
I was hoping someone could kindly help me. I have a Magento site running on a CentOS 7.6 server.

Now, the site is not loading correctly, and looking in the messages.log I see numerous entries where SELinux is blocking access. I am able to confirm it is an SELinux issue, as setting it to permissive mode fixes ("used loosely") the problem.

Running sealert -l 3bedf708-7636-44d4-95f6-c98b8ea16687, I see the following:

SELinux is preventing /usr/sbin/httpd from write access on /var/www/html/MyMagentoSite/var/session/

There are various entries for different files and folders.

Would I be okay in just running chcon -R -t httpd_sys_rw_content_t /var/www/html/magentofoldername/*, or what would be a better solution?

This seems counterintuitive, in that I am giving read and write to everything within the Magento folder.

2 Answers

Why not follow your intuition and apply the label to only the session directory (from your error message)?

Still, intuition is not the best helper here, but you can do some lookups on what the "expected" labels are, using detective skills.

The default PHP session directory is /var/lib/php/session.

If you do a semanage fcontext -l | grep php then you can see this entry:

/var/lib/php(/.*)? all files system_u:object_r:httpd_var_lib_t:s0 

So the PHP session directory should, I suppose, be labeled as httpd_var_lib_t.

So:

chcon -R -t httpd_var_lib_t /var/www/html/magentofoldername/var/session 
Danila Vershinin

If you use chcon, then after you reboot the server you will have the same issue. Use semanage fcontext in this way:

semanage fcontext -a -t httpd_var_lib_t "/var/www/html/magentofoldername/var/session(/.*)?"

Now you can apply the SELinux permissions:

restorecon -R -v -F /var/www/html/magentofoldername/var/session
c4f4t0r
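
An added example, not part of either answer: a dry-run script that reads sealert summary lines in the format quoted in the question and prints one persistent semanage fcontext rule and one restorecon call per write-denied path, instead of relabelling the whole Magento tree. The function names, the sample lines and the rule that a trailing slash marks a directory are assumptions; the site path and the type are the ones used in the answers.

```shell
#!/usr/bin/env bash
# Dry run: turn sealert summary lines into per-path labelling commands.
# Commands are only printed for review; nothing is executed.

SITE_ROOT="/var/www/html/magentofoldername"  # path from the answers above
RW_TYPE="httpd_var_lib_t"                     # type from the answers above

# Constructed sample input, in the message format quoted in the question.
SAMPLE_DENIALS='SELinux is preventing /usr/sbin/httpd from write access on /var/www/html/magentofoldername/var/session/
SELinux is preventing /usr/sbin/httpd from write access on /var/www/html/magentofoldername/var/session/
SELinux is preventing /usr/sbin/httpd from write access on /var/www/html/magentofoldername/var/cache/
SELinux is preventing /usr/sbin/httpd from read access on /var/www/html/magentofoldername/app/etc/local.xml
SELinux is preventing /usr/sbin/httpd from write access on /etc/httpd/conf/httpd.conf'

# Print the unique paths under SITE_ROOT that were denied *write* access.
# Read denials, paths outside the site, ".." and unusual characters are dropped.
denied_write_paths() {
  sed -n 's|^SELinux is preventing [^ ]* from write access on \(/.*\)$|\1|p' |
    awk -v root="$SITE_ROOT/" '
      index($0, root) == 1 && $0 ~ "^[A-Za-z0-9_./-]+$" && $0 !~ "/[.][.](/|$)"' |
    sort -u
}

# Emit a persistent fcontext rule plus a restorecon call for each path.
emit_label_commands() {
  denied_write_paths | while IFS= read -r path; do
    target=${path%/}
    spec=$(printf '%s' "$target" | sed 's/\./\\./g')  # dots are regex metachars
    case "$path" in
      */) spec="${spec}(/.*)?" ;;  # assumption: trailing slash marks a directory
    esac
    printf 'semanage fcontext -a -t %s "%s"\n' "$RW_TYPE" "$spec"
    printf 'restorecon -R -v -F "%s"\n' "$target"
  done
}

printf '%s\n' "$SAMPLE_DENIALS" | emit_label_commands
```

Review the printed commands before running them as root; the read denial and the write denial outside the site root are deliberately left for manual investigation.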