Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
my SELinux isn't great, but I think you can reset the context of this new directoty you created. if you do an "ls -lZ /var/www/html" ls will show you the SELinux contexts of the directories, and I would think that your opencart one is wrong. If that's the case you can use chcon to change the context of the relevant things, or restorecon of the whole /var/www/html location whcih will set contexts based on a atandard database of common paths.
There may be other specific apache tuning issues in SELinux though, feel free to post the actual vioaltions in the logs.
and from var/log/messages :
Mar 14 19:07:48 dosa setroubleshoot: SELinux is preventing /usr/sbin/httpd from write access on the directory logs. For complete SELinux messages. run sealert -l 11dc8f16-155f-455a-9856-3cb0853ad7b6
Mar 14 19:07:48 dosa setroubleshoot: SELinux is preventing /usr/sbin/httpd from write access on the directory cache. For complete SELinux messages. run sealert -l 11dc8f16-155f-455a-9856-3cb0853ad7b6
Mar 14 19:07:48 dosa setroubleshoot: SELinux is preventing /usr/sbin/httpd from write access on the directory logs. For complete SELinux messages. run sealert -l 11dc8f16-155f-455a-9856-3cb0853ad7b6
Distribution: Red Hat, Scientific Linux, CentOS, and Ubuntu
Posts: 27
Rep:
It would indeed be a shame to throw away SELinux because of a configuration issue, and its definitely worth spending some time figuring it out.
Did you run sealert as the log messages indicated?
You could also try something like this:
Code:
sealert -a /var/log/audit/audit.log
That command will scan your audit log for SELinux messages and should propose some policy changes that you can make to allow the disallowed actions.
Instead of disabling SELinux completely, you can set it to run in permissive mode. That way, the violations will still be logged and you'll be able to work out the required policy changes. If you disable it completely, you won't get any logs to work from. On a Red Hat system, you can find the settings in /etc/selinux/config. You can also switch a running system from permissive to enforcing and vice-versa with the "setenforce" command, like this:
Code:
# set selinux in permissive mode (log violations, but don't enforce)
setenforce 0
# set selinux in enforcing mode (log and enforce)
setenforce 1
You can see the current enforcing mode with the "getenforce" command:
Suggestion: work within the world-view advocated by SELinux, instead of working against it.
"Apache," after all, "is just another ordinary user." The web-service, Apache, is "somebody (apache)" therefore with some associated set of credentials. It shouldn't be given a blank check: like every other "ordinary user," it should be restricted to: "what it needs to do, and not one whit more."
The "Unix permissions mask" model really will not apply here: you're dealing with Access Control Lists (ACLs) or their SELinux equivalent from the very start. The "permissions mask" is vastly too simplistic, and it need not apply. You've never been limited to that, anyway . . .
Last edited by sundialsvcs; 03-14-2013 at 09:24 PM.
Distribution: Red Hat, Scientific Linux, CentOS, and Ubuntu
Posts: 27
Rep:
sundialsvcs has it right.
I normally try to avoid responding to questions with "You don't want to do that", but in this case, do you really want Apache writing to a config file? Normally, I'd set Apache up to be able to write to data files in specific data directories, its own log files, tmp files, session cookies, and any DB's required for the webapps. Allowing Apache to write configs or code, create dirs, download files, etc. is asking for trouble.
So really, it sounds like SELinux is doing exactly what its supposed to do, and if you follow my advice from above without understanding what you're doing and why, you're going to lose a lot of the protection SELinux offers.
The table isn't quite complete. The entries listed are for those files owned by apache...
User files (normally accessed via the public html directive) have a different label that users can make use of:
httpd_user_content_t for read only access
httpd_user_rw_content_t for read/write access
Directories that are to receive uploads/data file creation operations must have the "rw" forms. Data files must have the "rw" if they are to be written to.
In addition to the mandatory labels, the files must be readable (or read/write) by the apache user.
Created files will always be owned by the apache user.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
bject_r:httpd_sys_content_t:s0 opencart
