Hey! I actually found the right context to apply.
I tried setting this context on the /McFrazier directory:
semanage fcontext -a -t httpd_sys_script_exec_t '/McFrazier(/.*)?'
Then did a restorecon -R -v /McFrazier/. And now the site comes up!
Thanks for your help! Tim
On Thu, Mar 5, 2015 at 11:02 AM, Tim Dunphy bluethundr@gmail.com wrote:
Hi Jeremy,
An easy way to start troubleshooting these is to look at the audit logs and see what SELinux is blocking. You have /McFrazier in the email.. if that's off the root tree then unless you've set permissions to allow httpd to look at that folder, I bet that's one problem. If you run ls -Z you can see the labels that are present on those folders, that might be helpful too.
When I take a look at my audit logs, this is the SELinux error I'm seeing for this file:
type=AVC msg=audit(1425569361.321:11416): avc: *denied* { getattr } for pid=12404 comm="httpd" path="*/McFrazier/PhpBinaryCql/CqlClient.php*" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1425569168.760:11351): avc: denied { read } for pid=12406 comm="httpd" name="*CqlClient.php*" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
This is the selinux permissions on that file:
[root@web1:~] #ls -Z /McFrazier/PhpBinaryCql/CqlClient.php
-rwxrw-rw-. apache apache system_u:object_r:default_t:s0 /McFrazier/PhpBinaryCql/CqlClient.php
So I tried giving apache access to that file using this command:
[root@web1:~] #semanage fcontext -a -t httpd_sys_content /McFrazier/PhpBinaryCql/CqlClient.php
ValueError: Type httpd_sys_content is invalid, must be a file or device type
Seemed logical enough to me, but it doesn't work. I've been googling around for a while to figure out how to get this to work. But no luck just yet.
If I do a semanage fcontext -l | grep httpd command to see what other labels might apply I see a lot of different types. But that one seemed to make the most sense.
Any thoughts?
Thanks Tim
On Wed, Mar 4, 2015 at 11:12 PM, Jeremy Hoel jthoel@gmail.com wrote:
An easy way to start troubleshooting these is to look at the audit logs and see what SELinux is blocking. You have /McFrazier in the email.. if that's off the root tree then unless you've set permissions to allow httpd to look at that folder, I bet that's one problem.
If you run ls -Z you can see the labels that are present on those folders, that might be helpful too.
On Wed, Mar 4, 2015 at 8:14 PM, Tim Dunphy bluethundr@gmail.com wrote:
Hey all,
There's a website I help run that uses the Cassandra DB as its database. I notice that if I run the web server in SELinux permissive mode, the site works fine. But if I put it into enforcing mode, the site goes down with this error:
Warning: require_once(/McFrazier/PhpBinaryCql/CqlClient.php): failed to open stream: Permission denied in /var/www/jf-ref/includes/classes/class.CQL.php on line 2
Fatal error: require_once(): Failed opening required '/McFrazier/PhpBinaryCql/CqlClient.php' (include_path='.:/php/includes') in /var/www/jf-ref/includes/classes/class.CQL.php on line 2
I've tried performing a chcon -R command on both the /McFrazier and the /var/www/jf-ref directories. But there's no change to the site being up. Can I get some opinions on how to get this working under SELinux?
Thanks Tim
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos