Tell SELinux to Give Apache Execute Access to PHP Files Outside Document Root

I have a directory where shared PHP scripts are kept (the name is arbitrary, but it isn't /var/, /usr/, or anything that SELinux would have specific settings for):
/whatever/scripts/

These scripts can get executed by cronjobs, or may get executed by Apache or Tomcat so the output can be included in a web page.

SELinux is denying permission:

type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.276:476923): arch=c000003e syscall=59 success=no exit=-13 a0=2431d10 a1=2431d70 a2=24301e0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1363205612.277:476924): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.277:476924): arch=c000003e syscall=21 success=no exit=-13 a0=2431d10 a1=1 a2=0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

I know there is a command I can use to tell SELinux to allow this, but it's eluding me.

Even making the apache user and group the owner of the directory and script doesn't work, so it isn't a classic permissions problem but something SELinux-specific.

The system is CentOS 6.3.

user1517922 asked Mar 13 '13 20:03


2 Answers

I found the solution with these two commands:

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'
restorecon -R -v /whatever/scripts/

That allows Apache to execute PHP scripts in that directory, and it persists across a reboot or a system-wide relabeling.

user1517922 answered Sep 21 '22 00:09


I use this for the executable programs I need to run from my PHP scripts and Apache:

sudo chcon -v -t httpd_sys_script_exec_t my-executable

Accountant م answered Sep 20 '22 00:09
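The two answers above differ in an important way: `semanage fcontext` records the label in the SELinux file-context database, so `restorecon` and a full relabel reapply it, while `chcon` only changes the label on the inode and is reverted by the next `restorecon` or relabel. The script below is an added example, not code from either answer. It parses a constructed AVC denial line (shaped like the one in the question), confirms that it is the `httpd_t` domain being refused `execute` on a file, reports the file's current type, and prints the persistent fix for a directory supplied by the caller. The directory `/whatever/scripts` and the sample line are assumptions taken from the question; nothing here invokes `semanage` or `restorecon` itself, so it runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example: turn an AVC denial into the persistent relabel commands.
# Not part of the original answers. Assumes the caller knows the directory
# holding the scripts (/whatever/scripts, from the question).

# Constructed sample denial, same field layout as the question's audit log.
SAMPLE_AVC='type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'

# avc_field LINE KEY -> value of the KEY=value pair (quotes stripped).
# The key must be preceded by whitespace so "pid" never matches "ppid".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE -> the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# ctx_type CONTEXT -> the type component (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_fix LINE -> success when httpd_t was refused execute on a file,
# which is the case the accepted answer's relabel addresses.
needs_fix() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = httpd_t ] &&
    [ "$(avc_perm "$1")" = execute ] &&
    [ "$(avc_field "$1" tclass)" = file ]
}

# fix_commands DIR -> the persistent fix: record the context, then apply it.
# Unlike chcon, this survives restorecon and a system-wide relabel.
fix_commands() {
    dir=${1%/}
    printf "semanage fcontext -a -t httpd_sys_script_exec_t '%s(/.*)?'\n" "$dir"
    printf 'restorecon -R -v %s/\n' "$dir"
}

if needs_fix "$SAMPLE_AVC"; then
    echo "# $(avc_field "$SAMPLE_AVC" name) is labelled $(ctx_type "$(avc_field "$SAMPLE_AVC" tcontext)"); run as root:"
    fix_commands /whatever/scripts
fi
```

After running the printed commands, `ls -Z /whatever/scripts` should show `httpd_sys_script_exec_t` on the scripts, and `matchpathcon /whatever/scripts/script.php` should report the same type, which confirms the label comes from the database rather than from a one-off `chcon`. Keep the pattern as narrow as the directory actually needs; granting `httpd_sys_script_exec_t` to a broad path gives Apache execute rights on everything beneath it.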