Installation on redhat 8 (RHEL8)

I used grav on Debian (and it works great). My institution, however, forces us to use RedHat 8 Enterprise.

The installation was quite painful, but I eventually found the magical incantation to give access to the files to apache and it mostly works. Except for the problem shown in the image below:

I get these red errors pretty much everywhere. There is not even an error code in the message, so it’s not easy (for me) to track down. I think I installed all the required php modules. Note that the Notification Pane on the Dashboard has a “spinning circle” that never stops spinning. Again, none of this was happening with Debian.

Any hint on what might be set up wrong would be great.

PS/ I followed: https://learn.getgrav.org/16/troubleshooting/permissions and used the command:

chcon -Rv system_u:object_r:httpd_sys_rw_content_t:s0 ./

in the grav folder (/var/www/html/grav) to appease redhat. That allowed me to get this far, but no further.

One more note: I also turned off the allow_url_fopen in php.ini and restarted httpd. Now the error shows a code 0:

Error while trying to download (code: 0): https://getgrav.org/blog.atom Message: Couldn't connect to server

Running curl on the url https://getgrav.org/blog.atom at the command line on the server works just fine. Still lost.

Do you have apache:apache permission on your grav setup?

CLI

sudo chown -vR apache:apache /directory_of_your_grav_installation/

su -c "chown -vR apache:apache /directory_of_your_grav_installation/"

It’s necessary to set these user:group permissions on the /cache directory or it does not work well.

Note: Debian does not offer SELinux AVC security context to prevent malicious software from executing on your server :wink:

Yes, I did. I followed the direction to figure out the user that httpd was running under and chown’d the files.

[root@ipp html]# ps aux | grep -v root | grep apache | cut -d\  -f1 | sort | uniq
apache@+

I then chowned to that accordingly. I have grav in /var/www/html and I repeated your command:

[root@ipp html]# pwd
/var/www/html
[root@ipp html]# sudo chown -vR apache:apache grav

Here is what it says:

... (lots of lines removed)
ownership of 'grav/webserver-configs/web.config' retained as apache@implicit_files:apache@implicit_files
ownership of 'grav/webserver-configs' retained as apache@implicit_files:apache@implicit_files
ownership of 'grav/.htaccess' retained as apache@implicit_files:apache@implicit_files
ownership of 'grav/.github/FUNDING.yml' retained as apache@implicit_files:apache@implicit_files
ownership of 'grav/.github' retained as apache@implicit_files:apache@implicit_files
ownership of 'grav' retained as apache@implicit_files:apache@implicit_files

So nobody knows what the issue might be?

One thing I noticed: If I click on “add plugin”, I get the following error:

The connection to the GPM cannot be established

I thought that this might be helpful, googled and this page came back: https://learn.getgrav.org/16/troubleshooting/common-problems#cannot-connect-to-the-gpm

So I ran bin/gpm index at the command line and that command works perfectly fine (as root).

I’m not behind a proxy either. That page again mentions permissions, but I did run the magical incantation for that and those should be fine (as far as I can tell).

Could it be the SELinux stuff in redhat that is causing all the trouble? How can I disable SELinux to at least try and debug this?

Mmm… It’s freaky, I don’t have more technical skills in Grav yet, but yes. You can disable SELinux to identify if you have connection problems from Apache -> to -> Website from your Grav installation.

To do that, you can run this to temporarily disable SELinux:
# setenforce 0

Good luck!

Dear all,

An update: turning OFF SELinux fixed all the problems without fixing anything else. So the culprit is indeed SELinux. What tipped me off is that it claimed GPM was unreachable even though it ran fine at the command line. So I suspected that the SELinux policies were blocking some of the binaries that grav uses from running.

I’m now all set and running :wink:

It might be good for grav to understand what SELinux is doing that breaks it and find a solution (a bunch of policies I suspect!).

Thanks to all!


Laurent

I think the solution is changing the access permissions on the root folder.
How-to install grav

Apologies for reopening a long dormant thread but I stumbled here attempting to install Grav on cent8 and this pointed me in the right direction.

This problem was not caused by file-permission issues or not having curl or openssl. It was (as stated above) created by SELinux. It is a bad idea to simply disable SELinux and so I wanted to provide the proper answer.

The (Hopefully) Simple Fix:
For me to fix my installation I needed to execute these four commands to allow httpd access to the system:
sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_graceful_shutdown 1
sudo setsebool -P httpd_can_network_relay 1
sudo setsebool -P nis_enabled 1
That will probably fix it for most people using RHEL8/CENT8, but I’ll explain how I got there below in case anyone needs to find their way.

How to Find the Problem (SELinux Diagnostics):

  1. Make sure you’ve got setroubleshoot installed
    sudo dnf -y install setroubleshoot
  2. I recommend you just wipe your SELinux audit log and reboot your system to find your problem.
    sudo mv /var/log/audit/audit.log /var/log/audit/audit.log.old
    sudo reboot
  3. Go ahead and check your audit log and try to find the error, it should be Type=AVC
    sudo nano /var/log/audit/audit.log
  4. You can use Ctrl+W to find Type=AVC, a line should look like this

type=AVC msg=audit(1611165511.516:53): avc: denied { name_connect } for pid=812 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

You’ll know the error is possibly from Grav because of the comm or pid

  1. Copy the audit number Ex: 1611165511.516:53
  2. Using SETroubleshoot we’ll get it to tell us what’s configured wrong, input your audit number in place of mine below
    sudo grep 1611165511.516:53 /var/log/audit/audit.log | audit2why

This will output something like this:
```
type=AVC msg=audit(1611165511.516:53): avc: denied { name_connect } for pid=812 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow httpd to can network connect

Allow access by executing:
# setsebool -P httpd_can_network_connect 1
Description:
Allow httpd to graceful shutdown

Allow access by executing:
# setsebool -P httpd_graceful_shutdown 1
Description:
Allow httpd to can network relay

Allow access by executing:
# setsebool -P httpd_can_network_relay 1
Description:
Allow nis to enabled

Allow access by executing:
# setsebool -P nis_enabled 1
```

And that gives you the commands to fix it with. Sometimes it’s a little more vague on its fixes but usually you can google for help.

I hope this gets anyone else who stumbles here out of the situation.
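
The manual search for type=AVC lines described above can be scripted. The following is an added example, not code from any poster in this thread: it groups denials by source type, command, class, permission and target, so each distinct denial only needs to go through audit2why once. The function names are hypothetical, and every sample line except the first (which has the shape of the denial quoted in the thread) is constructed.

```shell
#!/bin/sh
# Summarise SELinux AVC denials read from stdin (audit.log text).
# Output: count, source type, comm, class, permission(s), target type, dest port.
summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      perm = ""; comm = "?"; dest = "-"; src = "?"; tgt = "?"; cls = "?"
      a = index($0, "{"); b = index($0, "}")   # permissions sit between the braces
      if (a > 0 && b > a) perm = substr($0, a + 1, b - a - 1)
      gsub(/^ +| +$/, "", perm); gsub(/ +/, ",", perm)
      for (i = 1; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        key = substr($i, 1, n - 1); val = substr($i, n + 1)
        gsub(/"/, "", val)
        if (key == "comm") comm = val
        else if (key == "dest") dest = val
        else if (key == "tclass") cls = val
        else if (key == "scontext") { split(val, c, ":"); src = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
      }
      seen[src " " comm " " cls " " perm " " tgt " " dest]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k2
}

# Keep only denials whose source domain is $1 (httpd_t covers Apache and php-fpm here).
avc_for_domain() { summarize_avc | awk -v d="$1" '$2 == d'; }

# Constructed sample input (assumption: real input would be /var/log/audit/audit.log).
sample_log() {
  cat <<'EOF'
type=AVC msg=audit(1611165511.516:53): avc:  denied  { name_connect } for  pid=812 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1611165511.516:53): arch=c000003e syscall=42 success=no exit=-13 comm="php-fpm"
type=AVC msg=audit(1611165600.102:61): avc:  denied  { name_connect } for  pid=815 comm="php-fpm" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1611165700.330:70): avc:  denied  { write } for  pid=815 comm="php-fpm" name="cache" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1611165800.008:82): avc:  denied  { read } for  pid=990 comm="chronyd" name="conf" dev="dm-0" ino=77 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

sample_log | avc_for_domain httpd_t
```

The audit2why output quoted in the thread introduces its list with "One of the following booleans", so the four setsebool commands are alternatives for that denial. Enabling one and re-running the summary on fresh log lines shows whether the denial persists.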