[SOLVED] webserver file permissions? www-data or apache group

Greg_E
Posts: 143
Joined: 2014/04/04 18:53:45

[SOLVED] webserver file permissions? www-data or apache group

Post by Greg_E » 2014/07/13 22:21:01

On Cent 7 with Apache, do I need group permissions to be www-data or Apache group? I'm having issues with Joomla 3.3.1 where it doesn't have permission to create/delete/save files/folders with Apache group having wrx permissions. So I'm thinking it will need to be reset to having something else for group, but what is that something else? With the little bit of Ubuntu 12 and 13 that I've done, this needed to be www-data group to work, is it going to be the same for CentOS 7?
Last edited by Greg_E on 2014/07/14 19:22:04, edited 1 time in total.

Re: webserver file permissions? www-data or apache group?

Post by Greg_E » 2014/07/13 23:17:18

I just noticed that I have some SELinux alerts and they are dealing with allowing httpd to create a file (Joomla config) and delete a folder (Joomla installation folder). I did look at the /etc/groups file and didn't see www-data listed, so my file permissions are correct, just need to figure out the SELinux issue. Funny that I never had this issue with 6.5, I wouldn't have thought SELinux would change very much from an updated version of 6.5 to 7.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: webserver file permissions? www-data or apache group?

Post by gerald_clark » 2014/07/13 23:27:27

Did you try 'restorecon /var/www' ?

Re: webserver file permissions? www-data or apache group?

Post by Greg_E » 2014/07/13 23:31:09

Nope, but I will try it.

Here is what I get from getsebool -a; this is just the httpd section, not sure if it will help.

Code:

httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

Re: webserver file permissions? www-data or apache group?

Post by Greg_E » 2014/07/13 23:49:33

OK, it is trying to tell me how to fix it in the alert (see attached)
[Attachments: SEalert1.png, SEalert2.png]

Why is this different from Cent 6.5?

Re: webserver file permissions? www-data or apache group?

Post by Greg_E » 2014/07/14 00:03:47

After running the command suggested in the first solution, I still have a problem. Should I try setting the httpd_unified setting in the second solution?
[Attachments: joomla_after.png, SEalert3.png]

Re: webserver file permissions? www-data or apache group?

Post by Greg_E » 2014/07/14 00:28:20

I ran the httpd_unified command and set it to true and everything works.

Code:

setsebool -P httpd_unified 1

But there is a reason it is turned off now. It was default in Cent 6 to be on, and now default to be off in Cent 7.

I did try to find a recursive value on the context command, but there isn't one present. So maybe if I went through and ran it on all the specific folders that required httpd to write I might get somewhere, but that's a lot of folders for just Joomla.

Re: webserver file permissions? www-data or apache group?

Post by Greg_E » 2014/07/14 15:55:32

I think I may have performed the fix that Gerald started me on and that SELinux alert finished. I just found this article that might shed a little more light on the matter and I'll try out when I get a chance after work tonight. It should allow httpd_unified to be turned back off which would give a more secure system.

http://drupalwatchdog.com/volume-2/issu ... x-together

I'll update if and what fixes things for me. It's becoming clear that one doesn't need to just learn the Linux base, but also the SE Linux policy system as there is a lot going on in there.

Re: webserver file permissions? www-data or apache group?

Post by Greg_E » 2014/07/14 19:20:34

Before running the commands below, I ran a # setsebool -P httpd_unified 0 to turn off the "fix" from yesterday. Verify with a getsebool -a | grep html and look for the httpd_unified to say it is off, this is the way Cent 7 installs as default.

Code:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html(/.*)?'

restorecon -R /var/www/html

Fixed it. I went pretty heavy handed on this and just went back to the base /var/www/html folder, I could have been more granular and gone to the /joomla folder. The key here must have been the single quotes and the additional recursive drill down from the (/.*)? expression at the end. Also the recursive restorecon (-R). The article above has a -v but do you really need 100+ messages to show it drilling down through the folder structure? I did this with the -v verbose flag and that's why I don't have a screen shot of the commands. Joomla now properly installed, saved the config file by itself, and deleted the installation folder when I clicked on the button.

Long way around, but now I know a little more about the SELinux policy system.
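
How far the broad rule from the last post reaches compared with the more granular /joomla rule it mentions, as an added example that is not part of the original thread. The sample paths are constructed, the function names are hypothetical, and rule precedence is simplified to "a local rule overrides the shipped default".

```shell
# Added example: which paths each fcontext rule from the thread would relabel.
# fcontext patterns are regexes matched against the WHOLE path, so
# 'DIR(/.*)?' covers DIR itself plus everything beneath it, nothing else.
# Assumption: a local semanage rule overrides the default where it matches.
# Single quotes keep the shell from interpreting ( ) ? * in the pattern.

DEFAULT_RULE='/var/www(/.*)?'             # shipped default: httpd_sys_content_t
BROAD_RULE='/var/www/html(/.*)?'          # rule used in the thread
NARROW_RULE='/var/www/html/joomla(/.*)?'  # the more granular option

# Constructed sample tree (hypothetical paths, not taken from the thread).
SAMPLE_PATHS='/var/www/html
/var/www/html/index.html
/var/www/html/joomla
/var/www/html/joomla/configuration.php
/var/www/html/othersite/index.php
/var/www/html-backup/site.tar'

# matches PATTERN PATH: succeeds only when the pattern matches the full path
matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# label_for PATH LOCAL_RULE: prints the type PATH gets after restorecon
label_for() {
    if matches "$2" "$1"; then
        echo httpd_sys_rw_content_t      # httpd may create, modify, delete
    elif matches "$DEFAULT_RULE" "$1"; then
        echo httpd_sys_content_t         # httpd may only read
    else
        echo no_rule_in_this_model
    fi
}

# writable_count LOCAL_RULE: number of sample paths httpd could write to
writable_count() {
    n=0
    for p in $SAMPLE_PATHS; do
        if [ "$(label_for "$p" "$1")" = httpd_sys_rw_content_t ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

for p in $SAMPLE_PATHS; do
    printf '%-40s broad=%s narrow=%s\n' "$p" \
        "$(label_for "$p" "$BROAD_RULE")" "$(label_for "$p" "$NARROW_RULE")"
done
```

On a real host the narrow rule is applied with the same two commands from the post, using '/var/www/html/joomla(/.*)?' as the pattern and running restorecon -R on that directory. ls -Z or matchpathcon shows the label a path ends up with.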
