CentOS 7 and WebTrees 1.7x

So I finally started getting the new web server up and running with CentOS 7. First step once running was to install a LAMP configuration (php7.1) and to get WebTrees running. Rather than hang WebTrees directly off /var/www/html/webtrees or similar, I chose to place it at /var/www/wt. I basically unzipped it into a working directory in my home folder so I could examine it and then copied the entire folder to my target location.

I ran into three large issues that prevented running the application:

  1. Needed to configure the system properly inside apache’s configuration files to ensure the directory is accessible to the webserver process, and also to create an alias that points to the folder.
  2. Once that part was complete, the web process couldn’t write to /var/www/wt/data folder; apache (httpd) runs with a user/group of apache rather than www-data as found on many other debian-based distros.
  3. Even when correct user/group had been applied to all files, still couldn’t write. Finally dawned on me that SELinux is used on CentOS (and many other distros) and requires some additional permissions to be set. I highly recommend that you do not follow the WebTrees setup wizard advice of assigning 777 (world-read/write) permissions as this bypasses many security things. Also, it won’t work anyway without disabling SELinux, which is an even greater security breach. Read on, do some additional research (not specific to WebTrees) and you’ll see it’s not really that hard. I’ll describe as best I can what the various components mean.

1 – Configure folder access (since it’s not located under /var/www/html)

I normally add this right after the last <Directory> tag found in /etc/httpd/conf/httpd.conf, which for a default installation will probably be your normal /var/www/html access. Please note that this currently does not add SSL as I have the system limited to my local home network. Later, I’ll try to detail how to make this an SSL (https) access instead for additional security.

The Alias directive tells the system that the files found at /var/www/wt should be considered to off /wt on the web server (http://servername/wt). The following Directory entry simply controls whether the files in the directory can be listed, etc.

Alias "/wt" "/var/www/wt"
<Directory "/var/www/wt">
   Options None
   AllowOverride None
   Require all granted
</Directory>

2 – Set correct user/group ownership

This is a relatively simple fix; both 2 and 3 must be done before any noticeable change will occur.

If you use

ls -l /var/www

You’ll see that the default user:group for the wt folder is www-data:www-data. Use the following command to change it to the correct webserver process apache:apache. -R changes everything in the folder not just the folder itself.

sudo chmod -R apache:apache /var/www/wt

3 – Edit SELinux policies to permit proper access control

(Please note that I am definitely not an SELinux expert and have adapted these steps from the description provided by Shane Rainville’s Overview located on http://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/. I highly recommend reviewing this information yourself as I have summarized it to the steps I utilized only.)

I normally login to my web server as a normal user and then use sudo for any commands that require root/admin access. There are many flame wars about what is best for isolated systems, YMMV. If you login as a normal user, prefix all commands with sudo.

Install the core policy utilities:

yum install -y policycoreutils-python

Also install the SELinux troubleshooting (there is a typo on Shane’s list, should be setroubleshoot, not setroubleshooting):

yum install -y setroubleshoot

The two above steps allow you to manage the SELinux policies, view them, etc. Shane’s page illustrates how to list existing policies in place, which is probably handy when combined with grep, but my system printed more than enough to fill up the scroll-back buffer. Knowing how to do it comes in handy later, though, for troubleshooting your typos, etc.

Shane illustrates the need to create several types of process accesses, including content, logs, and cache. However, for WebTrees all that I currently need is the content access. Therefore, I issued the command:

semanage fcontext -a -t http_sys_content_t "/webapps(/.*)?"

to permit the httpd process to access content within the entire /var/www/wt folder and derivatives. Note that the last bit on the end of the command above makes sure all subfolders, files, etc., are covered within that context. Note that double quotes, forward slashes, etc., are all critical to the command.

Next, you need to permit read/write access to the /var/www/wt/data folder and files in order to get past the server check on the setup wizard. In reality, this permits the system to store multimedia files, etc., within the data structure properly. (Note that there was a typo here and the -t was left off Shane’s page, I’ve added it here)

semanage fcontext -a -t httpd_sys_rw_content_t "/webapps/app1/public_html/uploads(/.*)?"

At this point, you should be able to run the setup wizard successfully and get to the MySQL/MariaDB configuration portion to setup the database itself.

One point to make here is that WebTrees places its configuration file (config.inc.php) within the data directory so a command to allow read/write to that file is not required as it is already covered by the previous command. As Shane points out, though, it could be necessary if setting up an application that stores that file in a more traditional location (which could be anywhere, tradition be damned).

Have fun. No guarantees, warranty, etc.