
[SOLVED] Selinux problem accessing page on my server



lightman47
18th May 2014, 05:32 PM
I have files in my public_html directory on my server. I got all the permissions right and access through Apache was just fine. I then turned Selinux back to enforcing and now I no longer have permission to access these files with my browser. In the meantime, I've set Selinux back to permissive to get access again until I learn the permanent fix.

This is the first time I've ever attempted to keep selinux enforcing, and would like to know how to fix this issue with my (and also other users) public_html content in Selinux. I kind of understand what selinux is trying to do, but know so very little about using it.

Thank you.

Skull One
18th May 2014, 06:06 PM
You first need to allow the web server to access your home directory:


setsebool -P httpd_enable_homedirs=1

The web content, if correctly labelled, will then be available. By default, it is only the ~/public_html directory and its content.
See 'man httpd_selinux' for more details.

lightman47
18th May 2014, 06:32 PM
Thank you - AND for the location of the info as well.
--------------------------------------------
edit - K - didn't solve it (executed as SU, then enabled Selinux and reboot).

Got some reading/deciphering to do ...

Skull One
18th May 2014, 08:05 PM
Please post the denials to see the problems:


grep httpd /var/log/audit/audit.log

lightman47
18th May 2014, 08:21 PM
1. public_html is a link/shortcut to each user page on a data drive

2. requested info:

type=AVC msg=audit(1400335538.325:6): avc: denied { search } for pid=2360 comm="httpd" name="candace" dev=dm-3 ino=19267585 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1400335538.325:6): arch=c000003e syscall=4 success=no exit=-2 a0=7f1358f53128 a1=7fff76cdf0d0 a2=7fff76cdf0d0 a3=1999999999999999 items=0 ppid=2354 pid=2360 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1400335538.357:7): avc: denied { read } for pid=2360 comm="httpd" name="public_html" dev=dm-3 ino=37748750 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1400335538.357:7): avc: denied { search } for pid=2360 comm="httpd" name="www" dev=sdf ino=28311553 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1400335538.357:7): avc: denied { getattr } for pid=2360 comm="httpd" path="/mnt/4tb1/www/joe" dev=sdf ino=35402504 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1400335538.357:7): arch=c000003e syscall=4 success=yes exit=0 a0=7f1358f53128 a1=7fff76cdf0d0 a2=7fff76cdf0d0 a3=1999999999999999 items=0 ppid=2354 pid=2360 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1400335538.530:8): avc: denied { read } for pid=2360 comm="httpd" name="public_html" dev=dm-3 ino=30539786 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1400335538.530:8): avc: denied { search } for pid=2360 comm="httpd" name="www" dev=sdf ino=28311553 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1400335538.530:8): avc: denied { getattr } for pid=2360 comm="httpd" path="/mnt/4tb1/www/mary" dev=sdf ino=35402506 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1400335538.530:8): arch=c000003e syscall=4 success=yes exit=0 a0=7f1358f53128 a1=7fff76cdf0d0 a2=7fff76cdf0d0 a3=1999999999999999 items=0 ppid=2354 pid=2360 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1400335538.769:9): avc: denied { search } for pid=2360 comm="httpd" name="mary" dev=dm-3 ino=30539777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1400335538.769:9): arch=c000003e syscall=21 success=yes exit=0 a0=7f1358f53128 a1=1 a2=3ecb8 a3=1999999999999999 items=0 ppid=2354 pid=2360 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1400335538.978:10): avc: denied { search } for pid=2360 comm="httpd" name="fourni" dev=dm-3 ino=10092545 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1400335538.978:10): avc: denied { read } for pid=2360 comm="httpd" name="public_html" dev=dm-3 ino=10092554 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1400335538.978:10): avc: denied { search } for pid=2360 comm="httpd" name="www" dev=sdf ino=28311553 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1400335538.978:10): avc: denied { getattr } for pid=2360 comm="httpd" path="/mnt/4tb1/www/fourni" dev=sdf ino=35402500 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1400335538.978:10): arch=c000003e syscall=4 success=yes exit=0 a0=7f1358f53128 a1=7fff76cdf0d0 a2=7fff76cdf0d0 a3=1999999999999999 items=0 ppid=2354 pid=2360 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1400335539.461:11): avc: denied { search } for pid=2360 comm="httpd" name="owenk" dev=dm-3 ino=11665409 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1400335539.461:11): arch=c000003e syscall=4 success=no exit=-2 a0=7f1358f53128 a1=7fff76cdf0d0 a2=7fff76cdf0d0 a3=1999999999999999 items=0 ppid=2354 pid=2360 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1400335539.574:12): avc: denied { read } for pid=2360 comm="httpd" name="public_html" dev=dm-3 ino=19923069 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1400335539.574:12): avc: denied { search } for pid=2360 comm="httpd" name="www" dev=sdf ino=28311553 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1400335539.574:12): avc: denied { getattr } for pid=2360 comm="httpd" path="/mnt/4tb1/www/eganj" dev=sdf ino=35402497 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1400335539.574:12): arch=c000003e syscall=4 success=yes exit=0 a0=7f1358f53128 a1=7fff76cdf0d0 a2=7fff76cdf0d0 a3=1999999999999999 items=0 ppid=2354 pid=2360 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Skull One
18th May 2014, 08:35 PM
Two points:
1. Check if the previous boolean is on. The log indicates a problem, but it is probably the messages from before you activated it.


getsebool httpd_enable_homedirs

2. The content must have the correct label. Here, it looks like a mounted filesystem that is not labeled (file_t context).
Try as a temporary fix:


chcon -R -t httpd_user_content_t /mnt/4tb1/www

This label is for read only content. Use httpd_user_rw_content_t if you want rw permissions.


By the way, use 'echo > /var/log/audit/audit.log' to clear the log and get rid of the error messages already corrected.
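Added triage script, written for this page and not part of the thread: it parses AVC lines like the ones posted above, counts denials per target type, and flags the two causes Skull One identifies, home-directory objects (the httpd_enable_homedirs boolean) and file_t content (missing labels). The sample log is constructed from the thread's denials; the semanage fcontext / restorecon commands in the advice are the persistent alternative to chcon and are an assumption beyond what the thread shows.

```python
import re
from collections import Counter
# Matches AVC denial records only; SYSCALL records never match and are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]+)"'
    r'.*?(?:name|path)="(?P<obj>[^"]*)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+)'
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+)'
    r'.*?tclass=(?P<tclass>\w+)')
HOME_TYPES = {"user_home_dir_t", "user_home_t"}  # reachable only with httpd_enable_homedirs
UNLABELED = "file_t"  # default type on a filesystem that was never labelled

def parse_denials(log_text, comm="httpd"):
    """One dict per AVC denial raised by process `comm`; other records are dropped."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("comm") == comm:
            d = m.groupdict()
            d["perms"] = d["perms"].split()  # "{ read write }" -> ["read", "write"]
            found.append(d)
    return found

def triage(denials):
    """Count denials per (target type, class, permission) and flag the two causes."""
    by_type = Counter((d["ttype"], d["tclass"], p) for d in denials for p in d["perms"])
    unlabeled = sorted({d["obj"] for d in denials if d["ttype"] == UNLABELED})
    homedir = sorted({d["obj"] for d in denials if d["ttype"] in HOME_TYPES})
    advice = []
    if homedir:
        advice.append("home-dir objects denied: check 'getsebool httpd_enable_homedirs' "
                      "and enable it with 'setsebool -P httpd_enable_homedirs=1'")
    if unlabeled:  # chcon is the thread's fix; semanage/restorecon is the assumed persistent form
        advice.append("file_t (unlabeled) content: 'chcon -R -t httpd_user_content_t DIR' "
                      "now, or 'semanage fcontext -a -t httpd_user_content_t "
                      "\"DIR(/.*)?\"' plus 'restorecon -R DIR' to survive a relabel")
    return {"by_type": by_type, "unlabeled": unlabeled, "homedir": homedir, "advice": advice}

# Constructed sample, modelled on (and shortened from) the denials posted in the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1400335538.325:6): avc: denied { search } for pid=2360 comm="httpd" name="candace" dev=dm-3 ino=19267585 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1400335538.325:6): arch=c000003e syscall=4 success=no exit=-2 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1400335538.357:7): avc: denied { read } for pid=2360 comm="httpd" name="public_html" dev=dm-3 ino=37748750 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1400335538.357:7): avc: denied { search } for pid=2360 comm="httpd" name="www" dev=sdf ino=28311553 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1400335538.357:7): avc: denied { getattr } for pid=2360 comm="httpd" path="/mnt/4tb1/www/joe" dev=sdf ino=35402504 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_t:s0 tclass=dir
"""

if __name__ == "__main__":
    print(*triage(parse_denials(SAMPLE_LOG))["advice"], sep="\n")
```

Feed it the output of the grep command above (or the whole audit.log) to see which of the two fixes a given set of denials calls for.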

lightman47
18th May 2014, 09:13 PM
1. indicated it was on/enabled

2. seemed to fix my problem!!!!

Thank you!!

P.S. Did the 'echo'.