SELinux prevents httpd from writing in certain directories

Post by altiris » 2014/08/09 00:25:44

I never had this problem before on CentOS 6, anyway the issue is that I am setting up Roundcube (I know Roundcube doesn't come with CentOS 7 but you guys are nice and will maybe offer some help) and I get to the part in the installer that says "/var/www/html/roundcube/logs: NOT OK Not writable". With SELinux on, I try setting the logs folder to be owned by root:root, root:apache, apache:apache as well as with 755 and 775 permissions for all three listed just before and I get "NOT OK". I disable SELinux with "setenforce 0" and I get an OK response when the logs folder is written by apache:apache and has chmod permissions of 755 or 775. I have tried using the command "setsebool -P httpd_can_network_connect=1" which I used on CentOS 6 to be able to log into Roundcube but this seems to be related to something else.


-Off Topic/Rant-
I understand CentOS 7 is still new and needs to mature, but SELinux on CentOS 7 has just been rather annoying. There needs to be very simple procedures for fixing these issues, otherwise many people will just start to disable SELinux because there will be no other way for them to get whatever services they need working. Sometimes I wonder if the RHEL devs run RHEL with SELinux turned off, I am almost sure one of them would try and install Roundcube...
Also, the ownCloud installer does not work with SELinux enabled, there is a CentOS 6 repo that ownCloud supports which I am currently trying on CentOS 7.

[SOLVED]
See my last post.
Last edited by altiris on 2014/08/11 20:19:01, edited 2 times in total.


Post by TrevorH » 2014/08/09 00:32:31

Don't put logs under /var/www put them under /var/log/httpd/
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke


Post by altiris » 2014/08/09 01:24:56

TrevorH wrote:Don't put logs under /var/www put them under /var/log/httpd/
Hmm, how could I make roundcube do this though? Something with a system link? I think Roundcube requires its logs, as well as the folder "temp" to be in your document root, followed by the roundcube folder so examples could be /var/www/html/roundcube/temp (or logs folder) or /var/www/mydomain.com/roundcube/logs (or temp folder).


Post by wb303 » 2014/08/09 03:52:26

Document root does not need to be in /var/www, though it will be helpful later if you have to do a recursive restorecon.

I had a similar issue with JBoss mod_cluster that I was unable to resolve. The problem was caused by the additional http modules that mod_cluster uses not being defined in the SELinux policy that shipped with RHEL 6. I think the route the JBoss folks mentioned is correct: basically you would need to write an SELinux policy that permits httpd to write in some unusual subdir of /var/log/httpd, compile it and enable it like a Boolean.

I'm not particularly skilled at writing SELinux policies so I was only able to get to the point where I could have the server start, but was unable to get it to cleanly shut down, but maybe this can point you in the right direction -> https://community.jboss.org/thread/241540. Due to time constraints I still have it running in permissive mode.


Post by altiris » 2014/08/09 04:00:08

wb303 wrote: Document root does not need to be in /var/www, though it will be helpful later if you have to do a recursive restorecon.

I had a similar issue with JBoss mod_cluster that I was unable to resolve. The problem was caused by the additional http modules that mod_cluster uses not being defined in the SELinux policy that shipped with RHEL 6. I think the route the JBoss folks mentioned is correct: basically you would need to write an SELinux policy that permits httpd to write in some unusual subdir of /var/log/httpd, compile it and enable it like a Boolean.

I'm not particularly skilled at writing SELinux policies so I was only able to get to the point where I could have the server start, but was unable to get it to cleanly shut down, but maybe this can point you in the right direction -> https://community.jboss.org/thread/241540. Due to time constraints I still have it running in permissive mode.

I just thought that would be the best place to put it, as that is the default location and I didn't want to mess with SELinux or permissions. This is really just aggravating. I did have to install a few more PHP modules, some available from CentOS and some from EPEL, maybe that's why?


Post by TrevorH » 2014/08/09 10:26:49

The roundcube logs location has to be a parameter surely!


Post by altiris » 2014/08/10 22:41:55

TrevorH wrote:The roundcube logs location has to be a parameter surely!
Not sure what you mean, this is what I get on the roundcube installer

/var/www/data4.net/roundcube/temp/:  NOT OK(not writeable for the webserver)
/var/www/data4.net/roundcube/logs/:  NOT OK(not writeable for the webserver)

I'd prefer to keep SELinux enabled but it's preventing me from continuing this installation.
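
An added example, not part of any post in this thread: directories under /var/www are normally labeled `httpd_sys_content_t`, which `httpd_t` may read but not write, and that produces the installer result above regardless of ownership or mode bits. This sketch checks an audit record for that pattern and prints the `semanage fcontext` and `restorecon` commands that relabel a directory as `httpd_sys_rw_content_t`; the audit record is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit record (not taken from the thread); real ones
# are written to /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1407710515.101:412): avc:  denied  { write } for  pid=2291 comm="httpd" name="logs" dev="dm-1" ino=524301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Print the SELinux type (third context field) for key $1
# (scontext or tcontext) in audit record $2.
avc_type() {
    printf '%s\n' "$2" | sed -n "s/.* $1=[^:]*:[^:]*:\([^: ]*\).*/\1/p"
}

# Print the permissions listed inside "denied { ... }" for record $1.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p'
}

# If record $1 shows httpd_t refused write on read-only web content, print
# the labeling commands for directory $2 and return 0; otherwise return 1.
suggest_relabel() {
    [ "$(avc_type scontext "$1")" = "httpd_t" ] || return 1
    [ "$(avc_type tcontext "$1")" = "httpd_sys_content_t" ] || return 1
    case " $(avc_perms "$1") " in
        *" write "*) ;;
        *) return 1 ;;
    esac
    dir=${2%/}   # drop a trailing slash so the path regex is well formed
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# The two directories the installer reported as not writable.
for d in /var/www/data4.net/roundcube/temp/ /var/www/data4.net/roundcube/logs/; do
    suggest_relabel "$SAMPLE_AVC" "$d"
done
```

On a live system the matching records come from `ausearch -m avc -c httpd`, and the printed commands are run as root so that only those two directories become writable to httpd.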


Post by gerald_clark » 2014/08/10 23:15:59

Roundcube is available from epel.
I suggest you un-install what you have done and do a yum install from the epel repo.


Post by TrevorH » 2014/08/10 23:23:27

And repoquery -l roundcubemail shows that it has its logs placed in /var/log/roundcubemail which seems like a sensible place for them.


Post by altiris » 2014/08/11 00:40:24

TrevorH wrote: And repoquery -l roundcubemail shows that it has its logs placed in /var/log/roundcubemail which seems like a sensible place for them.

Yes, but those two folders that I listed above still need to be writable I think in order for roundcubemail to work correctly. I am sorry I am just not understanding what you want me to do, I am confused I am sorry.

gerald_clark wrote: Roundcube is available from epel.
I suggest you un-install what you have done and do a yum install from the epel repo.

I forgot that it was available from the EPEL, I remember now I tried it on CentOS 6, I can't remember if I got it working or not but I will give it a shot on CentOS 7.
