
I've set up a CentOS 6.3 box with lighttpd and php-fpm, and I can serve both static files and PHP files with SELinux enabled if I leave the lighttpd home directory set to the default (/var/www/lighttpd).

However if I change the home directory to anything else, I get 403 forbidden errors when I try and access the server (if I have SELinux enabled).

If I disable SELinux an alternative home directory works fine - but I'd prefer not to have to disable SELinux.

I've read that I should run "chcon -R -h -t httpd_sys_content_t /my_new_docroot" and that should make SELinux happy but unfortunately when I do that I get the following errors:

changing security context of `/mnt/smbshare/files'
chcon: failed to get security context of `files': Operation not supported

I suspect this is because I'm trying to use chcon on an SMB share which is mounted using fstab.

So I'm wondering how else I can solve this issue (besides flat out turning off SELinux) - any gurus out there have any suggestions for me?

Thanks, Brad

Brad

1 Answer


You appear to be using a Samba share to store your web content. If you want SELinux to allow your web server to read files on Samba shares, you need to set the appropriate boolean. For instance:

setsebool -P httpd_use_cifs 1
Michael Hampton
  • Well, that seemed to help. Although now I'm getting the following error: User error: Failed to connect to memcache server: memcache1.ourdomain.com:11211 in dmemcache_object() (line 415 of /mnt/share/sites/all/modules/memcache/dmemcache.inc). PDOException: SQLSTATE[HY000] [2003] Can't connect to MySQL server on 'db1.ourserver.com' (13) in lock_may_be_available() (line 167 of /mnt/share/includes/lock.inc). Are there similar directives I need to set for mysql and memcache with SELinux enabled? – Brad Mar 20 '13 at 15:26
  • I was able to get memcache to work by using setsebool -P httpd_can_network_memcache 1 – Brad Mar 20 '13 at 15:42
  • However mysql is still failing - PDOException: SQLSTATE[HY000] [2003] Can't connect to MySQL server on 'db1.ourdomain.com' (13) in lock_may_be_available() (line 167 of /mnt/share/includes/lock.inc). – Brad Mar 20 '13 at 15:43
  • I've tried setsebool -P allow_user_mysql_connect 1 and setsebool -P mysql_connect_any 1 – Brad Mar 20 '13 at 15:44
  • Those are completely separate questions. Though you will find a boolean called `httpd_can_network_connect_db` if you look hard enough. – Michael Hampton Mar 20 '13 at 15:45
  • Yes - I just downloaded audit2why and that told me exactly what you just said. Thanks! – Brad Mar 20 '13 at 15:51
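The thread above ends up needing three httpd booleans (CIFS docroot, memcached, database). The following is an added example, not from the question or answer: a small POSIX shell check that reads `getsebool -a` style output and prints the `setsebool -P` commands still missing, so the fix can be verified on a box before resorting to `audit2why` on denial logs. The sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Booleans the thread needed for lighttpd/php-fpm serving a CIFS-mounted
# docroot while talking to memcached and MySQL over the network.
REQUIRED_BOOLEANS="httpd_use_cifs httpd_can_network_memcache httpd_can_network_connect_db"

# Read `getsebool -a` style lines ("name --> on|off") on stdin and print one
# `setsebool -P <name> 1` line for every required boolean that is off or
# absent from the input (absent is treated as off, since the boolean cannot
# be relied on). Returns 0 when nothing is missing, 1 otherwise.
missing_booleans() {
    input=$(cat)
    rc=0
    for b in $REQUIRED_BOOLEANS; do
        state=$(printf '%s\n' "$input" | awk -v b="$b" '$1 == b { print $3 }')
        if [ "$state" != "on" ]; then
            printf 'setsebool -P %s 1\n' "$b"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample standing in for real `getsebool -a` output on a host
# where only the memcache boolean has been enabled so far.
SAMPLE='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> on
httpd_use_cifs --> off
httpd_use_nfs --> off'

# On a live box: getsebool -a | missing_booleans
printf '%s\n' "$SAMPLE" | missing_booleans || echo "# run the commands above as root"
```

Prefer enabling only these targeted booleans over the broad `httpd_can_network_connect`, which opens every outbound port to the web server domain.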