Cannot write into "config" directory! SELinux issue. Help me, please :-(

selinux
8.2.x

#1

Hey,

I've got a running OC server in production running without issues. I need to migrate to a new server where I've installed CentOS 7 with PHP 7 + MariaDB.
I copied (rsync) the entire owncloud directory, and also made a mysql dump which I restored on the new server.
I also modified $ocpath/lib/private/appframework/http/request.php adding this code in order to make it work with php 7:

    public function __isset($name) {
        if (in_array($name, $this->allowedKeys, true)) {
            return true;
        }
        return isset($this->items['parameters'][$name]);
    }

The thing is I cannot access owncloud because of SELinux. When I go to http://domain.com/owncloud/index.php this message appears:

"Cannot write into "config" directory!
This can usually be fixed by giving the webserver write access to the config directory."

This is selinux info for the config directory:

    drwxrwxr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 config

And these are the files located in the config dir:

    -rw-r-----. apache apache system_u:object_r:httpd_sys_content_t:s0 config.php
    -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 config.sample.php

I don't know how to solve this because this is the exact way the files are in the previous (working) instance of ownCloud. The only difference is that the previous server has PHP 5.6.14

When I disable SELinux (setenforce 0) I can access ownCloud normally.

I would very much appreciate your help!

Regards.

Damon H.

Steps to reproduce
1. Copy owncloud directory from a functional owncloud instance to a new server
2. Update DB from a DB dump
3. Run owncloud

Expected behaviour
OC should work

Actual behaviour
Cannot write into "config" directory! This can usually be fixed by giving the webserver write access to the config directory.

Server configuration
Operating system: CentOS 7
Web server: apache 2.4.6
Database: mysql Ver 15.1 Distrib 5.5.47-MariaDB
PHP version: PHP v7.0.9
ownCloud version (see ownCloud admin page): 8.2.1.4
Updated from an older ownCloud or fresh install: migrated from a running instance
ownCloud log (data/owncloud.log, see https://central.owncloud.org/t/how-to-find-webserver-or-oc-logfile-enable-php-logfile/808): empty

Special configuration: SELinux is enforcing


#2

Hello Damon, it sounds like you need to re-label the directories. Here's how I do it on my CentOS 7 server:

    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/data'
    restorecon '/var/www/html/owncloud/data'
    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/config'
    restorecon '/var/www/html/owncloud/config'
    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/apps'
    restorecon '/var/www/html/owncloud/apps'
    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/owncloud/assets'
    restorecon '/var/www/html/owncloud/assets'

#3

Hey Argon,
Thank you for your answer, but I already did that; these labels are already set. Anyway, ownCloud keeps telling me that it cannot write to the config directory.


#4

Can't SELinux log such events? Consider also asking in the SELinux-community for configuration questions regarding SELinux.


#5

It can:

https://doc.owncloud.org/server/9.1/admin_manual/installation/selinux_configuration.html#troubleshooting

But yes, for help with SELinux it's better to ask a community dedicated to the used distribution.


#6
  1. You mention the only difference is the PHP version, 5.6 vs. 7. So everything else is 100% identical? CentOS 7, MariaDB, etc. all exact same versions? I thought the "recommended" version of PHP is v5.6, is there a specific reason why you want v7?

  2. How did you rsync the data? Did you use the -a switch for "archive" which preserves all of the file attributes?

  3. Did you do a restorecon on the entire Apache documentroot? Are you using a custom documentroot or is it the default /var/www/html/ ?

I know selinux can be set to "Permissive" mode, whereby it won't block anything, but it will continue to log all of the events. This should allow you to run, while producing a log to help narrow down where the issue is.


#7

tflidd, RealRancor, argon3030,
Thank you very much for your help!!!
I fixed it. I found in the log file that I had to run:

    setsebool -P httpd_unified 1
    setsebool -P httpd_execmem 1

I really don't know which one of these commands fixed the issue, but now it works.

Regards,

Damon


#8

Glad you got it working. Interestingly, I just checked my system and both of those se bools you mention, httpd_unified and httpd_execmem, are both set to OFF on my server.

I'm not an selinux expert by any stretch, so I can't say what this means, but everything works great for me no issues. Might be worth keeping an eye on your log files and maybe flipping those bools off again just to see what happens.
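
The log check suggested in posts #6 and #8 can be scripted; the following is an added example, not part of any post in this thread, that classifies httpd_t AVC denials so that only the boolean or relabel actually needed gets applied. The sample log lines are constructed, and the finding labels and the mapping (execmem to httpd_execmem; writes to httpd_sys_content_t to a relabel or httpd_unified) are assumptions based on the stock targeted policy.

```bash
#!/usr/bin/env bash
# Added example: classify httpd_t AVC denials (audit.log format) read on stdin.
# Prints "<count> <finding> <object name>" per distinct denial, sorted by finding.
classify_avc() {
  awk '
    /avc: +denied/ {
      # Extract the permission list between the braces, e.g. "write add_name".
      perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = tgt = cls = ""; name = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
      }
      if (src != "httpd_t") next            # only the web server domain
      p = " " perms " "
      if (cls == "process" && p ~ / execmem /)
        f = "execmem->httpd_execmem"        # boolean, hypothetical label
      else if (tgt == "httpd_sys_content_t" && p ~ / (write|create|add_name|unlink) /)
        f = "ro-label-write->relabel-rw-or-httpd_unified"
      else
        f = "other:" cls ":" tgt
      seen[f " " name]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k2
}

# Constructed sample lines (not taken from the poster log).
sample_log() {
  cat <<'EOF'
type=AVC msg=audit(1470000001.101:201): avc:  denied  { write } for  pid=2101 comm="httpd" name="config.php" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1470000002.202:202): avc:  denied  { write } for  pid=2102 comm="httpd" name="config.php" dev="dm-0" ino=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1470000003.303:203): avc:  denied  { execmem } for  pid=2101 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1470000004.404:204): avc:  denied  { read } for  pid=900 comm="sshd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1470000004.404:204): arch=c000003e syscall=2 success=no exit=-13 comm="sshd"
EOF
}

sample_log | classify_avc
```

On a real host the input would come from /var/log/audit/audit.log or `ausearch -m avc`. A write denial on a file labelled httpd_sys_content_t inside an rw-labelled directory points at relabelling that file, which is narrower than turning on httpd_unified.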


#9

Thank you, these also worked for me using CentOS.