Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Tell SELinux to Give Apache Execute Access to PHP Files Outside Document Root

Tags:

php

apache

selinux

I have a directory where shared PHP scripts are kept (the name is arbitrary, but it isn't /var/, /usr/, or anything that SELinux would have specific settings for):
/whatever/scripts/

These scripts can get executed by cronjobs, or may get executed by Apache or Tomcat so the output can be included in a web page.

SELinux is denying permission:

type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.276:476923): arch=c000003e syscall=59 success=no exit=-13 a0=2431d10 a1=2431d70 a2=24301e0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1363205612.277:476924): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.277:476924): arch=c000003e syscall=21 success=no exit=-13 a0=2431d10 a1=1 a2=0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

I know there is a command I can use to tell SELinux to allow this, but it's eluding me.

Even making the directory and script owner and group apache doesn't work, so it isn't a classic permissions problem, but SELinux specific.

The system is CentOS 6.3.

like image 400
user1517922 Avatar asked Mar 13 '13 20:03

user1517922

2 Answers

I found the solution with these two commands:

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'
 
restorecon -R -v /whatever/scripts/

That allows Apache to execute PHP scripts in that directory, and persists after a reboot, or system-wide relabeling.

like image 74
user1517922 Avatar answered Sep 21 '22 00:09

user1517922

I use this with the executable programs I need to run from my PHP scripts and Apache 

sudo chcon -v -t httpd_sys_script_exec_t my-executable
like image 31
Accountant م Avatar answered Sep 20 '22 00:09

Accountant م
Sign in to Comment

Related questions

How can I create a favicon locally with a script?
Remove duplicates from an array, then remove nulls, then restructure
PHP Inotify Non-blocking way
php with special characters like ñ
Field Validation and displaying error in wordpress custom post type
how can i upload a file using PHP
PHP Filter text for banned words
Laravel 4 syntax error out-of-the-box
Array to string conversion error with choice form type
Static Standards error after updating to php 5.4.9
What can I do in my code today, to prevent the unix time stamp running out in 2038?
Unable to access validation errors in view
Output buffering vs. storing content into variable in PHP
Wordpress get current post term parent by child ID
Store URL in mysql
How to kill a running php script in windows
Allow only capital and small letters
Symfony 2 / Doctrine 2 : get changes to PersistentCollection
Associative array - change position
Resize image with background fill for vertical and horizontal images

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!