[CentOS] SELinux kills Cassandra based website

Thu Mar 5 16:02:49 UTC 2015
Tim Dunphy <bluethundr at gmail.com>

Hi Jeremy,

> An easy way to start troubleshooting these is to look at the audit logs and
> see what SELinux is blocking.  You have /McFrazier in the email.. if that's
> off the root tree then unless you've set permissions to allow httpd to look
> at that folder, I bet that's one problem.
> if you run ls -Z you can see the labels that are present on those folders,
> that might be helpful too



When I take a look at my audit logs, this is the SELinux error I'm seeing
for this file:

type=AVC msg=audit(1425569361.321:11416): avc:  denied  { getattr } for pid=12404 comm="httpd" path="/McFrazier/PhpBinaryCql/CqlClient.php" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1425569168.760:11351): avc:  denied  { read } for pid=12406 comm="httpd" name="CqlClient.php" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

These are the SELinux permissions on that file:

[root at web1:~] #ls -Z /McFrazier/PhpBinaryCql/CqlClient.php
-rwxrw-rw-. apache apache system_u:object_r:default_t:s0
/McFrazier/PhpBinaryCql/CqlClient.php

So I tried giving apache access to that file using this command:

[root at web1:~] #semanage fcontext -a -t httpd_sys_content /McFrazier/PhpBinaryCql/CqlClient.php
ValueError: Type httpd_sys_content is invalid, must be a file or device type

Seemed logical enough to me, but it doesn't work. I've been googling around
for a while to figure out how to get this to work, but no luck just yet.

If I run semanage fcontext -l | grep httpd to see what other labels might
apply, I see a lot of different types. But that one seemed to make the most
sense.

Any thoughts?

Thanks
Tim

On Wed, Mar 4, 2015 at 11:12 PM, Jeremy Hoel <jthoel at gmail.com> wrote:

> An easy way to start troubleshooting these is to look at the audit logs and
> see what SELinux is blocking.  You have /McFrazier in the email.. if that's
> off the root tree then unless you've set permissions to allow httpd to look
> at that folder, I bet that's one problem.
>
> if you run ls -Z you can see the labels that are present on those folders,
> that might be helpful too.
>
> On Wed, Mar 4, 2015 at 8:14 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>
> > Hey all,
> >
> > There's a website I help run that uses the Cassandra DB as its database. I
> > notice that if I run the web server in SELinux permissive mode, the site
> > works fine. But if I put it into enforcing mode, the site goes down with
> > this error:
> >
> > Warning: require_once(/McFrazier/PhpBinaryCql/CqlClient.php): failed to
> > open stream: Permission denied in
> > /var/www/jf-ref/includes/classes/class.CQL.php on line 2 Fatal error:
> > require_once(): Failed opening required
> > '/McFrazier/PhpBinaryCql/CqlClient.php' (include_path='.:/php/includes') in
> > /var/www/jf-ref/includes/classes/class.CQL.php on line 2
> >
> > I've tried performing a chcon -R command on both the /McFrazier and the
> > /var/www/jf-ref directories. But there's no change to the site being up.
> > Can I get some opinions on how to get this working under SELinux?
> >
> > Thanks
> > Tim
> >
> >
> > --
> > GPG me!!
> >
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
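An added example, not code from the thread: a POSIX sh script that pulls the source type, target type, permission and path out of AVC records like the two above (constructed here from the mail, re-joined onto one line each as they appear in /var/log/audit/audit.log) and, wherever httpd_t is denied on a default_t file, prints the semanage fcontext / restorecon commands that relabel the directory. It uses the type name httpd_sys_content_t, with the _t suffix the ValueError above is complaining about; the relabel target is the file's own directory, so widen it to the top of the tree (/McFrazier) if the whole tree is served.

```shell
#!/bin/sh
# Constructed input: the two AVC records from the mail, one record per line.
AVC_SAMPLE='type=AVC msg=audit(1425569361.321:11416): avc:  denied  { getattr } for pid=12404 comm="httpd" path="/McFrazier/PhpBinaryCql/CqlClient.php" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1425569168.760:11351): avc:  denied  { read } for pid=12406 comm="httpd" name="CqlClient.php" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# avc_field LINE NAME: value of the NAME=... token in one AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v f="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, f "=") == 1) {
                v = substr($i, length(f) + 2); gsub(/"/, "", v); print v; exit
            }
    }'
}

# avc_perm LINE: the permission(s) inside { ... }, e.g. getattr, or "read write".
avc_perm() { printf '%s\n' "$1" | sed 's/.*{ *\([^}]*[^} ]\) *}.*/\1/'; }

# ctx_type CONTEXT: the SELinux type, i.e. the third colon-separated component.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# suggest_fix LINE: when httpd_t is denied on a default_t object, print the
# labelling fix; any other denial prints nothing (it needs a different fix).
suggest_fix() {
    line=$1
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    [ "$stype" = httpd_t ] && [ "$ttype" = default_t ] || return 0
    path=$(avc_field "$line" path)
    if [ -z "$path" ]; then
        # Only name= and ino= were logged, so resolve the inode to a path first.
        printf 'find / -xdev -inum %s   # locate %s, then relabel its directory\n' \
            "$(avc_field "$line" ino)" "$(avc_field "$line" name)"
        return 0
    fi
    dir=$(dirname "$path")
    printf "semanage fcontext -a -t httpd_sys_content_t '%s(/.*)?'\n" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Report every record: what was denied, on which object, and how to fix it.
printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r rec; do
    echo "httpd denied $(avc_perm "$rec") on $(avc_field "$rec" tclass) $(avc_field "$rec" path)$(avc_field "$rec" name)"
    suggest_fix "$rec"
done
```

Run it against the real log with `grep 'comm="httpd"' /var/log/audit/audit.log` piped in place of the sample; records whose target type is already an httpd_* type are skipped because relabelling would not help them.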