SELinux is the devil

I spent two hours troubleshooting strange Apache behavior on a new VM before discovering SELinux was enforcing.

I always use CentOS in the cloud because it’s stable and awesome for server-grade applications (web server, webdav, samba… etc.). I use Ubuntu or a Debian derivative on the desktop because the packages are more up to date and I don’t mind living on the edge at home. (Plus – interacting with CentOS and Ubuntu both on a daily basis keeps me sharp!)

So I tweeted this recently:

https://twitter.com/iamchuckhawley/status/1063256820481957895

There’s nothing more frustrating than performing rote operations that have worked 100 times before only to be stopped cold for no obvious reason.

I have another VPS set up almost the same (same OS – CentOS 7) and I kept comparing directory structures and installed packages wondering why everything was working on the old machine but not the new one.

After an entirely unacceptable amount of time (unacceptable to me – I expected this to be easy!) I turned to Google and started throwing random phrases at the search engine:

  • “apache no write permissions”
  • “apachectl doesn’t display”
  • “apachectl -S not working”

Not until I stumbled across this link did I even THINK about SELinux (that’s how long it’s been since I set up a new CentOS machine).

Now I know the proper thing to do is to spend some time wrapping my head around SELinux and understanding how it works.  Then I could set it up so it enhances my security instead of making me feel stupid and frustrated.  But instead I usually opt to just turn it off.

So – long story short – if you see this line in your Apache logs:

PHP Warning:  blah blah blah: failed to open stream: Permission denied in blah blah blah /var/www/html/blah.php

and you KNOW your permissions are correct…

Turn off SELinux.  That evil beast.
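The Permission denied warning above does not say whether file modes or SELinux blocked Apache; the audit log does. The following is an added example, not part of the original post: a shell function that lists the SELinux denials recorded against the httpd_t domain (the names `httpd_avc_denials` and `sample_audit_log` and the sample records are constructed for illustration).

```shell
#!/usr/bin/env bash
# Added example: list SELinux AVC denials recorded against Apache (httpd_t).
# Assumption: on a real CentOS 7 host the input is /var/log/audit/audit.log.

# Constructed sample audit records (not from the original post).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1542300000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="cache" dev="vda1" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1542300005.456:460): avc:  denied  { read } for  pid=1234 comm="httpd" name="blah.php" dev="vda1" ino=67891 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1542300005.456:460): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1542300009.789:470): avc:  denied  { read } for  pid=999 comm="sshd" name="x" dev="vda1" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Reads audit records on stdin; prints "perms tclass name target_type"
# for every denial whose source domain is httpd_t.
httpd_avc_denials() {
  awk '
    $1 == "type=AVC" && /denied/ && /scontext=[^ ]*:httpd_t:/ {
      perm = ""; name = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {
          # Collect every permission between the braces, e.g. { read open }.
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perm = perm (perm == "" ? "" : ",") $j
        } else if ($i ~ /^name=/) {
          name = $i; sub(/^name=/, "", name); gsub(/"/, "", name)
        } else if ($i ~ /^tcontext=/) {
          split($i, c, ":"); ttype = c[3]   # user:role:type:level
        } else if ($i ~ /^tclass=/) {
          tclass = $i; sub(/^tclass=/, "", tclass)
        }
      }
      print perm, tclass, name, ttype
    }'
}

# Stand-alone run over the constructed sample.
sample_audit_log | httpd_avc_denials
```

An httpd_t line in the output confirms the denial came from SELinux rather than from file modes. The last column is the label on the file, which `ls -Z` shows and `restorecon -Rv /var/www/html` resets to the policy default.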
