Laravel & SELinux
The Issue
SELinux is a huge pain in the backside and would normally be something that I would disable (or at the very least switch to permissive mode). Sometimes, though, you need to keep it enabled for compliance reasons set out by the client, and if that's the case, you're in the right place!
I struggled to find a comprehensive guide covering Laravel with SELinux, so I thought I would share this to save others the pain in the future.
The Solution
Variables in this guide
$deployment_path -- The directory the codebase is deployed to (e.g. /var/www/html). Give it without a trailing slash: the semanage patterns below append "/storage" etc., and a trailing slash would produce a "//" that never matches.
$web_user -- The user that the web process is running as (e.g. www-user/apache/nginx)
Apply permissions
Apply permissions to the codebase as you normally would:
find $deployment_path -type f -exec chmod 640 {} \;
find $deployment_path -type d -exec chmod 750 {} \;
chown -R $web_user:$web_user $deployment_path
Allow web process to write to the filesystem
We need to label the codebase with the file contexts that the existing SELinux httpd policy expects, and we can do that with:
semanage fcontext -a -t httpd_sys_content_t "$deployment_path(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "$deployment_path/storage(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "$deployment_path/bootstrap/cache(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "$deployment_path/vendor(/.*)?"
restorecon -Rv $deployment_path
The first four commands add file-context rules to the policy (the whole tree read-only, the storage, bootstrap/cache and vendor subtrees read-write); the final command, restorecon, relabels the files on disk to match those rules.
Allow web process to communicate with the database
We need to explicitly allow the web process to communicate with the database over the network:
setsebool -P httpd_can_network_connect_db=1
Allow web process to communicate with other services
We need to explicitly allow the web process to communicate over the network (even if that's localhost!); this is needed for services such as Redis:
setsebool -P httpd_can_network_connect=1
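The labelling steps above collected into one script, as an added example that is not part of the original post. It assumes a POSIX shell, that semanage, restorecon, matchpathcon and getsebool exist on the target host, and it defaults to printing the plan (DRY_RUN=1) so the commands can be reviewed before they run; the path normalisation and the post-relabel checks are additions of this example.

```shell
#!/bin/sh
# Added example: build the SELinux labelling plan for a Laravel deployment.
# Strips a trailing slash so "/var/www/html/" and "/var/www/html" give the
# same fcontext rules (a "//" in the regex would never match a real path).

normalize_path() {
    printf '%s' "${1%/}"
}

# Regex for semanage: "" means the whole tree, otherwise a subdirectory.
fcontext_pattern() {
    base=$(normalize_path "$1")
    if [ -n "$2" ]; then
        printf '%s/%s(/.*)?' "$base" "$2"
    else
        printf '%s(/.*)?' "$base"
    fi
}

# Read-only label for the tree, read-write for the subtrees the post lists,
# then restorecon to apply the rules to the files on disk.
label_plan() {
    base=$(normalize_path "$1")
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s"\n' "$(fcontext_pattern "$base" "")"
    for sub in storage bootstrap/cache vendor; do
        printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s"\n' \
            "$(fcontext_pattern "$base" "$sub")"
    done
    printf 'restorecon -Rv "%s"\n' "$base"
}

# Checks after relabelling: matchpathcon = what the policy says the label
# should be, ls -Z = what it actually is, getsebool = the booleans persisted.
verify_plan() {
    base=$(normalize_path "$1")
    printf 'matchpathcon "%s/storage/logs"\n' "$base"
    printf 'ls -dZ "%s/storage" "%s/bootstrap/cache" "%s/vendor"\n' "$base" "$base" "$base"
    printf 'getsebool httpd_can_network_connect_db httpd_can_network_connect\n'
}

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 pipes them into sh.
apply_or_print() {
    if [ "${DRY_RUN:-1}" = 1 ]; then cat; else sh; fi
}

# Usage: DRY_RUN=0 sh laravel-selinux.sh /var/www/html
if [ -n "${1:-}" ]; then
    { label_plan "$1"; verify_plan "$1"; } | apply_or_print
fi
```

The booleans themselves are set exactly as in the post (setsebool -P); the script only verifies them, since httpd_can_network_connect opens all outbound connections for the web process and deserves a deliberate decision rather than a scripted default.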