Hey!

I actually found the right context to apply. I tried setting this context on the /McFrazier directory:

semanage fcontext -a -t httpd_sys_script_exec_t '/McFrazier(/.*)?'

Then did a restorecon -R -v /McFrazier/. And now the site comes up!

Thanks for your help!
Tim

On Thu, Mar 5, 2015 at 11:02 AM, Tim Dunphy <bluethundr at gmail.com> wrote:

> Hi Jeremy,
>
>> An easy way to start troubleshooting these is to look at the audit logs and
>> see what SELinux is blocking. You have /McFrazier in the email.. if that's
>> off the root tree then unless you've set permissions to allow httpd to look
>> at that folder, I bet that's one problem.
>> if you run ls -Z you can see the labels that are present on those folders,
>> that might be helpful too
>
> When I take a look at my audit logs, this is the SELinux error I'm seeing
> for this file:
>
> type=AVC msg=audit(1425569361.321:11416): avc: *denied* { getattr } for pid=12404 comm="httpd" path="*/McFrazier/PhpBinaryCql/CqlClient.php*" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
> type=AVC msg=audit(1425569168.760:11351): avc: denied { read } for pid=12406 comm="httpd" name="*CqlClient.php*" dev="vda" ino=1966101 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
>
> These are the SELinux permissions on that file:
>
> [root@web1:~] #ls -Z /McFrazier/PhpBinaryCql/CqlClient.php
> -rwxrw-rw-. apache apache system_u:object_r:default_t:s0 /McFrazier/PhpBinaryCql/CqlClient.php
>
> So I tried giving apache access to that file using this command:
>
> [root@web1:~] #semanage fcontext -a -t httpd_sys_content /McFrazier/PhpBinaryCql/CqlClient.php
> ValueError: Type httpd_sys_content is invalid, must be a file or device type
>
> Seemed logical enough to me, but it doesn't work. I've been googling
> around for a while to figure out how to get this to work. But no luck just
> yet.
>
> If I do a semanage fcontext -l | grep httpd command to see what other
> labels might apply I see a lot of different types. But that one seemed to
> make the most sense.
>
> Any thoughts?
>
> Thanks
> Tim
>
> On Wed, Mar 4, 2015 at 11:12 PM, Jeremy Hoel <jthoel at gmail.com> wrote:
>
>> An easy way to start troubleshooting these is to look at the audit logs and
>> see what SELinux is blocking. You have /McFrazier in the email.. if that's
>> off the root tree then unless you've set permissions to allow httpd to look
>> at that folder, I bet that's one problem.
>>
>> if you run ls -Z you can see the labels that are present on those folders,
>> that might be helpful too.
>>
>> On Wed, Mar 4, 2015 at 8:14 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>>
>> > Hey all,
>> >
>> > There's a website I help run that uses the Cassandra DB as its database. I
>> > notice that if I run the web server in SELinux permissive mode, the site
>> > works fine. But if I put it into enforcing mode, the site goes down with
>> > this error:
>> >
>> > Warning: require_once(/McFrazier/PhpBinaryCql/CqlClient.php): failed to open stream: Permission denied in /var/www/jf-ref/includes/classes/class.CQL.php on line 2
>> > Fatal error: require_once(): Failed opening required '/McFrazier/PhpBinaryCql/CqlClient.php' (include_path='.:/php/includes') in /var/www/jf-ref/includes/classes/class.CQL.php on line 2
>> >
>> > I've tried performing a chcon -R command on both the /McFrazier and the
>> > /var/www/jf-ref directories. But there's no change to the site being up.
>> > Can I get some opinions on how to get this working under SELinux?
>> >
>> > Thanks
>> > Tim
>> >
>> > --
>> > GPG me!!
>> >
>> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>> > _______________________________________________
>> > CentOS mailing list
>> > CentOS at centos.org
>> > http://lists.centos.org/mailman/listinfo/centos

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B