SELinux Kills Cassandra Based Website


Hey all,

There’s a website I help run that uses the Cassandra DB as its database. I
notice that if I run the web server in SELinux permissive mode, the site works fine. But if I put it into enforcing mode, the site goes down with this error:

Warning: require_once(/McFrazier/PhpBinaryCql/CqlClient.php): failed to open stream: Permission denied in /var/www/jf-ref/includes/classes/class.CQL.php on line 2
Fatal error: require_once(): Failed opening required '/McFrazier/PhpBinaryCql/CqlClient.php' (include_path='.:/php/includes') in /var/www/jf-ref/includes/classes/class.CQL.php on line 2

I’ve tried performing a chcon -R command on both the /McFrazier and the
/var/www/jf-ref directories. But there’s no change to the site being up. Can I get some opinions on how to get this working under SELinux?

Thanks Tim

3 thoughts on - SELinux Kills Cassandra Based Website

  • An easy way to start troubleshooting these is to look at the audit logs and see what SELinux is blocking. You have /McFrazier in the email. If that's off the root tree then, unless you've set permissions to allow httpd to look at that folder, I bet that's one problem.

    if you run ls -Z you can see the labels that are present on those folders, that might be helpful too.

  • Hi Jeremy,

    An easy way to start troubleshooting these is to look at the audit logs and

    When I take a look at my audit logs, this is the SELinux error I’m seeing for this file:

    type=AVC msg=audit(1425569361.321:11416): avc: denied { getattr } for pid=404 comm="httpd" path="/McFrazier/PhpBinaryCql/CqlClient.php" dev="vda" ino=66101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
    type=AVC msg=audit(1425569168.760:11351): avc: denied { read } for pid=406 comm="httpd" name="CqlClient.php" dev="vda" ino=66101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

    This is the selinux permissions on that file:

    [root@web1:~] # ls -Z /McFrazier/PhpBinaryCql/CqlClient.php
    -rwxrw-rw-. apache apache system_u:object_r:default_t:s0 /McFrazier/PhpBinaryCql/CqlClient.php

    So I tried giving apache access to that file using this command:

    [root@web1:~] # semanage fcontext -a -t httpd_sys_content /McFrazier/PhpBinaryCql/CqlClient.php
    ValueError: Type httpd_sys_content is invalid, must be a file or device type

    Seemed logical enough to me, but it doesn’t work. I’ve been googling around for a while to figure out how to get this to work. But no luck just yet.

    If I do a semanage fcontext -l | grep httpd command to see what other labels might apply I see a lot of different types. But that one seemed to make the most sense.

    Any thoughts?

    Thanks Tim

  • Hey! I actually found the right context to apply.

    I tried setting this context on the /McFrazier directory:

    semanage fcontext -a -t httpd_sys_script_exec_t '/McFrazier(/.*)?'

    Then did a restorecon -R -v /McFrazier/. And now the site comes up!

    Thanks for your help!
    Tim
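The troubleshooting loop in this thread (read the AVC denials, identify the unlabelled default_t target, add a file-context rule, restorecon) as an added shell example; this is not code from the thread or from the CentOS project. The AVC records are constructed from the ones Tim quoted, and the script prints the remediation commands rather than running them. It suggests httpd_sys_content_t, the narrower label for files httpd only needs to read (PHP included in-process), rather than the httpd_sys_script_exec_t Tim settled on; either resolves the denials shown, but the read-only label is the least-privilege choice.

```shell
#!/bin/bash
# Constructed sample AVC records, modelled on the ones quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1425569361.321:11416): avc:  denied  { getattr } for  pid=404 comm="httpd" path="/McFrazier/PhpBinaryCql/CqlClient.php" dev="vda" ino=66101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1425569168.760:11351): avc:  denied  { read } for  pid=406 comm="httpd" name="CqlClient.php" dev="vda" ino=66101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# Reduce AVC denials to unique "source_domain target_type class permission" rows,
# e.g. "httpd_t default_t file getattr". default_t on the target is the tell-tale
# sign of an unlabelled tree outside the standard web roots.
avc_summary() {
  printf '%s\n' "$1" | awk '
    /^type=AVC/ && /denied/ {
      perm = ""; s = ""; t = ""; c = ""
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      print s, t, c, perm
    }' | sort -u
}

# SELinux type names end in _t; "httpd_sys_content" (as tried in the thread) is
# rejected by semanage, so check the name before touching the policy.
valid_type_name() {
  case "$1" in *_t) return 0 ;; *) return 1 ;; esac
}

# Emit the persistent relabel commands for a directory tree: a file-context rule
# (so the label survives future restorecon runs) followed by the relabel itself.
# Printed rather than executed: both need root on a policy-enabled system.
relabel_commands() {
  valid_type_name "$2" || { echo "invalid SELinux type: $2" >&2; return 1; }
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
  printf 'restorecon -R -v %s\n' "$1"
}

# Stand-alone run: summarise the sample denials, then show the fix for the tree.
avc_summary "$AVC_SAMPLE"
relabel_commands /McFrazier httpd_sys_content_t
```

After relabelling, a second look at the audit log with the same summary confirms no further httpd_t denials against the tree.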