phone clean:

Unlock your phone’s bootloader.
Download the official LineageOS image (only the .zip is needed).
Follow these steps and extract all partition images.
You should get these files:

-rw-rw-r--. 1 user user    1785856  6. Dez 11:58 aboot.img
-rw-rw-r--. 1 user user   67108864  6. Dez 11:57 boot.img
-rw-r--r--. 1 user user        492  1. Jan 2009  care_map.pb
-rw-rw-r--. 1 user user     266240  6. Dez 11:58 cmnlib64.img
-rw-rw-r--. 1 user user     208896  6. Dez 11:58 cmnlib.img
-rw-rw-r--. 1 user user      40960  6. Dez 11:58 devcfg.img
-rw-rw-r--. 1 user user   16777216  6. Dez 11:58 dsp.img
-rw-rw-r--. 1 user user    8388608  6. Dez 11:57 dtbo.img
-rw-rw-r--. 1 user user     323584  6. Dez 11:58 keymaster.img
-rw-rw-r--. 1 user user      61440  6. Dez 11:58 lksecapp.img
-rw-rw-r--. 1 user user   17809408  6. Dez 11:58 mdtp.img
drwxr-xr-x. 1 user user          6  6. Dez 11:55 META-INF
-rw-rw-r--. 1 user user   92274688  6. Dez 11:58 modem.img
-rw-r--r--. 1 user user  731475324  1. Jan 2009  payload.bin
-rw-r--r--. 1 user user        155  1. Jan 2009  payload_properties.txt
-rw-rw-r--. 1 user user     176128  6. Dez 11:58 rpm.img
-rw-rw-r--. 1 user user     454656  6. Dez 11:58 sbl1.img
-rw-rw-r--. 1 user user 3221225472  6. Dez 11:58 system.img
-rw-rw-r--. 1 user user    1531904  6. Dez 11:58 tz.img
-rw-rw-r--. 1 user user       4096  6. Dez 11:58 vbmeta.img
-rw-rw-r--. 1 user user 1073741824  6. Dez 11:58 vendor.img

Now erase all partitions of your phone:

fastboot erase aboot_a
fastboot erase aboot_b
fastboot erase boot_a
fastboot erase boot_b
fastboot erase cmnlib64_a
fastboot erase cmnlib64_b
fastboot erase cmnlib_a
fastboot erase cmnlib_b
fastboot erase devcfg_a
fastboot erase devcfg_b
fastboot erase dsp_a
fastboot erase dsp_b
fastboot erase dtbo_a
fastboot erase dtbo_b
fastboot erase keymaster_a
fastboot erase keymaster_b
fastboot erase lksecapp_a
fastboot erase lksecapp_b
fastboot erase mdtp_a
fastboot erase mdtp_b
fastboot erase modem_a
fastboot erase modem_b
fastboot erase rpm_a
fastboot erase rpm_b
fastboot erase sbl1_a
fastboot erase sbl1_b
fastboot erase system_a
fastboot erase system_b
fastboot erase tz_a
fastboot erase tz_b
fastboot erase vbmeta_a
fastboot erase vbmeta_b
fastboot erase vendor_a
fastboot erase vendor_b

Re-flash the following partitions:

fastboot flash aboot_a aboot.img
fastboot flash aboot_b aboot.img
fastboot flash cmnlib64_a cmnlib64.img
fastboot flash cmnlib64_b cmnlib64.img
fastboot flash cmnlib_a cmnlib.img
fastboot flash cmnlib_b cmnlib.img
fastboot flash devcfg_a devcfg.img
fastboot flash devcfg_b devcfg.img
fastboot flash dsp_a dsp.img
fastboot flash dsp_b dsp.img
fastboot flash keymaster_a keymaster.img
fastboot flash keymaster_b keymaster.img
fastboot flash lksecapp_a lksecapp.img
fastboot flash lksecapp_b lksecapp.img
fastboot flash mdtp_a mdtp.img
fastboot flash mdtp_b mdtp.img
fastboot flash modem_a modem.img
fastboot flash modem_b modem.img
fastboot flash rpm_a rpm.img
fastboot flash rpm_b rpm.img
fastboot flash sbl1_a sbl1.img
fastboot flash sbl1_b sbl1.img
fastboot flash tz_a tz.img
fastboot flash tz_b tz.img

You can flash boot, dtbo, system, vbmeta and vendor too if you don’t want to use MicroG.
Do not forget to lock your bootloader in this case.

For LineageOS with MicroG download the second image now.
Extract the partition images again like we did before.
You should now get these files:

-rw-r--r--. 1 root root   67108864  6. Dez 01:57 boot.img
-rw-rw-r--. 1 user user        506  1. Jan 2009  care_map.pb
-rw-r--r--. 1 root root    8388608  6. Dez 01:57 dtbo.img
drwxr-xr-x. 1 user user          6  6. Dez 01:36 META-INF
-rw-rw-r--. 1 user user  728089673  1. Jan 2009  payload.bin
-rw-rw-r--. 1 user user        155  1. Jan 2009  payload_properties.txt
-rw-r--r--. 1 root root 3221225472  6. Dez 01:58 system.img
-rw-r--r--. 1 root root       4096  6. Dez 01:58 vbmeta.img
-rw-r--r--. 1 root root 1073741824  6. Dez 01:58 vendor.img

Flash the remaining files and wipe data to be sure no remaining userdata is left:

fastboot flash boot_a boot.img
fastboot flash boot_b boot.img
fastboot flash dtbo_a dtbo.img
fastboot flash dtbo_b dtbo.img
fastboot flash system_a system.img
fastboot flash system_b system.img
fastboot flash vbmeta_a vbmeta.img
fastboot flash vbmeta_b vbmeta.img
fastboot flash vendor_a vendor.img
fastboot flash vendor_b vendor.img

fastboot -w

Lock the bootloader.
You should now have a fully working and completely clean LineageOS.
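Typing every erase and flash line by hand is where slot mix-ups happen. The helper below is an added example, not part of the original page: it takes the partition names used above, flashes each image to both A/B slots and stops at the first failure. DRY_RUN=1 (an assumption of this script, not a fastboot feature) prints the commands instead of executing them, and the ./official and ./microg directories are placeholders for wherever the two image sets were extracted.

```shell
#!/bin/sh
# Added example, not from the original page: flash every extracted partition
# image to both A/B slots and stop at the first failure, instead of typing
# each fastboot line by hand. The partition names are the ones the page
# flashes; DRY_RUN=1 (an assumption of this script) prints the fastboot
# commands instead of running them so the plan can be reviewed first.

# Partitions taken from the official image (first set).
FIRMWARE_PARTS="aboot cmnlib64 cmnlib devcfg dsp keymaster lksecapp mdtp modem rpm sbl1 tz"
# Partitions taken from the MicroG image (or the official one without MicroG).
OS_PARTS="boot dtbo system vbmeta vendor"

run_fastboot() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "fastboot $*"
    else
        fastboot "$@"
    fi
}

# erase_both_slots PART...: erase slot _a and _b of every partition given.
erase_both_slots() {
    for part in "$@"; do
        for slot in a b; do
            run_fastboot erase "${part}_$slot" || return 1
        done
    done
}

# flash_both_slots DIR PART...: DIR/PART.img must exist and be non-empty;
# flash it to PART_a and PART_b.
flash_both_slots() {
    dir=$1
    shift
    for part in "$@"; do
        img="$dir/$part.img"
        if [ ! -s "$img" ]; then
            echo "missing or empty image: $img" >&2
            return 1
        fi
        for slot in a b; do
            run_fastboot flash "${part}_$slot" "$img" || return 1
        done
    done
}

# Review the plan first (DRY_RUN=1), then run it for real with DRY_RUN unset:
#   erase_both_slots $FIRMWARE_PARTS $OS_PARTS
#   flash_both_slots ./official $FIRMWARE_PARTS   # placeholder directory
#   flash_both_slots ./microg $OS_PARTS           # placeholder directory
#   fastboot -w
DRY_RUN=1
erase_both_slots $FIRMWARE_PARTS $OS_PARTS
```

The missing-image check matters more than it looks: flashing an empty or absent file to one slot while the other slot keeps the old image is exactly the half-updated state the wipe above is meant to get rid of.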

F-Droid privileged extension installation (auto update)

Go to

https://f-droid.org/en/packages/org.fdroid.fdroid.privileged.ota/

download the latest package and verify its GPG signature:

tmp=$(mktemp -d) && cd $tmp
wget https://f-droid.org/repo/org.fdroid.fdroid.privileged.ota_2110.zip
unzip org.fdroid.fdroid.privileged.ota_2110.zip

Activate ADB root shell under developer settings on your phone.
Install the packages:

adb root
adb remount
adb push F-DroidPrivilegedExtension.apk /system/priv-app/
adb push 80-fdroid.sh /system/addon.d/
adb push permissions_org.fdroid.fdroid.privileged.xml /system/etc/permissions/

Install normal user space F-Droid and reboot your phone.

Done.

You should be able to see “Automatically install updates” in F-Droid settings.

Don’t forget to disable ADB root shell again.

Project “Find My Device”

Since I use LineageOS without any Google services, one important feature was still missing: finding my phone once I lost it. The idea was simple: gain persistent access, make API requests to get the needed information and send it back to my Nextcloud. I noticed that, being able to access the API directly, you could actually start to script your own little snippets, but we will get to this later.

Let’s start with the transport problem. Somehow we have to reach our smartphone at any time, punching holes through firewalls. The first method would be to use your own VPN such as WireGuard or OpenVPN. A much more convenient (but battery-draining) method would be a Tor hidden service, maybe even using bridges to obfuscate its real purpose (e.g. “Orbot”).

Install Termux, Termux:API and Termux:Boot on your Android.
Let’s set up the SSH server and install some dependencies we need later:

Open Termux on your phone and type in:

pkg install root-repo
pkg update
pkg upgrade
pkg install openssh termux-api jq zip
# this sets the password for the first login, but it is highly advised to use public-key authentication for your later ssh sessions
passwd
sshd

Now you should be able to access your phone’s Termux environment by ssh’ing into it from your notebook:

ssh root@your.mobile -p 8022

Let’s make sshd start on boot and change some settings (I’ll just show you the content of my setup):

cd ~

~ $ cat /data/data/com.termux/files/usr/etc/ssh/sshd_config
PrintMotd yes
# set this to yes if you want to enable password authentication
PasswordAuthentication no
Subsystem sftp /data/data/com.termux/files/usr/libexec/sftp-server

~ $ cat ~/.termux/boot/start-sshd
#!/data/data/com.termux/files/usr/bin/sh
termux-wake-lock
sshd

After that you should open Termux:Boot once on your phone. Maybe reboot your phone to check if everything works so far. (ssh should be available after reboot)

Well, let us start to have some fun.

Go to the app permission settings of your Android and grant all permissions to Termux:API.

Now ssh into your phone and execute:

termux-setup-storage

Tab-completing “termux-” will show all the tools you can use to control your phone. It should look like this:

~ $ termux-
termux-audio-info            termux-fix-shebang           termux-open                  termux-telephony-deviceinfo
termux-battery-status        termux-info                  termux-open-url              termux-toast
termux-brightness            termux-infrared-frequencies  termux-reload-settings       termux-torch
termux-call-log              termux-infrared-transmit     termux-reset                 termux-tts-engines
termux-camera-info           termux-job-scheduler         termux-sensor                termux-tts-speak
termux-camera-photo          termux-keystore              termux-setup-storage         termux-usb
termux-change-repo           termux-location              termux-share                 termux-vibrate
termux-chroot                termux-media-player          termux-sms-inbox             termux-volume
termux-clipboard-get         termux-media-scan            termux-sms-list              termux-wake-lock
termux-clipboard-set         termux-microphone-record     termux-sms-send              termux-wake-unlock
termux-contact-list          termux-nfc                   termux-speech-to-text        termux-wallpaper
termux-dialog                termux-notification          termux-storage-get           termux-wifi-connectioninfo
termux-download              termux-notification-list     termux-telephony-call        termux-wifi-enable
termux-fingerprint           termux-notification-remove   termux-telephony-cellinfo    termux-wifi-scaninfo

From this point it’s really up to the limitations of your imagination. Some examples could be…

Capture all telemetry and send it to your Nextcloud:

cd ~

~ $ cat scripts/get_telemetry
#!/data/data/com.termux/files/usr/bin/sh
date="$(date +'%d-%m-%y_%H-%M-%S')"
path="/data/data/com.termux/files/home/records/$date"
echo "create dir..."
mkdir -p "$path/txt"
echo "get wifi..."
termux-wifi-scaninfo > "$path/txt/wifi.txt"
echo "get cellinfo..."
termux-telephony-cellinfo > "$path/txt/cell.txt"
echo "get all sensor data..."
termux-sensor -a -n 1 > "$path/txt/sensor.txt"
echo "get location..."
# termux-location prints nothing while no fix is available; retry a bounded
# number of times instead of spinning forever and draining the battery
tries=0
while [ "$tries" -lt 30 ]
do
        echo "trying..."
        termux-location > "$path/txt/location.txt"
        if [ -s "$path/txt/location.txt" ]
        then
                echo "got location..."
                break
        fi
        tries=$((tries + 1))
        sleep 10
done
echo "export to nextcloud..."
zip -r "$path/$date.zip" "$path/txt" >&- 2>&-
# USERNAME and the app key are placeholders: use a Nextcloud app password, not your account password
curl -u USERNAME:GENERATE_YOUR_NEXTCLOUD_APP_KEY -T "$path/$date.zip" https://cloud.53c70r.de/remote.php/dav/files/sector/termux/

Play a presidential alert:

cd ~

~ $ cat scripts/presidential_alert
#!/data/data/com.termux/files/usr/bin/sh
lat=$(termux-location | jq -r ".latitude")
long=$(termux-location -r last | jq -r ".longitude")
termux-notification -c 'SEE EMERGENCY INFORMATION' -t "LOST DEVICE"
# keep the media volume pinned at maximum in a background loop
setsid -f sh -c "while true; do termux-volume music 15; sleep 1; done"
termux-torch on
termux-vibrate -f -d 2000
sleep 2
termux-media-player play /data/data/com.termux/files/home/scripts/data/eas.mp3
sleep 11
termux-torch off
termux-tts-speak -s MUSIC "GPS coordinates. latitude: $lat, longitude: $long. WARNING. This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personnel may provide the evidence of such monitoring to law enforcement officials."
# stop the background volume loop (note: this ends every other sh process too)
killall sh

Some loud alarm:

cd ~

~ $ cat scripts/loud_alarm
#!/data/data/com.termux/files/usr/bin/sh
# keep the media volume at maximum and strobe the torch in background loops
setsid -f sh -c "while true; do termux-volume music 15; sleep 1; done"
setsid -f sh -c "while true; do termux-torch on; sleep 1; termux-torch off; sleep 1; done"
termux-media-player play /data/data/com.termux/files/home/scripts/data/alarm.mp3
termux-torch off
# stop the background loops (note: this ends every other sh process too)
killall sh

Persistent ssh root backdoor on android

Tested on Android 10.
Get a root shell on your Android via adb and execute:

remount
ssh-keygen -A
mkdir /root
cp -r /data/ssh /root
cp /etc/ssh/sshd_config /root
chmod 740 /root
chmod 700 /root/ssh
touch /root/ssh/authorized_keys
chmod 600 /root/ssh/authorized_keys
chown root:root -R /root

Add your ssh pub-key to “/root/ssh/authorized_keys”, then execute:

sed -i 's/\/data\//\/root\//g' /etc/ssh/sshd_config
echo "HostKey /root/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config

Add the file “/root/start” with content:

#!/bin/sh
/bin/sshd -f /root/sshd_config

Add our daemon under “/system/etc/init/sshd.rc”:

service sshd /system/bin/sh /root/start
    user root
    group root
    oneshot
    seclabel u:r:su:s0

on property:sys.boot_completed=1 && property:sys.logbootcomplete=1
    start sshd

Reboot your device, done.
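A root sshd that starts from init deserves a second look before the reboot: password authentication must be off, root must be limited to keys, the host key must really come from /root, and the key directory must not be readable or writable by anyone else. The audit script below is an added example, not part of the original page; the paths default to the locations used above, the sshd_config semantics it relies on (last keyword wins, PasswordAuthentication defaults to yes) are OpenSSH's, and the sample configs in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: audit the sshd_config and key
# material that the steps above place under /root before the init service
# starts it. Paths default to the page's locations; sample inputs are
# constructed for the demonstration.

# sshd_option CONFIG KEYWORD: print the effective value of a keyword (the last
# occurrence wins here; Match blocks are not evaluated), empty when unset.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { val = $2 } END { print val }' "$1"
}

# audit_sshd_config CONFIG: fail unless password logins are off, root logins
# are limited to keys, and the host key lives under /root as set up above.
audit_sshd_config() {
    cfg=${1:-/root/sshd_config}
    rc=0
    pw=$(sshd_option "$cfg" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-unset, defaults to yes}'; set it to no" >&2
        rc=1
    fi
    prl=$(sshd_option "$cfg" PermitRootLogin)
    if [ "$prl" = "yes" ]; then
        echo "PermitRootLogin yes; prohibit-password limits root to key authentication" >&2
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*HostKey[[:space:]]+/root/' "$cfg"; then
        echo "no HostKey under /root; sshd would use a key outside the persistent location" >&2
        rc=1
    fi
    return $rc
}

# audit_key_dir DIR: the key directory should be 0700 and authorized_keys
# 0600 so only root can read or extend the list of keys allowed to log in.
audit_key_dir() {
    dir=${1:-/root/ssh}
    rc=0
    [ "$(stat -c '%a' "$dir")" = "700" ] || { echo "$dir is not mode 700" >&2; rc=1; }
    [ "$(stat -c '%a' "$dir/authorized_keys")" = "600" ] || { echo "$dir/authorized_keys is not mode 600" >&2; rc=1; }
    [ -s "$dir/authorized_keys" ] || { echo "$dir/authorized_keys is empty; no key can log in" >&2; rc=1; }
    return $rc
}

# Run both audits against the page's locations; either failing means the
# service should not be enabled yet.
audit_sshd_config /root/sshd_config && audit_key_dir /root/ssh && echo "sshd setup looks sane"
```

Run it from the adb root shell after the sed/echo step and again after the first reboot, since the copy under /root is what the init service actually reads.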

(On LineageOS 18.1 sshd will crash at the moment)
https://gitlab.com/LineageOS/issues/android/-/issues/3437

signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
Cause: null pointer dereference
    x0  0000000000000000  x1  0000007b0bd1dfb8  x2  0000000000000008  x3  0000000000000010
    x4  0000000000000000  x5  8080808080808080  x6  fefefefefefefeff  x7  7f7f7f7f7f7f7f7f
    x8  0101010101010101  x9  ffffff84f42e2047  x10 0000000000000068  x11 000000000b52b678
    x12 000000004f1d3b2b  x13 0000007ff25268cb  x14 0000007b0b6ddd42  x15 0000ffff00000fff
    x16 00000058c010e3f8  x17 0000007b0b66bb30  x18 0000007b0c578000  x19 0000000000000000
    x20 00000058c0110000  x21 000000791b5241f0  x22 000000791b5248e0  x23 0000000000000000
    x24 00000058c00d9e8d  x25 0000007b0baa6ae0  x26 0000000000000001  x27 0000000000000003
    x28 00000058c0111000  x29 0000007ff2527910
    lr  00000058c01071c8  sp  0000007ff2527330  pc  0000007b0b66bb40  pst 0000000080000000

backtrace:
      #00 pc 000000000004ab40  /apex/com.android.runtime/lib64/bionic/libc.so (strlen_default+16) (BuildId: be9c72fe4db37cd191b589b74d090d13)
      #01 pc 00000000000361c4  /system/bin/sshd (main+1720) (BuildId: 610e2671bc203f1b61ef273d60564a86)
      #02 pc 000000000004988c  /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+108) (BuildId: be9c72fe4db37cd191b589b74d090d13)

NGINX with ModSecurity and Fail2ban

cat /etc/fail2ban/filter.d/modsecurity.conf

# Fail2Ban filter for modsecurity
#
[Definition]

failregex = ^<HOST> \- \S+ \[\] \"(.*)\S+\" 444 .+$

This matches nginx access-log entries that ended with HTTP status code 444, so the host gets banned after the configured number of blocked requests.

Add this to your “/etc/fail2ban/jail.local”:

[modsecurity]
port = http,https
logpath = %(nginx_access_log)s
enabled = true
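Before restarting fail2ban it helps to see the filter act on real-looking log lines. The script below is an added example, not part of the original page: it converts the failregex above into a plain POSIX ERE, strips the bracketed timestamp the way fail2ban does before matching (which is why the filter contains an empty "\[\]"), and prints the hosts that would be banned. The access-log lines are constructed, and the setup is assumed to answer requests blocked by ModSecurity with status 444.

```shell
#!/bin/sh
# Added example, not from the original page: dry-run the modsecurity failregex
# above against access-log lines, the way fail2ban would apply it, to confirm
# it bans only hosts that received a 444. The log lines are constructed; the
# filter is assumed to sit behind a ModSecurity/nginx setup that answers
# blocked requests with status 444.

FAILREGEX='^<HOST> \- \S+ \[\] \"(.*)\S+\" 444 .+$'

# Turn the fail2ban expression into a plain POSIX ERE: <HOST> becomes a
# non-space token and the escapes \S, \-, \", \] get their ERE forms.
to_ere() {
    printf '%s\n' "$1" | sed -e 's/<HOST>/[^[:space:]]+/' \
                             -e 's/\\S/[^[:space:]]/g' \
                             -e 's/\\-/-/g' \
                             -e 's/\\"/"/g' \
                             -e 's/\\]/]/g'
}

# fail2ban removes the matched timestamp before applying failregex, which is
# why the filter contains an empty "\[\]"; do the same here.
strip_timestamp() {
    sed 's/\[[^]]*\]/[]/'
}

# modsec_hits LOGFILE: print the host of every line the filter would match.
modsec_hits() {
    ere=$(to_ere "$FAILREGEX")
    strip_timestamp < "$1" | grep -E "$ere" | awk '{ print $1 }'
}

# Constructed nginx access-log sample: two blocked requests, one normal one.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 444 0 "-" "curl/7.88.1"
192.0.2.11 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 444 0 "-" "python-requests/2.31"
EOF

modsec_hits "$SAMPLE_LOG"
```

On the server, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/modsecurity.conf gives the authoritative answer with fail2ban's own date handling; the script is for reasoning about the expression offline.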

SELinux Murmur Server Policy for Fedora

sudo -i
mkdir ~/selinux/murmur
cd ~/selinux/murmur
sepolgen --inetd /usr/sbin/murmurd -n murmur -u system_u

Add this to murmur.te:

# Add port definition
type murmur_port_t;
corenet_port(murmur_port_t)

Run:

semanage dontaudit off
./murmur.sh
semanage port -a -t murmur_port_t 64738 -p tcp
semanage port -a -t murmur_port_t 64738 -p udp
systemctl start murmur.service

Log in to your server, restart it, generate some system calls…
Then execute the following and check whether the policy is restrictive enough:

./murmur.sh --update

Clean up your audit log:

> /var/log/audit/audit.log
rm -rf /var/log/audit/audit.log.*

Generate system calls again and rerun “--update”.
If murmur does not generate any more violations, your policy is good to go.

Set it to enforcing by removing “#” before “permissive murmur_t;” in “murmur.te”.

Rerun:

./murmur.sh

Restart murmur and check if everything is working as expected.

Finally enable “don’t audit” again:

semanage dontaudit on
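The loop above (generate calls, --update, check for violations) is easier to judge with a concrete list of what murmur_t is still being denied than by scrolling through audit.log. The script below is an added example, not part of the original page: it reduces AVC records for one domain to distinct (permission, class, target context) tuples with counts, and policy_clean succeeds only when the list is empty, i.e. when it is time to remove the permissive line. The audit lines in it are constructed in the standard AVC format; on the host point it at /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the original page: summarise the AVC denials still
# logged for murmur_t, so that each "./murmur.sh --update" round can be judged
# from a concrete list and the switch to enforcing is made only once the list
# is empty. The audit lines below are constructed; on a real host feed it
# /var/log/audit/audit.log.

# avc_summary LOG DOMAIN: one line per distinct (permission, class, target
# context) denied for DOMAIN, prefixed with how often it occurred.
avc_summary() {
    grep 'type=AVC' "$1" | grep 'denied' | grep "scontext=[^ ]*:$2:" |
        sed -n 's/.*denied  *{ \([^}]*\) } .* tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1 \3 \2/p' |
        sort | uniq -c | sort -rn
}

# policy_clean LOG DOMAIN: succeed only when no denial remains for DOMAIN.
policy_clean() {
    [ -z "$(avc_summary "$1" "$2")" ]
}

SAMPLE_AUDIT=$(mktemp)
cat > "$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_bind } for  pid=2231 comm="murmurd" src=64738 scontext=system_u:system_r:murmur_t:s0 tcontext=system_u:object_r:murmur_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=49 success=yes exit=0 comm="murmurd" exe="/usr/sbin/murmurd" subj=system_u:system_r:murmur_t:s0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { name_bind } for  pid=2231 comm="murmurd" src=64738 scontext=system_u:system_r:murmur_t:s0 tcontext=system_u:object_r:murmur_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=2231 comm="murmurd" name="murmur.sqlite" dev="dm-0" ino=1234 scontext=system_u:system_r:murmur_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { name_bind } for  pid=2231 comm="murmurd" src=64738 scontext=system_u:system_r:murmur_t:s0 tcontext=system_u:object_r:murmur_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.105:205): avc:  denied  { name_connect } for  pid=900 comm="nginx" dest=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
EOF

avc_summary "$SAMPLE_AUDIT" murmur_t
if policy_clean "$SAMPLE_AUDIT" murmur_t; then
    echo "murmur_t: no denials, ready for enforcing"
else
    echo "murmur_t: denials remain, rerun ./murmur.sh --update"
fi
```

Remember that "semanage dontaudit off" must stay in effect while collecting, otherwise dontaudit rules hide exactly the denials this list is meant to surface.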

WordPress on SELinux enforced systems

First of all, SELinux is your friend, not your enemy.
Hosting WordPress on SELinux-enforcing systems like CentOS 8 often ruins the security concept, because most people straight away disable SELinux, leaving the system open to all the other nasty exploitation attacks against running services.

TL;DR
Please don’t forget to adjust your WordPress root path.
For more information read the man page semanage-fcontext(8).

semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/plugins(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/themes(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/upgrade(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/uploads(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/share/nginx/html/wordpress/wp-content/wflogs(/.*)?"

Make sure your default label for e.g. /usr/share/nginx/ is “httpd_sys_content_t”.

[root@53c70r wordpress]# semanage fcontext -l | grep /usr/share/nginx/
/usr/share/nginx/html(/.*)?                        all files          system_u:object_r:httpd_sys_content_t:s0

This will cause all other files not covered by our own file contexts to be read-only for the web server.
Finally, execute:

restorecon -RFv /usr/share/nginx/

After the command has been executed, the labeling should look as follows:

[root@53c70r wordpress]# ll -Z
total 208
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0      405 Apr 17 23:32 index.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0    19915 Aug 27 23:24 license.txt
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     7278 Sep 23 00:56 readme.html
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     7101 Aug 27 23:24 wp-activate.php
drwxr-xr-x.  9 nginx nginx system_u:object_r:httpd_sys_content_t:s0     4096 Jan 19  2020 wp-admin
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0      351 Apr 17 23:32 wp-blog-header.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     2332 Aug 27 23:24 wp-comments-post.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     2897 Jan 19  2020 wp-config.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     2913 Apr 17 23:32 wp-config-sample.php
drwxr-xr-x.  7 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0    96 Sep 23 00:57 wp-content
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     3940 Apr 17 23:32 wp-cron.php
drwxr-xr-x. 24 nginx nginx system_u:object_r:httpd_sys_content_t:s0     8192 Aug 27 23:24 wp-includes
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     2496 Apr 17 23:32 wp-links-opml.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     3300 Apr 17 23:32 wp-load.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0    48761 Aug 27 23:24 wp-login.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     8509 Jun 17 12:56 wp-mail.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0    20181 Aug 27 23:24 wp-settings.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0    31159 Aug 27 23:24 wp-signup.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     4755 Apr 17 23:32 wp-trackback.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     3236 Aug 27 23:24 xmlrpc.php

[root@53c70r wordpress]# ll -Z wp-content/
total 4
-rw-r--r--. 1 nginx nginx system_u:object_r:httpd_sys_content_t:s0     28 Jan 19  2020 index.php
drwxr-xr-x. 7 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0 129 Sep 23 00:49 plugins
drwxr-xr-x. 4 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0  56 Aug 27 23:17 themes
drwxr-xr-x. 2 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0   6 Sep 23 00:56 upgrade
drwxr-xr-x. 6 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0  68 Jan 19  2020 uploads
drwxr-xr-x. 2 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0 224 Jan 19  2020 wflogs
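Eyeballing ll -Z output works once; after the next plugin install or a restorecon someone forgot, it is worth having a check that fails loudly. The script below is an added example, not part of the original page: it parses ls -lZ output of the WordPress root, flags every entry that is writable for httpd although it is not on the allowed list, and separately checks that the directories meant to be writable actually got the label. The listing in it is constructed and contains one deliberate mislabel (wp-config.php writable).

```shell
#!/bin/sh
# Added example, not from the original page: audit "ls -lZ" output of the
# WordPress root so that only the paths given to semanage fcontext above carry
# httpd_sys_rw_content_t. Everything else must stay httpd_sys_content_t
# (read-only for the web server). The listing below is constructed and
# contains one deliberate mislabel.

# rw_entries LISTING: names of entries labelled httpd_sys_rw_content_t.
# "ls -lZ" prints the context as field 5 and the name last.
rw_entries() {
    awk '$1 != "total" && $5 ~ /:httpd_sys_rw_content_t:/ { print $NF }' "$1"
}

# audit_rw_labels LISTING ALLOWED: fail if an entry is writable for httpd
# although it is not in the space-separated ALLOWED list.
audit_rw_labels() {
    rc=0
    for name in $(rw_entries "$1"); do
        case " $2 " in
            *" $name "*) ;;
            *) echo "unexpected httpd_sys_rw_content_t on: $name" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# expected_rw_present LISTING NAME...: fail if one of the directories that
# must stay writable has not received the rw label (e.g. restorecon not run).
expected_rw_present() {
    listing=$1
    shift
    rc=0
    for name in "$@"; do
        rw_entries "$listing" | grep -qxF "$name" || { echo "$name is not labelled httpd_sys_rw_content_t" >&2; rc=1; }
    done
    return $rc
}

# Constructed listing of the WordPress root; wp-config.php is the mislabel.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
total 208
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_content_t:s0      405 Apr 17 23:32 index.php
-rw-r--r--.  1 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0   2897 Jan 19  2020 wp-config.php
drwxr-xr-x.  7 nginx nginx system_u:object_r:httpd_sys_rw_content_t:s0     96 Sep 23 00:57 wp-content
drwxr-xr-x. 24 nginx nginx system_u:object_r:httpd_sys_content_t:s0     8192 Aug 27 23:24 wp-includes
EOF

# Usage on the host: ls -lZ /usr/share/nginx/html/wordpress > /tmp/root.lst
#                    audit_rw_labels /tmp/root.lst "wp-content"
#                    ls -lZ /usr/share/nginx/html/wordpress/wp-content > /tmp/wc.lst
#                    audit_rw_labels /tmp/wc.lst "plugins themes upgrade uploads wflogs"
#                    expected_rw_present /tmp/wc.lst plugins themes upgrade uploads wflogs
audit_rw_labels "$SAMPLE_LISTING" "wp-content" || echo "run restorecon or fix the fcontext rules before going live"
```

A writable wp-config.php is the case this catches: with the label shown in the listing above, a compromised PHP process could rewrite the database credentials file, which the read-only default label is there to prevent.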

If you want to upgrade your WordPress later, just execute this beforehand:

setsebool httpd_unified 1

And when your upgrade is finished:

setsebool httpd_unified 0