SELinux is the devil

I always use CentOS in the cloud because it’s stable and awesome for server-grade applications (web server, webdav, samba, etc.). I use Ubuntu or a Debian derivative on the desktop because the packages are more up to date and I don’t mind living on the edge at home. (Plus – interacting with CentOS and Ubuntu both on a daily basis keeps me sharp!)

So I tweeted this recently:

Spent two hours troubleshooting strange Apache behavior on a new VM before discovering SELinux was enforcing. Fuuuuuucccccckkkkkk! I gotta stop disabling SELinux and learn to set it up properly

TL;DR: …because I forgot to disable SELinux on the new VPS. 

There’s nothing more frustrating than performing rote operations that have worked 100 times before only to be stopped cold for no obvious reason.

I have another VPS set up almost the same (same OS – CentOS 7) and I kept comparing directory structures and installed packages wondering why everything was working on the old machine but not the new one.

After an entirely unacceptable amount of time (unacceptable to me – I expected this to be easy!) I turned to Google and started throwing random phrases at the search engine:

  • “apache no write permissions”
  • “apachectl doesn’t display”
  • “apachectl -S not working”

Not until I stumbled across this link did I even THINK about SELinux (that’s how long it’s been since I set up a new CentOS machine).

Now I know the proper thing to do is to spend some time wrapping my head around SELinux and understanding how it works.  Then I could set it up so it enhances my security instead of making me feel stupid and frustrated.  But instead I usually opt to just turn it off.

So – long story short – if you see this line in your Apache logs:

PHP Warning:  blah blah blah: failed to open stream: Permission denied in blah blah blah /var/www/html/blah.php

and you KNOW your permissions are correct…

Turn off SELinux.  That evil beast.
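Added example, not part of the original post: when that PHP warning appears and the file permissions are correct, the audit log shows whether SELinux is the one saying no, and for which label. The script below filters httpd AVC denials out of constructed sample records; the function names, the `uploads` directory and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# On a real CentOS 7 host the same records come from /var/log/audit/audit.log,
# or from `ausearch -m AVC -ts recent`; `getenforce` shows the current mode.

# Constructed sample audit records (not taken from the post).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1500000000.101:411): avc:  denied  { open } for  pid=2101 comm="httpd" path="/var/www/html/blah.php" dev="vda1" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1500000000.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1500000007.310:415): avc:  denied  { write } for  pid=2101 comm="httpd" name="uploads" dev="vda1" ino=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1500000009.000:420): avc:  denied  { read } for  pid=990 comm="sshd" name="notes" dev="vda1" ino=9003 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Reads audit records on stdin; prints "perms target label" for each denial
# whose source domain is httpd_t (the Apache/PHP process).
httpd_denials() {
  awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
      perm = ""; path = "?"; ttype = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm == "" ? "" : ",") $j
        } else if ($i ~ /^(path|name)=/) {
          path = $i; sub(/^[a-z]+=/, "", path); gsub(/"/, "", path)
        } else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
      }
      print perm, path, ttype
    }'
}

# Maps each denial to the content type httpd needs: read-only web content is
# httpd_sys_content_t, content PHP must write to is httpd_sys_rw_content_t.
suggest_fix() {
  while read -r perm path ttype; do
    case ",$perm," in
      *,write,*|*,append,*|*,create,*) want=httpd_sys_rw_content_t ;;
      *) want=httpd_sys_content_t ;;
    esac
    echo "$path: $ttype -> $want"
  done
}

sample_audit_log | httpd_denials | suggest_fix
```

On the host itself, `restorecon -Rv /var/www/html` resets files to the policy's default label, and `semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/uploads(/.*)?"` followed by `restorecon` marks a directory as writable by httpd.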
