Ever had this? You configure a web server and everything should work, but it doesn't…
You're dealing with 3 things: MySQL, PHP and Apache. All three configs are in order and yet you can't/aren't allowed to write to files that are even already set to 777.. hmm.. let's google.. This is where I came across the solution. I ran into this while we were trying to install UserSpice 😉
Snippet from the page:
CentOS 7 + SELinux + PHP + Apache – cannot write/access file no matter what
July 8, 2015
I've spent 2-3 hours pulling my hair trying to set up a supposedly simple PHP/MySQL web application on an Amazon EC2 instance running CentOS 7. Apache logs kept saying that it can't write to a file due to permissions, while the file permissions were properly set up, only to realize it was SELinux in action.
Problem 1: Can’t serve files on a custom directory
The first problem I encountered is that I tried to set up the application inside /data/www/html/sites/mysite. When viewed in the browser, it says 403 Forbidden and the error log says:
(13)Permission denied: [client 121.54.44.93:23180] AH00529: /data/www/html/sites/mysite/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable and that '/data/www/html/sites/mysite/' is executable
The directory structure has proper ownership and permissions, e.g. the directory is owned by apache:apache, file permissions are 0644 and directory permissions are 0755. It doesn't make sense at all. I noticed though that the default document root has no problem serving the PHP file, so I decided to serve it off the /var/www/html/mysite directory, which is the default document root.
Problem 2: Can't write to file
Moving to the default document root directory did the trick and I was able to run the application, but with errors. The error says it can't write to a file although, again, proper permissions are already set on the directory. Below is the error (it is a custom error log, but if writing to the log file doesn't work, imagine how your upload functionality would work):
PHP Warning: fopen(/var/www/html/mysite/application/config/../../logs/web/20150708.ALL.log): failed to open stream: Permission denied in /var/www/html/mysite/application/core/App_Exceptions.php
Surprise! SELinux is here!
You guys chose CentOS, so you got SELinux as well.
After realizing that it was SELinux that had been messing with me for the past 2 hours, I was thinking of ditching CentOS and going with the recommended Ubuntu instead. But then my instinct told me that if SELinux is blocking the read/write operations, it must have done it for a good reason, and that is security. I realized that you need to specify which files/directories Apache can serve files from and which files/directories it can write into. SELinux has rules/policies that apply to files/directories on top of the Unix file permission structure. When I ran the command below on the default document root, I saw more information on the file/directory permissions.
ls -Z /var/www/html/mysite
Below is the output (some information removed):
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 application
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.php
And below is what I got for other normal directories:
drwxr-xr-x. apache apache unconfined_u:object_r:default_t:s0 www
Therefore, we can conclude that we need to set the proper SELinux context on directories in order to serve files from a custom directory, and set another SELinux context to allow writing to files. With that, we can solve the original problem.
Fixing the original problem
So we want to serve our files from /data/www/html/sites/mysite and enable writing to log files and file uploads as well? Let's play nice with SELinux. First, copy the files as usual to /data/www/html/sites/mysite, then set the proper ownership and permissions.
# Ownership
sudo chown apache:apache -R /data/www/html/sites/mysite
cd /data/www/html/sites/mysite

# File permissions, recursive
find . -type f -exec chmod 0644 {} \;

# Dir permissions, recursive
find . -type d -exec chmod 0755 {} \;

# SELinux: let Apache serve these files, recursive
sudo chcon -t httpd_sys_content_t /data/www/html/sites/mysite -R

# Allow write only to specific dirs
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite/logs -R
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite/uploads -R
httpd_sys_content_t – allows Apache to serve this content
httpd_sys_rw_content_t – allows Apache to write to those paths
Thank You!
It works on SELinux enabled CentOS 7 box with nginx + PHP-FPM 7.2 too.
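One caveat the quoted post leaves out: chcon changes the label on the inode only. A later restorecon, a full relabel (touch /.autorelabel) or a package update that relabels its files puts the policy's default back, and on a path like /data that default is default_t, so the 403 and the fopen() failure come back. The durable fix is to record the path in the policy with semanage fcontext and then run restorecon. The script below is an added example, not code from the quoted post or from UserSpice; it assumes the same layout as the post (site root /data/www/html/sites/mysite, with logs/ and uploads/ as the only writable directories) and that semanage is installed (package policycoreutils-python on CentOS 7). It prints the plan, applies it only when SELINUX_APPLY=1, and includes an audit of ls -Z output in the format the post shows.

```shell
#!/bin/sh
# Added example, not code from the quoted post: make the SELinux labels
# persistent with semanage fcontext + restorecon instead of chcon, and audit
# ls -Z output for entries httpd_t cannot serve from.
# Assumptions: same layout as the post; logs/ and uploads/ are the only
# writable dirs; semanage comes from policycoreutils-python.

SITE=/data/www/html/sites/mysite
RW_DIRS="logs uploads"   # space separated, split on purpose below

# Print the commands that record the labels in the policy (file_contexts.local).
# chcon only changes the inode; restorecon, a relabel or a package update resets
# it to what the policy says, so the policy itself has to know the path.
# If a spec already exists, semanage fails with "already defined": use -m then.
label_commands() {
    site=$1
    shift
    # Site-wide: content httpd_t may read. "(/.*)?" matches the directory and
    # everything below it; without it only the top directory gets the label.
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$site"
    # Writable subdirs only. These rules are added after, and are more specific
    # than, the site-wide one, so they win for paths under logs/ and uploads/.
    for d in "$@"; do
        printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/%s(/.*)?"\n' "$site" "$d"
    done
    # Apply the rules to the files that already exist; -v shows each change.
    printf 'restorecon -Rv "%s"\n' "$site"
}

# Audit a listing in the `ls -Z` format shown in the post, one entry per line:
#   drwxr-xr-x. apache apache unconfined_u:object_r:default_t:s0 www
# Prints every entry whose type httpd_t cannot serve from; returns 1 if any.
audit_labels() {
    rc=0
    while read -r perms owner group context name; do
        [ -z "$context" ] && continue
        # context is user:role:type:level; the type is the third field
        type=$(printf '%s' "$context" | cut -d: -f3)
        case "$type" in
            httpd_sys_content_t|httpd_sys_rw_content_t) ;;
            *) printf 'MISLABELED %s type=%s\n' "$name" "$type"; rc=1 ;;
        esac
    done <<EOF
$1
EOF
    return $rc
}

# Show the plan; run it only when SELINUX_APPLY=1 is set on the CentOS box.
cmds=$(label_commands "$SITE" $RW_DIRS)
printf '%s\n' "$cmds"
if [ "${SELINUX_APPLY:-0}" = 1 ]; then
    printf '%s\n' "$cmds" | sudo sh -ex
    # Verify: anything still default_t under the site root is reported
    audit_labels "$(ls -Z "$SITE")"
fi
```

When something is still blocked after relabeling, read the denial instead of guessing: ausearch -m avc -ts recent lists the AVC records (the tcontext field shows which label httpd_t was refused access to), and sealert -a /var/log/audit/audit.log from setroubleshoot-server explains them. If the MySQL server in this stack runs on another host, the TCP connection from PHP is a separate policy decision governed by the boolean httpd_can_network_connect_db, not by file labels.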