Same permissions, different rights?

Question

I am running a Python script within an Apache server through CGI. Inside the script I try to read files that reside inside /home directory. However, I can read one file and not the other. This is very frustrating to my goal of understanding permissions and what can be read or not.

# Works
file_tmp = open("/home/blastdbs/db_01.fasta", 'r')

# Fails
file_tmp = open("/home/blast_dbs/db_01.fasta", 'r')
<type 'exceptions.IOError'>: [Errno 13] Permission denied: '/home/blast_dbs/db_01.fasta' 

ls -l /home/
drwxr-xr-x.  2 myself myself  4096 Jun 17 18:18 blastdbs
drwxr-xr-x.  2 myself myself  4096 Jun 17 18:18 blast_dbs

ls -l /home/blastdbs/
-rwxr-xr-x. 1 myself myself   32484551 Jun 17 17:28 db_01.fasta
-rwxr-xr-x. 1 myself myself 2279012809 Jun 17 13:10 db_02.fasta

ls -l /home/blast_dbs/
-rwxr-xr-x. 1 myself myself  32484551 Jun 17 13:09 db_01.fasta

By the way, trying to read db_02 yields the same exception.

I hope someone could bring some light on this. Thank you

Answer 1

The Apache server is installed within a Linux distribution with SELinux enabled. SELinux by default denies Apache to read files in /home folders. By using ls -Z one can check SELinux labels of files. In my case, while usual (DAC) permissions were the same and there were no ACLs set, SELinux context was different:

Next one is readable from Apache daemon and scripts:

unconfined_u:object_r:httpd_sys_content_t:

Next one is the file that SELinux denies access to Apache:

unconfined_u:object_r:user_home_t

Answer 2

Use the following insturctions but with httpd_sys_content_t for labeling your directory. Do not label the whole home directory, but just for example /home/myuser/apache

https://superuser.com/questions/607409/configuring-selinux-to-allow-logging-to-a-file-thats-outside-var-log