I tried my first Flarum install in the last few days on CentOS 7. SELinux caused so much trouble. At first, I just set it to permissive and could successfully finish the install. But that might be dangerous.
So I re-enabled it and tried to figure out which part caused the problem. After checking the audit.log,
sudo cat /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1723519767.844:2990): avc: denied { write } for pid=14533 comm="php-fpm" name="sessions" dev="sda2" ino=67242449 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
Was caused by:
The boolean httpd_unified was set incorrectly.
Description:
Allow httpd to unified
Allow access by executing:
#setsebool -P httpd_unified 1
I find that SELinux prevents write and create in the folder "sessions" and other folders under flarum/storage/. As indicated by the audit.log, I can simply use # setsebool -P httpd_unified 1 to fix the problem.
But it seems that the permission given by # setsebool -P httpd_unified 1 is also too broad. So I used sudo chcon -R -t httpd_sys_rw_content_t /var/www/flarum/storage/ to fix the problem. I was wondering if this is safe enough. Or are there other methods to fix the SELinux problem?
Furthermore, is it safe to set the whole flarum folder as httpd_sys_rw_content_t? I found that for the extension manager to work, it has to be so.
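
An added example, not part of the original post: a small Python parser that reads AVC denials like the one quoted above and lists the object names where httpd_t was refused a write-class permission on read-only httpd_sys_content_t content, i.e. the candidates for a narrower httpd_sys_rw_content_t label. The function names, the write-permission set, and the second and third log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the post; lines 2 and 3 are constructed samples.
SAMPLE_LOG = '''\
type=AVC msg=audit(1723519767.844:2990): avc: denied { write } for pid=14533 comm="php-fpm" name="sessions" dev="sda2" ino=67242449 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723519768.101:2991): avc: denied { create } for pid=14533 comm="php-fpm" name="sess_constructed" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1723519769.300:2992): avc: denied { name_connect } for pid=14533 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that modify a file or directory (assumed set for this example).
WRITE_PERMS = {'write', 'create', 'add_name', 'remove_name',
               'setattr', 'unlink', 'rename', 'append', 'rmdir'}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),  # last path component only, not a full path
        # A context is user:role:type:level; the type is what policy matches on.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields.get('tclass'),
    }

def summarize(log_text):
    """Map (source type, target type, class, name) to the set of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            key = (d['source_type'], d['target_type'], d['tclass'], d['name'])
            summary[key].update(d['perms'])
    return dict(summary)

def needs_rw_label(summary, source='httpd_t', ro_type='httpd_sys_content_t'):
    """Names where `source` was denied a modifying permission on read-only web content."""
    return sorted({name for (s, t, _c, name), perms in summary.items()
                   if s == source and t == ro_type and perms & WRITE_PERMS})

if __name__ == '__main__':
    print(needs_rw_label(summarize(SAMPLE_LOG)))
```

The audit record carries only the final path component in name=, so each reported name still has to be located on disk (for example by its ino= value) before deciding which directory to relabel.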