{"id":1814,"date":"2016-10-21T19:19:17","date_gmt":"2016-10-21T17:19:17","guid":{"rendered":"http:\/\/monodes.com\/predaelli\/?p=1814"},"modified":"2016-10-21T19:19:17","modified_gmt":"2016-10-21T17:19:17","slug":"sometimes-it-is-annoying","status":"publish","type":"post","link":"https:\/\/monodes.com\/predaelli\/2016\/10\/21\/sometimes-it-is-annoying\/","title":{"rendered":"Sometimes it is annoying"},"content":{"rendered":"<p>Who? SELinux of course!<\/p>\n<p>Mind me, it is a wonderful tool. Tell me I&#8217;m old-fashioned, tell me I&#8217;m unacknowledged about the security it brings.<\/p>\n<p>This after I just wanted to add a theme to my WordPress inner company blog.<\/p>\n<p>SELinux kept saying something like &#8220;<strong>I don&#8217;t think so!&#8221;<\/strong>.<\/p>\n<p><!--more--><\/p>\n<p>I ended up switching it off. For a while.<\/p>\n<p>Yet this \u00ab<em><a href=\"https:\/\/blog.lysender.com\/2015\/07\/centos-7-selinux-php-apache-cannot-writeaccess-file-no-matter-what\/\">CentOS 7 + SELinux + PHP + Apache \u2013 cannot write\/access file no matter what\u00bb from Lysender&#8217;s Daily Log Book<\/a> <\/em>is a nice page to save and study.<\/p>\n<p>I wish I&#8217;ve studied RHCE and related certifications a little more&#8230;<\/p>\n<p><!--nextpage--><\/p>\n<blockquote>\n<h1 class=\"entry-title\">CentOS 7 + SELinux + PHP + Apache \u2013 cannot write\/access file no matter what<\/h1>\n<div class=\"entry-meta\"><span class=\"meta-prep meta-prep-author\">Posted on<\/span> <a title=\"10:29 pm\" href=\"https:\/\/blog.lysender.com\/2015\/07\/centos-7-selinux-php-apache-cannot-writeaccess-file-no-matter-what\/\" rel=\"bookmark\"><span class=\"entry-date\">July 8, 2015<\/span><\/a> <span class=\"meta-sep\">by<\/span> <span class=\"author vcard\"><a class=\"url fn n\" title=\"View all posts by lysender\" href=\"https:\/\/blog.lysender.com\/author\/lysender\/\">lysender<\/a><\/span><\/div>\n<div class=\"article-top-ad\"><iframe loading=\"lazy\" src=\"https:\/\/blog.lysender.com\/ads\/article-top.html\" width=\"300\" height=\"150\" frameborder=\"0\" scrolling=\"no\"><\/iframe><\/div>\n<div class=\"entry-content\">\n<p>I\u2019ve spent 2-3 hours pulling my hair trying to setup a supposed to be simple PHP\/MySQL web application on an Amazon EC2 instance running on CentOS 7. Apache logs keep saying that it can\u2019t write to file due to permission where file permissions are properly setup, only to realize it was <a href=\"http:\/\/selinuxproject.org\/page\/Main_Page\">SELinux<\/a> in action.<\/p>\n<h2>Problem 1: Can\u2019t serve files on a custom directory<\/h2>\n<p>The first problem I have encountered is that I tried to setup the application inside <code class=\"\" data-line=\"\">\/data\/www\/html\/sites\/mysite<\/code>. When viewed on the browser, it says 403 Forbidden and error logs says:<\/p>\n<div>\n<div id=\"highlighter_762517\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">13)Permission denied: [client 121.54.44.93:23180] AH00529: \/data\/www\/html\/sites\/mysite\/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that &#039;\/data\/www\/html\/sites\/mysite\/&#039; is executable<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>The directory structure has proper ownership and permissions, ex: directory is owned by <code class=\"\" data-line=\"\">apache:apache<\/code>, file permission is <code class=\"\" data-line=\"\">0644<\/code> and directory permission is <code class=\"\" data-line=\"\">0755<\/code>. It doesn\u2019t make sense at all. I noticed though that the default document root has no problem serving the php file so I decided to serve it off the <code class=\"\" data-line=\"\">\/var\/www\/html\/mysite<\/code> directory, which is the default document root.<\/p>\n<h2>Problem 2: Can\u2019t write to file<\/h2>\n<p>Moving to the default document root directory did the trick and I was able to run the application but with errors. The error says it can\u2019t write to file although again, proper permissions are already set to the directory. Below is the error (it is a custom error log, but if writing to log file doesn\u2019t work, imagine how your upload functionality would work):<\/p>\n<div>\n<div id=\"highlighter_729185\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">PHP Warning:\u00a0 fopen(\/var\/www\/html\/mysite\/application\/config\/..