SELinux influences "failed to open stream: Permission denied” PHP error

Question

Yesterday I've spent 5 hours straight discovering a seemingly unreasonable error "failed to open stream. permission denied", which was occuring after any operations of writing to file system: fopen (with "w" and "a" flags), move_uploaded_file, file_put_contents.

I've rechecked many times directories owner (user and group - chown, chgrp), have change folder attributes to unsecure 777 (rwx with chmod), but it has no effect. I even reinstalled an Apache and PHP, but still was facing the same error.

As it is appeared after hours of reading various documentation the origin of error was SELinux restrictions automatically applied for Apache service httpd. I've simply turned off the SELinux by editing /etc/selinux/config file on my Fedora (release 20) via changing line:

SELINUX=enforcing

to

SELINUX=disabled

I restarted my computer and that annoying error had finally dissapeared.

I have to notice that all the questions at Stack Overflow regarding the issue of "permission denied" on LAMP environment were touching only the folder permission concerns which was not the case in my case.

1. (practical) How can I grant Apache httpd service write-delete-update permissions on directory without totally disabling SELinux?

2. (theoretical) What is the SELinux? What it is intended for? Why (for what reason) it was created? Why should I use it? Is there a reason to keep SElinux enabled on local dev machine?

solely to moderators of the resource: I know that this issue covers more administrating than actual programming, but I'm sure it affects developers in much more severe way than say novice administrators, so choosing between SuperUser and StackOverflow I took the latter. However it is up to you whether to move the question at SuperUser or keep at this place.

Answer 1

I am not expert but have had a few issues with SELinux myself. I read a few articles and from what I can gather SELinux is another layer of Security for your server and really should be left on, rather than switched off due to ignorance (that was the quote I read, not my words). I found this site helpful and also comical and it will probably give you more info than I ever could.

http://stopdisablingselinux.com/

A few things I have encountered that I will share are:

You can check the current SELinux permissions with the following command:

ls -lZ

You can set SELinux permissions with the following command:

chcon unconfined_u:object_r:httpd_user_content_t:s0

You can use a wildcard to change all files in a directory like so:

chcon unconfined_u:object_r:httpd_user_content_t:s0 *

You can set permissions to all files and directories recursively using this (this is the command that will likely fix your permission issue, you should avoid 777 like then plague):

chcon -R unconfined_u:object_r:httpd_user_content_t:s0 *

If you wish to use home directories to serve sites or applications, you need to issue this command:

setsebool -P httpd_enable_homedirs=1

I have had issues with fsockopen on centos with Selinux and I had to use the following (the -P makes this change permanent, you will liekly need this command also):

setsebool -P httpd_can_network_connect 1

You can see what flags are set on HTTPD with:

sestatus

I think the final thing, is that I had an issue with public/private key authentication on a server and needed to run this command to fix it (this is a known bug I believe):

restorecon -R -v /home

Hopefully some of these snippets and info will be of some use to you and these are not simply the ramblings of a mad man.