<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 02/03/2017 09:05 AM, Gordan Bobic
wrote:<br>
</div>
<blockquote
cite="mid:CAMx4oe0d9yJz4LFFytzFQMS5exMauUjwe9dUAkhvBxnG-ptY8w@mail.gmail.com"
type="cite">
<div dir="ltr">On Fri, Feb 3, 2017 at 1:58 PM, Robert Moskowitz <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:rgm@htt-consult.com" target="_blank">rgm@htt-consult.com</a>></span>
wrote:<br>
<div class="gmail_quote">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Gordon,<br>
<br>
One would think that, but there is something off
with at least the CubieTruck build. I will check
that all those rpms are installed (pretty sure they
are), but when I set up a web server with personal
directories, i got permission errors on listing the
files, but no problem displaying individual files.
Plus there are all these SELinux warnings I am
getting that seem to indicate something is amiss.<br>
<br>
I am reaching the point of focusing on Fedora server
for now. I had hopes of pushing Centos7-arm in a
couple of business venues.<br>
</div>
</blockquote>
<div><br>
<br>
<br>
</div>
<div>Are you certain it is an SELinux problem, and if
so, are parent directory labels correct?<br>
The symptoms you are describing seem more typically
indicative of an Apache configuration problem.<br>
Do tail -f on /var/log/audit/audit.log and see what
appears there. If there is a SELinux violation, it
will show up in there.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
OK. Here goes. I attached my web server drive to my CubieTruck; I
had left this drive all ready to go into production. SELinux
enforced and all that. When I started up the tail, a bunch of
messages were sent to the console. I then attempted to access one
of my directories: <br>
<br>
<a class="moz-txt-link-freetext" href="http://medon.htt-consult.com/~rgm/cubieboard/">http://medon.htt-consult.com/~rgm/cubieboard/</a><br>
<br>
Note, that this is a public server, and you too could try this. For
as long as I have the server running on this address.<br>
<br>
I got:<br>
<br>
Forbidden<br>
<br>
You don't have permission to access /~rgm/cubieboard/ on this
server.<br>
<br>
and all of the tail messages are:<br>
<br>
# tail -f on /var/log/audit/audit.log<br>
tail: cannot open 'on' for reading: No such file or directory<br>
==> /var/log/audit/audit.log <==<br>
type=SERVICE_STOP msg=audit(69.095:94): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-readahead-done comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'<br>
type=USER_ACCT msg=audit(1486134062.358:95): pid=1760 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond"
hostname=? addr=? terminal=cron res=success'<br>
type=CRED_ACQ msg=audit(1486134062.363:96): pid=1760 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond"
hostname=? addr=? terminal=cron res=success'<br>
type=LOGIN msg=audit(1486134062.363:97): pid=1760 uid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295
auid=0 old-ses=4294967295 ses=2 res=1<br>
type=USER_START msg=audit(1486134062.513:98): pid=1760 uid=0 auid=0
ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_open
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=CRED_REFR msg=audit(1486134062.528:99): pid=1760 uid=0 auid=0
ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=CRED_DISP msg=audit(1486134062.773:100): pid=1760 uid=0 auid=0
ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=USER_END msg=audit(1486134062.783:101): pid=1760 uid=0 auid=0
ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='op=PAM:session_close
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=SERVICE_START msg=audit(1486134482.523:102): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-tmpfiles-clean comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'<br>
type=SERVICE_STOP msg=audit(1486134482.528:103): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=systemd-tmpfiles-clean comm="systemd"
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'<br>
type=AVC msg=audit(1486137172.395:104): avc: denied { read } for
pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0<br>
type=SYSCALL msg=audit(1486137172.395:104): arch=40000028
syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440
a2=a4800 a3=0 items=0 ppid=624 pid=1866 auid=4294967295 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)<br>
type=PROCTITLE msg=audit(1486137172.395:104):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44<br>
<br>
<br>
I know from earlier testing, if I interactively change SELinux to
permissive, the directory display works.<br>
<br>
So what is next to try?<br>
<br>
Bob<br>
<br>
</body>
</html>