I want to read some file from a home directory where I get pushed files from other servers I can trust.
My index.php is in /var/www/html/index.php
The file I want to read via PHP file_get_contents is located in /home/user123/subdir/info.txt
The error I am getting:
file_get_contents(/home/user123/subdir/info.txt): failed to open stream: Permission denied (2)
aureport --avc
shows the denial:
05.09.2014 14:17:16 httpd system_u:system_r:httpd_t:s0 6 dir getattr unconfined_u:object_r:user_home_dir_t:s0 denied 53606
What I tried so far (no success):
chcon -R -t httpd_sys_script_rw_t /home/user123/*
chcon -R -t httpd_user_content_t /home/user123/*
adding the directory to the Apache userdir config (/etc/httpd/conf.d/userdir.conf):
<Directory "/home/user123/*">
AllowOverride None
Require all granted
</Directory>
What am I missing / what am I doing wrong?
Info on the system:
Server version: Apache/2.4.6 (CentOS)
PHP version 5.4.16
SELinux enforcing
CentOS 7
UPDATE
Granting Apache permission to read home directories solved the SELinux denial:
setsebool -P httpd_enable_homedirs on
But the error file_get_contents(/home/user123/subdir/info.txt): failed to open stream: Permission denied (2) is still there...
For this to work correctly with SELinux enforcing, several things need to be properly aligned.
First, the home directory needs to be traversable by users other than the owner. Typically home directories are 700, but the apache user needs execute:
chmod o+x /home/user123
Likewise, the directory inside it that holds the target file needs to be executable (traversable), and the file itself needs to be readable:
chmod o+x /home/user123/subdir
chmod -R o+r /home/user123/subdir
As you found, you need to set the SELinux boolean to allow homedirs (-P to persist across reboots):
setsebool -P httpd_enable_homedirs on
Finally, the target directory needs the correct SELinux context. For a read-only directory, httpd_user_content_t is probably most appropriate:
chcon -R -t httpd_user_content_t /home/user123/subdir
Important to note: only the directory Apache needs to read should have its SELinux context changed. It isn't necessary to change the context of the home directory itself (/home/user123), and doing so would likely have detrimental effects on other things (maybe even on your ability to log in!)
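The answer above describes two independent layers that both have to allow the read: the DAC bits on every path component, and the SELinux boolean plus file type. The following script is an added example, not part of the answer or of any project, that checks those layers for a given path so you can see which one is still blocking httpd. The path /home/user123/subdir/info.txt and the set of acceptable SELinux types are assumptions for illustration; the SELinux part only runs when getsebool is available on the host.

```bash
#!/usr/bin/env bash
# Check what a confined httpd_t process needs to read a file under a home
# directory: "other" traversal (o+x) on every directory, "other" read (o+r)
# on the file, the httpd_enable_homedirs boolean, and an httpd-readable type.
# Assumption: plain mode bits only; POSIX ACLs are not inspected here.

# Return 0 if every directory leading to $1 is o+x and $1 itself is o+r.
path_perms_ok() {
  local target="$1" p="$1" mode other
  while [ -n "$p" ] && [ "$p" != "/" ]; do
    mode=$(stat -c '%a' "$p") || return 1      # e.g. 700, 755, 644
    other=$(( 0$mode % 8 ))                      # octal parse, keep "other" digit
    if [ "$p" = "$target" ] && [ ! -d "$target" ]; then
      [ $(( other & 4 )) -ne 0 ] || { echo "missing o+r: $p"; return 1; }
    else
      [ $(( other & 1 )) -ne 0 ] || { echo "missing o+x: $p"; return 1; }
    fi
    p=$(dirname "$p")
  done
  return 0
}

# Return 0 if a context string (as printed by ls -Z or stat -c %C) carries a
# type httpd_t may read. The accepted set is an illustrative assumption:
# httpd_user_content_t (with httpd_enable_homedirs on) or httpd_sys_content_t.
# user_home_dir_t / user_home_t, the defaults under /home, are rejected.
context_type_ok() {
  local type
  type=$(printf '%s' "$1" | cut -d: -f3)
  case "$type" in
    httpd_user_content_t|httpd_sys_content_t) return 0 ;;
    *) echo "unexpected SELinux type: $type"; return 1 ;;
  esac
}

# Combined check for use on a real host; SELinux checks are skipped if absent.
check_homedir_read() {
  local target="$1" rc=0
  path_perms_ok "$target" || rc=1
  if command -v getsebool >/dev/null 2>&1; then
    getsebool httpd_enable_homedirs | grep -q -- '--> on' \
      || { echo "httpd_enable_homedirs is off"; rc=1; }
    context_type_ok "$(stat -c '%C' "$target")" || rc=1
  fi
  return $rc
}

# Usage: check_homedir_read /home/user123/subdir/info.txt
```

Run it as any unprivileged user (the apache user is ideal); a non-zero exit prints the first layer that would still deny the read.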