SELinux causes the PHP error "failed to open stream: Permission denied"

2022-01-04 00:00:00 fedora permissions php selinux lamp

Yesterday I spent 5 hours straight discovering a seemingly unreasonable error "failed to open stream. permission denied", which was occurring after any operation that writes to the file system: fopen (with "w" and "a" flags), move_uploaded_file, file_put_contents.

I've rechecked the directories' owner many times (user and group - chown, chgrp), have changed folder attributes to the insecure 777 (rwx with chmod), but it has no effect. I even reinstalled Apache and PHP, but was still facing the same error.

As it appeared after hours of reading various documentation, the origin of the error was SELinux restrictions automatically applied to the Apache service httpd. I simply turned off SELinux by editing the /etc/selinux/config file on my Fedora (release 20), changing the line:

SELINUX=enforcing

to

SELINUX=disabled

I restarted my computer and that annoying error had finally disappeared.

I have to notice that all the questions on Stack Overflow regarding the "permission denied" issue on a LAMP environment touched only folder permission concerns, which was not the case in my situation.

  1. (practical) How can I grant the Apache httpd service write-delete-update permissions on a directory without totally disabling SELinux?

  2. (theoretical) What is SELinux? What is it intended for? Why (for what reason) was it created? Why should I use it? Is there a reason to keep SELinux enabled on a local dev machine?

For the moderators of this resource: I know this question concerns administration more than actual programming, but I am sure it affects developers far more severely than novice administrators, so choosing between SuperUser and StackOverflow I took the latter. However, whether to move the question to SuperUser or keep it here is up to you.

Recommended answer

I am not an expert but have had a few issues with SELinux myself. I read a few articles and from what I can gather SELinux is another layer of security for your server and really should be left on, rather than switched off due to ignorance (that was the quote I read, not my words). I found this site helpful and also comical and it will probably give you more info than I ever could.

http://stopdisablingselinux.com/


A few things I have encountered that I will share are:


You can check the current SELinux permissions with the following command:

ls -lZ


You can set SELinux permissions with the following command:

chcon unconfined_u:object_r:httpd_user_content_t:s0 /path/to/file


You can use a wildcard to change all files in a directory like so:

chcon unconfined_u:object_r:httpd_user_content_t:s0 *

You can set permissions on all files and directories recursively using this (this is the command that will likely fix your permission issue; you should avoid 777 like the plague):

chcon -R unconfined_u:object_r:httpd_user_content_t:s0 *


If you wish to use home directories to serve sites or applications, you need to issue this command:

setsebool -P httpd_enable_homedirs=1

I have had issues with fsockopen on CentOS with SELinux and I had to use the following (the -P makes this change permanent; you will likely need this command also):

setsebool -P httpd_can_network_connect 1


You can see what flags are set on HTTPD with:

sestatus

I think the final thing is that I had an issue with public/private key authentication on a server and needed to run this command to fix it (this is a known bug, I believe):

restorecon -R -v /home

Hopefully some of these snippets and info will be of some use to you and are not simply the ramblings of a madman.
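A way to handle the question's first (practical) item without disabling SELinux, added here as an example that is not part of the original question or answer: it reads `ls -Z` style output for the directories a PHP app must write to, reports those whose SELinux type httpd cannot write (in the default targeted policy only httpd_sys_rw_content_t and httpd_user_rw_content_t allow httpd writes), and prints a persistent fix with `semanage fcontext` and `restorecon`, which survives a relabel, unlike labels set with `chcon`. The paths and labels are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post). Finds app directories whose
# SELinux type httpd cannot write and prints the persistent remediation.

# Constructed `ls -dZ` style output: "user:role:type:level path" per line.
SAMPLE_LS_Z='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.php
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/uploads
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/cache
unconfined_u:object_r:user_home_t:s0 /var/www/html/sessions'

# Usage: find_httpd_unwritable DIR... < ls-Z-output
# Prints "PATH TYPE" for each requested path whose type httpd cannot write.
# httpd_sys_content_t (the usual web-root label) is read-only for httpd, and
# so are home-directory or default types such as user_home_t.
find_httpd_unwritable() {
    awk -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($2 in want) {
            split($1, ctx, ":")
            if (ctx[3] != "httpd_sys_rw_content_t" && ctx[3] != "httpd_user_rw_content_t")
                print $2, ctx[3]
        }'
}

# Usage: remediation_cmds DIR
# Emits the two commands that make DIR (and everything below it) writable for
# httpd persistently: record the rule in the policy, then apply it to disk.
# Only these paths get the rw label; the rest of the web root stays read-only.
remediation_cmds() {
    dir="$1"
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

# Live use: ls -dZ /var/www/html/uploads /var/www/html/cache | find_httpd_unwritable ...
# Here the constructed sample stands in for the real ls output.
printf '%s\n' "$SAMPLE_LS_Z" |
    find_httpd_unwritable /var/www/html/uploads /var/www/html/cache /var/www/html/sessions |
    while read -r path type; do
        echo "# $path is $type: httpd cannot write here"
        remediation_cmds "$path"
    done
```

After the fix, `ls -dZ` on the directory should show httpd_sys_rw_content_t, and any remaining denial shows up in /var/log/audit/audit.log rather than only as the PHP warning.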
