[CentOS] Help with httpd userdir recovery

Wed Dec 28 20:11:35 UTC 2016
Robert Moskowitz <rgm at htt-consult.com>


On 12/28/2016 01:53 PM, m.roth at 5-cent.us wrote:
> Robert Moskowitz wrote:
>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz <rgm at htt-consult.com>
>>> wrote:
>>>> Which is why I wonder if there is some different config for the C7.3
>>>> version
>>>> of apache.
>>>>
>>>> Or something with the C7-arm build...
>>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>> Good advice.  As I suspect the problem is with SELinux.
>>
>> So I tried an access.  What follows is the access_log entry, the
>> error_log entry and the 3 entries in the audit.log:
>>
>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
>> Gecko/20100101 Firefox/50.0"
>>
>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
>> directory for index: /home/rgm/public_html/family/
>>
>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>> permissive=0
>>
>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322
>> per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0
>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>
>> type=PROCTITLE msg=audit(1482944350.289:339):
>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>
>>
>> I will say that after enabling selinux on this image per the
>> instructions of the team doing the Centos7-arm builds, I got the
>> following messages when I did things like 'setsebool -P
>> httpd_enable_homedirs on':
>>
>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>> [ 2273.052531] SELinux: the above unknown classes and permissions will
>> be allowed
>>
>>
>> So something may well not be right with my SELinux.
>>
> Bang. I would suggest, at this point, that you might want to set selinux
> into permissive mode, so you'll get the error messages from it, and can
> work out fixes, but will let your system operate as you intend.
> setselinux 0
>
> Note that this is *temporary*, and will revert on reboot. To make it
> permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my CentOS7-arm system, is

setenforce 0

And presto, it works.  So now to figure out what is wrong with SELinux on 
this image.
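
Added example, not part of the original message: a small Python parser that correlates the AVC, SYSCALL and PROCTITLE records quoted above by their shared `audit(timestamp:serial)` id and reduces them to the fields needed to triage the denial. The function names are hypothetical, and `SAMPLE` is the three records from the post with the mail line-wrapping undone.

```python
import errno
import re
from datetime import datetime, timezone

# The three audit.log records quoted in the post, with the mail line-wrapping undone.
SAMPLE = """\
type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): ?(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_events(text):
    """Group records by (epoch seconds, serial): one kernel event spans several records."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, sec, serial, body = m.groups()
        fields = dict(FIELD.findall(body))  # values keep their quotes for now
        a = AVC.search(body) if rtype == "AVC" else None
        if a:
            fields["result"], fields["perms"] = a.group(1), a.group(2).split()
        events.setdefault((int(sec), int(serial)), {})[rtype] = fields
    return events

def decode_proctitle(value):
    """Quoted values are literal; unquoted ones are hex with NUL between argv items."""
    if value.startswith('"') or len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", value):
        return value.strip('"')
    return bytes.fromhex(value).replace(b"\0", b" ").decode(errors="replace")

def summarize(key, ev):
    avc, sc, pt = ev.get("AVC", {}), ev.get("SYSCALL", {}), ev.get("PROCTITLE", {})
    setype = lambda ctx: (ctx.split(":") + ["", "", ""])[2]  # user:role:type:level
    return {
        "time": datetime.fromtimestamp(key[0], timezone.utc).isoformat(),
        "result": avc.get("result"), "perms": avc.get("perms", []), "tclass": avc.get("tclass"),
        "source": setype(avc.get("scontext", "")), "target": setype(avc.get("tcontext", "")),
        "name": avc.get("name", "").strip('"'), "enforced": avc.get("permissive") == "0",
        "errno": errno.errorcode.get(-int(sc.get("exit", "0")), "?"),
        "cmdline": decode_proctitle(pt.get("proctitle", "")),
    }

if __name__ == "__main__":
    print([summarize(k, ev) for k, ev in parse_events(SAMPLE).items()])
```

For the records in the post this ties the `{ read }` denial on the `family` directory (source type `httpd_t`, target type `httpd_user_content_t`) to the `EACCES` return seen by `/usr/sbin/httpd -DFOREGROUND`, at the same second as the 403 in the access log.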