SELinux Permissions For Apache


Hey all,

I have a simple PHP app working that writes some info to a text file. The app will only work correctly if SELinux is disabled. If it’s enabled and I try to use the app, it fails. It seems that SELinux is denying the app the ability to write to the text file.

So I tried running the following command:

chcon -R -t httpd_sys_content_t /var/www

And tried verifying the command with the following:

ls -RZ /var/www

And everything seems to be in order. For example I see:

-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 vieworders.php

But the app still won’t function correctly unless SELinux is set to off. What can I do to get it to work with it enabled?

Thanks Tim

6 thoughts on - SELinux Permissions For Apache

  • Have you tried changing the folder where it’s writing into with these labels? httpd_sys_content_rw_t or httpd_user_content_rw_t

  • Hey Jeremy,

    Adding ‘rw’ to the command did the trick. I tried httpd_sys_content_rw_t and that works fine! Thanks for the tip!

    Tim

  • The easiest answer is to edit the SELinux config file. By default it is set to enforce, which really locks it down.

    cd /etc/selinux

    edit the config file and change SELINUX=enforcing to SELINUX=permissive

    Save the file and restart httpd, you should be fine.

    john plemons

  • Yeah dude, exactly. Except I actually do want to start using it. I’ve been disabling SELinux forever because I wasn’t familiar with using it. I’ve decided to change my tune on that this year and get more familiar with it. I’ve always recognized it to be a good thing. Even if I didn’t really have a clue about it.

    Thanks for the suggestion anyway!

    Tim

  • Exactly, SELinux is great. It’s a good room to have when you can get it working and it’s another good layer of protection. It’s better to learn to use the tool than just turn it off.

    Not every label has a rw option but it never hurts to try. :-)

  • Yeah man, thanks. I really think it was lazy adminning on my part to choose not to use it. I want to correct that! Unfortunately that was a dirty habit I picked up by working in some small shops that always turned it off. I’m going to start using it and gain some familiarity with it!

    Thanks
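
An added example, not part of the thread and not code from any poster: a shell sketch that picks httpd write denials out of audit.log-style AVC records and prints the commands that would give only the app's data directory the httpd_sys_content_rw_t label suggested above. The log records and the /var/www/html/data path are constructed assumptions; semanage and restorecon are used instead of the thread's chcon because they record the label in the local policy, so it survives a filesystem relabel.

```shell
#!/bin/sh
# Constructed sample AVC records (not taken from the thread).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1357000000.101:410): avc:  denied  { write } for  pid=2101 comm="httpd" name="orders.txt" dev=dm-0 ino=393301 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1357000000.202:411): avc:  denied  { add_name } for  pid=2101 comm="httpd" name="orders.tmp" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1357000000.303:412): avc:  denied  { read } for  pid=2250 comm="sshd" name="shadow" dev=dm-0 ino=1201 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# Read AVC records on stdin. For every denial where the httpd_t domain tried
# to modify an object labelled httpd_sys_content_t (read-only web content),
# print: permissions, object class, object name, target type.
httpd_write_denials() {
  awk '
    /avc:/ && /denied/ && /scontext=[^ ]*:httpd_t:/ && /tcontext=[^ ]*:httpd_sys_content_t:/ {
      perm = $0
      sub(/^.*[{] */, "", perm)      # drop everything up to the opening brace
      sub(/ *[}].*$/, "", perm)      # drop the closing brace and the rest
      gsub(/ +/, ",", perm)          # "read write" -> "read,write"
      if (perm !~ /(^|,)(write|append|create|add_name|remove_name|unlink|setattr|rename)(,|$)/) next
      name = "?"; tclass = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)   { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
        if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
      }
      print perm, tclass, name, "httpd_sys_content_t"
    }'
}

# Print (do not run) the commands that label one writable directory.
# $1 is the directory the app writes into; the path used below is hypothetical.
relabel_plan() {
  dir=${1%/}
  printf "semanage fcontext -a -t httpd_sys_content_rw_t '%s(/.*)?'\n" "$dir"
  printf "restorecon -Rv %s\n" "$dir"
}

sample_avc | httpd_write_denials
relabel_plan /var/www/html/data
```

On a live host the same filter can be fed from /var/log/audit/audit.log; the PHP scripts themselves can stay httpd_sys_content_t so that httpd cannot rewrite its own code.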