\/..\/logs\/web\/20150708.ALL.log): failed to open stream: Permission denied in \/var\/www\/html\/mysite\/application\/core\/App_Exceptions.php<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2>Surprise! SELinux is here!<\/h2>\n<blockquote><p>You guys choose CentOS, so you got SELinux as well.<\/p><\/blockquote>\n<p>After realizing that it was SELinux whose messing with me for the past 2 hours, I was thinking of ditching CentOS and go with the recommended Ubuntu instead. But then my instinct tells me that if SELinux is blocking the read\/write operations, it must did it for a good reason, and that was for security. I realize that you need to specify which files\/directories Apache can serve files and which files\/directories it can write into.<\/p>\n<p>SELinux seems to have some rules\/policies that applies to files\/directories on top of the unix file permissions structure. When I run the command below on the default document root, I saw more information on the file\/directory permissions.<\/p>\n<div>\n<div id=\"highlighter_792066\" class=\"syntaxhighlighter  bash\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">ls<\/code> <code class=\"\" data-line=\"\">-Z <\/code><code class=\"\" data-line=\"\">\/var\/www\/html\/mysite<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Below is the output (some information removed):<\/p>\n<div>\n<div id=\"highlighter_684507\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 application<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"\" data-line=\"\">-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.php<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>And below is what I got for other normal directories:<\/p>\n<div>\n<div id=\"highlighter_776687\" class=\"syntaxhighlighter  plain\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\">drwxr-xr-x. apache apache unconfined_u:object_r:default_t:s0 www<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Therefore, we can conclude that we need to specify the proper SELinux permissions on directories in order to serve files on a custom directory and set another SELinux permissions to allow writing to file. Therefore, we can solve the original problem then.<\/p>\n<h2>Fixing the original problem<\/h2>\n<p>So we want to serve our files at <code class=\"\" data-line=\"\">\/data\/www\/html\/sites\/mysite<\/code> and enable writing to log files and file uploads as well? Let\u2019s play nice with SELinux.<\/p>\n<p>First, copy the files as usual to <code class=\"\" data-line=\"\">\/data\/www\/html\/sites\/mysite<\/code>, then set the proper ownership and permissions.<\/p>\n<div>\n<div id=\"highlighter_307940\" class=\"syntaxhighlighter  bash\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td class=\"gutter\">\n<div class=\"line number1 index0 alt2\">1<\/div>\n<div class=\"line number2 index1 alt1\">2<\/div>\n<div class=\"line number3 index2 alt2\">3<\/div>\n<div class=\"line number4 index3 alt1\">4<\/div>\n<div class=\"line number5 index4 alt2\">5<\/div>\n<div class=\"line number6 index5 alt1\">6<\/div>\n<div class=\"line number7 index6 alt2\">7<\/div>\n<div class=\"line number8 index7 alt1\">8<\/div>\n<div class=\"line number9 index8 alt2\">9<\/div>\n<div class=\"line number10 index9 alt1\">10<\/div>\n<div class=\"line number11 index10 alt2\">11<\/div>\n<div class=\"line number12 index11 alt1\">12<\/div>\n<div class=\"line number13 index12 alt2\">13<\/div>\n<div class=\"line number14 index13 alt1\">14<\/div>\n<div class=\"line number15 index14 alt2\">15<\/div>\n<div class=\"line number16 index15 alt1\">16<\/div>\n<\/td>\n<td class=\"code\">\n<div class=\"container\">\n<div class=\"line number1 index0 alt2\"><code class=\"\" data-line=\"\"># Ownership<\/code><\/div>\n<div class=\"line number2 index1 alt1\"><code class=\"\" data-line=\"\">sudo<\/code> <code class=\"\" data-line=\"\">chown<\/code> <code class=\"\" data-line=\"\">apache:apache -R <\/code><code class=\"\" data-line=\"\">\/data\/www\/html\/sites\/mysite<\/code><\/div>\n<div class=\"line number3 index2 alt2\"><code class=\"\" data-line=\"\">cd<\/code> <code class=\"\" data-line=\"\">\/data\/www\/html\/sites\/mysite<\/code><\/div>\n<div class=\"line number4 index3 alt1\"><\/div>\n<div class=\"line