Move your httpd / apache files on CentOS 7

CentOS 7 has SELinux enabled, so when you decide to change your default httpd directories you have to give these directories the right SELinux context; otherwise the httpd server will not be able to access the files.

SELinux

SELinux is a way to isolate processes / directories depending on an execution context. You can see the context of each file by using the ls -Z option.

SELinux enforcement can be switched off temporarily by using the setenforce command:

# setenforce 0  <-- permissive mode: denials are logged but no longer enforced
# setenforce 1  <-- enforcing mode: SELinux is active again

This is a quick way to verify whether your problem comes from SELinux or not; switch back to enforcing mode once the test is done.

The chcon command allows you to change the security context (see the comment below, as chcon may not be the best choice).

Log files

The log files & directories must have the httpd_log_t type. If your log directory is /httpd/logs, you can set it by using:

# chcon -Rv --type=httpd_log_t /httpd/logs

Html files

The HTML & PHP files must have the httpd_sys_content_t type; the command looks like:

# chcon -Rv --type=httpd_sys_content_t /httpd/htdocs

For a directory where you want Apache to be able to write, you must set the httpd_sys_rw_content_t type:

# chcon -Rv --type=httpd_sys_rw_content_t /httpd/htdocs/upload

The Apache configuration files and SSL certificates should have the following type:

# chcon -Rv --type=httpd_config_t /...
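To check that the types above actually landed on the moved files, here is an added example (not part of the original post) that audits `stat -c '%C %n'` output against the paths and types used in this article. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit SELinux types under the relocated httpd tree.
# Input lines have the form "<context> <path>", as printed by:
#   find /httpd -exec stat -c '%C %n' {} +

# expected_type PATH: print the type this article assigns to PATH.
# The most specific prefix is tested first (upload lives under htdocs).
expected_type() {
    case "$1" in
        /httpd/htdocs/upload|/httpd/htdocs/upload/*) echo httpd_sys_rw_content_t ;;
        /httpd/htdocs|/httpd/htdocs/*)               echo httpd_sys_content_t ;;
        /httpd/logs|/httpd/logs/*)                   echo httpd_log_t ;;
        *) : ;;                                      # not covered by the article
    esac
}

# audit_labels: read "<context> <path>" lines on stdin, print one
# "MISMATCH path actual expected" line per wrongly labelled file,
# and return 1 if any mismatch was found.
audit_labels() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        [ -n "$want" ] || continue
        # A context is user:role:type:level, so the type is field 3.
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path $have $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: labels as they might look right after moving files.
sample_labels() {
cat <<'EOF'
unconfined_u:object_r:httpd_log_t:s0 /httpd/logs/access_log
unconfined_u:object_r:default_t:s0 /httpd/htdocs/index.php
unconfined_u:object_r:httpd_sys_content_t:s0 /httpd/htdocs/upload
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /httpd/htdocs/upload/a.png
EOF
}

sample_labels | audit_labels || echo "relabel needed"
```

On a real system, replace `sample_labels` with the `find ... stat` command shown in the header comment.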

Allow internal connections (proxy)

When the nginx server wants to reach a local Spring Boot application exposed on a different port:

# setsebool -P httpd_can_network_connect 1

Allow sending mail

SELinux also prevents Apache from sending mail unless it is authorized. So if you need to send mail, you need to authorize it:

# setsebool -P httpd_can_sendmail=on

To see all the possible flags you can enable / disable with setsebool, run the command:

# sestatus -b

You will see all existing flags and their current status.

Allow access to the database

# setsebool -P httpd_can_network_connect_db=on

2 thoughts on “Move your httpd / apache files on CentOs 7”

  1. Hi,

    You shouldn’t use the chcon command because all the context assignments will be lost in some cases (after a reboot, the system can decide to relabel all the files).
    You need to use the ‘semanage fcontext’ command followed by the restorecon command.
    In your example, you should apply the commands as follows:
    # yum install setroubleshoot-server
    # semanage fcontext -a -t httpd_log_t "/httpd/logs(/.*)?"
    # semanage fcontext -a -t httpd_sys_content_t "/httpd/htdocs(/.*)?"
    # semanage fcontext -a -t httpd_sys_rw_content_t "/httpd/htdocs/upload(/.*)?"
    # restorecon -R /httpd

    The “/httpd/logs(/.*)?” expression means all the files in the /httpd/logs directory and the directory itself.

    Finally, you need to apply the -P option when using the setsebool command otherwise your change will be lost after reboot:
    # setsebool -P httpd_can_sendmail on

    Regards.
