Recently, like a couple of hours ago, I migrated my blog, after it had been down for a couple of months, to an AWS LAMP stack, which was great and easy until Apache just wasn’t loading the site. It’s a blog, so it runs WordPress and a simple LAMP stack, where getting everything running should pretty much just be an out-of-the-box solution.
However, this time around, once I pushed the DNS over, HTML was serving but PHP just would not execute due to permission issues, as shown below:
[Mon Jun 22 17:42:47.530605 2015] [core:error] [pid 9461] (13)Permission denied: [client 24.28.94.42:57301] AH00035: access to /index.php denied (filesystem path '/var/www/mattharris.org/index.php') because search permissions are missing on a component of the path
[Mon Jun 22 17:42:48.475473 2015] [core:error] [pid 9461] (13)Permission denied: [client 24.28.94.42:57301] AH00035: access to /index.php denied (filesystem path '/var/www/mattharris.org/index.php') because search permissions are missing on a component of the path
So the culprit, after a lot of going up the tree and checking all of the permissions and ownership, ended up being SELinux. Apparently in Red Hat 7 and CentOS 7 this is enabled by default, and you have to manually disable the policies on pretty much everything or manually go through the audit log and enable each filter. So here is a quick and dirty fix:
[root@ip-172-31-41-252 ~]# getenforce
Enforcing
[root@ip-172-31-41-252 ~]# setenforce 0
[root@ip-172-31-41-252 ~]# getenforce
Permissive
This will put SELinux into permissive mode. Since this server only houses an open source blog, security isn’t my number one priority. That, and it’s on AWS, so it’s a bit more secure than, say, a shared hosting account.
Now, with this, the change will not persist across a reboot; if we want it to persist, we need to edit the following file: /etc/sysconfig/selinux
from
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
to
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
Keep in mind that normally you would just want to allow the specific rule being triggered; if you are interested in doing this, review: https://wiki.centos.org/HowTos/SELinux
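As an added example (not part of the original post), here is one way to find the specific rule being triggered while SELinux stays in enforcing mode: summarise the httpd AVC denials from the audit log and map each one to a narrow remedy. The audit records, the user_home_t label, the MySQL port denial and the function names summarize_avc and suggest_fix are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for httpd so the specific
# cause can be fixed without switching the whole system to permissive.

# Constructed sample records (not from the original post). On a real host:
#   ausearch -m avc -c httpd --raw | summarize_avc | suggest_fix
SAMPLE_AVC='type=AVC msg=audit(1434994967.530:412): avc:  denied  { search } for  pid=9461 comm="httpd" name="mattharris.org" dev="xvda1" ino=8409213 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1434994968.475:413): avc:  denied  { search } for  pid=9461 comm="httpd" name="mattharris.org" dev="xvda1" ino=8409213 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1434994970.101:417): avc:  denied  { name_connect } for  pid=9461 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1434994970.101:417): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"'

# Print one line per distinct denial: count perm tclass target_type name
# (only the first permission inside { } is kept; name is "-" when absent).
summarize_avc() {
    awk '
    /^type=AVC / && /denied/ && /comm="httpd"/ {
        perm = ""; tclass = ""; ttype = ""; name = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
        }
        seen[perm " " tclass " " ttype " " name]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Map each summarised denial to the usual narrow remedy.
# WEBROOT is an assumed path; override it in the environment if needed.
suggest_fix() {
    WEBROOT=${WEBROOT:-/var/www/mattharris.org}
    while read -r count perm tclass ttype name; do
        case "$tclass:$ttype" in
            dir:httpd_*|file:httpd_*)
                echo "$name: labelled $ttype; check booleans: getsebool -a | grep httpd" ;;
            dir:*|file:*)
                echo "$name: labelled $ttype; relabel: restorecon -Rv $WEBROOT" ;;
            tcp_socket:mysqld_port_t)
                echo "MySQL port: setsebool -P httpd_can_network_connect_db on" ;;
            *)  echo "$perm on $tclass ($ttype): review with audit2why" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc | suggest_fix
```

After applying a remedy, `ls -Zd` on the web root shows the resulting label, and `getenforce` should still report Enforcing.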
