403 error on Apache Server with Django application

Question

I've been searching throughout this site for a solution but haven't been able to find one. I have a CentOS 6.4 server with Apache 2.2.15, Django 1.6 and mod_wsgi 3.2. I am using Apache to display static files and mod_wsgi to display Django content.

I placed the Django project files in the /srv directory due to this page.

When I run the Django development server, the test page that I wrote up displays properly. However, when I start my Apache server and visit 127.0.0.1, I get a 403 Forbidden error.

django.wsgi (in /srv/mysite)

import os
import sys

envpath = '/usr/lib/python2.6/site-packages'

pwd = os.path.dirname(os.path.abspath(__file__))
os.chdir(pwd)
sys.path = [env] + sys.path

os.environ['PYTHON_EGG_CACHE'] = '/srv/mysite/.python-egg'
os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'

site.addsitedir(envpath)

from django.core.handlers.wsgi import WSGIHandler
application = WSGIHandlers()

httpd.conf

WSGIScriptAlias / /srv/mysite/django.wsgi
WSGIPythonPath /srv/mysite
<more aliases and tags in order to get the right static files to show>

In the httpd.conf file, the user and group that is listed is the default apache. I ran a ls -l on the /srv directory and its owner and group were listed as root. So, I ran sudo chown -R apache:apache /srv/mysite which changed the directory and all subdirectories to use apache as owner and group.

However, no matter how much I Google or try, I can't get over this 403 error.

EDIT:

I've discovered that when I disable SELinux, and the WSGIPythonPath variable in the http.conf file is django.wsgi, it results in a 500 Internal Server error. However, when I change it to wsgi.py, my website displays properly. I am curious as to why that is.

In any case, since this will be a production machine, I prefer to keep SELinux on and figure out how to get the appropriate permissions figured out.

EDIT 2:

I've edited my django.wsgi file (changed above) ala this link

EDIT 3:

I tried moving my project files into the my /home/ folder. I've been alternating between trying django.wsgi and wsgi.py but still can't get past the 403 Forbidden error. I thought it was originally a permissions issue with the /srv directory but it appears that's not the case...I am trying to figure this out but nothing is working.

EDIT 4:

I decided to just stick the development server for now...but I still need to get this working and I am at the end of my rope. Is there anyone out there that can help me?

Answer 1

SELinux has its own system of granting access. Your process ever has to be granted to access files on filesystem depending on SELinux context. There are some default politics and contexts defined in SELinux those are usefull for default cases of your installation. Just web files are expected to be in '/var/www'. You can mostly check the current context of files or processes using switch '-Z', see

[root@localhost]#  ls -Z /var
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 www

Check the context of /srv/mysite

[root@localhost]#  ls -Z /srv
drwxr-xr-x. root root system_u:object_r:var_t:s0       mysite

The Apache HTTPD server is allowed to access files with SELinux type httpd_sys_content_t byt it is NOT allowed to access files with SELinux type var_t.

1. Change the SELinux type for your directory and check the context

[root@localhost]#  chcon -R -t  httpd_sys_content_t /srv/mysite
[root@localhost]#  ls -Z /srv
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mysite

Check if your webiste is working right now.

Till now it is not finished yet, while you relabel filesystem to default or if you use a daemon to check or relabel itself, you risk to lose your new labeling.

2. Make the default labaling for your directory

Create the default labeling by 'semange' and apply it on your directory by 'restorecon'

[root@localhost]#  semanage fcontext -a -t httpd_sys_content_t /srv/mysite
[root@localhost]#  restorecon -v -R /srv/mysite
[root@localhost]#  ls -Z /srv
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mysite

Right now your SELinux labeling is fixed.

Note: It is possible regular expressions to define default context.

Debian: I'm not a Debian user, so the SELinux type can be a bit different, the principle is just the same, check the SELinux type of your apache directory and set it on your directory you want to be accessible from apache.

---

Read more at RedHat: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html

Fedora SELinux documentation: http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/