2

On my installation of CentOS 7, SELinux is enabled by default. This is preventing Apache from properly reading PHP files in the standard /var/www/html document root (the browser is blank when displaying web pages containing PHP script). When I disable SELinux the pages display normally.

Is there some way of setting SELinux to allow Apache to access PHP files from the document root? I would rather not disable SELinux entirely given that CentOS clearly believes it is a desirable security addition.

2 Answers

4

I don't do much SELinux, but you can try

semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html(/.*)?'

restorecon -R -v /var/www/html/

That allows Apache to execute PHP scripts in that directory, and persists after a reboot.

If you use MySQL, you may have to do the same for that. "SELinux: Letting Apache talk to MySQL on CentOS" may help.

bhavicp
1

Running audit2allow < /var/log/audit/audit.log confirmed that httpd was being blocked by SELinux (see this link). The solution was to create and apply a policy module using the following steps:

  1. As root, run the command audit2allow -a -M my_httpd (replace 'my_httpd' with whatever name you prefer).
  2. Again as root, run the command semodule -i my_httpd.pp to install the module.

After I followed these steps, Apache was able to run PHP scripts on my server without difficulty. Restarting the server does not destroy the changes.

Content of module file (my_httpd.te):

module my_httpd 1.0;
require {
    type admin_home_t;
    type httpd_t;
    class file { read getattr open };
}
#============= httpd_t ==============
allow httpd_t admin_home_t:file { read getattr open };
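
An added example, not part of either answer: it summarises httpd AVC denials by target type, class and permission, so the label behind the denial is visible before choosing between relabelling (first answer) and a policy module (second answer). The log lines are constructed samples, and the function names `sample_log` and `summarise_httpd_denials` are hypothetical.

```shell
#!/usr/bin/env bash
# Summarise SELinux AVC denials whose source domain is httpd_t.
# Output: "<count> <target_type> <class> <perms>", most frequent first.

# Constructed audit.log records (not taken from the page).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1400000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.php" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1400000000.102:202): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.php" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1400000000.103:203): avc:  denied  { read open } for  pid=2102 comm="httpd" path="/var/www/html/info.php" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1400000000.104:204): avc:  denied  { read } for  pid=2103 comm="httpd" name="index.php" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1400000000.105:205): avc:  denied  { read } for  pid=3001 comm="sshd" name="shadow" dev="dm-0" ino=2001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# Reads audit records from the files given as arguments, or from stdin.
summarise_httpd_denials() {
  awk '
    /^type=AVC / && / denied / && /scontext=[^ ]*:httpd_t:/ {
      perms = ""; inb = 0; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inb = 1; continue }      # permission list opens
        if ($i == "}") { inb = 0; continue }      # permission list closes
        if (inb) perms = perms (perms == "" ? "" : ",") $i
        # tcontext is user:role:type:level, so the type is the third part
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      count[ttype " " tclass " " perms]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# admin_home_t is the default label for files under /root in the targeted
# policy; seeing it on document-root content suggests the files kept a label
# from where they were created, which restorecon resets without new policy.
sample_log | summarise_httpd_denials
```

To run it against the live log, call `summarise_httpd_denials /var/log/audit/audit.log` as root.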