C7 Apache File Access


Pulling out what little hair I have here, but stumbled onto a possible problem.

I have a server running C6 apache that is set up with personal directories and no problem showing the files.

You can see it at: medon.htt-consult.com/~rgm/pogo

So I have a C7 apache server I am building. Files I create on the new server are listing fine. Files I have copied (with cp -avr …) get permission error e.g.:

[Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208]
(13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/

File permissions are the same. So in frustration I try using stat and it shows a different picture:

$ stat test/testit
File: ‘test/testit’
Size: 6 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 524296 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/ rgm) Gid: ( 1000/ rgm)
Context: unconfined_u:object_r:httpd_user_content_t:s0
Access: 2015-12-23 13:53:04.212993088 -0500
Modify: 2015-12-23 13:53:06.313000584 -0500
Change: 2015-12-23 13:53:06.313000584 -0500
Birth: -

$ stat biby/MishnahBerurah-2015-12-18.amr
File: ‘biby/MishnahBerurah-2015-12-18.amr’
Size: 2290374 Blocks: 4480 IO Block: 4096 regular file
Device: 803h/2051d Inode: 136295 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/ rgm) Gid: ( 1000/ rgm)
Context: system_u:object_r:unlabeled_t:s0
Access: 2015-12-18 06:54:01.000000000 -0500
Modify: 2015-12-18 06:54:01.000000000 -0500
Change: 2015-12-23 13:56:57.273824913 -0500
Birth: -

Notice the difference with Context. What is this httpd_user_content_t? Why on files I create on this system and not those I cp from a USB drive? And is this the problem or something else?

thanks

5 thoughts on - C7 Apache File Access

  • Did not help.

    in messages I see:

    Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received policyload notice (seqno=3)
    Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice (seqno=3)
    Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded configuration
    Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
    Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy boolean was changed to on by root

    But still get the access error:

    [Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212]
    (13)Permission denied: [client 192.168.160.20:38836] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/

    I should say that this system is built with the CentOS7-arm build that we are testing out. So this could be a problem with the selinux build for armv7. But I thought this was a general C7/apache issue…

  • Thank you for that reminder. I did that and the directory was displayed.

    Switch back to enforcing and get the permissions error.

    So what do I try next? My current server is also an ARMv7 that is running the CentOS6 port of Redsleeve6. This port does not support selinux which is one of the many reasons I want to move all my ARMv7 servers over to C7-arm as soon as I can. Thus I suspect I am going to be learning (relearning in some cases) a lot about selinux…

    thanks

  • That is an selinux context which httpd is allowed to access. It is defined as the label for files matching the regex
    /home/[^/]*/((www)|(web)|(public_html))(/.+)? in
    /etc/selinux/targeted/contexts/files/

    “restorecon” can be used to reset contexts to those defined in that directory.

    Because you used cp -a, which preserves permissions and labels, among other attributes. Normally, files inherit a context from their parent directory.
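
An added example, not part of the thread or written by any of its participants: shell helpers for the check and fix the reply above describes, which list files whose SELinux type is not httpd_user_content_t, relabel a tree with restorecon, and copy while keeping timestamps only. The function names and the sample listing are constructed for illustration; the expected type and the two contexts are the ones shown in the thread.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names are illustrative.
# EXPECTED_TYPE is the label the thread says httpd may read under public_html.
EXPECTED_TYPE="httpd_user_content_t"

# Read "context path" lines (the format of: stat -c '%C %n' FILE...) and
# print "type path" for each file whose SELinux type is not EXPECTED_TYPE.
find_mislabeled() {
    local context path type
    while read -r context path; do
        [ -n "$context" ] || continue
        # A context is user:role:type:level, so the type is field 3.
        type=$(printf '%s' "$context" | cut -d: -f3)
        [ "$type" = "$EXPECTED_TYPE" ] || printf '%s %s\n' "$type" "$path"
    done
}

# Audit a real tree, e.g. audit_tree /home/rgm/public_html
audit_tree() {
    find "$1" -exec stat -c '%C %n' {} + | find_mislabeled
}

# Reset labels to what the file-context rules define for each path.
relabel_tree() {
    restorecon -Rv "$1"
}

# Copy keeping timestamps only, so new files are labelled like any file
# created in the destination directory instead of carrying over the
# source's label (which is what cp -a does).
copy_keep_times() {
    cp -R --preserve=timestamps "$1" "$2"
}

# Constructed sample: the two contexts shown in the stat output above.
sample_listing() {
    cat <<'EOF'
unconfined_u:object_r:httpd_user_content_t:s0 test/testit
system_u:object_r:unlabeled_t:s0 biby/MishnahBerurah-2015-12-18.amr
EOF
}

# Demo on the constructed sample; no SELinux tools are needed for this part.
sample_listing | find_mislabeled
```

On an SELinux host, run `audit_tree` before and after `relabel_tree` to confirm that no file under public_html is left with an unexpected type.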

  • Ah yes. I was lazy, as ‘all’ I really wanted was to maintain timestamps on those files. Serves me right…

    thanks for the explanation.

    New server is more solid than current, so I am going to launch it tomorrow. Then on to BIND testing.