On my installation of CentOS 7, SELinux is enabled by default. This is preventing Apache from properly reading PHP files in the standard /var/www/html document root (the browser is blank when displaying web pages containing PHP script). When I disable SELinux the pages display normally.

Is there some way of setting SELinux to allow Apache to access PHP files from the document root? I would rather not disable SELinux entirely given that CentOS clearly believes it is a desirable security addition.

Grant_Bailey
  • Run `audit2allow < /var/log/audit/audit.log` and inspect the output. – Michael Hampton Nov 06 '14 at 00:29
  • Michael, I get a 'command not found', is some sort of package required? – Grant_Bailey Nov 06 '14 at 00:33
  • It's the `policycoreutils-python` package. Have you had a chance to read [the documentation](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html)? You should do that soon. – Michael Hampton Nov 06 '14 at 00:41
  • Michael, the material you linked was valuable and provided me with the solution which I will post as an answer. Thanks again. – Grant_Bailey Nov 06 '14 at 08:43
  • Though it doesn't deal with PHP directly, this answer might help as it surveys a number of things related to apache and SELinux: https://serverfault.com/a/551801/101931 – kbulgrien Jul 20 '18 at 19:40

2 Answers

I don't do much SELinux, but you can try

semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html(/.*)?'

restorecon -R -v /var/www/html/

That allows Apache to execute PHP scripts in that directory, and persists after a reboot.

If you use MySQL, you may have to do the same for that. SELinux: Letting Apache talk to MySQL on CentOS may help

bhavicp
  • http://stackoverflow.com/questions/15395845/tell-selinux-to-give-apache-execute-access-to-php-files-outside-document-root – 030 Nov 06 '14 at 00:18
  • Yes I saw that but it refers to files outside the document root. I would have expected a less complex procedure for files within the document root. – Grant_Bailey Nov 06 '14 at 00:25
Running audit2allow < /var/log/audit/audit.log confirmed that httpd was being blocked by SELinux (see this link). The solution was to create and apply a policy module using the following steps:

  1. As root, run the command audit2allow -a -M my_httpd (replace 'my_httpd' with whatever name you prefer).
  2. Again as root, run the command semodule -i my_httpd.pp to install the module.

After I followed these steps Apache was able to run PHP scripts on my server without difficulty. Restart of the server does not destroy the changes.

Content of module file (my_httpd.te):

module my_httpd 1.0;
require {
    type admin_home_t;
    type httpd_t;
    class file { read getattr open };
}
#============= httpd_t ==============
allow httpd_t admin_home_t:file { read getattr open };
Grant_Bailey
  • Out of curiosity, are you able to share the contents of the module you created? It seems unusual that you would need to build a custom module for php files in the default docroot. Maybe the files were moved into the directory and don't have the proper context, in which case the `restorecon` command from bhavicp's answer might resolve the issue. – mvermaes Nov 06 '14 at 12:09
  • Yes, it seems very unlikely that you would have needed a custom policy module. More likely a simple boolean, or your files simply had the wrong contexts to begin with. – Michael Hampton Nov 06 '14 at 13:15
  • Yes, the module consists of the two files my_httpd.pp (binary file) and my_httpd.te, the contents of which I will have to post separately. – Grant_Bailey Nov 07 '14 at 08:07
  • ... sorry, module contents appear in my answer which has been edited. – Grant_Bailey Nov 07 '14 at 08:14
  • You're doing development as root ? – user9517 Nov 07 '14 at 08:28
  • Nope, you didn't need this policy at all. Your file contexts were just wrong and you needed to run `restorecon`. – Michael Hampton Nov 07 '14 at 16:47
  • Michael, are you able to suggest a way of reversing what I did before (audit2allow / semodule commands) so that I may run the process bhavicp suggested? – Grant_Bailey Nov 09 '14 at 02:20
  • In case it's still of use: You can unload the custom module with `semodule -r my_httpd`. audit2allow created the custom module's files, which you can delete (my_httpd.te and my_httpd.pp). Then run `restorecon -R -v /var/www/html/` – mvermaes Nov 26 '14 at 07:03
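As an added example (not code from either answer or from the commenters), the script below triages AVC denials from audit.log the way the comments above recommend: a denial where httpd_t hits a home-directory type such as admin_home_t points to mislabeled files (fix with `restorecon`), a denial on mysqld_port_t points to a boolean, and anything else is flagged for investigation instead of being fed straight to audit2allow. The sample log lines and the type-to-remedy mapping are constructed assumptions for this example.

```python
import re

# Constructed sample lines in the format auditd writes to /var/log/audit/audit.log.
# They are not taken from the original post; the third line models a MySQL connect.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1415232000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.php" dev="dm-0" ino=1000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1415232001.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/index.php" dev="dm-0" ino=1000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1415232002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1415232002.789:458): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# A file denial on one of these types means the content carries a home-directory
# label (e.g. it was copied from /root) and should be relabeled, not allowed.
HOME_TYPES = {"admin_home_t", "user_home_t", "home_root_t"}


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["sdomain"] = d["scontext"].split(":")[2]   # e.g. httpd_t
    d["ttype"] = d["tcontext"].split(":")[2]     # e.g. admin_home_t
    return d


def triage(line):
    """Return (target_type, recommendation) for an httpd_t denial, else None."""
    d = parse_avc(line)
    if d is None or d["sdomain"] != "httpd_t":
        return None
    if d["tclass"] == "file" and d["ttype"] in HOME_TYPES:
        return (d["ttype"], "relabel: restorecon -R -v /var/www/html/")
    if d["tclass"] == "tcp_socket" and d["ttype"] == "mysqld_port_t":
        return (d["ttype"], "boolean: setsebool -P httpd_can_network_connect_db on")
    return (d["ttype"], "investigate: do not auto-generate an allow rule")


def triage_log(text):
    """Triage every line of an audit log; non-matching lines are dropped."""
    return [r for r in (triage(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for ttype, advice in triage_log(SAMPLE_AUDIT_LOG):
        print(f"{ttype:16} -> {advice}")
```

Run it against a real log with `triage_log(open("/var/log/audit/audit.log").read())`; the point is that an allow rule for admin_home_t, as in the my_httpd.te above, would never be the recommended fix.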