Pulling out what little hair I have here, but stumbled onto a possible problem.
I have a server running C6 apache that is set up with personal directories and no problem showing the files.
You can see it at: medon.htt-consult.com/~rgm/pogo
So I have a C7 apache server I am building. Files I create on the new server are listing fine. Files I have copied (with cp -avr ...) get permission error e.g.:
[Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208] (13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/
File permissions are the same. So in frustration I try using stat and it shows a different picture:
$ stat test/testit
  File: ‘test/testit’
  Size: 6               Blocks: 8          IO Block: 4096   regular file
Device: 803h/2051d      Inode: 524296      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/     rgm)   Gid: ( 1000/     rgm)
Context: unconfined_u:object_r:httpd_user_content_t:s0
Access: 2015-12-23 13:53:04.212993088 -0500
Modify: 2015-12-23 13:53:06.313000584 -0500
Change: 2015-12-23 13:53:06.313000584 -0500
 Birth: -
$ stat biby/MishnahBerurah-2015-12-18.amr
  File: ‘biby/MishnahBerurah-2015-12-18.amr’
  Size: 2290374         Blocks: 4480       IO Block: 4096   regular file
Device: 803h/2051d      Inode: 136295      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/     rgm)   Gid: ( 1000/     rgm)
Context: system_u:object_r:unlabeled_t:s0
Access: 2015-12-18 06:54:01.000000000 -0500
Modify: 2015-12-18 06:54:01.000000000 -0500
Change: 2015-12-23 13:56:57.273824913 -0500
 Birth: -
Notice the difference with Context. What is this httpd_user_content_t? Why on files I create on this system and not those I cp from a USB drive? And is this the problem or something else?
thanks
On Wed, 23 Dec 2015, Robert Moskowitz wrote:
Pulling out what little hair I have here, but stumbled onto a possible problem.
I have a server running C6 apache that is set up with personal directories and no problem showing the files.
You can see it at: medon.htt-consult.com/~rgm/pogo
So I have a C7 apache server I am building. Files I create on the new server are listing fine. Files I have copied (with cp -avr ...) get permission error e.g.:
[Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208] (13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/
If SELinux is working, then do
setsebool -P httpd_enable_homedirs on
On 12/23/2015 02:36 PM, Paul Heinlein wrote:
On Wed, 23 Dec 2015, Robert Moskowitz wrote:
Pulling out what little hair I have here, but stumbled onto a possible problem.
I have a server running C6 apache that is set up with personal directories and no problem showing the files.
You can see it at: medon.htt-consult.com/~rgm/pogo
So I have a C7 apache server I am building. Files I create on the new server are listing fine. Files I have copied (with cp -avr ...) get permission error e.g.:
[Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208] (13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/
If SELinux is working, then do
setsebool -P httpd_enable_homedirs on
Did not help.
In messages I see:
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded configuration
Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy boolean was changed to on by root
But still get the access error:
[Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212] (13)Permission denied: [client 192.168.160.20:38836] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/
I should say that this system is built with the CentOS7-arm build that we are testing out. So this could be a problem with the SELinux build for armv7. But I thought this was a general C7/apache issue...
On 12/23/2015 12:05 PM, Robert Moskowitz wrote:
If SELinux is working, then do
setsebool -P httpd_enable_homedirs on
Did not help.
In messages I see:
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded configuration
Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy boolean was changed to on by root
But still get the access error:
[Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212] (13)Permission denied: [client 192.168.160.20:38836] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/
I should say that this system is built with the CentOS7-arm build that we are testing out. So this could be a problem with the SELinux build for armv7. But I thought this was a general C7/apache issue...
Did you verify it /is/ SELinux by running with `setenforce permissive`?
On 12/23/2015 03:26 PM, John R Pierce wrote:
On 12/23/2015 12:05 PM, Robert Moskowitz wrote:
If SELinux is working, then do
setsebool -P httpd_enable_homedirs on
Did not help.
In messages I see:
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded configuration
Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy boolean was changed to on by root
But still get the access error:
[Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212] (13)Permission denied: [client 192.168.160.20:38836] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/
I should say that this system is built with the CentOS7-arm build that we are testing out. So this could be a problem with the SELinux build for armv7. But I thought this was a general C7/apache issue...
Did you verify it /is/ SELinux by running with `setenforce permissive`?
Thank you for that reminder. I did that and the directory was displayed.
Switched back to enforcing and got the permissions error.
So what do I try next. My current server is also an ARMv7 that is running the Centos6 port of Redsleeve6. This port does not support selinux which is one of the many reasons I want to move all my ARMv7 servers over to C7-arm as soon as I can. Thus I suspect I am going to be learning (relearning in some cases) a lot about selinux...
thanks
On 12/23/2015 11:15 AM, Robert Moskowitz wrote:
What is this httpd_user_content_t?
That is an SELinux context which httpd is allowed to access. It is defined as the label for files matching the regex /home/[^/]*/((www)|(web)|(public_html))(/.+)? in /etc/selinux/targeted/contexts/files/
"restorecon" can be used to reset contexts to those defined in that directory.
Why on files I create on this system and not those I cp from a USB drive?
Because you used cp -a, which preserves permissions and labels, among other attributes. Normally, files inherit a context from their parent directory.
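The following is an added example and not code from the thread or from any of its posters. It walks through what the two replies above describe: John's permissive-versus-enforcing test to confirm the denial is SELinux rather than the 0664 file modes, Gordon's point that the file_contexts rule for ~/public_html assigns httpd_user_content_t while cp -a carried the USB stick's unlabeled_t label across, restorecon to put the policy's labels back, and a cp that keeps timestamps without preserving context. The paths and contexts come from the stat output in the thread; the helper names, the use of /home/rgm/public_html as sample input, and the assumption that the live helpers run as root on a CentOS 7 host with the targeted policy are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from any of its posters.
# Assumptions not stated in the thread: paths under /home/rgm/public_html are
# used as sample input, the live helpers (selinux_is_culprit, fix_webdir_labels,
# copy_keep_times) run as root on a CentOS 7 host with the targeted policy, and
# the helper names are my own.

# The file_contexts rule quoted in the thread for user web directories.
# Files under a matching path are expected to carry httpd_user_content_t.
HOMEDIR_WEB_RE='^/home/[^/]*/((www)|(web)|(public_html))(/.+)?$'

# Pure helper: the type that rule assigns to a path, or "no-match" when the
# rule does not apply.  Needs no root and no SELinux kernel.
expected_type() {
    if printf '%s\n' "$1" | grep -Eq "$HOMEDIR_WEB_RE"; then
        echo httpd_user_content_t
    else
        echo no-match
    fi
}

# Pure helper: given a path and its current context (as printed by
# `stat -c %C` or `ls -Z`), exit 0 when the type field differs from what the
# rule expects, i.e. when restorecon would change it.
needs_relabel() {
    want=$(expected_type "$1")
    have=$(printf '%s' "$2" | cut -d: -f3)
    if [ "$want" != no-match ] && [ "$want" != "$have" ]; then
        return 0
    fi
    return 1
}

# The quick test from the thread: a request that succeeds in permissive mode
# and fails again in enforcing mode is being blocked by SELinux, not by the
# file modes.  Root only; puts the mode back to enforcing when done.
selinux_is_culprit() {
    url=$1
    setenforce 0
    permissive=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    setenforce 1
    enforcing=$(curl -s -o /dev/null -w '%{http_code}' "$url")
    echo "permissive=$permissive enforcing=$enforcing"
    [ "$permissive" = 200 ] && [ "$enforcing" != 200 ]
}

# Show what the policy says each file should be labelled versus what it is,
# pull the matching AVC denials from the audit log, then relabel the tree from
# the file_contexts definitions.  Root only, SELinux host only.
fix_webdir_labels() {
    dir=$1
    command -v restorecon >/dev/null 2>&1 || { echo "no SELinux tools on this host" >&2; return 2; }
    echo "mode: $(getenforce)"
    matchpathcon -V "$dir" "$dir"/* 2>/dev/null || true
    ausearch -m AVC -c httpd -ts recent 2>/dev/null || true
    restorecon -Rv "$dir"
}

# The copy the thread ends up wanting: -a implies --preserve=all, which
# includes the SELinux context; --preserve=timestamps keeps mtime but lets the
# new files take the default label for their parent directory.
copy_keep_times() {
    cp -r --preserve=timestamps "$1" "$2"
}

# Demonstration on the two contexts posted in the thread (constructed input,
# no filesystem access needed).
for entry in \
    "/home/rgm/public_html/test/testit unconfined_u:object_r:httpd_user_content_t:s0" \
    "/home/rgm/public_html/biby/MishnahBerurah-2015-12-18.amr system_u:object_r:unlabeled_t:s0"
do
    set -- $entry
    if needs_relabel "$1" "$2"; then
        echo "relabel  $1: $(printf '%s' "$2" | cut -d: -f3) -> $(expected_type "$1")"
    else
        echo "ok       $1"
    fi
done
# Live use, as root:
#   selinux_is_culprit http://localhost/~rgm/biby/
#   fix_webdir_labels /home/rgm/public_html/biby
```

The two pure helpers only encode the one file_contexts rule Gordon quoted, so they say nothing about paths outside ~/www, ~/web or ~/public_html; for a real host, matchpathcon is the authority, and restorecon -Rv on the copied tree is the fix the thread converges on.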
On 12/24/2015 01:08 AM, Gordon Messmer wrote:
On 12/23/2015 11:15 AM, Robert Moskowitz wrote:
What is this httpd_user_content_t?
That is an SELinux context which httpd is allowed to access. It is defined as the label for files matching the regex /home/[^/]*/((www)|(web)|(public_html))(/.+)? in /etc/selinux/targeted/contexts/files/
"restorecon" can be used to reset contexts to those defined in that directory.
Why on files I create on this system and not those I cp from a USB drive?
Because you used cp -a, which preserves permissions and labels, among other attributes. Normally, files inherit a context from their parent directory.
Ah yes. I was lazy, as 'all' I really wanted was to maintain timestamps on those files. Serves me right...
Thanks for the explanation.
New server is more solid than current, so I am going to launch it tomorrow. Then on to BIND testing.