Using SQLite through PHP without completely disabling SELinux

Pipupnipup asked:

I’m trying to access an SQLite file on a CentOS7 box using PHP and the PDO library. I was getting read-only errors just like this question – https://stackoverflow.com/questions/3319112/sqlite-read-only-database

And per that question, the answer was to disable SELinux. That’s fine for development, but for a production system I’d like to keep SELinux enabled.

How do I leave SELinux enabled, without getting read-only errors on the SQLite file?

(Note: The answers in that question that relate to it don’t seem to be CentOS 7 compatible).

My answer:


By default PHP (which runs under the httpd_t domain) is not allowed to write files in most locations on the system, other than temporary directories.

You can set a specific file to be writable by changing its context to httpd_sys_rw_content_t. For example, to change the context temporarily:

chcon -t httpd_sys_rw_content_t /var/lib/myapp/database.sqlite

To make this permanent, you need to set a permanent file context matching the file, so that it will always be labeled this way. You do this with semanage fcontext.

semanage fcontext -a -t httpd_sys_rw_content_t /var/lib/myapp/database.sqlite

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.