wigblog ramblings of a philomathic polymath

17 Nov 2004

Apache (httpd) 403 errors & SELinux in FC3

Quick fix:

chcon -R -t httpd_sys_content_t <path to web files>

Now for the meat:

So in Fedora Core 3 we now have SELinux enabled by default in the installation. I decided to leave it enabled because security is a "Good Thing" (right?) and I knew I was going to have to get familiar with it at some point. So this was all fine and good until I ran into the first piece of the system I wanted to work with that was affected by the default policy that's called "targeted".

The "targeted" policy confines certain network daemons to run in their own specific "security domain". These daemons include dhcpd, httpd (apache), named, nscd, ntpd, portmap, snmpd, squid, and syslogd.

When I set up Apache on a system where it will actually be used, I have a habit of not using /var/www/html as my starting point for document roots, but rather creating a directory at /home/websites and placing my document roots in there. In the good ol' days of Discretionary Access Control (DAC), just making sure that Apache had the permissions it needed to read the documents in there was enough (using chmod, chown, and the like).

Not so with SELinux enabled. In addition to the regular DAC we're all used to, we now have Mandatory Access Control (MAC) that defines security contexts for files, directories, etc. It looks like, by default, Apache only has access to /var/www/html once it's running (and, I'm guessing, /var/log/httpd), which is exactly as it should be. To let Apache read my files in /home/websites, I had to apply a new security context to them. The answer to this is the chcon command. To be brief, the full command I executed was:

chcon -R -t httpd_sys_content_t /home/websites

After executing this, apache could read my files.
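The check-then-fix workflow described above, written out as an added example (this is not the author's code or anything from the Fedora docs): it parses `ls -dZ` lines, reports everything in the path that does not carry an `httpd_*content_t` type, and wraps the chcon fix together with a `semanage fcontext` / `restorecon` step from the policycoreutils tools (not mentioned in the post) so the label also survives a later relabel. The `ls -Z` lines in the demo are constructed; on a real box feed it `ls -dZ /home/websites /home/websites/*`.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the SELinux userland
# (ls -Z, chcon, and optionally semanage/restorecon) is installed.

# Print the SELinux type from one "ls -dZ" line. Works for both the old
# "user:role:type" format and the newer "user:role:type:level" one, because
# the type is the third colon-separated field of the context either way.
context_type() {
    # $1: e.g. "drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 htdocs"
    ctx=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }')
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Return 0 when the line's type is one of the httpd content types (the post's
# httpd_sys_content_t plus the other httpd_*content_t types), 1 otherwise.
httpd_readable_type() {
    case "$(context_type "$1")" in
        httpd_*content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "ls -dZ" lines on stdin and print "<path><TAB><type>" for each entry that
# httpd could not read by label. Feed it the web root, its files AND its parent
# directories: httpd needs to traverse every ancestor, so a vhost under a home
# directory fails even when the leaf directory is labelled correctly.
# (Paths containing spaces are not handled; the last field is taken as the path.)
report_unreadable() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! httpd_readable_type "$line"; then
            path=$(printf '%s\n' "$line" | awk '{ print $NF }')
            printf '%s\t%s\n' "$path" "$(context_type "$line")"
        fi
    done
}

# The post's fix. chcon relabels in place, but a full relabel (restorecon -R,
# or touch /.autorelabel and reboot) resets files to what the file-context
# database says, so also register the type there when semanage is available.
relabel_web_root() {
    root=$1
    chcon -R -t httpd_sys_content_t "$root"
    if command -v semanage >/dev/null 2>&1; then
        semanage fcontext -a -t httpd_sys_content_t "${root}(/.*)?"
        restorecon -Rv "$root"
    fi
}

# Demo on constructed lines (real use: ls -dZ /home/websites /home/websites/* | report_unreadable).
# Expected output: the index.html line, which still carries a home-directory type.
report_unreadable <<'EOF'
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /home/websites
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /home/websites/example
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /home/websites/example/index.html
EOF
```

Once the report is empty for the web root and its ancestors, `relabel_web_root /home/websites` is the only call needed; anything the report still lists under a home directory is a policy question (the home-directory boolean for httpd) rather than a chcon one.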

Important links I found in troubleshooting:

http://fedora.redhat.com/docs/selinux-apache-fc3
http://fedora.redhat.com/docs/selinux-faq-fc3/

http://lwn.net/Articles/105409/

I like where this SELinux thing is going. Permissions done right, for sure. This doesn't come without growing pains though. It's complex (or so it seems to me after only working with it for a couple of days) and will take some time to learn. I'm prepared for some frustration....

Now many of you are probably asking yourselves why anyone (let alone me) would want to bother with this. Well, I think a simple example of one of the cool things is that even though something like /etc/passwd has DAC octal perms of 644 (rw-r--r--), Apache still can't read it, because that file is not within Apache's security context. So a user on your system can't write a little script that reads your /etc/passwd file and basically posts it on a web page for the world to see (giving potential crackers a list of valid user accounts on the system).

UPDATE: Thanks for the updated link Bob.

Comments (13) Trackbacks (0)
  1. Thank you sooo very much for getting this information out on the net.. I have been waiting for this fix.. I, like you, have had similar problems and the guy that I normally call for the big howto questions was totally useless ;) nice to know there are still some real ubergeeks out there.

    ta ta 4 now :)

    -Dean

  2. I get the error :
    chcon: can't apply partial context to unlabeled file /home/server/

  3. Thanks for the valuables.
    BTW, Just find the first link is not accessible.

  4. chcon: can't apply partial context to unlabeled file public_html
    i get this error can anyone help please ??

  5. dude, u+info above+apache+linux+selinux+fc+whole damn osi=rule!

  6. excellent info!, I have installed FC6 today and had the same problem.. you saved me from installing apache again.

  7. I should note that this problem still affects Fedora 7, not just FC3 as you mentioned in the article! I finally found this solution after hours of searching – thanks again for your simplified explanation and solution to this issue!

  8. Thanks a million!

  9. really , Thanks a millions

    you guys are great!

  10. Thanks!!!!! I have been working on this for a long time and I finally got it to work!!!

  11. This isn’t working for me… I have a clean install of Fedora 15 with virtual hosts configured. Everything is working just fine when SELinux is set to permissive but as soon as I enable it, I get “Forbidden – You don’t have permission to access / on this server” but only on the virtual host located under my home folder (the standard /var/www/html works fine).

    I have tried what you suggested but still get the same problem… “ls -Z” for the htdocs folder yields:

    drwxr-xr-x. administrator administrator system_u:object_r:httpd_sys_content_t:s0 htdocs

    Any help would be very much appreciated as I am pulling my hair out on this one… This machine is Internet facing and I really don’t want to disable SELinux if I can avoid it.

    Thanks…

  12. Thank you very much, you saved my day.
