Write Permission Problems with Apache? Check for SELinux…

While trying to install MediaWiki on my CentOS 4.5 box, PHP could not write the Wiki configuration file.  So, I conducted the standard checklist:

  • Figure out what user and group Apache was using (apache/apache),
  • Ensure that the path to the configuration file was navigable by the apache user, and
  • Ensure that the directory and file were writable by the apache user,

but it still wouldn’t work!

Even more interesting, I found a number of forum threads where people were able to run PHP scripts manually as the apache user and have them write to files, but have the same scripts fail when run through httpd.

As it turned out, Security-Enhanced Linux (SELinux) was to blame.  SELinux is an updated Linux kernel and set of utilities released by the NSA that allow fine-grained security control of specific processes.  On our CentOS 4.4 boxes, it was off by default, but for our CentOS 4.5 box, it was enabled.  This kept the httpd process from being able to write to the file system, even when the user and file permissions were set correctly.  By setting SELINUX=disabled in /etc/selinux/config and rebooting, suddenly it worked.

Restricting permissions on particular processes is a brilliant idea since it allows blanket protection for unforeseen security holes.  However, like iptables (a software firewall), SELinux can have infuriating side effects until you realize that it is the source of the odd behavior.
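
One way to confirm that SELinux, rather than file permissions, is what blocked httpd is to look for the kernel's AVC denial messages. The following is an added example, not code from the original post: it parses such messages and counts the write-class denials for the httpd command. The log lines, host name, file name and security contexts in it are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the post) in the kernel's AVC denial format.
SAMPLE_LOG = """\
Aug 21 10:00:01 web1 kernel: audit(1187690401.101:12): avc:  denied  { write } for  pid=2301 comm="httpd" name="config" dev=dm-0 ino=81234 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
Aug 21 10:00:05 web1 kernel: audit(1187690405.330:13): avc:  denied  { read } for  pid=2410 comm="named" name="zone.db" dev=dm-0 ino=90211 scontext=root:system_r:named_t tcontext=user_u:object_r:tmp_t tclass=file
Aug 21 10:00:09 web1 kernel: audit(1187690409.870:14): avc:  denied  { write add_name } for  pid=2301 comm="httpd" name="config" dev=dm-0 ino=81234 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
Aug 21 10:00:12 web1 sshd[2501]: Accepted password for admin from 192.0.2.10 port 40122 ssh2
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_PERMS = {'write', 'append', 'create', 'add_name'}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(context):
    """Extract the type from user:role:type[:level]; '' if malformed."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else ''


def write_denials(log_text, comm='httpd'):
    """Count write-class denials for one command, keyed by (name, target type, class)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get('comm') != comm:
            continue
        if WRITE_PERMS.isdisjoint(rec['perms']):
            continue
        key = (rec.get('name', '?'), context_type(rec.get('tcontext', '')), rec.get('tclass', '?'))
        hits[key] += 1
    return hits


if __name__ == '__main__':
    for (name, ttype, tclass), n in write_denials(SAMPLE_LOG).items():
        print(f'{n} denial(s): httpd -> {name} ({ttype}, {tclass})')
```

A non-empty result for httpd while the user, group and mode checks all pass points at the SELinux policy rather than the file permissions.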