Question

I have a mounted directory from home in /var/www/html/ict. Allow user permissions are fine but still through the web browser I get a 403 error.

SELinux, I suspect, does not allow files and directories coming from other locations. Can you help me add the relevant permission so that this can be fixed?

The error log from the audit file:

    type=AVC msg=audit(1395610534.041:179195): avc:  denied  { search } for  pid=18370 comm="httpd" name="upload" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1395610534.041:179195): arch=c000003e syscall=4 success=no exit=-13 a0=7ffb5f863bc8 a1=7fff80a374c0 a2=7fff80a374c0 a3=0 items=0 ppid=3075 pid=18370 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1395610534.043:179196): avc:  denied  { getattr } for  pid=18370 comm="httpd" path="/var/www/html/ict/farengine" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1395610534.043:179196): arch=c000003e syscall=6 success=no exit=-13 a0=7ffb5f863cb0 a1=7fff80a374c0 a2=7fff80a374c0 a3=1 items=0 ppid=3075 pid=18370 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Solution

Rather than simply provide a link, but not completely rip off the content of that link, here's the rundown.

Install policycoreutils-python, which contains semanage, to allow policy to be set up that will allow Apache to read, or read/write, areas outside of the DocumentRoot.

    yum install -y policycoreutils-python

The article also mentioned a troubleshooting package, but my machine could not locate it.

Create policy for read only areas that are a part of your application, outside of the DocumentRoot

    semanage fcontext -a -t httpd_sys_content_t "/webapps(/.*)?"

Create policy for logging directories

    semanage fcontext -a -t httpd_log_t "/webapps/logs(/.*)?"

Create policy for cache directories

    semanage fcontext -a -t httpd_cache_t "/webapps/cache(/.*)?"

Create policy for read/write areas that are outside of the DocumentRoot

    semanage fcontext -a -t httpd_sys_rw_content_t "/webapps/app1/public_html/uploads(/.*)?"

Apply the policy with the restorecon command

    restorecon -Rv /webapps

Verify policy has been applied

    ls -lZ /webapps

That's it in a nutshell. The original article is nicer to read, however.
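To see which labels need changing before running semanage, the AVC records from the question can be reduced to the SELinux types involved. The script below is an added example, not part of the original answer or the linked article; the function names `avc_summary` and `avc_type_pairs` are hypothetical, and the sample input is the two AVC lines quoted in the question.

```bash
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit log records.

# The two AVC records from the question, embedded so this runs offline.
SAMPLE_AVC='type=AVC msg=audit(1395610534.041:179195): avc:  denied  { search } for  pid=18370 comm="httpd" name="upload" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1395610534.043:179196): avc:  denied  { getattr } for  pid=18370 comm="httpd" path="/var/www/html/ict/farengine" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# avc_summary: read audit records on stdin and print one line per denial:
#   <source type> <target type> <object class> <permissions> <path or name>
# Non-AVC records (for example type=SYSCALL) are skipped.
avc_summary() {
  awk '
    # Return the value of key=value on the current record, quotes stripped.
    function val(key,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          v = substr($i, length(key) + 2)
          gsub(/"/, "", v)
          return v
        }
      return ""
    }
    # A context is user:role:type:level; the type is the third part.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    $1 == "type=AVC" {
      perms = ""; inside = 0; denied = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "denied") denied = 1
        else if ($i == "{") inside = 1
        else if ($i == "}") inside = 0
        else if (inside) perms = (perms == "" ? $i : perms "," $i)
      }
      if (!denied) next
      obj = val("path"); if (obj == "") obj = val("name")
      print setype(val("scontext")), setype(val("tcontext")), val("tclass"), perms, obj
    }'
}

# avc_type_pairs: count denials per "source type -> target type" pair.
avc_type_pairs() {
  avc_summary | awk '{ c[$1 " -> " $2]++ } END { for (k in c) print c[k], k }' | sort
}

printf '%s\n' "$SAMPLE_AVC" | avc_type_pairs
```

For the question's log this reports two denials of `httpd_t` against `user_home_t`, which is the label mismatch that the `semanage fcontext` and `restorecon` steps above correct.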

Other tips

If you are using CentOS with SELinux, try:

    sudo restorecon -r /var/www/html

See more: https://www.centos.org/forums/viewtopic.php?t=6834#p31548

License: CC-BY-SA with attribution