SELinux influences "failed to open stream: Permission denied" PHP error


Problem description

Yesterday I spent 5 hours straight discovering a seemingly unreasonable error "failed to open stream. permission denied", which was occurring after any operation writing to the file system: fopen (with "w" and "a" flags), move_uploaded_file, file_put_contents.

I've rechecked the directories' owner many times (user and group - chown, chgrp) and have changed the folder attributes to insecure 777 (rwx with chmod), but it had no effect. I even reinstalled Apache and PHP, but was still facing the same error.

As it appeared after hours of reading various documentation, the origin of the error was SELinux restrictions automatically applied to the Apache service httpd. I simply turned off SELinux by editing the /etc/selinux/config file on my Fedora (release 20), changing the line:

SELINUX=enforcing

to

SELINUX=disabled

I restarted my computer and that annoying error had finally disappeared.

I have to note that all the questions on Stack Overflow regarding the issue of "permission denied" in a LAMP environment touched only on folder permission concerns, which was not the case for me.

  1. (practical) How can I grant the Apache httpd service write-delete-update permissions on a directory without totally disabling SELinux?

  2. (theoretical) What is SELinux? What is it intended for? Why (for what reason) was it created? Why should I use it? Is there a reason to keep SELinux enabled on a local dev machine?

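For moderators only: I understand that this question covers more administration than actual programming, but I'm sure it affects developers much more than novice admins, so choosing between SuperUser and StackOverflow I took the latter. However, it is up to you to decide whether to move the question to SuperUser or leave it here.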

Recommended answer

I am not an expert but have had a few issues with SELinux myself. I read a few articles and from what I can gather SELinux is another layer of security for your server and really should be left on, rather than switched off due to ignorance (that was the quote I read, not my words). I found this site helpful and also comical and it will probably give you more info than I ever could.

http://stopdisablingselinux.com/

A few things I have encountered that I will share are:

You can check the current SELinux permissions with the following command:

ls -lZ

You can set SELinux permissions with the following command:

chcon unconfined_u:object_r:httpd_user_content_t:s0 FILE

You can use a wildcard to change all files in a directory like so:

chcon unconfined_u:object_r:httpd_user_content_t:s0 *

You can set permissions on all files and directories recursively using this (this is the command that will likely fix your permission issue, you should avoid 777 like the plague):

chcon -R unconfined_u:object_r:httpd_user_content_t:s0 *

If you wish to use home directories to serve sites or applications, you need to issue this command:

setsebool -P httpd_enable_homedirs=1

I have had issues with fsockopen on CentOS with SELinux and I had to use the following (the -P makes this change permanent, you will likely need this command also):

setsebool -P httpd_can_network_connect 1

You can see what flags are set on HTTPD with:

sestatus

I think the final thing is that I had an issue with public/private key authentication on a server and needed to run this command to fix it (this is a known bug I believe):

restorecon -R -v /home

Hopefully some of these snippets and info will be of some use to you and these are not simply the ramblings of a mad man.
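
Added example, not part of the original question or answer: a small audit-record triage that separates SELinux denials from ordinary chmod/chown problems and maps httpd denials to a targeted fix instead of SELINUX=disabled. The sample records are constructed, DIR is a placeholder, and httpd_sys_rw_content_t (the standard policy's read-write web content type) is an assumption not named on the page.

```shell
#!/usr/bin/env bash
# Constructed sample records in audit.log format (not taken from a real host).
SAMPLE_LOG='type=AVC msg=audit(1400000000.101:451): avc:  denied  { write } for  pid=2101 comm="httpd" name="uploads" dev="dm-1" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1400000000.202:452): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.303:453): avc:  denied  { read } for  pid=900 comm="sshd" name="authorized_keys" dev="dm-1" ino=77 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file'

# Print "perm tclass source_type target_type object" for each denied AVC record on stdin.
parse_avc() {
  awk '/avc:[ ]+denied/ {
    perm = tclass = st = tt = ""; obj = "-"
    for (i = 1; i <= NF; i++) {
      if ($i == "{") perm = $(i + 1)   # first permission in the denied set
      else if ($i ~ /^tclass=/) tclass = substr($i, 8)
      else if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); st = c[3] }
      else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tt = c[3] }
      else if ($i ~ /^(name|dest)=/) { obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj) }
    }
    print perm, tclass, st, tt, obj
  }'
}

# Map httpd_t denials to a targeted fix; records from other domains are skipped.
advise() {
  parse_avc | while read -r perm tclass st tt obj; do
    [ "$st" = "httpd_t" ] || continue
    case "$tclass:$perm" in
      dir:write|dir:add_name|dir:remove_name|file:write|file:append|file:create|file:unlink)
        # Assumed label: httpd_sys_rw_content_t; DIR is a placeholder for the full path.
        echo "label: $obj is $tt; semanage fcontext -a -t httpd_sys_rw_content_t 'DIR(/.*)?' && restorecon -Rv DIR" ;;
      tcp_socket:name_connect)
        echo "boolean: port $obj; setsebool -P httpd_can_network_connect 1" ;;
      *)
        echo "review: $perm on $tclass ($tt)" ;;
    esac
  done
}

printf '%s\n' "$SAMPLE_LOG" | advise
```

On a live host the same function can read real records, for example `ausearch -m avc -ts recent | advise`.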
