I'm trying to open a file for read/write. I've been developing on Ubuntu, and have had no problems whatsoever. Now it's time to deploy to the RHEL server, and I discover there seems to be some kind of restriction on the location of a file to be written.

On RHEL, I can't open the file unless it's under /var/www/html. I can't figure out how to allow other locations. I need to manipulate files on a different volume, for disk space management reasons.

The following is the bit of code that works fine on Ubuntu no matter what, but breaks on RHEL if the file is outside the web root:

$repometa = fopen( "/path/to/file/it/does/exist/and/has/good/perms", "r+b");

The actual error is as follows, which is weird, because the permissions are just fine (owned by the "apache" user, with 0644 perms on file, 755 on dirs).

fopen(<thefile>): failed to open stream: Permission denied

Can someone point me to the documents that describe how to un-break RHEL's Apache/PHP config to allow writing to alternate locations on the file system?

Thanks, ~ Paul

PaulProgrammer

3 Answers

To add some specifics to the accepted answer, I also had this exact problem and this command fixed it for me.

chcon -R -t httpd_sys_content_t /path/to/file/it/does/exist/and/has/good/perms

casaram

As written in the httpd_selinux(8) man page, you must give files and directories specific file contexts if you want to be able to read from or write to them. See the man page for details, keeping in mind that PHP scripts run as the daemon unless you have specifically set up PHP to run as CGI.

Ignacio Vazquez-Abrams

  • You're probably right -- but I can't make heads or tails of the man pages to understand what allows read/write access to the apache user. Any pointers to a good tutorial? – PaulProgrammer Jan 25 '12 at 06:50
  • *Nothing* can give access to the apache *user*. You must give access to the daemon running in the domain. This is done with the file contexts listed in the man page. – Ignacio Vazquez-Abrams Jan 25 '12 at 06:52
  • Fine. I still don't understand what the contexts in the man page _mean_. Is there any context about the contexts? – PaulProgrammer Jan 25 '12 at 06:54
  • I made an edit to the possible answer (above this one,) if that helps... :) – summea Jan 25 '12 at 06:57
  • @user1168588: They're just a "tag" on the filesystem object that SELinux looks at as part of its big rules engine for determining if the requested access is allowed. – Ignacio Vazquez-Abrams Jan 25 '12 at 07:15
  • I understand the mechanics, but the specifics of how the rules engine is configured and what it looks at under what conditions is mysterious. – PaulProgrammer Jan 25 '12 at 07:22
  • Mysterious doesn't begin to touch it. Welcome to SELinux. You'll want to keep an eye on `/var/log/audit/audit.log` and check out the [`audit2allow`](http://linux.die.net/man/1/audit2allow) tool. The `--why` option can provide a great deal of reasonably researchable information, but it's always going to be a case-by-case thing. I haven't seen an all-in-one comprehensive guide to not making SELinux a pain in the rear end for PHP developers that need to work with the filesystem. – Charles Jan 25 '12 at 07:27
  • The reason why there isn't a comprehensive guide is that SELinux keeps changing as it improves. That aside, a generic guide to everything a PHP developer *really* needs to know about getting SELinux working would fit on a tri-fold pamphlet. – Ignacio Vazquez-Abrams Jan 25 '12 at 07:45
  • So what happens if SELinux is disabled? How does this answer solve the OP's question if the problem still exists with SELinux disabled? – Mike Kormendy Jan 29 '17 at 08:32
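Following the pointer in the comments to `/var/log/audit/audit.log`, here is an added example (not from any of the answers) that parses AVC denial records for the `httpd_t` domain and, per the httpd_selinux(8) man page, maps the denied permission to the file context type that access needs: `httpd_sys_rw_content_t` for write-like access, `httpd_sys_content_t` for read-only. The sample log lines and the `/data/repo` path are constructed for the example; the `semanage fcontext` plus `restorecon` pair is what makes the label survive a relabel, which a bare `chcon` does not.

```python
import re

# Constructed sample records (not from the question) in the format the kernel
# writes to /var/log/audit/audit.log for an SELinux denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327475400.123:4567): avc:  denied  { write } for  pid=2345 comm="httpd" path="/data/repo/meta.bin" dev="dm-2" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1327475401.456:4568): avc:  denied  { read } for  pid=2345 comm="httpd" path="/data/repo/notes.txt" dev="dm-2" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1327475400.123:4567): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'(?:path|name)="(?P<path>[^"]+)".*?'
    r'scontext=\w+:\w+:(?P<sdomain>\w+):.*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):.*?tclass=(?P<tclass>\w+)'
)

# Permissions that need a writable content type, not just a readable one.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename",
               "setattr", "add_name", "remove_name"}


def parse_avc_denials(log_text):
    """Return one dict per AVC denial line; other audit record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            denials.append(d)
    return denials


def suggest_context(denial):
    """Pick the httpd file context type the denied access needs (httpd_selinux(8))."""
    if denial["sdomain"] != "httpd_t":
        return None  # some other confined domain; not the web server's problem
    if denial["perms"] & WRITE_PERMS:
        return "httpd_sys_rw_content_t"
    return "httpd_sys_content_t"


def remediation_commands(denial, directory):
    """Persistent fix: record the label in policy, then relabel the tree."""
    ctype = suggest_context(denial)
    if ctype is None:
        return []
    return [f'semanage fcontext -a -t {ctype} "{directory}(/.*)?"',
            f"restorecon -Rv {directory}"]
```

Running the two helpers over the sample shows the `r+b` case from the question resolving to the read/write type, while a plain read denial only needs the read-only type.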
Sounds like a user and/or group permission issue. The file itself may be writeable... (as you mentioned in your nice path name,) but maybe the apache user (or however it is titled,) is not allowed to make any file changes outside of the default /var/www/html directory?

Any way to make a change to a file inside /var/www/html and then have another shell script (and/or user,) take it from there and move it to your desired directory?

Interesting that it would work on Ubuntu and not RHEL; maybe RHEL is more strict as far as users and groups go?

As an aside: in general, it might be safer not to have PHP write to files outside of the www directories... :)

EDIT

On @Ignacio's hint(1), maybe something like this might work: http://us2.php.net/manual/en/function.fopen.php#56551

If it's something you will need all the time, you might want to try typing this on the command line:

/usr/sbin/setsebool -P httpd_can_network_connect=1

I still would be careful about PHP file manipulation outside of the www folder... but, hope that helps...!

(1) http://linux.die.net/man/8/httpd_selinux

summea

  • I'm pretty sure the user permissions on the directory and file are correct -- apache user and group own both the file and the path, and have 644/755 respectively. – PaulProgrammer Jan 25 '12 at 06:37
  • This is one reason why I dislike RHEL -- it's configured to be "safe" for people who don't think about security, but restrictive for folks who need a little flexibility. – PaulProgrammer Jan 25 '12 at 06:39
  • I know what you mean; it looks kind of similar to what happened for this user, as well: http://stackoverflow.com/questions/3882244/php-fopen-permission-denied – summea Jan 25 '12 at 06:42
  • BEST of BEST answer was given by @summea above and can be found at the link he/she provided: https://stackoverflow.com/questions/3882244/php-fopen-permission-denied – MMEL Mar 24 '22 at 10:04