LinuxQuestions.org
Old 02-10-2005, 08:25 PM   #1
m3rajk
LQ Newbie
 
Registered: Dec 2003
Distribution: red hat (7.1 and 9.0)
Posts: 9

Rep: Reputation: 0
apache 403 for dir in /var/www/html/


running LAMP

FEDORA CORE 3

should be able to access only sub dirs of /var/www/html/

have three dirs. one is 755 the other two are 775.

all come up as 403. the two that are 775 have apache in the group that owns the group rights.

still not working.

everything i have found talks about .htaccess.
that is apparently set up right according to all of them (including the apache site)


i'm looking for any suggestions that will get it to work

port 80 is open AND the apache test page does load, as do files in the base directory
 
Old 02-11-2005, 03:49 AM   #2
shazam75
Member
 
Registered: Oct 2004
Location: Australia, Brisbane
Distribution: Gentoo
Posts: 296

Rep: Reputation: 30
Edit the following file commonhttpd.conf

Now find this part of the code
#Restricted set of options
<Directory />
Options -All -Multiviews
AllowOverride None
<IfModule mod_access.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>

Uncomment as listed above and add the following changes to the appropriate line

<Directory /PATH/TO/YOUR/DIRECTORY>
* this corresponds to the line immediately below the
#Restricted set of options


Also the line Order deny,allow should be changed to

Order allow,deny

That should do it - let me know how you go

Regards
Shelton.

Last edited by shazam75; 02-11-2005 at 03:51 AM.
 
Old 02-11-2005, 04:52 AM   #3
shazam75
Member
 
Registered: Oct 2004
Location: Australia, Brisbane
Distribution: Gentoo
Posts: 296

Rep: Reputation: 30
This is your ANSWER

Security Contexts For Web Pages

Fedora Core 3 introduced the concept of security contexts as part of the Security Enhanced Linux (SELinux) definition. (See Appendix I, "Miscellaneous Linux Topics," for details.) A Web page may have the right permissions, but the Apache httpd daemon won't be able to read it unless you assign it the correct security context or daemon access permissions. Context-related configuration errors will give "403 Forbidden" browser messages, and in some cases, you will get the default Fedora Apache page where your expected Web page should be.

When a file is created, it inherits the security context of its parent directory. If you decide to place your Web pages in the default /var/www/ directory, then they will inherit the context of that directory and you should have very few problems.

The context of a file depends on the SELinux label it is given. The most important types of security label are listed in Table 20-1.

Table 20-1 SELinux Security Context File Labels

HTTP Code | Description
httpd_sys_content_t | The type used by regular static web pages with .html and .htm extensions.
httpd_sys_script_ro_t | Required for CGI scripts to read files and directories.
httpd_sys_script_ra_t | Same as the httpd_sys_script_ro_t type but also allows appending data to files by the CGI script.
httpd_sys_script_rw_t | Files with this type may be changed by a CGI script in any way, including deletion.
httpd_sys_script_exec_t | The type required for the execution of CGI scripts


As expected, security contexts become important when Web pages need to be placed in directories that are not the Apache defaults. In this example, user root creates a directory /home/www/site1 in which the pages for a new Web site will be placed. Using the ls -Z command, you can see that the user_home_t security label has been assigned to the directory and the index.html page created in it. This label is not accessible by Apache.



[root@bigboy tmp]# mkdir /home/www/site1
[root@bigboy tmp]# ls -Z /home/www/
drwxr-xr-x root root root:object_r:user_home_t site1
[root@bigboy tmp]# touch /home/www/site1/index.html
[root@bigboy tmp]# ls -Z /home/www/site1/index.html
-rw-r--r-- root root root:object_r:user_home_t /home/www/site1/index.html
[root@bigboy tmp]#



Accessing the index.html file via a Web browser gets a "Forbidden 403" error on your screen, even though the permissions are correct. Viewing the /var/log/httpd/error_log gives a "Permission Denied" message and the /var/log/messages file shows kernel audit errors.



[root@bigboy tmp]# tail /var/log/httpd/error_log
[Fri Dec 24 17:59:24 2004] [error] [client 216.10.119.250] (13)Permission denied: access to / denied
[root@bigboy tmp]# tail /var/log/messages
Dec 24 17:59:24 bigboy kernel: audit(1103939964.444:0): avc: denied { getattr } for pid=2188 exe=/usr/sbin/httpd path=/home/www/site1 dev=hda5 ino=73659 scontext=system_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
[root@bigboy tmp]#



SELinux security context labels can be modified using the chcon command. Recognizing the error, user root uses chcon with the -R (recursive) and -h (modify symbolic links) qualifiers to modify the label of the directory to httpd_sys_content_t with the -t qualifier.



[root@bigboy tmp]# chcon -R -h -t httpd_sys_content_t /home/www/site1
[root@bigboy tmp]# ls -Z /home/www/site1/
-rw-r--r-- root root root:object_r:httpd_sys_content_t index.html
[root@bigboy tmp]#



Browsing now works without errors. User root won't have to run the chcon command again for the directory, because new files created in the directory will inherit the SELinux security label of the parent directory. You can see this when the file /home/www/site1/test.txt is created.



[root@bigboy tmp]# touch /home/www/site1/test.txt
[root@bigboy tmp]# ls -Z /home/www/site1/
-rw-r--r-- root root root:object_r:httpd_sys_content_t index.html
-rw-r--r-- root root root:object_r:httpd_sys_content_t test.txt
[root@bigboy tmp]#

source: http://www.siliconvalleyccie.com/lin...pachebasic.htm
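
The log triage the quoted tutorial does by eye on /var/log/messages, as an added example that is not part of the original post or the quoted article: a shell filter that extracts httpd_t AVC denials from kernel audit lines and lists the paths whose target type is not an httpd_sys_* label. The sample log lines are constructed from the one quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find what SELinux is denying to httpd.
# SAMPLE_LOG is constructed, modelled on the /var/log/messages line quoted above.
SAMPLE_LOG='Dec 24 17:59:24 bigboy kernel: audit(1103939964.444:0): avc: denied { getattr } for pid=2188 exe=/usr/sbin/httpd path=/home/www/site1 dev=hda5 ino=73659 scontext=system_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Dec 24 17:59:25 bigboy kernel: audit(1103939965.101:0): avc: denied { read } for pid=2188 exe=/usr/sbin/httpd path=/home/www/site1/index.html dev=hda5 ino=73660 scontext=system_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Dec 24 18:02:11 bigboy kernel: audit(1103940131.007:0): avc: denied { read } for pid=2301 exe=/usr/sbin/named path=/etc/named.custom dev=hda5 ino=1201 scontext=system_u:system_r:named_t tcontext=root:object_r:etc_t tclass=file
Dec 24 18:05:00 bigboy sshd[2400]: Accepted password for root from 192.0.2.10 port 4022 ssh2'

# Print "path<TAB>tclass<TAB>permissions<TAB>target_type" for every AVC denial
# whose source context type is httpd_t. Reads log lines on stdin.
httpd_denials() {
    awk '
    /avc: +denied/ {
        perm = ""; path = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Collect every permission listed between the braces.
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? "" : perm ",") $j
            } else if ($i ~ /^path=/) {
                path = substr($i, 6)
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            } else if ($i ~ /^scontext=/) {
                # Context is user:role:type[:level]; the type is field 3.
                split(substr($i, 10), c, ":"); stype = c[3]
            } else if ($i ~ /^tcontext=/) {
                split(substr($i, 10), c, ":"); ttype = c[3]
            }
        }
        if (stype == "httpd_t")
            printf "%s\t%s\t%s\t%s\n", path, tclass, perm, ttype
    }'
}

# Unique paths httpd was denied on because the target carries a non-web label.
needs_relabel() {
    httpd_denials | awk -F '\t' '$4 !~ /^httpd_sys_/ { print $1 }' | sort -u
}

# Demo on the constructed sample; on a real host pipe in /var/log/messages.
printf '%s\n' "$SAMPLE_LOG" | needs_relabel
```

chcon edits the label in place; on distributions that ship semanage, recording the rule with semanage fcontext and applying it with restorecon keeps the label across a filesystem relabel.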
 
Old 04-04-2005, 06:46 PM   #4
vmaxx
LQ Newbie
 
Registered: Jan 2005
Posts: 1

Rep: Reputation: 0
Thumbs up

Shazam, you da MAN. That was it. The funny thing was that I ran across the chcon when I was surfing for an answer. I tried a few commands I thought might do it, but didn't spend enough time on it.

Thanks again..

vm
 
Old 04-24-2005, 11:46 PM   #5
shazam75
Member
 
Registered: Oct 2004
Location: Australia, Brisbane
Distribution: Gentoo
Posts: 296

Rep: Reputation: 30
No problems - glad to help!

Regards
Shelton.
 
Old 05-31-2005, 01:06 PM   #6
jeffreybluml
Member
 
Registered: Mar 2004
Location: Minnesota
Distribution: Fedora Core 1, Mandrake 10
Posts: 405

Rep: Reputation: 30
shazam75,

I realize this is an older thread, but you seriously helped where nobody else seemed able.

Thanks for this explanation/tutorial!!!
 
Old 06-01-2005, 02:02 AM   #7
shazam75
Member
 
Registered: Oct 2004
Location: Australia, Brisbane
Distribution: Gentoo
Posts: 296

Rep: Reputation: 30
Hey Jeff

No, THANK YOU for appreciating and taking the time to write! Have fun with Linux!!

Regards
Shelton.
 
Old 10-11-2005, 01:31 PM   #8
DevNRG
LQ Newbie
 
Registered: Sep 2005
Posts: 6

Rep: Reputation: 0
Thanks for the tutorial but now I run into this.

chcon: can't apply partial context to unlabeled file /usr/local/apache2/htdocs/utstats

Any ideas?
 
  

