Apache file write permission – SELinux

Not an expert on this, but I just want to document something after spending hours figuring out why a file with 777 permissions was not writable in the MyWebSQL PHP website run by the apache user in httpd, when trying to run a database backup. My Linux system version is CentOS 7. You can find some information on SELinux at http://wiki.centos.org/HowTos/SELinux.

Below is an example of the default SELinux context on the site's files, as shown by ls -Z.

[root@jingyusoft mywebsql]# pwd
/var/www/html/mywebsql
[root@jingyusoft mywebsql]# ls -Z
drwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 backups
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 cache.php
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 config
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 Docs
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 favicon.ico
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 img
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.php
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 install.php
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 js
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 lang
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 lib
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 modules
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 phpinfo.php
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 README.md
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 status.php
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 themes
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 tmp

Because the httpd process runs under SELinux policy, setting permissions with chmod is not enough. To grant write permission to a folder, we also need to run the following:
chcon -u unconfined_u -r object_r -t httpd_sys_rw_content_t -R /var/www/html/mywebsql/backups

This changes the type of the backups folder to httpd_sys_rw_content_t, which makes it writable by httpd when it runs under SELinux.

[root@jingyusoft mywebsql]# ls -Z | grep backups
drwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 backups
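
The two checks described above (chmod mode bits and SELinux type) can be read straight from ls -Z output; the following is an added example, not part of the original post, that reports both verdicts per entry and prints the semanage/restorecon commands that keep the label across a relabel, which chcon alone does not. The function names, the sample listing and the rule that only httpd_sys_rw_content_t counts as httpd-writable are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# Constructed sample in the CentOS 7 `ls -Z` layout: mode owner group context name
SAMPLE='drwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 backups
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.php
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 tmp'

# For each entry read from stdin, report whether the mode bits (DAC) and the
# SELinux type (MAC) each let the web server write to it. Both must allow.
# Assumptions: the process user and its group are both named "apache" unless
# $1 overrides it; only httpd_sys_rw_content_t is treated as httpd-writable
# (the type used in the post); file names contain no spaces.
dac_mac_report() {
  awk -v user="${1:-apache}" '
    NF >= 5 {
      mode = $1; owner = $2; group = $3; name = $5
      split($4, ctx, ":"); setype = ctx[3]      # user:role:type:level
      if (owner == user)      bit = substr(mode, 3, 1)   # owner write bit
      else if (group == user) bit = substr(mode, 6, 1)   # group write bit
      else                    bit = substr(mode, 9, 1)   # other write bit
      dac = (bit == "w") ? "allow" : "deny"
      mac = (setype == "httpd_sys_rw_content_t") ? "allow" : "deny"
      res = (dac == "allow" && mac == "allow") ? "writable" : "blocked"
      printf "%s dac=%s selinux=%s(%s) => %s\n", name, dac, mac, setype, res
    }'
}

# Print (not run) the commands that record the label in the local policy, so
# it survives restorecon or a full filesystem relabel. Review, then run as root.
persistent_fix() {
  printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$1"
  printf 'restorecon -Rv %s\n' "$1"
}

printf '%s\n' "$SAMPLE" | dac_mac_report
persistent_fix /var/www/html/mywebsql/backups
```

The first sample line shows the situation from the post: mode 777 passes the DAC check, but the httpd_sys_content_t type still blocks the write. The tmp line shows that owner write permission (755 here) is enough on the DAC side once the type is correct.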
