Tell SELinux to Give Apache Execute Access to PHP Files Outside Document Root
I found the solution with these two commands:
semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'
restorecon -R -v /whatever/scripts/
That allows Apache to execute PHP scripts in that directory, and it persists after a reboot or a system-wide relabeling.
Configure SELinux access so that Apache can access mounted directories
Rather than simply providing a link, but without completely ripping off the content of that link, here's the rundown.
Install policycoreutils-python, which contains semanage, so that policy can be set up allowing Apache to read, or read/write, areas outside of the DocumentRoot.
yum install -y policycoreutils-python
The article also mentioned a troubleshooting package, but my machine could not locate it.
Create policy for read only areas that are a part of your application, outside of the DocumentRoot
semanage fcontext -a -t httpd_sys_content_t "/webapps(/.*)?"
Create policy for logging directories
semanage fcontext -a -t httpd_log_t "/webapps/logs(/.*)?"
Create policy for cache directories
semanage fcontext -a -t httpd_cache_t "/webapps/cache(/.*)?"
Create policy for read/write areas that are outside of the DocumentRoot
semanage fcontext -a -t httpd_sys_rw_content_t "/webapps/app1/public_html/uploads(/.*)?"
Apply the policy with the restorecon command
restorecon -Rv /webapps
Verify policy has been applied
ls -lZ /webapps
That's it in a nutshell. The original article is nicer to read, however.
RHEL + PHP : writing files outside /var/www/html?
As written in the httpd_selinux(8) man page, you must give files and directories specific file contexts if you want to be able to read from or write to them. See the man page for details, keeping in mind that PHP scripts run as the daemon unless you have specifically set up PHP to run as CGI.
Trying to get selinux to allow apache to run an executable that uses a port
Solved using https://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01
Created a policy specific to the access requirements (Step 7 in the documentation).
How can I allow PHP to use the at command in exec() calls when SELinux is enabled?
Did you ever come up with a solution to this problem? If so, I would like to know.
I came across the same situation, so I will post my solution here.
After configuring SELinux to allow Apache to execute the at command, I too came across a problem where no errors were found but the at command was not executing.
So I changed Apache's shell config to /bin/sh (from /usr/sbin/nologin) and logged into a shell as user apache.
Then I executed atq to find out that the at command was properly executed from the Apache process.
$ atq
46 Fri Nov 21 17:23:00 2014 a apache
But it was spooled forever and never executed. So I tried to execute an at job from the shell, and that worked with no problem. I also found out that the job that had been spooled from Apache had started to run as well.
$ atq
46 Fri Nov 21 17:23:00 2014 = apache
So I added a cron task that just keeps spooling empty at jobs (as user apache):
$ crontab -l
*/1 * * * * echo echo|/usr/bin/at now
It will cause a maximum 1 minute delay, but now at commands run from Apache (PHP) exec().
I don't know the reason or the logic behind this result, but it is a working solution for me.
CentOS 7.0.1406, Apache/2.4.6, PHP 5.4.16, Kernel 3.10.0-123.9.3.el7.x86_64
EDIT:
I found out a simpler solution. This allows immediate at command execution.
# chcon -t unconfined_exec_t /sbin/httpd
See the detailed document here.
Probably not a good idea if the server is shared by untrusted users.
Apache able to execute file outside web server root directory
The main Apache process is run as root; the other processes are run as nobody. The only processes that handle requests are those that run as nobody, so that if anyone tries to access a file that nobody can't access, they'll get an error (whereas root would be able to access the file).
If you need to execute the file, you can do a few things:
- Have nobody own the file. This will give nobody full read/write/execute access to the file, while preventing other users from writing or executing the file.
- Add nobody to a group, and give that group execute access on the file. Anyone who is in the group would be able to execute the file, but only the owner would be able to write to it (which would not be nobody).
- Allow anyone to execute the file. This is probably not a good idea, as any user would be able to execute the contents at varying permission levels. It'd probably be best to use one of the above two.
How to include file outside document root?
You cannot accomplish this if open_basedir is in effect, which prevents PHP from traversing out of the home directory.
What you can do is make sure that docroot1 and docroot2 are owned by users in the same group, set group permissions accordingly and use a symbolic link from docroot2 to docroot1 to read the other web root.
Or, re-build PHP and let it just follow typical *nix permissions like every other process :)
PHP file_put_contents returning 'Permission Denied' (Due to SELinux setting)
I resolved this issue by simply running chcon -Rt httpd_sys_content_rw_t on the directory where my troubled PHP script lived.
The chcon command changes the SELinux context for files. However, changes made with the chcon command are not persistent across file-system relabels or the execution of the restorecon command.
-Rt changes the type of the directory and its contents; httpd_sys_content_rw_t gives Apache write access.
source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-selinux_contexts_labeling_files
Additional note
ls -alZ *
The -Z switch works with most utilities to show SELinux security contexts.
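As an added example (not code from any of the answers above), the following Python checks a directory listing against the fcontext specs from the semanage fcontext answer earlier on this page, flagging both files that were never relabeled and ad-hoc chcon changes like the one in this answer, which the next restorecon will undo. The listing, shaped like the output of find /webapps -printf '%Z %p', and the file names in it are constructed for illustration.

```python
import re

# fcontext specs as registered with `semanage fcontext -a -t TYPE 'REGEX'`.
# Specs are anchored regexes; when several match, the last one wins, which
# is why the answer adds the general /webapps rule before the specific ones.
FCONTEXT_RULES = [
    (r"/webapps(/.*)?", "httpd_sys_content_t"),
    (r"/webapps/logs(/.*)?", "httpd_log_t"),
    (r"/webapps/cache(/.*)?", "httpd_cache_t"),
    (r"/webapps/app1/public_html/uploads(/.*)?", "httpd_sys_rw_content_t"),
]

# Constructed listing shaped like `find /webapps -printf '%Z %p\n'` (not real
# output). Two entries are deliberately wrong: the cache file was never
# relabeled and config.php was made writable with an ad-hoc chcon.
SAMPLE_LISTING = """\
system_u:object_r:httpd_sys_content_t:s0 /webapps
system_u:object_r:httpd_sys_content_t:s0 /webapps/app1/public_html/index.php
system_u:object_r:httpd_log_t:s0 /webapps/logs/access.log
system_u:object_r:httpd_sys_content_t:s0 /webapps/cache/page.html
system_u:object_r:httpd_sys_rw_content_t:s0 /webapps/app1/public_html/uploads/a.png
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /webapps/app1/public_html/config.php
"""

def expected_type(path, rules=FCONTEXT_RULES):
    """Type the fcontext rules assign to path; None if no spec matches."""
    setype = None
    for pattern, rule_type in rules:
        if re.fullmatch(pattern, path):
            setype = rule_type
    return setype

def parse_find_z(listing):
    """Yield (path, type) from 'user:role:type:level path' lines."""
    for line in listing.strip().splitlines():
        context, path = line.split(None, 1)
        _user, _role, setype, _level = context.split(":", 3)  # MLS level may contain ':'
        yield path, setype

def find_mislabeled(listing, rules=FCONTEXT_RULES):
    """(path, actual, expected) for files whose type restorecon would change."""
    return [(path, actual, expected_type(path, rules))
            for path, actual in parse_find_z(listing)
            if actual != expected_type(path, rules)]

if __name__ == "__main__":
    for path, actual, wanted in find_mislabeled(SAMPLE_LISTING):
        print(f"{path}: is {actual}, restorecon would set {wanted}")
```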