15

SELinux is preventing the apache user from writing to a log file which it owns. When I do setenforce 0 it works. Otherwise it shows this error

IOError: [Errno 13] Permission denied: '/var/www/webapp/k/site/k.log'

The security context of the file:

$ ll -Z k.log 
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 k.log

The file was created when the SELinux mode was set to permissive.

How to set the security context so the apache user can write in that directory? I did set that directory security context using chcon but I can't find a suitable file type.

From audit.log:

type=AVC msg=audit(1409945481.163:1561): avc:  denied  { append } for  pid=16862 comm="httpd" name="k.log" dev="dm-1" ino=201614333 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1409945481.163:1561): arch=c000003e syscall=2 success=no exit=-13 a0=7fa8080847a0 a1=441 a2=1b6 a3=3 items=0 ppid=15256 pid=16862 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Clodoaldo
  • 395
  • 2
  • 3
  • 9

3 Answers3

22

As already stated, you should instruct SELINUX to allow writing to that file. The right thing to do is to mark /var/www/webapp/k/site/ as of type httpd_sys_rw_content_t

To permanently mark that directory as httpd_sys_rw_content_t, you can use the command semanage fcontext -a -t httpd_sys_rw_content_t /var/www/webapp/k/site(/.*)?; restorecon -RF /var/www/webapp/k/site/ This will survive SELINUX binary policy updates and filesystem relabeling.

shodanshok
  • 44,038
  • 6
  • 98
  • 162
11

For files you want Apache to be able to write to, the type must be set to httpd_sys_rw_content_t.

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
7

This will change the permissions:

chcon --type httpd_sys_rw_content_t /var/www/webapp/k/site/k.log
Andrew Schulman
  • 8,561
  • 21
  • 31
  • 47
t0k3n1z3r
  • 81
  • 1
  • 2