Tell SELinux to Give Apache Execute Access to PHP Files Outside Document Root


I found the solution with these two commands:

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'

restorecon -R -v /whatever/scripts/

That allows Apache to execute PHP scripts in that directory, and it persists after a reboot or a system-wide relabeling.

Configure SELinux access so that Apache can access mounted directories

Rather than simply providing a link, but without completely ripping off the content of that link, here's the rundown.

Install policycoreutils-python, which contains semanage, so that a policy can be set up that allows Apache to read, or read/write, areas outside of the DocumentRoot.

yum install -y policycoreutils-python

The article also mentioned a troubleshooting package, but my machine could not locate it.

Create a policy for read-only areas that are part of your application, outside of the DocumentRoot

semanage fcontext -a -t httpd_sys_content_t "/webapps(/.*)?"

Create a policy for logging directories

semanage fcontext -a -t httpd_log_t "/webapps/logs(/.*)?"

Create a policy for cache directories

semanage fcontext -a -t httpd_cache_t "/webapps/cache(/.*)?"

Create a policy for read/write areas that are outside of the DocumentRoot

semanage fcontext -a -t httpd_sys_rw_content_t "/webapps/app1/public_html/uploads(/.*)?"

Apply the policy with the restorecon command

restorecon -Rv /webapps

Verify that the policy has been applied

ls -lZ /webapps

That's it in a nutshell. The original article is nicer to read, however.
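As an added example (not from the original answers, and not Red Hat's or the CentOS wiki's code), here is a small POSIX shell script that automates the "verify" step of the procedure above. It parses `ls -lZ` output, flags every entry whose SELinux type is not one of the httpd_* types the procedure assigns (so a stray `default_t` or `user_home_t` file under /webapps is caught before Apache returns a mysterious permission error), and prints the persistent semanage/restorecon pair for a given directory and type. The listing is a constructed sample rather than output from a real host, the allowed-type list is assumed to be exactly the set used in the steps above, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit an `ls -lZ` listing of a web tree for entries whose
# SELinux type is not one that httpd policy lets Apache use, and emit the
# persistent relabel commands for a directory. Function names are assumptions.

# Constructed sample in the style of `ls -lZR /webapps` (both the RHEL 7 and
# the newer coreutils column layouts appear); not captured from a real system.
SAMPLE_LS_Z='/webapps:
total 0
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.php
-rw-r--r--. apache apache unconfined_u:object_r:user_home_t:s0 config.php
-rw-rw-r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads/a.jpg
-rwxr-xr-x. root   root   unconfined_u:object_r:httpd_sys_script_exec_t:s0 scripts/run.php
-rw-r--r--. root   root   unconfined_u:object_r:default_t:s0 logs/error.log
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_cache_t:s0 120 Jan  1 12:00 cache/page.html'

# Types the procedure above assigns; anything else under the tree is suspect.
ALLOWED_TYPES='httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_script_exec_t httpd_log_t httpd_cache_t'

# Print "<type> <name>" for every listing line whose type is not allowed.
# The context field is located by its user:role:type[:level] shape rather than
# by column number, so both ls layouts work; header/"total" lines are skipped.
find_mislabeled() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_TYPES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[^:]+:[^:]+:[^:]+_t(:|$)/) {
                split($i, ctx, ":")            # ctx[3] is the SELinux type
                if (!(ctx[3] in ok)) print ctx[3], $NF
                break
            }
        }
    }'
}

# Number of mislabeled entries: the value a deploy check can gate on.
count_mislabeled() {
    find_mislabeled "$1" | wc -l | tr -d ' '
}

# Emit the persistent relabel pair (semanage fcontext + restorecon) for a
# directory tree. Printed rather than executed so it can be reviewed first.
persistent_label_cmds() {
    dir=${1%/}                                  # drop a trailing slash
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$dir"
    printf "restorecon -R -v '%s'\n" "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    echo "Mislabeled entries in sample listing:"
    find_mislabeled "$SAMPLE_LS_Z"
    echo "Count: $(count_mislabeled "$SAMPLE_LS_Z")"
    echo "Commands to label /webapps/scripts as CGI-executable:"
    persistent_label_cmds /webapps/scripts/ httpd_sys_script_exec_t
fi
```

On a real host, feed the audit with the live listing, e.g. `find_mislabeled "$(ls -lZR /webapps)"`, and run it again after `restorecon -Rv /webapps` to confirm the count drops to zero. The commands are printed instead of run because `semanage fcontext -a` writes to the local policy store and should be reviewed before it is applied.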

RHEL + PHP : writing files outside /var/www/html?

As written in the httpd_selinux(8) man page, you must give files and directories specific file contexts if you want to be able to read from or write to them. See the man page for details, keeping in mind that PHP scripts run as the daemon unless you have specifically set up PHP to run as CGI.

Trying to get selinux to allow apache to run an executable that uses a port

Solved using https://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01

Created a policy specific to the access requirements (Step 7 in the documentation).

How can I allow PHP to use the at command in exec() calls when SELinux is enabled?

Did you ever come up with a solution to this problem? If so, I would like to know.

I came across the same situation, so I will post my solution here.

After configuring SELinux to allow Apache to execute the at command, I too came across a problem where no errors were found, but the at command was not executing.

So I changed Apache's shell config to /bin/sh (from /usr/sbin/nologin) and logged into a shell as user apache.

Then I executed atq to find out that the at command was properly executed from the Apache process.

$ atq
46 Fri Nov 21 17:23:00 2014 a apache

But it was spooled forever and never executed. So I tried to execute an at job from the shell, and that worked with no problem, and I also found out that the job that was spooled from Apache had started to run as well.

$ atq
46 Fri Nov 21 17:23:00 2014 = apache

So I added a cron task that just keeps spooling empty at jobs (as user apache):

$ crontab -l
*/1 * * * * echo echo|/usr/bin/at now

It will cause a maximum 1 minute delay, but now at commands run from Apache (PHP) exec.

I don't know the reason or the logic behind this result, but it is a working solution for me.

CentOS 7.0.1406, Apache/2.4.6, PHP 5.4.16, Kernel 3.10.0-123.9.3.el7.x86_64

EDIT:
I found out a simpler solution. This allows immediate at command execution.

# chcon -t unconfined_exec_t /sbin/httpd

See the detailed document here.

Probably not a good idea if the server is shared by untrusted users.

Apache able to execute file outside web server root directory

The main Apache process is run as root; the other processes are run as nobody. The only processes that handle requests are those that are run as nobody, so that if anyone tries to access a file that nobody can't access, they'll get an error (whereas root would be able to access the file).

If you need to execute the file, you can do a few things:

  1. Have nobody own the file. This will give nobody full read/write/execute access to the file, while preventing other users from writing or executing the file.
  2. Add nobody to a group, and give that group execute access on the file. Anyone who is in the group would be able to execute the file, but only the owner would be able to write to it (which would not be nobody).
  3. Allow anyone to execute the file. This is probably not a good idea, as any user would be able to execute the contents at varying permission levels. It'd probably be best to use one of the above two.

How to include file outside document root?

You cannot accomplish this if open_basedir is in effect, which prevents PHP from traversing out of the home directory.

What you can do is make sure that docroot1 and docroot2 are owned by users in the same group, set group permissions accordingly and use a symbolic link from docroot2 to docroot1 to read the other web root.

Or, re-build PHP and let it just follow typical *nix permissions like every other process :)

PHP file_put_contents returning 'Permission Denied' (Due to SELinux setting)

I resolved this issue by simply running chcon -Rt httpd_sys_rw_content_t on the directory where my troubled PHP script lived.

The chcon command changes the SELinux context for files. However, changes made with the chcon command are not persistent across file-system relabels, or the execution of the restorecon command.

-R and -t change the type of the directory and its contents; httpd_sys_rw_content_t gives Apache write access.

Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files

Additional note

ls -alZ *

The -Z switch works with most utilities to show SELinux security contexts.
