Home / server / Questions / 642353
Accepted
Grant_Bailey
Asked: 2014-11-06 16:11:58 +0800 CST

SELinux interfering with Apache / PHP [duplicate]

  • 772

On my installation of CentOS 7, SELinux is enabled by default. This is preventing Apache from properly reading PHP files in the standard /var/www/html document root (the browser is blank when displaying web pages containing PHP script). When I disable SELinux the pages display normally.

Is there some way of setting SELinux to allow Apache to access PHP files from the document root? I would rather not disable SELinux entirely given that CentOS clearly believes it is a desirable security addition.

apache-2.2

2 Answers

  1. Best Answer

    I don't do much SELinux, but you can try

    semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html(/.*)?'

restorecon -R -v /var/www/html/

    That allows Apache to execute PHP scripts in that directory, and persists after a reboot.

    If you use MySQL, you may have to do the same for that. SELinux: Letting Apache talk to MySQL on CentOS may help

    • 3

  2. Running audit2allow < /var/log/audit/audit.log confirmed that httpd was being blocked by SELinux (see this link). The solution was to create and apply a policy module using the following steps:

    1. As root, run the command audit2allow -a -M my_httpd (replace 'my_httpd' with whatever name you prefer).
    2. Again as root, run the command semodule -i my_httpd.pp to install the module.

    After I followed these steps Apache was able to run PHP scripts on my server without difficulty. Restart of the server does not destroy the changes.

    Content of module file (my_httpd.te):

    module my_httpd 1.0;
require {
    type admin_home_t;
    type httpd_t;
    class file { read getattr open };
}
#============= httpd_t ==============
allow httpd_t admin_home_t:file { read getattr open };
    • 1