Hello,
I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail (relayed through gmail.com) - all those programs working fine, with no big modifications of the CentOS defaults (i.e. SELinux is on).
Now I'm struggling with the seemingly simple problem, that when I put an .html file into /var/www/html/ then Apache won't serve it.
In the browser I see:
"Forbidden
You don't have permission to access /Alex.html on this server. Apache/2.2.3 (CentOS) Server at XXXX Port 80"
In the /var/log/httpd/error_log (I've set "LogLevel debug") I only see:
"[error] [client 10.216.40.68] (13)Permission denied: access to /Alex.html denied [error] [client 10.216.40.68] (13)Permission denied: access to /Alex.html denied"
The other filetypes like crossdomain.xml and index.php or hello-world.php are served just fine. Also, if I move my *.html files under /var/www/html/test/ - then they are served ok.
The permissions are ok in my book:
# ls -al Alex.html index.php hello-world.php
-r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
-rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
-rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
# ls -ald / /var /var/www /var/www/html
drwxr-xr-x 23 root root 4096 Sep 29 15:54 /
drwxr-xr-x 22 root root 4096 Jun 22 15:25 /var
drwxr-xr-x  8 root root 4096 Sep 29 11:45 /var/www
drwxr-xr-x 16 root root 4096 Sep 29 15:59 /var/www/html
# cat /var/www/html/.htaccess   (installed by phpBB)
<Files "config.php">
    Order Allow,Deny
    Deny from All
</Files>
<Files "common.php">
    Order Allow,Deny
    Deny from All
</Files>
# /usr/sbin/getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
I've looked into /etc/httpd/conf/httpd.conf and conf.d/ files...
Does anybody know what is wrong, how to find out?
Regards Alex
Now I'm struggling with the seemingly simple problem
Sometimes simple problems have simple solutions!
For example:
# ls -al Alex.html index.php hello-world.php
-r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
-rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
-rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
Why is Alex.html only readable and the php files readable *and* writable? Did you try making the php files *only readable* and see what happens?
This may not be relevant to the problem, but I have observed in Ubuntu that the apache server by default likes to make files it serves executable. Not sure why, just a simple observation.
Hope this helps, Rob
Nope, this doesn't help. I've tried both 444 and 644 for Alex.html and vice versa: 444 and 644 for the .php and .xml files.
On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio rob.delvecchio@gmail.com wrote:
# ls -al Alex.html index.php hello-world.php
-r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
-rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
-rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
Why is Alex.html only readable and the php files readable *and* writable? Did you try making the php files *only readable* and see what happens?
Alexander Farber wrote:
Nope, this doesn't help. I've tried both 444 and 644 for Alex.html and vice versa: 444 and 644 for the .php and .xml files.
On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio rob.delvecchio@gmail.com wrote:
# ls -al Alex.html index.php hello-world.php
-r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
-rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
-rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
Why is Alex.html only readable and the php files readable *and* writable? Did you try making the php files *only readable* and see what happens?
What's the entry in /etc/httpd/conf/httpd.conf for /var/www/html? You say that this stuff is in /var/www/html/test/ - is apache configured to let it be seen? The error message you give sounds like apache configuration.
Oh, right - are you using http, or https?
mark
Alexander Farber sent a missive on 2010-09-29:
Nope, this doesn't help. I've tried both 444 and 644 for Alex.html and vice versa: 444 and 644 for the .php and .xml files.
On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio rob.delvecchio@gmail.com wrote:
# ls -al Alex.html index.php hello-world.php
-r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
-rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
-rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
Why is Alex.html only readable and the php files readable *and* writable? Did you try making the php files *only readable* and see what happens?
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hi.
Can you show the output of ls -laZ please? This will show the selinux context information for the files - the error is usually to do with the context of the files.
Rgds
S.
On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis simon@houxou.com wrote:
Can you show the output of ls -laZ please? This will show the selinux context information for the files - the error is usually to do with the context of the files.
Hello and thanks for your reply. The SELinux stuff is new for me.
Yes I have moved that Alex.html from my home dir and (the 1st one fails):
# ls -laZ /var/www/html/Alex.html
-r--r--r-- root    root    system_u:object_r:user_home_t        /var/www/html/Alex.html
# ls -laZ /var/www/html/test/Alex.html
-r--r--r-- root    root    user_u:object_r:httpd_sys_content_t  /var/www/html/test/Alex.html
# ls -laZ /var/www/html/index.php
-rw-r--r-- root    root    user_u:object_r:httpd_sys_content_t  /var/www/html/index.php
# ls -laZ /var/www/html/hello-world.php
-rw-r--r-- afarber afarber user_u:object_r:httpd_sys_content_t  /var/www/html/hello-world.php
I'm using http, not https. And /usr/sbin/getenforce prints "Enforcing".
I didn't know that there were additional attributes for the files. And I don't know how to stop/start SELinux (it is not a service in /etc/init.d, right?) but I'd like to keep SELinux running, since all other programs I've listed seem to cope okay with it.
Regards Alex
Alexander Farber sent a missive on 2010-09-29:
On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis simon@houxou.com wrote:
Can you show the output of ls -laZ please? This will show the selinux context information for the files - the error is usually to do with the context of the files.
Hello and thanks for your reply. The SELinux stuff is new for me.
Yes I have moved that Alex.html from my home dir and (the 1st one fails):
# ls -laZ /var/www/html/Alex.html
-r--r--r-- root    root    system_u:object_r:user_home_t        /var/www/html/Alex.html
You can see here that the context is incorrect for the file to be served by apache. You can change it using:
"chcon user_u:object_r:httpd_sys_content_t /var/www/html/Alex.html" with no quotes.
This will change the file to the specific context needed. You can also use restorecon -R as others have mentioned.
# ls -laZ /var/www/html/test/Alex.html
-r--r--r-- root    root    user_u:object_r:httpd_sys_content_t  /var/www/html/test/Alex.html
# ls -laZ /var/www/html/index.php
-rw-r--r-- root    root    user_u:object_r:httpd_sys_content_t  /var/www/html/index.php
# ls -laZ /var/www/html/hello-world.php
-rw-r--r-- afarber afarber user_u:object_r:httpd_sys_content_t  /var/www/html/hello-world.php
I'm using http, not https. And /usr/sbin/getenforce prints "Enforcing".
You can use "setenforce 0" without the quotes to disable selinux from the command line till next reboot or until you issue "setenforce 1" - this is useful for testing as is looking at /var/log/audit/audit.log and also using commands such as audit2why and audit2allow (I strongly recommend reading at least the man pages and also such websites as http://www.nsa.gov/research/selinux/docs.shtml (google selinux))
I didn't know that there were additional attributes for the files. And I don't know how to stop/start SELinux (it is not a service in /etc/init.d, right?) but I'd like to keep SELinux running, since all other programs I've listed seem to cope okay with it.
I recommend that you keep SELinux running and enforcing and that you spend some time learning it. It is very useful. The config files are located in /etc/selinux, where you can set SELinux to disabled or, if you want, permissive, i.e. it will not stop you or others doing things but will report on the violations.
Have fun
S.
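Simon points at /var/log/audit/audit.log and audit2why as the place to see why httpd was refused. The script below is an added example, not code from the thread or from any of its posters: it reads AVC records in the standard audit.log format and summarises each denial as the process, the permission refused, the file and the target type, which is exactly the label restorecon or chcon has to change. The audit lines are constructed to mirror Alex's situation (httpd_t denied read on a file labelled user_home_t); they are not real log data, and the record layout is the usual kernel AVC format rather than anything taken from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials from
# audit.log-style records. Sample records are CONSTRUCTED to match the thread's
# case (httpd denied access to Alex.html labelled user_home_t), not real data.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1285773600.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="Alex.html" dev=sda2 ino=131076 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1285773600.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1285773601.456:457): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/html/Alex.html" dev=sda2 ino=131076 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Reads audit records on stdin and prints one line per AVC denial:
#   <comm> <permission> <name-or-path> <target type>
# Non-AVC records (SYSCALL, CWD, PATH, ...) are skipped.
summarise_avc() {
    awk '
        /^type=AVC / {
            perm = ""; comm = ""; target = ""; ttype = ""
            # permission set is the "{ read }" group
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "name" || kv[1] == "path") target = kv[2]
                else if (kv[1] == "tcontext") {
                    # user:role:type:level -> keep the type only
                    split(kv[2], c, ":")
                    ttype = c[3]
                }
            }
            gsub(/"/, "", comm); gsub(/"/, "", target)
            print comm, perm, target, ttype
        }'
}

# Distinct target types that httpd was denied on. Each one is a label that
# restorecon (or chcon, as in the thread) must bring back to httpd_sys_content_t.
httpd_denied_types() {
    summarise_avc | awk '$1 == "httpd" { print $4 }' | sort -u
}

# Stand-alone demonstration on the constructed records.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarise_avc
printf '%s\n' "$SAMPLE_AUDIT_LOG" | httpd_denied_types
```

On a live box you would run `summarise_avc < /var/log/audit/audit.log` (as root) after reproducing the 403; a result of `user_home_t` on a file under /var/www/html is the same diagnosis Simon draws from `ls -laZ`, and the fix is the restorecon or chcon he describes rather than `setenforce 0`.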
Simon Billis wrote:
Alexander Farber sent a missive on 2010-09-29:
On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis simon@houxou.com wrote:
<snip>
You can use "setenforce 0" without the quotes to disable selinux from the command line till next reboot or until you issue "setenforce 1" - this is useful for testing as is looking at /var/log/audit/audit.log and also using commands such as audit2why and audit2allow (I strongly recommend reading at least the man pages and also such websites as http://www.nsa.gov/research/selinux/docs.shtml (google selinux))
Yeah, and the sealert messages in /var/log/messages *sometimes* help, and other times are garbage. (Yes, I filed a bug with the sealert team: for some things, it 100% repeatably keeps telling me that I should set httpd_unified to on... when it's been on for months. Obviously, they missed a condition, and fall through to an incorrect default.)
I didn't know that there were additional attributes for the files. And I don't know how to stop/start SELinux (it is not a service in /etc/init.d, right?) but I'd like to keep SELinux running, since all other programs I've listed seem to cope okay with it.
I recommend that you keep SELinux running and enforcing and that you spend some time learning it. It is very useful. The config files are located in /etc/selinux, where you can set SELinux to disabled or, if you want, permissive, i.e. it will not stop you or others doing things but will report on the violations.
*bleah* to selinux.
mark
On 30/09/10 3:21 AM, Simon Billis wrote:
You can use "setenforce 0" without the quotes to disable selinux from the command line till next reboot or until you issue "setenforce 1" - this is useful for testing as is looking at /var/log/audit/audit.log and also using commands such as audit2why and audit2allow (I strongly recommend reading at least the man pages and also such websites as http://www.nsa.gov/research/selinux/docs.shtml (google selinux))
In addition to that URL, this document (which I didn't see listed, probably due to the publication date) looks very useful:
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
I'd second reading as much as possible on SELinux before diving into it, as there are more than a few gotchas. Especially when enabling and disabling it and knowing when a reboot is necessary when enabling or re-enabling it.
Regards, Ben
At Wed, 29 Sep 2010 17:13:14 +0200 CentOS mailing list centos@centos.org wrote:
Nope, this doesn't help. I've tried both 444 and 644 for Alex.html and vice versa: 444 and 644 for the .php and .xml files.
On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio rob.delvecchio@gmail.com wrote:
# ls -al Alex.html index.php hello-world.php
-r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
-rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
-rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
Why is Alex.html only readable and the php files readable *and* writable? Did you try making the php files *only readable* and see what happens?
What is the mode on the directory? What is the ownership of the directory?
Alexander Farber wrote:
Hello,
I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail (relayed through gmail.com) - all those programs working fine, with no big modifications of the CentOS defaults (i.e. SELinux is on).
Now I'm struggling with the seemingly simple problem, that when I put an .html file into /var/www/html/ then Apache won't serve it.
<SNIP>
I've looked into /etc/httpd/conf/httpd.conf and conf.d/ files...
Does anybody know what is wrong, how to find out?
Regards Alex
Did you possibly use mv to put the file in that directory? If so, it will not always set the file context properly. You can tell by checking whether SELinux is active (run getenforce and see if it returns "Enforcing") and using the -Z switch to ls to see the file context of the problem files. If the context is not "httpd_sys_content_t" or something similar, you need to fix the context.
Fixing it is easy, just run restorecon:
restorecon -rv /var/www/html
This will walk down the directory tree and fix up the file contexts, giving you a message about the files it changes.
Of course, if it isn't an SELinux problem, this won't help.
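Jay's check (ls -Z, then look for anything that is not httpd_sys_content_t) is easy to automate over a whole document root, and the same mislabelled-after-mv situation is what Simon diagnosed from Alex's ls -laZ output earlier in the thread. The script below is an added example, not code from the thread or from Jay or Simon: it reads ls -laZ-style lines and reports every entry whose SELinux type httpd cannot read. The listing is constructed to reproduce Alex's files in the CentOS 5 ls -Z column layout shown in the thread (mode, user, group, context, name); the set of acceptable types is an assumption, seeded with httpd_sys_content_t from the thread plus httpd_sys_script_exec_t for CGI scripts, and should be extended to whatever your policy allows.

```sh
#!/bin/sh
# Added example (not from the thread): find entries under a web root whose
# SELinux type httpd_t cannot read, from `ls -laZ` output. The listing is
# CONSTRUCTED to mirror the thread (only Alex.html is mislabelled).

SAMPLE_LISTING='drwxr-xr-x  root    root    user_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root    root    user_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root    root    user_u:object_r:httpd_sys_content_t .htaccess
-r--r--r--  root    root    system_u:object_r:user_home_t     Alex.html
-rw-r--r--  afarber afarber user_u:object_r:httpd_sys_content_t hello-world.php
-rw-r--r--  root    root    user_u:object_r:httpd_sys_content_t index.php
drwxr-xr-x  root    root    user_u:object_r:httpd_sys_content_t test'

# ASSUMPTION: types httpd_t is allowed to read. httpd_sys_content_t is the
# default for /var/www (seen in the thread); httpd_sys_script_exec_t is the
# CGI executable type. Anything else is reported so restorecon can fix it.
is_httpd_readable_type() {
    case "$1" in
        httpd_sys_content_t|httpd_sys_script_exec_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ls -laZ` lines on stdin (CentOS 5 layout: mode user group context name)
# and prints "<name> <type>" for every entry whose type httpd_t cannot read.
# "." and ".." are skipped; a leading "total" line, if present, is ignored.
find_mislabelled() {
    awk '
        NF >= 5 && $1 !~ /^total/ {
            split($4, ctx, ":")      # user:role:type -> type is field 3
            name = $5
            if (name != "." && name != "..") print name, ctx[3]
        }' | while read -r name type; do
            is_httpd_readable_type "$type" || printf '%s %s\n' "$name" "$type"
        done
}

# Number of mislabelled entries; 0 means the directory is clean.
count_mislabelled() {
    find_mislabelled | wc -l | tr -d ' '
}

# Stand-alone demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | find_mislabelled
echo "mislabelled entries: $(printf '%s\n' "$SAMPLE_LISTING" | count_mislabelled)"
```

In practice the input is `ls -laZ /var/www/html | find_mislabelled`; a non-empty result is the "fix the context" case Jay describes, and `restorecon -Rv /var/www/html` (the command he gives) relabels exactly those entries and prints what it changed, after which the check should report nothing.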
On Wed, 29 Sep 2010, Jay Leafey wrote:
Fixing it is easy, just run restorecon:
restorecon -rv /var/www/html
Is there any received wisdom about when it is more appropriate to use restorecon directly instead of the fixfiles wrapper? I tend to use fixfiles, but I haven't really thought it through.
On 30/09/10 12:43 AM, Alexander Farber wrote:
Hello,
I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail (relayed through gmail.com) - all those programs working fine, with no big modifications of the CentOS defaults (i.e. SELinux is on).
[SNIP]
Does anybody know what is wrong, how to find out?
Yep, it's SELinux picking up that the files have been moved or copied to that directory. Run this command:
restorecon -R /var/www/html
The pages should load after that.
Regards, Ben