SELinux denies apache home directories ...

whpsh · #1 7th February 2010, 12:47 AM

With F12 SELinux on, I get this avc:

type=SYSCALL msg=audit (1265502537.599:24666) arch=c000003e syscall=6 success=no exit=-13 a0=7f35384107d8 a1=7fff909dcb90 a2=7fff909dcb90 a3=0 items=0 ppid=27623 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=11 comm="httpd" exe="/user/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit (1265502804.573:24667): avc: denied {search } for pid=27630 comm="httpd" name="/" dev=sda5 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir

ls -lZ /home/uzr
drwxr-xr-x. uzr uzr unconfined_u:object_r:httpd_sys_content_t:s0 public_html

I'm an ubern00b with linux, but I've followed all the other posts about similar problems. I've run all the chmod commands, configured httpd, run all the setsebool commands I could find that were related (obviously I'm missing one), but with SELinux enforced, I get a 403. Without it, I can get to the pages just fine.

getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> off
httpd _ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off

Any suggestions would be much appreciated.

pete_1967 · #2 7th February 2010, 12:59 AM

First make sure that Apache has read rights to your home dir (from /home) downwards. Then check the SELinux context for your home html directory with 'ls -Z'.

whpsh · #3 7th February 2010, 01:05 AM

ls -lZ /home/uzr
drwxr-xr-x. uzr uzr unconfined_u:object_r:httpd_sys_content_t:s0 public_html

with SELinux enforced, I get a 403. Without it, I can get to the pages just fine.

aleph · #4 7th February 2010, 05:09 AM

Just follow pete's post. You have to ensure that Apache can SEARCH (the "x" bit) into your home directory. Check if the "x" bit is on:
ls -ld $HOME
if not, use the command chmod o+x $HOME

After that, check the permissions on the public_html directory inside your homedir. Apache must be able to READ and SEARCH as well, recursively. If not, chmod o+rx $HOME/public_html

After that, check the SELinux context on the public_html directory. It should be of context type httpd_user_content_t.
If not, chcon -R -t httpd_user_content_t

whpsh · #5 7th February 2010, 04:09 PM

Double checked everything in the previous post, again.

I'm still getting a 403 Forbidden

---------- Post added at 10:09 AM CST ---------- Previous post was at 10:01 AM CST ----------

So, just using chcon -R -t httpd_user_content_t public_html isn't enough. SELinux is apparently denying rights before you even get that far into the tree. In order to get it to work for home/uzer/public_html, I had to:

chcon -R -t httpd_user_content_t public_html
chcon -R -t httpd_user_content_t uzer
chcon -R -t httpd_user_content_t home

That begs the question what else I've opened the directory up to, but at least its working.

aleph · #6 7th February 2010, 04:27 PM

Quote:

Originally Posted by whpsh

Double checked everything in the previous post, again.

I'm still getting a 403 Forbidden

---------- Post added at 10:09 AM CST ---------- Previous post was at 10:01 AM CST ----------

So, just using chcon -R -t httpd_user_content_t public_html isn't enough. SELinux is apparently denying rights before you even get that far into the tree. In order to get it to work for home/uzer/public_html, I had to:

chcon -R -t httpd_user_content_t public_html
chcon -R -t httpd_user_content_t uzer
chcon -R -t httpd_user_content_t home

That begs the question what else I've opened the directory up to, but at least its working.

Changing the type of your $HOME and/or any of its parent directories may have undesirable effects. The type of a home directory must be user_home_dir_t, and the /home directory home_root_t.

I've been running Apache with SELinux settings given in my previous post without problems. If there's a problem it could be caused by incorrect labelling on /home or $HOME but your current setting is definitely *not* correct, and redundantly incorrect, for the -R option of chcon means "recursive".

And have you enabled the corresponding sebool flag?

Code:

# setsebool -P httpd_enable_homedirs 1

#7 7th February 2010, 04:47 PM

Just a thought,

Code:

setsebool -P http_enable_cgi=1 allow_httpd_anon_write=1 \ httpd_can_network_connect=1 httpd_can_network_connect_db=1 \ allow_httpd_sys_script_anon_write=1 httpd_enable_homedirs=1 \ httpd_enable_ftp_server=1 httpd_builtin_scripting=1 httpd_disable_trans=1 \ httpd_suexec_disable_trans=1 httpd_unified=1 httpd_tty_comm=1

is the standard booleans that are needed for Apache

Make sure the booleans are being turned on with the "getsebool" command. To check your homedirs:

Code:

getsebool httpd_enable_homedirs

Hope this helps

Ky

marcrblevins · #8 7th February 2010, 10:27 PM

My notes:

Code:

chmod 711 /home/marc
chmod 755 /home/marc/public_html
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /home/marc/public_html
service httpd restart

whpsh · #9 8th February 2010, 07:02 PM

So I re-installed everything.

Made all the necessary changes to httpd.conf to look in /home

Followed Marc Blevins instructions and it worked perfectly.

I'm convinced that in the process of setting up a samba share, some errant directions changed permissions/ownership in the /home directory that was causing my problems with apache.

Thanks Marc.

Now, I don't suppose you know a Samba configuration that works with Win7?

---------- Post added at 12:34 PM CST ---------- Previous post was at 12:00 PM CST ----------

I was right ...

I went through the Samba GUI to create a share and it worked perfectly.
However, doing so immediately stopped serving pages from /home/uzr/public_html

discouraging ...

---------- Post added at 01:02 PM CST ---------- Previous post was at 12:34 PM CST ----------

Even more discouraging ... the samba share isn't accessible until someone logs into the server ... weird

pepe_boy · #10 24th March 2010, 11:38 PM

Quote:

Originally Posted by marcrblevins

My notes:

Code:

chmod 711 /home/marc
chmod 755 /home/marc/public_html
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /home/marc/public_html
service httpd restart

This solution works perfectly! Finally I have this working in FC11 too.
Thanks for ur notes

odalcet · #11 23rd August 2012, 08:40 PM

With PHP, this command

Code:

$handle = @fopen( "bm_out02.sql", "r" );

produces this SELinux message in Fedora 17

Code:

SELinux is preventing /usr/sbin/httpd from read access on the file bm_out02.sql.

Problem solved with this command (as root)

Code:

setsebool -P httpd_read_user_content 1