Apache2 directory listing problem F16

David Quigley selinux at davequigley.com
Fri Jul 27 17:22:14 UTC 2012


On 07/27/2012 12:46, Tim wrote:
> On Fri, 2012-07-27 at 11:55 -0400, Mark Haney wrote:
>> The problem is, no matter what I do, I get an access denied error.
>> By default apache2 has INDEXES enabled for DOCROOT, but to be on the
>> safe side I added a new directory directive for <DOCROOT/pics> and set
>> INDEXES.  Still nothing.
>
> Is your access denied error just for trying to view an index, or does
> it happen when trying to view anything?
>
> Did you set that directive /after/ any opposing rules were set?  And
> is your filepath inside the usual docroot, or outside of it?  (It goes
> inside <Directory> clauses.)
>
> The files, and all the directories back to the Linux /, all need to
> be world-readable, and the directories also need to be world executable.
>
> e.g. /var/
>      /var/www/
>      /var/www/html/
>      /var/www/html/whatever-else/
>
> All need to have at least -------r-x directory permissions, and
> -------r-- file permissions.
>
> Likewise, if you're serving from /home/your-username/public_html/
>
> If SELinux is enforcing, then there needs to be a "httpd_sys_content"
> or "httpd_user_content" context to the file and directories, too.
> That'll be set, by default, if you create or copy files in the usual
> web serving filepaths; but not if you created them elsewhere, and
> moved them over.
>
> If you're serving from an unusual filepath, then you'll need to
> manually apply file contexts.  And you'll need to re-apply them anytime
> there's a relabelling of the file system, or, you'd create a rule for
> your serving filespace, so it gets labelled automatically.
>
> You may also need to tick some options on inside a SELinux
> configurator, regarding local webserving, too.
>
> --
> [tim at localhost ~]$ uname -r
> 2.6.27.25-78.2.56.fc9.i686
>
> Don't send private replies to my address, the mailbox is ignored.  I
> read messages from the public lists.

If he is serving from an unusual path he should use the semanage 
fcontext command to add the proper labeling and then just relabel that 
location. That way he doesn't have to worry about relabeling operations.

Dave
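
The permission walk Tim describes and the persistent labeling rule Dave suggests, as an added example that is not part of the original messages. It assumes GNU `stat` and `readlink`; the function names and the sample path `/srv/pics` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and /srv/pics are hypothetical.

# Walk from the target up to / and print every component whose "other"
# permission bits would block Apache: directories need r-x, files need r--.
# Symlinks are resolved first, so the real path is what gets checked.
# Returns 0 if nothing is wrong, 1 if something was printed, 2 on error.
check_web_path() {
    local p mode other need rc=0
    p=$(readlink -f "$1") || return 2
    while :; do
        mode=$(stat -c '%a' "$p") || return 2
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ -d "$p" ]; then need=5; else need=4; fi
        if [ $(( other & need )) -ne "$need" ]; then
            printf '%s mode=%s\n' "$p" "$mode"
            rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Print the commands that record a permanent file-context rule for a
# non-default content directory and then relabel it. Run the output as root.
# httpd_sys_content_t is the type for read-only web content. Assumes the
# path contains no regex metacharacters.
label_rule_cmds() {
    local dir
    dir=$(readlink -f "$1") || return 2
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

# Usage:
#   check_web_path /srv/pics/photo.jpg
#   label_rule_cmds /srv/pics
```

Because the rule is stored in the local policy, a later full relabel of the file system applies the same context again instead of reverting it.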

