I dont want to disable Selinux but I am having problems with it. I am using FFMPEG (located in /var/www/tester/ffmpeg and owned by apache)
[root@betaX tester]# ls -Z /var/www/html/tester/ffmpeg/
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffmpeg
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffmpeg-10bit
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffprobe
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffserver
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 manpages
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 model
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 qt-faststart
But everytime I try to run ffmpeg
{ffmpeg-cmd} -i {input} -vcodec libx264 -s {ffmpeg-vsize} -threads 16 -movflags faststart {output}.mp4
I am getting permission denied error.
[root@betaX tester]# tail -f /var/log/httpd/error_log
sh: /var/www/html/tester/ffmpeg/ffmpeg: Permission denied
I want to disable Selinux only for Apache since it will cost me a lot of time, is there any method doing that on Centos 7.x? I found a solution in Fedora but I dont have any folder or file called /etc/selinux/targeted/booleans
.
Any clue or suggestions?
Current settings
[root@betaX tester]# /usr/sbin/getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> on
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> on
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
Best Answer
Your issue is caused by incorrectly labeled executables.
Relabel them to
http_sys_script_exec_t
(see semanage fcontext and restorecon):For completeness sake, here's how to just disable SELinux for apache (using semanage permissive):