Hey all,
There's a website I help run that uses the Cassandra DB as its database. I notice that if I run the web server in SELinux permissive mode, the site works fine. But if I put it into enforcing mode, the site goes down with this error:
Warning: require_once(/McFrazier/PhpBinaryCql/CqlClient.php): failed to open stream: Permission denied in /var/www/jf-ref/includes/classes/class.CQL.php on line 2
Fatal error: require_once(): Failed opening required '/McFrazier/PhpBinaryCql/CqlClient.php' (include_path='.:/php/includes') in /var/www/jf-ref/includes/classes/class.CQL.php on line 2
I've tried performing a chcon -R command on both the /McFrazier and the /var/www/jf-ref directories. But there's no change to the site being up. Can I get some opinions on how to get this working under SELinux?
Thanks Tim
An easy way to start troubleshooting these is to look at the audit logs and see what SELinux is blocking. You have /McFrazier in the email. If that's off the root tree, then unless you've set permissions to allow httpd to look at that folder, I bet that's one problem.
If you run ls -Z you can see the labels that are present on those folders; that might be helpful too.
On Wed, Mar 4, 2015 at 8:14 PM, Tim Dunphy bluethundr@gmail.com wrote:
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Hi Jeremy,
An easy way to start troubleshooting these is to look at the audit logs and see what SELinux is blocking. You have /McFrazier in the email. If that's off the root tree, then unless you've set permissions to allow httpd to look at that folder, I bet that's one problem. If you run ls -Z you can see the labels that are present on those folders; that might be helpful too.
When I take a look at my audit logs, this is the SELinux error I'm seeing for this file:
type=AVC msg=audit(1425569361.321:11416): avc: denied { getattr } for pid=12404 comm="httpd" path="/McFrazier/PhpBinaryCql/CqlClient.php" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1425569168.760:11351): avc: denied { read } for pid=12406 comm="httpd" name="CqlClient.php" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
These are the SELinux permissions on that file:
[root@web1:~] #ls -Z /McFrazier/PhpBinaryCql/CqlClient.php
-rwxrw-rw-. apache apache system_u:object_r:default_t:s0 /McFrazier/PhpBinaryCql/CqlClient.php
So I tried giving apache access to that file using this command:
[root@web1:~] #semanage fcontext -a -t httpd_sys_content /McFrazier/PhpBinaryCql/CqlClient.php
ValueError: Type httpd_sys_content is invalid, must be a file or device type
Seemed logical enough to me, but it doesn't work. I've been googling around for a while to figure out how to get this to work. But no luck just yet.
If I do a semanage fcontext -l | grep httpd command to see what other labels might apply I see a lot of different types. But that one seemed to make the most sense.
Any thoughts?
Thanks Tim
On Wed, Mar 4, 2015 at 11:12 PM, Jeremy Hoel jthoel@gmail.com wrote:
Hey! I actually found the right context to apply.
I tried setting this context on the /McFrazier directory:
semanage fcontext -a -t httpd_sys_script_exec_t '/McFrazier(/.*)?'
Then did a restorecon -R -v /McFrazier/. And now the site comes up!
Thanks for your help! Tim
On Thu, Mar 5, 2015 at 11:02 AM, Tim Dunphy bluethundr@gmail.com wrote:
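The diagnosis and fix from this thread as one script, added here as an example and not code posted by anyone in the thread: it reads an AVC denial, states what was refused in plain words, and emits the persistent relabelling commands, catching the missing `_t` suffix that made semanage fail above. It assumes only POSIX sh with sed and cut; the AVC record is constructed from the one Tim posted, and the semanage/restorecon commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not from the thread: read an AVC denial like the one Tim posted,
# say in plain words what was refused, and emit the persistent relabelling fix.

# Constructed record, modelled on the getattr denial in the thread.
AVC_SAMPLE='type=AVC msg=audit(1425569361.321:11416): avc: denied { getattr } for pid=12404 comm="httpd" path="/McFrazier/PhpBinaryCql/CqlClient.php" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# avc_field RECORD KEY: value of KEY=... (quoted or bare) in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_type CONTEXT: the type component of user:role:type:level.
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perms RECORD: the permissions inside { ... }, e.g. "getattr" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*avc: *denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# avc_summary RECORD: "<source type> denied <perms> on <class> <target> (labelled <target type>)".
# Some records (the read denial in the thread) carry name= instead of path=.
avc_summary() {
    target=$(avc_field "$1" path)
    [ -n "$target" ] || target=$(avc_field "$1" name)
    printf '%s denied %s on %s %s (labelled %s)\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$target" \
        "$(avc_type "$(avc_field "$1" tcontext)")"
}

# fcontext_fix DIR TYPE: print the two commands that relabel DIR persistently.
# SELinux type names end in _t; "httpd_sys_content" without the suffix is what
# made semanage fail in the thread. httpd_sys_content_t is enough for PHP files
# that httpd merely reads; httpd_sys_script_exec_t is the broader CGI label.
fcontext_fix() {
    case $2 in
        *_t) ;;
        *) printf "error: '%s' is not a type name (did you mean %s_t?)\n" "$2" "$2" >&2
           return 1 ;;
    esac
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -R -v %s\n' "$1"
}

avc_summary "$AVC_SAMPLE"
fcontext_fix /McFrazier httpd_sys_content_t
```

On the real host, `matchpathcon /McFrazier/PhpBinaryCql/CqlClient.php` after the semanage call shows the label policy now expects, and `restorecon -n -v` previews what would change before you apply it.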