Allow httpd ( apache ) to write to files and folders with SELINUX

You may have read my previous post about configuring apache for public_html with SELinux. Today we look at extending this a little by enabling write permissions on specific folders with SELinux enabled. There is precious little help on this available on Google, so I thought I would throw in my two cents.

In summary, the file context needs to be changed for folders where the httpd daemon needs write access. These would be folders that contain cache, images, logs and other things...

To recap:
Step 2 - Ensure that selinux is enabled for user_dir
#> setsebool httpd_enable_homedirs true

Step 3 - Ensure the correct access permissions are set on the home directory
As normal user in home directory
~> chmod a+x ~
Step 5 - Create the public_html directory
~> mkdir public_html
Step 6 - Set the selinux type label for public_html
~> chcon -t httpd_sys_content_t public_html


Now your installer script for modx ( say, for example ) tells you that it cannot install because the cache folder is not writable. You scratch your head and wonder why... You need to make a change to the file context for the cache folder ( and any other folders you wish httpd to be able to write to ).

Step 7 - Turn on the boolean switch for allowing httpd write access to files.
#> setsebool allow_httpd_anon_write true

Step 8 - Set the selinux type label for public_html/assets/cache
~> chcon -t public_content_rw_t ~/public_html/assets/cache
Step 9 - Set file permissions for everyone ( I have yet to work this out properly. ) It may be better to give ownership of the home directory to the apache user and group... I just do a chmod 777 to give all permissions to all users on the public files.
~> chmod 777 -R ~/public_html/assets/cache
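As an added example (not from the original post), the script below wraps steps 7 to 9 into something you can run before and after the change: it parses `ls -Z` output to show which paths httpd still cannot write to, and it prints (rather than runs) the commands for one directory so they can be reviewed and then executed as root. The sample `ls -Z` lines, the home directory /home/alice and the group name apache are assumptions; the type httpd_sys_rw_content_t is taken from newer targeted policies, where it is writable by httpd without any boolean. It also goes a little beyond the post: `setsebool -P` keeps the boolean across reboots, `semanage fcontext` plus `restorecon` keep the label across a filesystem relabel (a bare `chcon` does not), and group ownership with a setgid directory replaces `chmod 777`.

```shell
#!/bin/sh
# Sample `ls -Z` output, constructed for this example (not captured from a real host).
SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 /home/alice/public_html
unconfined_u:object_r:public_content_rw_t:s0 /home/alice/public_html/assets/cache
unconfined_u:object_r:user_home_t:s0 /home/alice/public_html/assets/images'

# Print the SELinux type (third field of the user:role:type:level context) of one
# ls -Z line. It picks the first whitespace-separated field that looks like a
# context, so it works whether ls prints the context first or inside a long listing.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, f, ":") >= 4) { print f[3]; exit }
    }'
}

# Exit 0 when httpd can write to a file of this type: public_content_rw_t once
# allow_httpd_anon_write is on (as in the post), or httpd_sys_rw_content_t (newer
# policies, no boolean needed). Anything else is reported as not writable.
httpd_writable_type() {
    case "$1" in
        public_content_rw_t|httpd_sys_rw_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# List each path (last field of the line) whose type httpd cannot write to.
report_unwritable() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        t=$(selinux_type "$line")
        p=$(printf '%s\n' "$line" | awk '{ print $NF }')
        httpd_writable_type "$t" || printf '%s (%s)\n' "$p" "$t"
    done
}

# Emit the root commands that make one directory writable by httpd. They are
# printed, not executed, so they can be reviewed first. The apache group name is
# an assumption (it differs between distributions).
fix_commands() {
    dir=$1
    printf 'setsebool -P allow_httpd_anon_write true\n'
    printf "semanage fcontext -a -t public_content_rw_t '%s(/.*)?'\n" "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
    printf 'chgrp -R apache %s\n' "$dir"
    printf 'chmod -R g+rwX %s\n' "$dir"
    printf 'find %s -type d -exec chmod g+s {} +\n' "$dir"
}

# Usage: show what httpd still cannot write to, then the commands for the cache dir.
report_unwritable "$SAMPLE_LS_Z"
fix_commands /home/alice/public_html/assets/cache
```

On a live host, replace SAMPLE_LS_Z with the real output of `ls -Z ~/public_html/assets/*` and pipe `fix_commands` into `sudo sh` once you are happy with it. public_html itself shows up in the report because it is only httpd_sys_content_t, which is what you want: only the cache directory needs to be writable.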


So that should about cover it then. Apply to all folders or specific files if you want httpd to have write access.

Comments

David Latham said…
Michael Chester from http://www.chesterproductions.net.nz/blogs/it/ had this to say:

"""
And the easy way...

cat /var/log/audit/audit.log | audit2allow -m local > local.te && checkmodule -M -m -o local.mod local.te && semodule_package -o local.pp -m local.mod && semodule -i local.pp

"""
Suhada said…
Gr8 post... Thanks....