number5 index4 alt2\"><code class=\"\" data-line=\"\"># File permissions, recursive<\/code><\/div>\n<div class=\"line number6 index5 alt1\"><code class=\"\" data-line=\"\">find<\/code> <code class=\"\" data-line=\"\">. -<\/code><code class=\"\" data-line=\"\">type<\/code> <code class=\"\" data-line=\"\">f -<\/code><code class=\"\" data-line=\"\">exec<\/code> <code class=\"\" data-line=\"\">chmod<\/code> <code class=\"\" data-line=\"\">0644 {} \\;<\/code><\/div>\n<div class=\"line number7 index6 alt2\"><\/div>\n<div class=\"line number8 index7 alt1\"><code class=\"\" data-line=\"\"># Dir permissions, recursive<\/code><\/div>\n<div class=\"line number9 index8 alt2\"><code class=\"\" data-line=\"\">find<\/code> <code class=\"\" data-line=\"\">. -<\/code><code class=\"\" data-line=\"\">type<\/code> <code class=\"\" data-line=\"\">d -<\/code><code class=\"\" data-line=\"\">exec<\/code> <code class=\"\" data-line=\"\">chmod<\/code> <code class=\"\" data-line=\"\">0755 {} \\;<\/code><\/div>\n<div class=\"line number10 index9 alt1\"><\/div>\n<div class=\"line number11 index10 alt2\"><code class=\"\" data-line=\"\"># SELinux serve files off Apache, resursive<\/code><\/div>\n<div class=\"line number12 index11 alt1\"><code class=\"\" data-line=\"\">sudo<\/code> <code class=\"\" data-line=\"\">chcon -t httpd_sys_content_t <\/code><code class=\"\" data-line=\"\">\/data\/www\/html\/sites\/mysite<\/code> <code class=\"\" data-line=\"\">-R<\/code><\/div>\n<div class=\"line number13 index12 alt2\"><\/div>\n<div class=\"line number14 index13 alt1\"><code class=\"\" data-line=\"\"># Allow write only to specific dirs<\/code><\/div>\n<div class=\"line number15 index14 alt2\"><code class=\"\" data-line=\"\">sudo<\/code> <code class=\"\" data-line=\"\">chcon -t httpd_sys_rw_content_t <\/code><code class=\"\" data-line=\"\">\/data\/www\/html\/sites\/mysite\/logs<\/code> <code class=\"\" data-line=\"\">-R<\/code><\/div>\n<div class=\"line number16 index15 alt1\"><code class=\"\" data-line=\"\">sudo<\/code> <code class=\"\" data-line=\"\">chcon -t httpd_sys_rw_content_t <\/code><code class=\"\" data-line=\"\">\/data\/www\/html\/sites\/mysite\/uploads<\/code> <code class=\"\" data-line=\"\">-R<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><code class=\"\" data-line=\"\">httpd_sys_content_t<\/code> \u2013 for allowing Apache to serve these contents and <code class=\"\" data-line=\"\">httpd_sys_rw_content_t<\/code> \u2013 for allowing Apache to write to those path.<\/p>\n<p>That\u2019s it! I enjoyed and you share!<\/p>\n<\/div>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p class=\"excerpt\">Who? SELinux of course! Mind me, it is a wonderful tool. Tell me I&#8217;m old-fashioned, tell me I&#8217;m unacknowledged about the security it brings. This after I just wanted to add a theme to my WordPress inner company blog. SELinux kept saying something like &#8220;I don&#8217;t think so!&#8221;.<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"https:\/\/monodes.com\/predaelli\/2016\/10\/21\/sometimes-it-is-annoying\/\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":4,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[111,61],"tags":[130],"class_list":["post-1814","post","type-post","status-publish","format-standard","hentry","category-fedora-redhat","category-wordpress","tag-selinux"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6daft-tg","jetpack-related-posts":[{"id":2183,"url":"https:\/\/monodes.com\/predaelli\/2017\/02\/20\/freeipa\/","url_meta":{"origin":1814,"position":0},"title":"FreeIPA","author":"Paolo Redaelli","date":"2017-02-20","format":false,"excerpt":"\u00a0 It seems I should really being learning how to set it up and to manage it: \u00a0 Identity Manage Linux users and client hosts in your realm from one central location with CLI, Web UI or RPC access. Enable Single Sign On authentication for all your systems, services and\u2026","rel":"","context":"In &quot;Documentations&quot;","block_context":{"text":"Documentations","link":"https:\/\/monodes.com\/predaelli\/category\/documentations\/"},"img":{"alt_text":"freeipa-logo-small","src":"https:\/\/i0.wp.com\/monodes.com\/predaelli\/wp-content\/uploads\/sites\/4\/2017\/02\/freeipa-logo-small-1.png?resize=350%2C200","width":350,"height":200},"classes":[]},{"id":1648,"url":"https:\/\/monodes.com\/predaelli\/2016\/06\/07\/debianisms\/","url_meta":{"origin":1814,"position":1},"title":"Debianisms","author":"Paolo