SELinux influences "failed to open stream: Permission denied” PHP error

Question

Yesterday I\'ve spent 5 hours straight discovering a seemingly unreasonable error \"failed to open stream. permission denied\", which was occuring after any operations of wr

Answer 1

I am not expert but have had a few issues with SELinux myself. I read a few articles and from what I can gather SELinux is another layer of Security for your server and really should be left on, rather than switched off due to ignorance (that was the quote I read, not my words). I found this site helpful and also comical and it will probably give you more info than I ever could.

http://stopdisablingselinux.com/

A few things I have encountered that I will share are:

You can check the current SELinux permissions with the following command:

ls -lZ

You can set SELinux permissions with the following command:

chcon unconfined_u:object_r:httpd_user_content_t:s0

You can use a wildcard to change all files in a directory like so:

chcon unconfined_u:object_r:httpd_user_content_t:s0 *

You can set permissions to all files and directories recursively using this (this is the command that will likely fix your permission issue, you should avoid 777 like then plague):

chcon -R unconfined_u:object_r:httpd_user_content_t:s0 *

If you wish to use home directories to serve sites or applications, you need to issue this command:

setsebool -P httpd_enable_homedirs=1

I have had issues with fsockopen on centos with Selinux and I had to use the following (the -P makes this change permanent, you will liekly need this command also):

setsebool -P httpd_can_network_connect 1

You can see what flags are set on HTTPD with:

sestatus

I think the final thing, is that I had an issue with public/private key authentication on a server and needed to run this command to fix it (this is a known bug I believe):

restorecon -R -v /home

Hopefully some of these snippets and info will be of some use to you and these are not simply the ramblings of a mad man.

Answer 2

In addition to the HumbleRat very useful answer, here is what solved my problem of Apache not allowed to write logs in dedicated directry :

# Allow write only to specific dirs
sudo chcon -t httpd_sys_rw_content_t /data/www/html/sites/mysite/logs -R

Source : https://blog.lysender.com/2015/07/centos-7-selinux-php-apache-cannot-writeaccess-file-no-matter-what/