Directory /var/www/hosts/web1/ is not writable AND Security-Enhanced_Linux
I have been trying to solve this problem for several weeks but cannot find a solution. I would like to host several websites (vhosts) but always have the same problem: the CMS (e.g. Joomla, Typo3, ...) cannot access the directory "/var/www/vhosts/web1". From the link below I have read that SELinux interrupts the directory, but I do not understand how I could set the approvals for an FTP user to "user_webmaster" or how I could release specific folders (for example "/var/www/vhosts/web1/tmp"). I do not want to grant general access that sets the approvals to 0777.
Responses
Hi info-42, please refer to the following documentation about SELinux: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html
In general you need to set selinux labels for your directories/files and selinux booleans so that httpd can for example access user directories.
Until you get comfortable with SELinux you can set it from enforcing to permissive in non-production environments: "setenforce 0" only changes it during runtime; to make the change persistent, edit /etc/sysconfig/selinux and change SELINUX=enforcing to SELINUX=permissive. After everything is set up and working you can turn SELinux on again. If things do not work afterwards, take a look in /var/log/audit/audit.log (sealert -a /var/log/audit/audit.log) and debug the SELinux "issues".
Note that SELinux and traditional Unix file permissions (and optionally POSIX ACLs) are two separate systems. For SELinux, it will be easiest to think of it as a per-service access limiter. It can be much more, but as far as I know, this will be the easiest to set up with the RedHat standard SELinux policy. If the CMS is PHP-based (e.g. Joomla), then its write operations are started by the child processes of httpd, so the SELinux type you need for it will probably be httpd_sys_rw_content_t.
In RedHat, all the system services have a _selinux man page, which describes the relevant SELinux types and booleans. In your case, you'll want to read "man httpd_selinux" and "man ftpd_selinux". These man pages are in the selinux-policy-devel RPM package.
To allow httpd and its child processes (and no other system service!) write access to /var/www/vhosts/web1:
# semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/vhosts/web1(/.*)?'
# restorecon -R /var/www/vhosts/web1
If you want the files to be writable by both HTTP and FTP services, then you'll need to use the public_content_rw_t SELinux type instead of httpd_sys_rw_content_t, and enable two SELinux booleans:
# setsebool -P httpd_anon_write=1
# setsebool -P ftpd_anon_write=1
Now SELinux will allow writes, but the traditional Unix file permissions still need to be addressed. To allow access to /var/www/vhosts/web1 by both the CMS and the webmaster user, you'll want to identify the user the CMS processes run as. For a PHP-based CMS, it will probably be the user that runs the httpd service, i.e. "apache".
Create a group, and add both the webmaster and the httpd service users to that group:
# groupadd vh_web1
# usermod -a -G vh_web1 apache
# usermod -a -G vh_web1 <webmaster_username>
Set the group ownership of the files in the directory tree to that group:
# chgrp -R vh_web1 /var/www/vhosts/web1
Grant group write permissions for all the files and sub-directories in it:
# chmod -R g+rw /var/www/vhosts/web1
Grant setgid permission to all the directories and sub-directories in the tree, so that the group vh_web1 membership will be propagated automatically to all new files and directories in the tree:
# find /var/www/vhosts/web1 -type d -exec chmod g+s {} \+
That's it. If you are using the RedHat default umask value of 0002 for regular users, the webmaster user should not need to do anything special: any files or directories s/he copies or creates under /var/www/vhosts/web1 should automatically get the right permissions and SELinux labels.
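As an added example (not code posted in this thread), the following POSIX sh script wraps the two halves of the answer above for one vhost tree: the SELinux labelling (httpd-only or shared with FTP) and the Unix group/setgid layout, plus a check that reports any file or directory that did not end up with the expected mode. The function and variable names, the dry-run behaviour (SELinux commands are only printed unless APPLY=1) and the probe file are this example's own assumptions; the type names, booleans and the vh_web1/apache names are the ones from the answer.

```shell
#!/bin/sh
# Added example: scripts the SELinux labelling and Unix group permissions
# described in the answer above. Names and the APPLY/dry-run switch are
# assumptions of this example, not part of the original thread.
set -eu

# Execute a privileged command when APPLY=1, otherwise just print it so the
# plan can be reviewed before touching a live host.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# SELinux half: label the tree so httpd (and its PHP children) may write to it.
# With a second argument of "yes" the tree is shared with FTP instead, which
# needs public_content_rw_t and the two *_anon_write booleans from the answer.
selinux_label() {
    tree=$1
    shared_with_ftp=${2:-no}
    if [ "$shared_with_ftp" = yes ]; then
        ctx=public_content_rw_t
        run setsebool -P httpd_anon_write=1
        run setsebool -P ftpd_anon_write=1
    else
        ctx=httpd_sys_rw_content_t        # only httpd gets write access
    fi
    run semanage fcontext -a -t "$ctx" "${tree}(/.*)?"
    run restorecon -R "$tree"
}

# Unix half: group ownership, group rw, and setgid on every directory so new
# entries inherit the group. chgrp is skipped when no group is given (the
# group must already exist, e.g. "groupadd vh_web1").
unix_perms() {
    tree=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp -R "$group" "$tree"
    fi
    chmod -R g+rw "$tree"
    find "$tree" -type d -exec chmod g+s {} +
}

# Check the result: directories must carry setgid plus group rw (octal 2060),
# files group rw (octal 060). Offenders go to stderr; returns 1 if any found.
# Group execute on directories is assumed from the usual 755 default.
verify_perms() {
    tree=$1
    bad=$(find "$tree" \( -type d ! -perm -2060 \) -o \( -type f ! -perm -060 \))
    if [ -n "$bad" ]; then
        printf 'wrong mode:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Show what a webmaster with the default umask 0002 gets for a new file in a
# setgid directory: prints the octal mode (group inheritance itself can only
# be seen with a real second group, so only the mode is probed here).
new_file_mode() {
    dir=$1
    (umask 0002 && : > "$dir/probe.txt" && stat -c '%a' "$dir/probe.txt")
}

# Usage: sh vhost-perms.sh /var/www/vhosts/web1 vh_web1   (APPLY=1 to run semanage/restorecon)
if [ $# -ge 2 ]; then
    selinux_label "$1"
    unix_perms "$1" "$2"
    verify_perms "$1"
fi
```

Run it first without APPLY=1 to see the semanage/setsebool/restorecon commands it would issue; the Unix half always applies immediately, so point it at a copy of the tree if you only want to inspect the outcome. If verify_perms reports a directory, it is usually one created before the setgid step or copied in with cp -p from elsewhere; re-running unix_perms on the tree fixes it.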