[CentOS] Forbidden: can't access *.html files in /var/www/html

Wed Sep 29 17:21:49 UTC 2010
Simon Billis <simon at houxou.com>

Alexander Farber sent a missive on 2010-09-29:

> On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis <simon at houxou.com> wrote:
>> Can you show the output of ls -laZ please? This will show the
>> selinux context information for the files - the error is usually to
>> do with the context of the files.
> 
> Hello and thanks for your reply. The SELinux stuff is new for me.
> 
> Yes I have moved that Alex.html from my home dir and (the 1st one fails):
> 
> # ls -laZ /var/www/html/Alex.html
> -r--r--r--  root root system_u:object_r:user_home_t /var/www/html/Alex.html

You can see here that the context is incorrect for the file to be served by
apache. You can change it using:

"chcon user_u:object_r:httpd_sys_content_t /var/www/html/Alex.html" with no
quotes.

This will change the file to the specific context needed. You can also use
restorecon -R, as others have mentioned.



> 
> # ls -laZ /var/www/html/test/Alex.html
> -r--r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/test/Alex.html
> 
> # ls -laZ /var/www/html/index.php
> -rw-r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/index.php
> 
> # ls -laZ /var/www/html/hello-world.php
> -rw-r--r--  afarber afarber user_u:object_r:httpd_sys_content_t /var/www/html/hello-world.php
> 
> I'm using http, not https. And /usr/sbin/getenforce prints "Enforcing".

You can use "setenforce 0" without the quotes to disable selinux from the
command line till the next reboot or until you issue "setenforce 1" - this is
useful for testing, as is looking at /var/log/audit/audit.log and also using
commands such as audit2why and audit2allow (I strongly recommend reading at
least the man pages and also such websites as
http://www.nsa.gov/research/selinux/docs.shtml (google selinux)).


> 
> I didn't know that there were additional attributes for the files.
> And I don't know how to stop/start SELinux (it is not a service in
> /etc/init.d, right?) but I'd like to keep SELinux running, since all
> other programs I've listed seem to cope okay with it.

I recommend that you keep selinux running and enforcing and that you spend
some time learning it. It is very useful. The config files are located in
/etc/selinux, and you can set selinux to be disabled or, if you want,
permissive, i.e. it will not stop you or others doing things but will report
on the violations.

Have fun

S.
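
The label check discussed in this thread, as an added example that is not part of the original message: a small shell function that reads `ls -laZ`-style lines and reports every file whose SELinux type is not the expected one. The function name `find_mislabeled`, the default expected type and the no-whitespace-in-paths restriction are assumptions of this example; the sample input is constructed from the four listings quoted above.

```shell
#!/bin/sh
# Added example: flag files whose SELinux type differs from the expected one.
# Input: `ls -laZ`-style lines on stdin. Output: "path<TAB>type" per mismatch.
# Assumptions: paths contain no whitespace; the expected type defaults to
# httpd_sys_content_t, the type carried by the files that are served correctly.

find_mislabeled() {
    expected="${1:-httpd_sys_content_t}"
    awk -v want="$expected" '
        {
            ctx = ""
            # The context is the first field shaped user:role:type[:level].
            # Scanning for it tolerates extra columns (link count, size, date).
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[A-Za-z_][A-Za-z0-9_]*:[A-Za-z_][A-Za-z0-9_]*:[A-Za-z_][A-Za-z0-9_]*(:.*)?$/) {
                    ctx = $i
                    break
                }
            }
            if (ctx == "") next          # e.g. the "total N" line
            split(ctx, part, ":")        # part[3] is the SELinux type
            if (part[3] != want)
                printf "%s\t%s\n", $NF, part[3]
        }'
}

# Constructed sample: the four listings quoted in this thread.
SAMPLE='-r--r--r--  root root system_u:object_r:user_home_t /var/www/html/Alex.html
-r--r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/test/Alex.html
-rw-r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/index.php
-rw-r--r--  afarber afarber user_u:object_r:httpd_sys_content_t /var/www/html/hello-world.php'

printf '%s\n' "$SAMPLE" | find_mislabeled
```

On a live system the same function can be fed directly, for example `ls -laZ /var/www/html | find_mislabeled`; anything it reports is a candidate for the chcon or restorecon -R fix described in the message.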