This is your ANSWER
Security Contexts For Web Pages
Fedora Core 3 introduced security contexts, part of the Security Enhanced Linux (SELinux) implementation. (See Appendix I, "Miscellaneous Linux Topics," for details.) A Web page may have the right Unix permissions, but the Apache httpd daemon will still be unable to read it unless the file carries a security context that the httpd domain is allowed to access. Context-related configuration errors produce "403 Forbidden" browser messages, and in some cases you will get the default Fedora Apache page where your expected Web page should be.
When a file is created, it inherits the security context of its parent directory. If you decide to place your Web pages in the default /var/www/ directory, then they will inherit the context of that directory and you should have very few problems.
The context of a file depends on the SELinux label (type) it is given. The most important types for Web content are listed in Table 20-1.

Table 20-1 SELinux Security Context File Labels

Label                        Description
httpd_sys_content_t          Regular static content such as .html and .htm pages. httpd may read it but not modify it.
httpd_sys_script_ro_t        Files and directories that CGI scripts may read.
httpd_sys_script_ra_t        Same as httpd_sys_script_ro_t, but CGI scripts may also append data to the files.
httpd_sys_script_rw_t        Files that CGI scripts may change in any way, including deletion.
httpd_sys_script_exec_t      Required for CGI scripts to be executed by httpd.
As expected, security contexts become important when Web pages need to be placed in directories that are not the Apache defaults. In this example, user root creates a directory /home/www/site1 in which the pages for a new Web site will be placed. Using the ls -Z command, you can see that the user_home_t label has been assigned to the directory and to the index.html page created in it. The httpd_t domain that Apache runs in is not allowed to read files with this label.
[root@bigboy tmp]# mkdir /home/www/site1
[root@bigboy tmp]# ls -Z /home/www/
drwxr-xr-x  root     root     root:object_r:user_home_t        site1
[root@bigboy tmp]# touch /home/www/site1/index.html
[root@bigboy tmp]# ls -Z /home/www/site1/index.html
-rw-r--r--  root     root     root:object_r:user_home_t        /home/www/site1/index.html
[root@bigboy tmp]#
Accessing the index.html file via a Web browser gives a "403 Forbidden" error on your screen, even though the Unix permissions are correct. Viewing /var/log/httpd/error_log shows a "Permission denied" message, and /var/log/messages shows the kernel AVC (access vector cache) denial, which names the source context (httpd_t), the target path and its label (user_home_t), and the denied operation (getattr on a dir).
[root@bigboy tmp]# tail /var/log/httpd/error_log
[Fri Dec 24 17:59:24 2004] [error] [client 216.10.119.250] (13)Permission denied: access to / denied
[root@bigboy tmp]# tail /var/log/messages
Dec 24 17:59:24 bigboy kernel: audit(1103939964.444:0): avc: denied { getattr } for pid=2188 exe=/usr/sbin/httpd path=/home/www/site1 dev=hda5 ino=73659 scontext=system_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
[root@bigboy tmp]#
SELinux security context labels can be modified with the chcon command. Recognizing the error, user root uses chcon with the -R (recursive) and -h (act on symbolic links themselves rather than on their targets) qualifiers, and the -t qualifier to set the type of the directory and everything under it to httpd_sys_content_t. Note that chcon changes only the label stored on the files; it does not teach the SELinux policy that /home/www belongs to httpd, so a full relabel of the filesystem (restorecon or fixfiles) will put the old label back. On later releases the lasting fix is to register the path with semanage fcontext and then run restorecon.
[root@bigboy tmp]# chcon -R -h -t httpd_sys_content_t /home/www/site1
[root@bigboy tmp]# ls -Z /home/www/site1/
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t index.html
[root@bigboy tmp]#
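The diagnosis and the fix above can be mechanised. The following POSIX shell script is an added example, not part of the original tutorial: it takes an AVC denial line of the kind shown in /var/log/messages, checks that the denied domain is httpd_t and that the target label is not one of the web-content types from Table 20-1, and prints the chcon command that relabels the denied path. The sample log line is constructed, modelled on the one on this page; the function names and the decision to relabel to httpd_sys_content_t are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original tutorial): derive a chcon fix from an
# SELinux AVC denial logged for the Apache httpd daemon.

# Constructed sample denial, modelled on the /var/log/messages line on this page.
AVC_SAMPLE='Dec 24 17:59:24 bigboy kernel: audit(1103939964.444:0): avc: denied { getattr } for pid=2188 exe=/usr/sbin/httpd path=/home/www/site1 dev=hda5 ino=73659 scontext=system_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir'

# File types the targeted policy lets httpd_t read (Table 20-1 on this page).
HTTPD_TYPES='httpd_sys_content_t httpd_sys_script_ro_t httpd_sys_script_ra_t httpd_sys_script_rw_t httpd_sys_script_exec_t'

# avc_field LINE KEY -> value of "KEY=value" in the AVC line, empty if absent
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# context_type CONTEXT -> the type component of user:role:type[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# httpd_readable TYPE -> exit 0 if httpd_t may read files of TYPE, 1 otherwise
httpd_readable() {
    for t in $HTTPD_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# suggest_fix LINE -> prints the chcon to run, or prints nothing and exits 1
# when the denial is not an httpd_t access to a non-web label (so that a
# denied *write* to httpd_sys_content_t is not "fixed" by a blind relabel).
suggest_fix() {
    line=$1
    case "$line" in
        *'avc: denied'*) ;;
        *) return 1 ;;
    esac
    sdom=$(context_type "$(avc_field "$line" scontext)")
    [ "$sdom" = httpd_t ] || return 1
    path=$(avc_field "$line" path)
    [ -n "$path" ] || return 1
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    if httpd_readable "$ttype"; then
        return 1
    fi
    printf 'chcon -R -h -t httpd_sys_content_t %s\n' "$path"
}

main() {
    printf 'denied path: %s (label %s)\n' \
        "$(avc_field "$AVC_SAMPLE" path)" \
        "$(context_type "$(avc_field "$AVC_SAMPLE" tcontext)")"
    printf 'suggested fix: %s\n' "$(suggest_fix "$AVC_SAMPLE")"
}
main
```

Run it against real data with something like `grep 'avc: denied' /var/log/messages | while read -r l; do suggest_fix "$l"; done` and review the output before executing it; the script deliberately prints the command rather than running it, because relabelling a path outside /var/www is a policy decision, not something a log line alone should trigger.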
Browsing now works without errors. User root won't have to run chcon again for files created in the directory, because a new file inherits the SELinux label of its parent directory. You can see this when /home/www/site1/test.txt is created. The inheritance applies only to newly created files, though: a file moved into the directory with mv keeps the label it already had, whereas cp creates a new file and so picks up the directory's label.
[root@bigboy tmp]# touch /home/www/site1/test.txt
[root@bigboy tmp]# ls -Z /home/www/site1/
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t index.html
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t test.txt
[root@bigboy tmp]#
source:
http://www.siliconvalleyccie.com/lin...pachebasic.htm