httpd permission problem

Miroslav Grepl mgrepl at redhat.com
Mon Feb 25 09:49:44 UTC 2013


On 02/18/2013 03:07 PM, Daniel J Walsh wrote:
> On 02/16/2013 12:37 PM, Dominick Grift wrote:
>> On Sat, 2013-02-16 at 17:12 +0100, Gergely Buday wrote:
>>> Hi there,
>>>
>>> I got the advice on the Apache mailing list that this might be an selinux
>>> problem.
>>>
>>> I have a directory under my home dir, and I would like that Apache served
>>> that. It says 403 Forbidden. I have created a web group that includes my
>>> user and apache. It is set in the httpd.conf file. After using chcon, ls
>>> -Z tells me
>>>
>>> drwxr-x---. gergoe web    system_u:object_r:httpd_sys_content_t:s0 wordpress
>>>
>>> and the same for all the files under. Still, I cannot access the content
>>> in that dir.
>>>
>>> What else should I set?
>>>
>> Does it work if you test it in permissive mode?:
>>
>> setenforce 0
>> getenforce
>> ! do test
>> setenforce 1
>> getenforce
>>
>> if it works in permissive mode but not in enforcing mode then it is likely
>> selinux blocking
>>
>> if it does not work in permissive mode either then it's likely not an
>> selinux related issue
>>
>>
>>> - Gergely
>>> --
>>> selinux mailing list selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
> getsebool httpd_enable_homedirs
>
> This boolean has to be turned on for this to work.
Also audit2allow could help you. For example

# ausearch -m avc -ts recent |audit2allow

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_read_user_content, httpd_enable_homedirs
allow httpd_t user_home_dir_t:dir { read getattr open };
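
Added example, not part of the original message or of any SELinux tool: a shell helper that condenses the AVC records printed by `ausearch -m avc` into one line per source type, target type, class and permission, and flags the httpd_t versus home-directory case from this thread. The function names and the sample audit records are constructed for illustration.

```shell
# Added example. Function names and sample records are constructed.
# Live use (as root): ausearch -m avc -ts recent | summarize_avc

# Print "source_type target_type class perms count" per distinct denial.
summarize_avc() {
  awk '
    /avc: +denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      # Permissions are the brace-delimited list after "denied".
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      }
      # The type is the third colon-separated field of a context.
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      if (src != "" && tgt != "") count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Succeeds (exit 0) when httpd_t was denied on a home-directory type,
# the case covered by httpd_enable_homedirs / httpd_read_user_content.
needs_homedir_boolean() {
  summarize_avc | awk '
    $1 == "httpd_t" && $2 ~ /^user_home(_dir)?_t$/ { found = 1 }
    END { exit !found }'
}

# Constructed sample records (not taken from a real system).
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1361785784.101:101): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/gergoe" dev="dm-2" ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1361785784.101:101): arch=c000003e syscall=4 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1361785790.412:102): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/gergoe" dev="dm-2" ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1361785791.007:103): avc:  denied  { read } for  pid=2101 comm="httpd" name="gergoe" dev="dm-2" ino=131073 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1361785795.550:104): avc:  denied  { read } for  pid=2101 comm="httpd" name="notes" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}
```

When `needs_homedir_boolean` succeeds on live audit data, check `getsebool httpd_enable_homedirs` as advised above before considering any custom policy module.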




