
LAMP stack running CentOS Linux release 7.2.1511 (Core).

I'm new to debugging SELinux but I'm currently experiencing an issue where once I switch it to run in enforcing mode and reboot, Apache then proceeds to serve contents from the webroot (/var/www/html) but there are numerous 404s showing on the frontend. When SELinux is running in permissive mode or just off then everything works as it should.

Example: js/file.js gets served from domain.com/var/www/html/js/file.js instead of domain.com/js/file.js but the directory index (index.php) still loads.

It seems to be honoring the site configuration because it's still loading files from the document root but assets are getting rendered with that full path.

I was curious if maybe SELinux is causing the .htaccess file in /var/www/html to not be honored or maybe conflicting with AllowOverride in server configuration.

How might I go about debugging this? Thanks.

Additional Background: Not sure it matters but running Magento (PHP ecommerce platform) at webroot.

Audit Log from a single page load:

type=AVC msg=audit(1478193720.600:379): avc: denied { write } for pid=3487 comm="httpd" name="var" dev="sda1" ino=675393 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1478193720.600:379): arch=c000003e syscall=21 success=no exit=-13 a0=7f6c5c032bc8 a1=2 a2=0 a3=7f6c4b2f4c40 items=0 ppid=1021 pid=3487 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478193720.990:380): avc: denied { write } for pid=3487 comm="httpd" name="css_secure" dev="sda1" ino=1042518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1478193720.990:380): arch=c000003e syscall=21 success=no exit=-13 a0=7f6c5d2769c8 a1=2 a2=0 a3=7f6c4b2f4c40 items=0 ppid=1021 pid=3487 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478193720.990:381): avc: denied { write } for pid=3487 comm="httpd" name="css_secure" dev="sda1" ino=1042518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1478193720.990:381): arch=c000003e syscall=21 success=no exit=-13 a0=7f6c5d2769c8 a1=2 a2=0 a3=7f6c4b2f4c40 items=0 ppid=1021 pid=3487 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478193721.002:382): avc: denied { write } for pid=3487 comm="httpd" name="js" dev="sda1" ino=67640391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1478193721.002:382): arch=c000003e syscall=21 success=no exit=-13 a0=7f6c5d277138 a1=2 a2=0 a3=7f6c4b2f4c40 items=0 ppid=1021 pid=3487 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478193721.003:383): avc: denied { write } for pid=3487 comm="httpd" name="css_secure" dev="sda1" ino=1042518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1478193721.003:383): arch=c000003e syscall=21 success=no exit=-13 a0=7f6c5d2770f8 a1=2 a2=0 a3=7f6c4b2f4c40 items=0 ppid=1021 pid=3487 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

sparecycle
  • The first thing you do is to look at the audit log. See also the [documentation](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Troubleshooting.html). – Michael Hampton Nov 03 '16 at 17:19
  • Thank you, posting audit log for single page load and reading troubleshooting docs. – sparecycle Nov 03 '16 at 17:22
  • SELinux doesn't permit writing to arbitrary files in the document root. See the linked Q&A. – Michael Hampton Nov 03 '16 at 17:54
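
As an added example (not part of the original post or its comments), the Python below condenses AVC records like those in the question: it groups denials by source type, permission, target type, class and object name, and pairs each with the SYSCALL record that shares its event serial. The sample lines are abridged from the log in the question; all function and variable names are illustrative.

```python
import re

# Records abridged from the question's log; the last AVC has no SYSCALL partner.
SAMPLE = '''\
type=AVC msg=audit(1478193720.600:379): avc: denied { write } for pid=3487 comm="httpd" name="var" dev="sda1" ino=675393 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1478193720.600:379): arch=c000003e syscall=21 success=no exit=-13 a1=2 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1478193720.990:380): avc: denied { write } for pid=3487 comm="httpd" name="css_secure" dev="sda1" ino=1042518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1478193720.990:380): arch=c000003e syscall=21 success=no exit=-13 a1=2 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1478193720.990:381): avc: denied { write } for pid=3487 comm="httpd" name="css_secure" dev="sda1" ino=1042518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
'''

HEAD = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Type field of a user:role:type:level context; '?' if malformed."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else '?'

def summarize(log_text):
    """Map (source type, perm, target type, class, name) -> count and syscalls."""
    syscalls, denials = {}, []
    for line in log_text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue  # skip blank or non-audit lines
        rtype, serial, body = m.group(1), m.group(2), m.group(3)
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        perms = PERMS.search(body)
        if rtype == 'SYSCALL':
            syscalls[serial] = fields.get('syscall', '?')
        elif rtype == 'AVC' and perms:
            denials.append((serial, perms.group(1).split(), fields))
    summary = {}
    for serial, perms, f in denials:  # AVC and SYSCALL share the event serial
        for perm in perms:
            key = (setype(f.get('scontext', '')), perm, setype(f.get('tcontext', '')),
                   f.get('tclass', '?'), f.get('name', '?'))
            entry = summary.setdefault(key, {'count': 0, 'syscalls': set()})
            entry['count'] += 1
            if serial in syscalls:
                entry['syscalls'].add(syscalls[serial])
    return summary

if __name__ == '__main__':
    for key, entry in summarize(SAMPLE).items():
        print(entry['count'], *key, 'syscalls:', sorted(entry['syscalls']))
```

On the sample this yields two entries, both `httpd_t` denied `write` on `httpd_sys_content_t` directories (`var` once, `css_secure` twice). On x86_64 (`arch=c000003e`) syscall 21 is `access(2)`, so `a1=2` with `exit=-13` is a `W_OK` probe returning `EACCES`.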
