Apache

runlikeanantelope · 02-19-2007, 04:02 PM

I can access the default page at http://localhost, but when I try to browse to something under /var/www/html, I get the 403 forbidden error. Now I've seen posts about changing permissions of the folder and files under /var/www/html, but do I set them to the user that the webserver has defined it is settings (apache:apache)? Whatever I try does not seem to work.

[root@linuxmcarey /]# chown -R apache:apache /var/www/html
[root@linuxmcarey /]# chmod 755 /var/www/html

Also, I've seen posts about checking the httpd file, but when I do a search, a couple come up. How do I tell which httpd file it is using?

sikofitt · 02-19-2007, 05:30 PM

check in your apache configuration that it is infact apache:apache and make sure its uncommented, different distros change this to different things sometimes.

runlikeanantelope · 02-20-2007, 07:39 AM

Sorry, this is RedHat 4. Not sure what version of apache.

Yes, when I open up the Web Server applet, the user and group both have apache. The folder I'm trying to access is cacti:

[root@linuxmcarey html]# ls -al
total 1132
drwxr-xr-x 3 apache apache 4096 Feb 19 16:35 .
drwxr-xr-x 9 root root 4096 Feb 19 15:35 ..
drwxr-xr-x 11 apache apache 4096 Feb 19 16:32 cacti
-rwxr-xr-x 1 apache apache 1126337 Feb 19 15:17 cacti-0.8.6j.tar.gz
[root@linuxmcarey html]#

sn68 · 02-20-2007, 07:50 AM

Has to do with SElinux policy, if you disable then there will be no errors, however to work with SElinux polix do
>chcon -R -h -t httpd_sys_content_t /home/www/html/*

Ref: http://www.linuxhomenetworking.com/w...hat_.2F_Fedora

Quote:

Accessing the index.html file via a Web browser gets a "Forbidden 403" error on your screen, even though the permissions are correct. Viewing the /var/log/httpd/error_log gives a "Permission Denied" message and the /var/log/messages file shows kernel audit errors.

[root@bigboy tmp]# tail /var/log/httpd/error_log
[Fri Dec 24 17:59:24 2004] [error] [client 216.10.119.250] (13)Permission denied: access to / denied
[root@bigboy tmp]# tail /var/log/messages
Dec 24 17:59:24 bigboy kernel: audit(1103939964.444:0): avc: denied { getattr } for pid=2188 exe=/usr/sbin/httpd path=/home/www/site1 dev=hda5 ino=73659 scontext=system_u:system_r:httpd_t tcontext=root

bject_r:user_home_t tclass=dir
[root@bigboy tmp]#

SELinux security context labels can be modified using the chcon command. Recognizing the error, user root uses chcon with the -R (recursive) and -h (modify symbolic links) qualifiers to modify the label of the directory to httpd_sys_content_t with the -t qualifier.

[root@bigboy tmp]# chcon -R -h -t httpd_sys_content_t /home/www/site1
[root@bigboy tmp]# ls -Z /home/www/site1/
-rw-r--r-- root root root

bject_r:httpd_sys_content_t index.html
[root@bigboy tmp]#

Browsing now works without errors. User root won't have to run the chcon command again for the directory, because new files created in the directory will inherit the SELinux security label of the parent directory. You can see this when the file /home/www/site1/test.txt is created.

[root@bigboy tmp]# touch /home/www/site1/test.txt
[root@bigboy tmp]# ls -Z /home/www/site1/
-rw-r--r-- root root root

bject_r:httpd_sys_content_t index.html
-rw-r--r-- root root root

bject_r:httpd_sys_content_t test.txt
[root@bigboy tmp]#