[CentOS] SELinux permissions for apache

Tim Dunphy bluethundr at gmail.com
Thu Jan 22 21:39:59 UTC 2015


>
> Exactly, SELinux is great. It's a good room to have when you can get it
> working and it's another good layer of protection. It's better to learn to
> use the tool than just turn it off.
> Not every label has a rw option but it never hurts to try. :-)



Yeah man, thanks. I really think it was lazy adminning on my part to choose
not to use it. I want to correct that! Unfortunately that was a dirty habit
I picked up by working in some small shops that always turned it off. I'm
going to start using it and gain some familiarity with it!

Thanks

On Thu, Jan 22, 2015 at 3:22 PM, Jeremy Hoel <jthoel at gmail.com> wrote:

> Exactly, SELinux is great. It's a good room to have when you can get it
> working and it's another good layer of protection. It's better to learn to
> use the tool than just turn it off.
>
> Not every label has a rw option but it never hurts to try. :-)
> On Jan 22, 2015 1:18 PM, "Tim Dunphy" <bluethundr at gmail.com> wrote:
>
> > >
> > > The easiest answer is to edit the SELinux config file. By default it is
> > > set to enforce, which really locks it down.
> > > cd /etc/selinux
> > > edit the config file and change SELINUX=enforcing to SELINUX=permissive
> > > Save the file and restart httpd, you should be fine..
> >
> >
> > Yeah dude, exactly. Except I actually do want to start using it. I've been
> > disabling SELINUX forever because I wasn't familiar with using it. I've
> > decided to change my tune on that this year and get more familiar with it.
> > I've always recognized it to be a good thing. Even if I didn't really have
> > a clue about it.
> >
> > Thanks for the suggestion anyway!
> >
> > Tim
> >
> > On Thu, Jan 22, 2015 at 2:47 PM, John Plemons <john at mavin.com> wrote:
> >
> > > The easiest answer is to edit the SELinux config file. By default it is
> > > set to enforce, which really locks it down.
> > >
> > > cd /etc/selinux
> > >
> > > edit the config file and change SELINUX=enforcing to SELINUX=permissive
> > >
> > > Save the file and restart httpd, you should be fine..
> > >
> > > john plemons
> > >
> > >
> > >
> > >
> > > On 1/22/2015 1:36 PM, Tim Dunphy wrote:
> > >
> > >> Hey Jeremy,
> > >>
> > >>
> > >>
> > >>  Have you tried changing the folder where it's writing into with these
> > >>> labels?   httpd_sys_content_rw_t or httpd_user_content_rw_t
> > >>>
> > >>
> > >> Adding 'rw' to the command did the trick. I tried httpd_sys_content_rw_t
> > >> and that works fine! Thanks for the tip!
> > >>
> > >> Tim
> > >>
> > >> On Thu, Jan 22, 2015 at 1:19 PM, Jeremy Hoel <jthoel at gmail.com> wrote:
> > >>
> > >>  Have you tried changing the folder where it's writing into with these
> > >>> labels?   httpd_sys_content_rw_t or httpd_user_content_rw_t
> > >>>
> > >>> On Thu, Jan 22, 2015 at 11:09 AM, Tim Dunphy <bluethundr at gmail.com>
> > >>> wrote:
> > >>>
> > >>>> Hey all,
> > >>>>
> > >>>>   I have a simple php app working that writes some info to a text file.
> > >>>> The app will only work correctly if SELinux is disabled. If it's enabled
> > >>>> and I try to use the app, it fails. It seems that SELinux is denying the
> > >>>> app ability to write to the text file.
> > >>>>
> > >>>> So I tried running the following command:
> > >>>>
> > >>>> chcon -R -t httpd_sys_content_t /var/www
> > >>>>
> > >>>> And tried verifying the command with the following:
> > >>>>
> > >>>> ls -RZ /var/www
> > >>>>
> > >>>> And everything seems to be in order. For example I see:
> > >>>>
> > >>>> -rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 vieworders.php
> > >>>>
> > >>>> But the app still won't function correctly unless SELinux is set to off.
> > >>>> What can I do to get it to work with it enabled?
> > >>>>
> > >>>> Thanks
> > >>>> Tim
> > >>>> --
> > >>>> GPG me!!
> > >>>>
> > >>>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > >>>> _______________________________________________
> > >>>> CentOS mailing list
> > >>>> CentOS at centos.org
> > >>>> http://lists.centos.org/mailman/listinfo/centos
> > >>>>
> > >>>
> > >>>
> > >>
> > >>
> > >
> >
> >
> >
> > --
> > GPG me!!
> >
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> >
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
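
The relabel that resolved this thread, as an added example that is not part of the original messages: it finds the httpd write denials in audit records, maps the read-only type to the rw type named above, and prints the `semanage`/`restorecon` commands that make the label persistent. The audit lines, the file name `orders.txt` and the directory `/var/www/html/data` are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample AVC records; real ones are in /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1421953800.101:311): avc:  denied  { write } for  pid=2101 comm="httpd" name="orders.txt" dev="dm-0" ino=40112 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1421953811.474:312): avc:  denied  { read } for  pid=2101 comm="httpd" name="notes" dev="dm-0" ino=40200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1421953820.009:313): avc:  denied  { write } for  pid=988 comm="sshd" name="x" dev="dm-0" ino=7 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Read audit lines on stdin; print "name type" for each denial where the
# httpd_t domain was refused write access (names containing spaces not handled).
httpd_write_denials() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
            perms = $0
            sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
            if ((" " perms " ") !~ / write /) next
            fname = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)     { fname = $i; sub(/^name=/, "", fname); gsub(/"/, "", fname) }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            print fname, ttype
        }'
}

# Map a read-only content type to its writable counterpart. Only the two
# types named in the thread are handled; other types return failure.
rw_type_for() {
    case "$1" in
        httpd_sys_content_t)  echo httpd_sys_content_rw_t ;;
        httpd_user_content_t) echo httpd_user_content_rw_t ;;
        *) return 1 ;;
    esac
}

# Print (do not run) the commands that label DIR writable for httpd.
# semanage records the rule in policy, so it survives a relabel; chcon does not.
relabel_plan() {
    dir=$1; cur=$2
    new=$(rw_type_for "$cur") || { echo "no rw variant for $cur" >&2; return 1; }
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$new" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Stand-alone run over the constructed data (directory path is hypothetical).
printf '%s\n' "$SAMPLE_AUDIT" | httpd_write_denials
relabel_plan /var/www/html/data httpd_sys_content_t
```

Labelling only the directory the app writes to, rather than all of `/var/www`, keeps the PHP scripts themselves read-only to httpd.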