Redaelli","date":"2016-06-07","format":false,"excerpt":"I was going to enable mod_rewrite on the new work box, discovering that CentOS doesn't have a2enmod. So reading apache 2.2 - CentOS\u201c-bash: a2enmod: command not found\u201d - from Server Fault I discovered that a2enmod is a debianism, on CentOS you will need to do this manually. Please refer to\u2026","rel":"","context":"In &quot;Fedora - RedHat&quot;","block_context":{"text":"Fedora - RedHat","link":"https:\/\/monodes.com\/predaelli\/category\/fedora-redhat\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":9311,"url":"https:\/\/monodes.com\/predaelli\/2022\/04\/27\/9311\/","url_meta":{"origin":1814,"position":2},"title":"As I wished to add\u2026","author":"Paolo Redaelli","date":"2022-04-27","format":false,"excerpt":"As I wished to add a little NextCloud installation to my small corporate server I used its web installer that quaralled that PHP 7.2 is too old. I was used to Debian way of handling multiple versions of a package (having the major version in the package name). These notes\u2026","rel":"","context":"In &quot;Documentations&quot;","block_context":{"text":"Documentations","link":"https:\/\/monodes.com\/predaelli\/category\/documentations\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":11099,"url":"https:\/\/monodes.com\/predaelli\/2024\/01\/06\/how-standard-ebooks-serves-millions-of-requests-per-month-with-a-2gb-vps-or-a-paean-to-the-classic-web-alex-cabal\/","url_meta":{"origin":1814,"position":3},"title":"How Standard Ebooks serves millions of requests per month with a 2GB VPS; or, a paean to the classic web &#8211; Alex Cabal","author":"Paolo Redaelli","date":"2024-01-06","format":false,"excerpt":"Source: How Standard Ebooks serves millions of requests per month with a 2GB VPS; or, a paean to the classic web - Alex Cabal Standard Ebooks is a project that takes transcriptions of public domain literature, like the kind typically available at Project Gutenberg, and creates beautiful, modern ebooks out\u2026","rel":"","context":"In &quot;Senza categoria&quot;","block_context":{"text":"Senza categoria","link":"https:\/\/monodes.com\/predaelli\/category\/senza-categoria\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8930,"url":"https:\/\/monodes.com\/predaelli\/2021\/11\/18\/apache-nuttx\/","url_meta":{"origin":1814,"position":4},"title":"Apache NuttX","author":"Paolo Redaelli","date":"2021-11-18","format":"link","excerpt":"Apache NuttX Apache NuttX is a mature, real-time embedded operating system (RTOS). \u00a0 Apache NuttX NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 32-bit microcontroller environments, the primary governing standards in NuttX are Posix and ANSI standards. Additional\u2026","rel":"","context":"In &quot;Software&quot;","block_context":{"text":"Software","link":"https:\/\/monodes.com\/predaelli\/category\/software\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":9399,"url":"https:\/\/monodes.com\/predaelli\/2022\/05\/26\/apache-nuttx-2\/","url_meta":{"origin":1814,"position":5},"title":"Apache NuttX","author":"Paolo Redaelli","date":"2022-05-26","format":false,"excerpt":"I shall keep an eye on this... Apache NuttX Apache NuttX is a mature, real-time embedded operating system (RTOS). NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 32-bit microcontroller environments, the primary governing standards in NuttX are Posix\u2026","rel":"","context":"In &quot;Embedded&quot;","block_context":{"text":"Embedded","link":"https:\/\/monodes.com\/predaelli\/category\/software\/embedded\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/posts\/1814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/comments?post=1814"}],"version-history":[{"count":0,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/posts\/1814\/revisions"}],"wp:attachment":[{"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/media?parent=1814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/categories?post=1814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/monodes.com\/predaelli\/wp-json\/wp\/v2\/tags?post=1814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}