In Fedora Core, yum is replaced by dnf (DaNiFied Yum), partly due to Python
support.
To set up the LAMP (Linux, Apache, MySQL, PHP) package combination, see
https://computingforgeeks.com/how-to-install-lamp-stack-on-fedora/
dnf -y update
dnf -y install vim bash-completion curl wget telnet
dnf -y install httpd mod_ssl
systemctl enable httpd
systemctl start httpd
firewall-cmd --add-service={http,https} --permanent
firewall-cmd --reload
dnf -y install php php-cli php-php-gettext php-mbstring php-mcrypt php-mysqlnd php-pear php-curl php-gd php-xml php-bcmath php-zip
dnf install phpmyadmin
dnf install mariadb-server
systemctl start mariadb
systemctl enable mariadb
mysql_secure_installation
dnf install httpd php mariadb mariadb-server
dnf install php-pecl-apcu php-cli php-pear php-pdo php-mysqlnd php-pgsql php-pecl-mongodb php-pecl-memcache php-pecl-memcached php-gd php-mbstring php-mcrypt php-xml
dnf install phpmyadmin curl curl-devel
dnf install perl mod_perl perl-DBD-mysql nmap
dnf install mod_ssl openssl
systemctl enable sshd.service
systemctl start sshd.service
# starting fc29 sshd is not turned on by default
systemctl enable httpd.service
systemctl start httpd.service
[Secure connection failed]
If the browser shows a "Secure connection failed" error, it is possible that Apache is not set up to use newer
Edit /etc/httpd/conf.d/ssl.conf
Add the following line after line 76
SSLProtocol all -TLSv1.3
Then restart httpd with
systemctl restart httpd
Enable firewall to allow httpd
If you installed the Fedora Workstation version (not the Server), the zone is not
public as it was in earlier versions. We should use FedoraWorkstation as the zone
name. You can also use
# firewall-cmd --get-active-zones
FedoraWorkstation
  interfaces: ens32
to find out the zone associated
with the interface. fc29 assigns the Ethernet card the name ens32 (strange
name).
firewall-cmd --permanent --zone=FedoraWorkstation --add-service http
firewall-cmd --permanent --zone=FedoraWorkstation --add-service https
firewall-cmd --reload
Test your web server with
http://fc30.csnet.uccs.edu/ and https://fc30.csnet.uccs.edu/ to see that it is running. Replace fc30.csnet.uccs.edu with your designated IP address or the DNS name created for you.
We use --reload so that these services are added to the current firewall.
To test if php works, create the following test.php on /var/www/html
[root@fc30 ~]# echo "" > /var/www/html/info.php
[Allow individual web sites]
Allow individual users to have their own web site in ~/public_html
The directory block is no longer in
/etc/httpd/conf/httpd.conf
Enable individual public_html access by
cd /etc/httpd/conf.d/
edit userdir.conf
comment out line 17
UserDir disabled
uncomment line 24
#UserDir public_html
In fc25, we need to add an additional Options +Indexes for directory browsing to
work.
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
Make it as
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Options +Indexes
Require method GET POST OPTIONS
Recent Fedora Core OS turns on SELinux for better protection.
As a result, we need to set the HTTPD_ENABLE_HOMEDIRS SELinux boolean flag to allow individual web sites to be accessed.
For information related to SELinux booleans visit
https://docs.fedoraproject.org/en-US/Fedora/12/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Booleans.html
setsebool -P httpd_enable_homedirs on
run "systemctl restart httpd.service"
Test the access to an individual web page
http://fc30.csnet.uccs.edu/~csnet/csnet.html
You will see a Forbidden error message.
[root@fc30 csnet]# cd public_html/
[root@fc30 public_html]# ls -al
total 12
drwxr-xr-x. 2 csnet csnet 4096 Aug 23 15:04 .
drwx------. 15 csnet csnet 4096 Aug 23 15:03 ..
It reveals that /home/csnet is set to 700 by default and does not allow others, including the Apache web server, to look inside.
We need to change the permission to allow others to look into the public_html directory but not other files/directories in /home/csnet
Let us set /home/csnet, or whatever the user directory is, to 751
[root@fc30 public_html]# chmod 751 /home/csnet
Now you can access public_html and the csnet.html file there over the web.
[Allow individual php scripting]
Allow individual users to run php scripts in their directories and assume the user_id for better isolation and protection!
We install suphp
dnf install mod_suphp
edit /etc/httpd/conf.d/mod_suphp.conf
Add the following directive at the top
and wrap up with so that suphp only applies to the individual
directory and not to /var/www/cgi-bin or html; otherwise those php scripts
in system directories will not work.
Substitute #suPHP_AddHandler php5-script with suPHP_AddHandler x-httpd-php
(rename php5-script with x-httpd-php)
AddHandler x-httpd-php .php
### Uncomment to activate mod_suphp
suPHP_AddHandler x-httpd-php
# make sure there is no typo: x-httpd-php, not x-http-php; the missing 'd' causes grief
# This option tells mod_suphp if a PHP-script requested on this server (or
# VirtualHost) should be run with the PHP-interpreter or returned to the
# browser "as it is".
suPHP_Engine on
# This option tells mod_suphp which path to pass on to the PHP-interpreter
# (by setting the PHPRC environment variable).
# Do *NOT* refer to a file but to the directory the file resists in.
#
# E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
# /path/to/server/config".
#
# If you don't use this option, PHP will use its compiled in default path.
suPHP_ConfigPath /etc
edit /etc/httpd/conf.d/php.conf
Add the following line after line 11 so that php in /var/www/html/ will use the standard php interpreter without the added suphp function.
AddHandler php5-script .php
Make sure line 26 is commented out. Normal php is handled by application/php5-script
# SetHandler application/x-httpd-php
edit /etc/suphp.conf
Change the log file directory to consolidate in /var/log/httpd, not /var/log
logfile=/var/log/httpd/suphp_log
; Security Option Change to the following settings
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
check_vhost_docroot=false
Set umask to 0022 instead of 0077 so that apache can navigate into the
newly created directories.
Comment out handle_userdir; it is deprecated
;handle_userdir=true
Change the handler for php-scripts from php5-script to x-httpd-php as follows.
Note that the value is wrapped with ".
[handlers]
;Handler for php-scripts
;application/x-httpd-php="php:/usr/bin/php-cgi"
x-httpd-php="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
after editing the file, restart httpd
systemctl restart httpd.service
Test with
http:///~cs3110/php/whoami.php
Assume whoami.php is
The web server should return cs3110 as the user (not apache) that runs the php script.
!!! Note that in the suphp.conf file, mod_suphp uses ; as the comment character.
; Using # will cause an error for httpd operation!!! What a convention!
Make sure umask is 0022 instead of 0077 so that the directory can be read
by apache (even though it is created by the local user).
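An added lint script (not from these notes or from the suPHP project) that checks a suphp.conf for the points above: ; as the only comment character, the *_others_writeable options, umask, handle_userdir and quoted handler values. The function names are assumptions and the sample file is constructed, with its four mistakes deliberate.

```sh
#!/bin/sh
# Added example, not from the original notes or from suPHP itself.
# Lints an /etc/suphp.conf-style file against the settings listed above.

# lint_suphp_conf FILE: print one finding per line, nothing if clean.
lint_suphp_conf() {
    awk '
    # Only ";" starts a comment in this file; "#" is what breaks httpd.
    /^[ \t]*#/ { printf "line %d: \"#\" is not a comment here, use \";\"\n", NR; next }
    /^[ \t]*;/ { next }
    /^[ \t]*$/ { next }
    /^[ \t]*\[/ { in_handlers = ($0 ~ /\[handlers\]/); next }
    {
        eq = index($0, "=")
        if (eq == 0) { printf "line %d: expected key=value\n", NR; next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+/, "", key); gsub(/[ \t]+$/, "", key)
        gsub(/^[ \t]+/, "", val); gsub(/[ \t\r]+$/, "", val)

        if (key ~ /^allow_(file|directory)_(group|others)_writeable$/) {
            if (val != "true" && val != "false")
                printf "line %d: %s=%s is neither true nor false\n", NR, key, val
            else if (key ~ /_others_/ && val == "true")
                printf "line %d: %s=true accepts world-writable content\n", NR, key
        } else if (key == "umask" && val != "0022") {
            printf "line %d: umask=%s, these notes use 0022\n", NR, val
        } else if (key == "handle_userdir") {
            printf "line %d: handle_userdir is deprecated, comment it out\n", NR
        } else if (in_handlers && val !~ /^".*"$/) {
            printf "line %d: handler %s needs its value in double quotes\n", NR, key
        }
    }' "$1"
}

# Constructed sample with four deliberate mistakes (lines 2, 7, 8, 11).
write_sample_suphp_conf() {
    cat > "$1" <<'EOF'
[global]
# log to the httpd directory
logfile=/var/log/httpd/suphp_log
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=falseet
umask=0077
;handle_userdir=true
[handlers]
x-httpd-php=php:/usr/bin/php-cgi
x-suphp-cgi="execute:!self"
EOF
}

# Run the linter over the constructed sample and print its findings.
demo_lint_suphp_conf() {
    f=$(mktemp) || return 1
    write_sample_suphp_conf "$f"
    lint_suphp_conf "$f"
    rm -f "$f"
}
demo_lint_suphp_conf
```

Run lint_suphp_conf /etc/suphp.conf before restarting httpd; an empty result means none of the listed mistakes were found.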
When upload.php gets "open grade.txt failed!", it could be that the raster file was
copied to the home directory and inherited the "user_home_t" type instead of
httpd_user_content_t
[root@viva cs526]# ls -Z CS526S2014Grade.txt
-rwx------. cs526 cs526 unconfined_u:object_r:user_home_t:s0 CS526S2014Grade.txt
We can change the type with
chcon -R -t httpd_user_content_t /home/cs526/CS526S2014Grade.txt
When upload.php gets "Possible file upload attack" or cannot create a
directory in the /home/gsc/public_html/pub/ directory, it could be
caused by SELinux, or by upload_max_filesize in /etc/php.ini (line 811), which is set to
only 2M by default. You need to increase that upload size; the same goes for post_max_size. For SELinux, you can change the context.
chcon -R -t public_content_rw_t /home/gsc/public_html/pub/
setsebool -P allow_httpd_anon_write 1
setsebool allow_httpd_anon_write 1
# may need to reboot with -P for it to take effect
Also, the public_html directory where the scripts reside cannot be group
writable; change it to 711.
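A check for the permission rules in these notes (home directory searchable by others so Apache can reach public_html, and public_html not group-writable for suPHP), as an added example that is not part of the original notes. The function names and the throwaway demo tree are assumptions.

```sh
#!/bin/sh
# Added example, not from the original notes. Audits one user's home
# directory and public_html against the modes these notes settle on.

# Print the 10-character type+mode string for a path, e.g. "drwxr-x--x".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# audit_userdir HOME_DIR
# Prints one finding per line and nothing when the layout is acceptable.
audit_userdir() {
    au_home=$1
    au_pub=$au_home/public_html
    au_hm=$(mode_string "$au_home")

    # Apache is "others" here: it needs search (x) on the home directory
    # to reach public_html. Mode 700 is what produces the Forbidden error.
    case $au_hm in
        ?????????[xt]) ;;
        *) echo "FAIL $au_home ($au_hm): others lack x, Apache cannot reach public_html" ;;
    esac
    # Read or write for others exposes or endangers the whole home directory.
    case $au_hm in
        ???????r??) echo "WARN $au_home ($au_hm): others can list the home directory" ;;
    esac
    case $au_hm in
        ????????w?) echo "FAIL $au_home ($au_hm): home directory is world-writable" ;;
    esac

    if [ ! -d "$au_pub" ]; then
        echo "INFO $au_pub: missing, nothing is served for this user"
        return 0
    fi
    au_pm=$(mode_string "$au_pub")
    case $au_pm in
        ?????????[xt]) ;;
        *) echo "FAIL $au_pub ($au_pm): others lack x, Apache cannot enter it" ;;
    esac
    # The suPHP note above: the script directory must not be group-writable.
    case $au_pm in
        ?????w????) echo "FAIL $au_pub ($au_pm): group-writable" ;;
    esac
    case $au_pm in
        ????????w?) echo "FAIL $au_pub ($au_pm): world-writable" ;;
    esac
    return 0
}

# Constructed demo: a throwaway tree that mimics the default 700 home.
demo_audit_userdir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/csnet/public_html"
    chmod 755 "$d/csnet/public_html"
    chmod 700 "$d/csnet"; echo "== home 700 =="; audit_userdir "$d/csnet"
    chmod 751 "$d/csnet"; chmod 711 "$d/csnet/public_html"
    echo "== home 751, public_html 711 =="; audit_userdir "$d/csnet"
    rm -rf "$d"
}
demo_audit_userdir
```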
[mysql section]
# mysql is now replaced by mariadb (an open source group from the previous founder)
systemctl enable mariadb.service
systemctl start mariadb.service
It is important to set up the root password and configure for secure operation.
Run the following command
mysql_secure_installation
See detail in
http://www.howtoforge.com/installing-apache2-with-php5-and-mysql-support-on-fedora-19-lamp
[root@cs591 data]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Set the mysql root password
shell> mysql -u root mysql
mysql> UPDATE user SET Password=PASSWORD('new_mysqlrootpassword')
WHERE user='root';
mysql> FLUSH PRIVILEGES;
Try not to use a password containing # or $. They often interfere with the
mysql command and result in the root password not being accepted by mariadb later on!!
If you get locked out due to an incorrect mysql root password,
try to follow the instructions in
http://www.rackspace.com/knowledge_center/article/mysql-resetting-a-lost-mysql-root-password
by stopping mariadb, then issuing
sudo mysqld_safe --skip-grant-tables &
mysql -uroot (without password).
use mysql;
Then use
update user set password=PASSWORD("mynewpassword") where User='root';
flush privileges;
to change the root password.
Create a cs3110 mysql account for the php-mysql script showUserDB.php demo
cd /home/cs3110/public_html/mysql
./cmysql.pl cs3110 cs3110db
Get a copy of the mysql databases from an old fedora core server using mysqldump
[root@walrus wiki]# mysqldump -u root -p --all-databases > walrusdb.sql
Copy .sql file to the new machine
[root@walrus wiki]# scp walrusdb.sql root@viva.uccs.edu:.
Run mysql command to import the databases.
[root@viva ~]# mysql -u root -p < walrusdb.sql
[Email]
Fedora offers two primary MTAs: Postfix and Sendmail.
Postfix is configured as the default MTA and
Sendmail is considered deprecated.
dnf install postfix
With SELinux, if we would like to send email through Mail::Sendmail,
we need to setsebool in two places:
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_sendmail 1
It took a while to debug this,
especially the first one.
getsebool -a |grep httpd
Restart the postfix service after changing any options in the configuration
files under the /etc/postfix directory in order for those changes to take
effect. To do so, run the following command as root:
~]# systemctl restart postfix
10.3.1.2. Basic Postfix Configuration
By default, Postfix does not accept network connections from any host other
than the local host. Perform the following steps as root to enable mail
delivery for other hosts on the network:
Edit the /etc/postfix/main.cf file with a text editor, such as vi.
Uncomment the mydomain line by removing the hash sign (#), and replace
domain.tld with the domain the mail server is servicing, such as example.com.
Uncomment the myorigin = $mydomain line.
Uncomment the myhostname line, and replace host.domain.tld with the host
name for the machine.
Uncomment the mydestination = $myhostname, localhost.$mydomain line.
Uncomment the mynetworks line, and replace 168.100.189.0/28 with a valid
network setting for hosts that can connect to the server.
Uncomment the inet_interfaces = all line.
Comment the inet_interfaces = localhost line.
Restart the postfix service.
The mail program was not installed by default.
We will install the mailx pkg
dnf install mailx
Test by sending email "mail -s 'test' cchow@uccs.edu"
Setting up SSH without password
On client:
1. run ssh-keygen (it generates public key and private key)
2. run ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
3. ssh remote-host (or scp or rsync)
[phpMyAdmin setup]
We would like to access phpmyadmin web app from any uccs machine.
Edit /etc/httpd/conf.d/phpMyAdmin.conf
Replace Line 17:
Require ip 127.0.0.1
with
Require ip 128.198
same for Line 34.
systemctl restart httpd.service
1. Make sure to edit the config.inc.php file and specify the blowfish_secret
for cookie authentication.
The default key there is too big.
[Sun Sep 22 15:02:31.823524 2013] [:error] [pid 10072] [client 128.198.16.135:49645] PHP Warning: mcrypt_encrypt(): Size of key is too large for this algorithm in /var/www/html/phpmyadmin/libraries/mcrypt.lib.php on line 71, referer: http://walrus.uccs.edu/phpmyadmin/
Change the following
$cfg['blowfish_secret'] = 'directives are explained in Documentation.html and on phpMyAdmi';
to
$cfg['blowfish_secret'] = 'my devoted servant walrus'; # pick one that is a decent size but not too long.
2. copy /usr/share/phpMyAdmin to /var/www/html/phpMyAdmin
may need to change SELinux type so httpd can read it
chcon -R -t httpd_sys_content_t phpMyAdmin/
3. edit /etc/httpd/conf.d/phpMyAdmin.conf
change /usr/share to /var/www/html
[Protect individual web directory with .htaccess]
Within a directory under the document root, create a .htaccess file with content similar to the following four lines:
AuthType Basic
AuthName "chow.csnet.uccs.edu secure web site"
AuthUserFile /var/www/data/apacheticket
REQUIRE VALID-USER
Then create/update an entry in the password file /var/www/data/apacheticket with htpasswd command provided by apache httpd package.
[root@fc30 admin]# htpasswd -B /var/www/data/apacheticket csnet
New password:
Re-type new password:
Updating password for user csnet
[root@fc30 admin]#
Note that if the password file does not exist yet, you need to add the -c option to create it.
The -B option uses bcrypt encryption for passwords. This is currently
considered to be very secure.
Finally, we need to turn on the apache AllowOverride directive in the directory where we will allow .htaccess control to ask for the user password.
Here let us edit line 154 of /etc/httpd/conf/httpd.conf and replace with
AllowOverride All
#AllowOverride None
Then restart httpd with systemctl restart httpd
For example, in fc30.csnet.uccs.edu, we have an admin directory in /var/www/html that has .htaccess protection. You can see the .htaccess control in action by entering http://fc30.csnet.uccs.edu/admin/ You will see a popup window that asks for login and password.
[mod_auth_mysql]
mod_auth_mysql is an Apache module to authenticate users and authorize access
through a MySQL database. It is flexible and supports several encryption
methods. The module will work on both Apache 1.x and Apache 2.x.
This package allows a .htaccess file to guard a web directory
with credentials from a mysql database.
http://modauthmysql.sourceforge.net/README
Download the mod_auth_mysql-3.0.0.tar.gz from
http://sourceforge.net/projects/modauthmysql/files/modauthmysql/3.0.0/
To compile with apxs you need to install mysql-devel package for include file
and library.
dnf install mysql-devel
(actually it is mariadb-devel)
Also, the original source code is for apache 1. To work with 2.4, you need to
apply a patch from
http://sourceforge.net/p/modauthmysql/patches/13/attachment/mod_auth_mysql_3.0.0_patch_apache2.4.diff
(cited in http://sourceforge.net/p/modauthmysql/patches/13/)
In the mod_auth_mysql-3.0.0 directory apply the following command:
patch < mod_auth_mysql_3.0.0_patch_apache2.4.diff
Then apply the compile command in http://modauthmysql.sourceforge.net/BUILD
apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c
If it runs into the error that it cannot find the libmysqlclient.so file, the
library could be in a different directory. By running
repoquery -q -l --plugins mariadb-devel
we find the library path is
/usr/lib64/mysql now.
Now successful.
We can install the .la file to the /etc/httpd/modules with
apxs -i mod_auth_mysql.la
restart httpd
systemctl restart httpd.service
we can now test mod_auth_mysql on http://cs526rs1.csnet.uccs.edu/sec/
Use the credential in chowdb member1 table.
you can access with http://cs526rs1.csnet.uccs.edu/phpmyadmin/
upload.php
Make sure the studentproj directory token type is changed to writable by apache
chcon -R -t public_content_rw_t studentproj
also set the selinux flag to allow httpd to write
setsebool -P allow_httpd_anon_write 1
Note that for rw directory at /var/www/html or cgi-bin area
you need to use httpd_sys_rw_content_t
public_content_rw_t will not work!!
They are getting pickier.
php upload file size is restricted by two settings in /etc/php.ini
post_max_size and upload_max_filesize
They are set at default of 8M and 2M.
You need to change the settings if you would like to upload bigger files.
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 200M
; Maximum size of POST data that PHP will accept.
; Its value may be 0 to disable the limit. It is ignored if POST data reading
; is disabled through enable_post_data_reading.
; http://php.net/post-max-size
post_max_size = 200M
Convert ^M in a dos file to \r unix line feed with the vi command
:s/^M/\r/g
Use control-v control-M to get the ^M character
[Using authn_dbd mysql database to verify password access secure web directory]
We used to use the AuthMySQL software to implement this, but compiling the source code is getting difficult and it is not well supported. It is recommended to use the authn_dbd apache module!!
See https://www.experts-exchange.com/articles/3270/Enabling-and-Administering-Apache's-HTTPD-authn-dbd-MySQL-authentication-through-PHP-on-Suse.html
Password Format (we will use SHA1)
https://www.experts-exchange.com/articles/3270/Enabling-and-Administering-Apache's-HTTPD-authn-dbd-MySQL-authentication-through-PHP-on-Suse.html
https://httpd.apache.org/docs/2.4/mod/mod_authn_dbd.html
The mysql dbd driver is not included in the default apache modules distribution in the /etc/httpd/modules directory.
We need to install using
dnf install apr-util-mysql
We then found out where apr_dbd_mysql.so is installed with
[root@fc28 modules]# rpm -ql apr-util-mysql
/usr/lib/.build-id
/usr/lib/.build-id/ee
/usr/lib/.build-id/ee/487227c66facae272998409498ec733fed823a
/usr/lib64/apr-util-1/apr_dbd_mysql-1.so
/usr/lib64/apr-util-1/apr_dbd_mysql.so
Copy the .so file to /etc/httpd/modules with
cp /usr/lib64/apr-util-1/apr_dbd_mysql.so /etc/httpd/modules
We add the following lines to /etc/httpd/conf/httpd.conf at the end before the
# Supplemental configuration!
DBDriver mysql
DBDParams "host=127.0.0.1 dbname=chowdb user=chow pass=#Uc2013lions$"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
# mod_authn_core and mod_auth_basic configuration
# for mod_authn_dbd
AuthType Basic
AuthName "Secure Access Using AuthnDBD"
# To cache credentials, put socache ahead of dbd here
AuthBasicProvider socache dbd
# Also required for caching: tell the cache to cache dbd lookups!
AuthnCacheProvideFor dbd
AuthnCacheContext my-server
# mod_authz_core configuration
Require valid-user
# mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT password FROM member2 WHERE email = %s"
Restart httpd with
systemctl restart httpd.service
We use htpasswd to generate the hashed password in SHA1 format
[root@fc28 authdbd]# htpasswd -bns cchow@uccs.edu cs00net
cchow@uccs.edu:{SHA}eodYrlFnBZu2DTm79X3g8HmlyMw=
[root@fc28 authdbd]# htpasswd -bns jk@uccs.edu cs00net
jk@uccs.edu:{SHA}eodYrlFnBZu2DTm79X3g8HmlyMw=
We then put {SHA}eodYrlFnBZu2DTm79X3g8HmlyMw= in the password field of
the member2 table.
Note that .htaccess does not seem to work.
We need to put these directives in section.
In my case [secretDir] is authdbd
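The two htpasswd -s outputs above are identical because {SHA} is SHA-1 without a salt. The following added example (not part of the original notes; the function names are assumptions and the third sample entry is a constructed placeholder, not a real hash) flags that scheme and reports users whose stored hashes match.

```sh
#!/bin/sh
# Added example, not from the original notes. Classifies htpasswd-style
# "user:hash" entries by scheme and reports users whose unsalted {SHA}
# hashes are identical, which means they share a password.

# audit_htpasswd_lines: reads "user:hash" lines on stdin.
audit_htpasswd_lines() {
    awk '
    index($0, ":") == 0 { next }
    {
        sep  = index($0, ":")
        user = substr($0, 1, sep - 1)
        hash = substr($0, sep + 1)

        if (index(hash, "{SHA}") == 1)
            scheme = "sha1-unsalted"
        else if (substr(hash, 1, 2) == "$2" && substr(hash, 4, 1) == "$")
            scheme = "bcrypt"
        else if (index(hash, "$apr1$") == 1)
            scheme = "apr1-md5"
        else
            scheme = "other"
        printf "%s scheme=%s\n", user, scheme

        # No salt: equal passwords always give equal {SHA} strings, so
        # anyone who can read the table can see who shares a password.
        if (scheme == "sha1-unsalted") {
            if (hash in first)
                printf "SHARED %s and %s have the same password\n", first[hash], user
            else
                first[hash] = user
        }
    }'
}

# First two entries are the htpasswd -bns output shown in these notes;
# the bcrypt-shaped third entry is constructed and is not a valid hash.
sample_entries() {
    cat <<'EOF'
cchow@uccs.edu:{SHA}eodYrlFnBZu2DTm79X3g8HmlyMw=
jk@uccs.edu:{SHA}eodYrlFnBZu2DTm79X3g8HmlyMw=
csnet:$2y$05$CONSTRUCTED.PLACEHOLDER.NOT.A.REAL.BCRYPT.HASH.VALUE0
EOF
}

sample_entries | audit_htpasswd_lines
```

To audit a real table, export the email and password columns as email:password lines and pipe them into audit_htpasswd_lines.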
[NGINX setup]
Trying to set up running php in individual user php directories. Having a lot of NGINX setup issues, including the interaction of different location directives; order matters. The earlier one overwrites the rest!!
Not well documented. Finally the following setup works.
http://hauweele.net/~gawen/blog/?p=458
Finally the following nginx.conf setup works!!
location ~ ^/~(.+?)(/.*\.php)(.*)$ {
alias /home/$1/public_html/;
#try_files $2 = 404;
#fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/run/php-fpm/$1.sock;
fastcgi_index index.php;
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /home/$1/public_html$2$3;
}
# Here we show the equivalent of .htaccess protection
# It is more efficient in NGINX. Only this directory is checked.
# Same passwords generated by htpasswd can be used.
location /home/cs591/public_html/hw/solution/ {
autoindex on;
auth_basic "cs591 hw solution login";
auth_basic_user_file /home/cs591/apacheticket;
}
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
index index.html index.htm;
autoindex on;
}
include /etc/nginx/default.d/*.conf;
# Chow: This needs to be moved down from before the first location,
# otherwise the system php will take over the individual php,
# resulting in file path not found!!
location / {
}
However, for each user with account , you need to copy /etc/php_fpm.d/cs3110.conf as .conf and substitute each 3110 text string with
There is a concern on how many socks you can create on a Linux system.
When submitting results to the perl midterm.cgi script,
we find https://bilbo.uccs.edu/cgi-bin/grade/midterm.cgi indicates no response from the cgi.
It turns out the perl is missing the
[root@bilbo grade]# perl midterm.cgi
Can't locate Mail/Sendmail.pm in @INC (you may need to install the Mail::Sendmail module) (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at midterm.cgi line 3.
BEGIN failed--compilation aborted at midterm.cgi line 3.
[root@bilbo grade]# dnf install perl-Mail-Sendmail
Last metadata expiration check: 0:17:30 ago on Sat 15 Jun 2019 12:17:04 AM MDT.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
perl-Mail-Sendmail noarch 0.80-5.fc30 fedora 36 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 36 k
Installed size: 65 k
Is this ok [y/N]: y
That resolves the missing response on bilbo.
Note that perl-Mail-Sendmail is the Perl package name for Mail::Sendmail
[VNC server]
To setup vnc-server
first
dnf -y install tigervnc-server
setup vnc password with
vncpasswd
Then
firewall-cmd --permanent --zone=FedoraWorkstation --add-service vnc-server
[Upgrade from FC31 to FC32]
sudo dnf upgrade --refresh
sudo dnf install dnf-plugin-system-upgrade
sudo dnf system-upgrade download --releasever=32
There are about 1883 pkgs to upgrade. It takes a while.
[Python changes from python2.7 to python3]
The print statement now requires ()
For example, the /var/www/cgi-bin/vulfix.py line 33
print htmlHead
needs to be changed to
print(f'{htmlHead}')
To allow CS591, CS5970, CS3110 to be writeable by server side scripts,
we need to allow the directory to be writable by apache through traditional Unix privileges, and set the SELinux token type
[root@viva grade]# chcon -R -t httpd_sys_rw_content_t CS591
[root@viva grade]# chcon -R -t httpd_sys_rw_content_t CS3110
[root@viva grade]# chcon -R -t httpd_sys_rw_content_t CS2080