Configure SELinux for Apache on CentOS
SELinux is a mandatory access control system built into the Linux kernel (a Linux Security Module). It adds a second layer of access decisions on top of the ordinary owner/group/mode permissions, based on the security labels (contexts) attached to processes and files. When site files or logs live in non-standard directories it regularly causes problems for people who do not expect that second layer.
New administrators and developers step on this rake especially often: they cannot understand why the site returns a 403 Forbidden (sometimes a 404) with "Permission denied" in the error log, even though the user the web server runs as (apache on CentOS, www-data on Debian) owns the directory with the site files.
The most popular way to "solve" the problem is to disable SELinux altogether; even second-line support staff at popular hosting providers recommend it. It is the wrong fix: it removes the confinement of every daemon on the host, and a system on which SELinux is later re-enabled has to be fully relabelled (touch /.autorelabel and reboot) before it works again.
In fact, SELinux decides what each confined daemon may do (read a file, write a file, bind a port) according to the label on the process and the label on the object. It is independent of the classic file and directory permissions: both the ordinary permissions and the SELinux policy have to allow an access for it to succeed.
Websites are regularly compromised through vulnerabilities in the CMS. The attacker then gains access to every directory and file the web server process itself can reach, so with SELinux the damage is bounded by what the httpd_t domain is permitted to do, not by what the apache user could do under ordinary permissions.
With SELinux enforcing you could, in theory, even run the web server as root and the confinement would still hold. This is not recommended: the policy is a second line of defence, not a substitute for running daemons with minimal privileges.
Before changing anything, check the current SELinux mode (enforcing, permissive or disabled) on your CentOS/RedHat host.
To manage the file-context rules we need additional utilities: semanage from policycoreutils-python and sealert from the setroubleshoot packages (on CentOS/RHEL 8 semanage comes from policycoreutils-python-utils instead):
yum install -y policycoreutils-python setroubleshoot-server
In its configuration SELinux resembles iptables: the policy is a set of rules, and the part relevant here is the table of file-context rules that maps path patterns to labels (types). Apache's policy then says which of those types the httpd_t domain may read, write or append to.
For SELinux to allow the apache process to write to a particular directory, that directory must carry the httpd_sys_rw_content_t type; the directory with logs must carry httpd_log_t.
The following commands are given as an example, a cheat sheet. Here the site directories are in /home/webapps.
Allow apache to read files in the /home/webapps directory and its subdirectories (httpd_sys_content_t):
semanage fcontext -a -t httpd_sys_content_t '/home/webapps(/.*)?'
Allow apache to write logs in a non-standard location (httpd_log_t):
semanage fcontext -a -t httpd_log_t '/home/webapps/logs(/.*)?'
A separate type in SELinux is reserved for mod_cache. If your server needs custom cache storage, add it to httpd_cache_t:
semanage fcontext -a -t httpd_cache_t '/home/webapps/cache(/.*)?'
To allow write access (uploads), add the path to httpd_sys_rw_content_t. Mind the regular expression: [^/]+ matches exactly one path component, so this one rule covers the uploads directory of every site without making the rest of the tree writable:
semanage fcontext -a -t httpd_sys_rw_content_t '/home/webapps/[^/]+/public_html/uploads(/.*)?'
semanage only records the rules in the policy; nothing changes on disk until the labels are written onto the existing files:
restorecon -Rv /home/webapps
Run it again whenever files are copied into the tree with foreign labels (cp without --preserve=context gives a file the default label of the destination directory, mv within a filesystem keeps the old one).
At this point apache can read the directories of all sites that exist or will be created under /home/webapps/ and write only to the uploads directory of each site; files apache creates there inherit the writable type from the parent directory. Anything still denied shows up as an AVC record in the audit log, and sealert from setroubleshoot explains the record and suggests a fix.
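The whole procedure above collected into one script, as an added example that is not part of the original article. It builds the same four semanage fcontext rules for /home/webapps in the right order, runs restorecon, and, when actually applying, checks the resulting labels and lists recent httpd denials. It assumes a CentOS 7 host with semanage (policycoreutils-python), restorecon, getenforce, stat and ausearch available; the WEBROOT and DRY_RUN variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: the labelling procedure
# above as one script. Assumed environment: CentOS 7 with semanage
# (policycoreutils-python), restorecon, getenforce, stat and ausearch
# available. WEBROOT, DRY_RUN and all function names are this example's own.
set -eu

WEBROOT="${WEBROOT:-/home/webapps}"
DRY_RUN="${DRY_RUN:-1}"   # 1: only print the commands; 0: execute them (run as root)

# Map a directory role to the SELinux type the Apache policy expects for it.
selinux_type_for() {
    case "$1" in
        content) echo httpd_sys_content_t ;;    # site files, read-only for httpd_t
        rw)      echo httpd_sys_rw_content_t ;; # directories httpd_t may write
        logs)    echo httpd_log_t ;;            # access_log / error_log
        cache)   echo httpd_cache_t ;;          # mod_cache storage
        *)       echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Build one persistent file-context rule; "(/.*)?" makes the pattern cover
# the directory itself and everything below it.
fcontext_cmd() {
    _type=$(selinux_type_for "$2") || return 1
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$_type" "$1"
}

# The rule set for the layout used in the article. Order matters: of several
# local rules matching a path the one added last wins, so the broad read-only
# rule goes first and the narrow writable uploads rule last.
site_rules() {
    fcontext_cmd "$1" content
    fcontext_cmd "$1/logs" logs
    fcontext_cmd "$1/cache" cache
    fcontext_cmd "$1/[^/]+/public_html/uploads" rw
}

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $1"
    else
        sh -c "$1"
    fi
}

# Record the rules, then write the labels onto the existing files:
# semanage alone changes nothing on disk, restorecon does.
apply_rules() {
    site_rules "$1" | while IFS= read -r cmd; do
        run "$cmd"
    done
    run "restorecon -Rv '$1'"
}

# Type field of a context such as system_u:object_r:httpd_sys_content_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare the on-disk label of a path with the expected type; non-zero on mismatch.
verify_label() {
    _actual=$(context_type "$(stat -c %C "$1")")
    if [ "$_actual" = "$2" ]; then
        echo "ok   $1 -> $_actual"
    else
        echo "FAIL $1 -> $_actual (expected $2)" >&2
        return 1
    fi
}

main() {
    if [ "$DRY_RUN" != 1 ] && [ "$(getenforce)" = Disabled ]; then
        echo "SELinux is disabled: labels cannot be applied" >&2
        return 1
    fi
    apply_rules "$WEBROOT"
    if [ "$DRY_RUN" != 1 ]; then
        verify_label "$WEBROOT" httpd_sys_content_t
        verify_label "$WEBROOT/logs" httpd_log_t
        # Anything Apache was still refused shows up here as an AVC record.
        ausearch -m AVC -c httpd -ts recent || true
    fi
}

main
```

Without arguments the script only prints the commands it would run; as root with DRY_RUN=0 it applies them. If one of the patterns is already present, semanage fcontext -a reports it as already defined; use -m instead of -a to modify such a rule rather than disabling SELinux.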