Permission Denied on index.html

pushback · #1 28th December 2008, 07:25 AM

Putting up a brand new server and will be virtual hosting several domains. I am getting the following error in my error_log file when I try to access index.html for a virtual server:

==> error_log <==
[Sat Dec 27 23:12:51 2008] [error] [client 64.81.53.147] (13)Permission denied: access to /index.html denied

Permissions on the index.html are currently 755:

ls -l
total 4
-rwxrwxrwx 1 apache apache 15 2008-12-27 21:06 index.html

and the directory is 755

Here's the part of httpd.conf that I changed:

#
# Use name-based virtual hosting.
#
NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /home/jek/www/fred
ServerName fred.com:80
ServerAlias www.fred.com
ErrorLog /var/log/httpd/error_fred_log
CustomLog /var/log/httpd/access_fred_log common
</VirtualHost>

marcrblevins · #2 28th December 2008, 10:00 AM

Code:

su -
chmod 711 /home/jek
chmod 755 /home/jek/www
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /home/jek/www
service httpd restart

pushback · #3 29th December 2008, 12:12 AM

Quote:

Originally Posted by marcrblevins

Code:

su -
chmod 711 /home/jek
chmod 755 /home/jek/www
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /home/jek/www
service httpd restart

I don't recall having to do setsebool or chcon on my older servers, but hey--it worked. Thanks for the help.

JohnVV · #4 29th December 2008, 01:49 AM

fedora 9 and 10 that is needed to be done .Fedora 8 ,7 the setbool and chcon was not needed to get it working .

zackf · #5 30th December 2008, 01:28 AM

What do setbool and chcon do?

JohnVV · #6 30th December 2008, 03:28 AM

read

Code:

man setsebool
-- and --
man chcon

zackf · #7 30th December 2008, 04:53 AM

pf thx, man pages aren't really very helpful unless you already know what commands do.

neogranas · #8 30th December 2008, 03:25 PM

They are commands for SELinux to allow those files or folders to be permitted to be viewed externally. SELinux can cause a lot of headaches, so I recommend either putting it on the list of things to check when something goes wrong, or if you do feel like turning it off and using IPTables or Fail2Ban instead. I do the latter.

marcrblevins · #9 2nd January 2009, 06:48 PM

Try:

Code:

su -
getsebool -a | grep httpd

Those that are 'off' is helping you to prevent. The 'on' part is the one you let Selinux pass thru.

pushback · #10 3rd January 2009, 11:36 PM

Quote:

Originally Posted by marcrblevins

Try:

Code:

su -
getsebool -a | grep httpd

Those that are 'off' is helping you to prevent. The 'on' part is the one you let Selinux pass thru.

Say, which one of these puppies do I turn on if I need an application to write to a file. In this case I am trying to get httpd to write to a gallery (http://gallery.menalto.com/) file. Which one of these to I change and how do I change it?

Thanks!

getsebool -a |grep http
allow_httpd_anon_write --> off
allow_httpd_dbus_avahi --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off

marcrblevins · #11 11th January 2009, 09:42 AM

Quote:

Say, which one of these puppies do I turn on if I need an application to write to a file. In this case I am trying to get httpd to write to a gallery (http://gallery.menalto.com/) file. Which one of these to I change and how do I change it?

What was the location of the file you wanted to change? Was it in /var/www/html?
I believe chcon is what you need.

Look at:

Code:

man httpd_selinux

JohnVV · #12 11th January 2009, 06:37 PM

Quote:

Say, which one of these puppies do I turn on if I need an application to write to a file. In this case I am trying to get httpd to write to a gallery...

and you have read the doc page ?
http://codex.gallery2.org/Gallery2:I...SELinux_Server

domg472 · #13 11th January 2009, 06:52 PM

Can you shows us AVC denials of the event?

ausearch -m avc -ts today

httpd_sys_content_rw_t is a type that one can assign to a location that httpd_t needs to be able to write to.