LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 10-24-2009, 10:44 AM   #1
chickenjoy
Member
 
Registered: Apr 2007
Distribution: centos,rhel, solaris
Posts: 239

Rep: Reputation: 30
Unable to access webserver folder


SELinux restricting access to a folder which in turn prevents my apache config access the document root.

- I have SELinux turned on.

=== No Problem with the following: ===
/etc/httpd/conf/httpd.conf:
<VirtualHost *:80>
ServerAdmin root@www.clare.com
DocumentRoot /var/www/html/clare.dev
ServerName www.clare.com
ErrorLog logs/www.clare.com-error_log
CustomLog logs/www.clare.com-access_log common
</VirtualHost>

I can access the site.

=== Problem arises when: ===
I change the folder to a higher level:
DocumentRoot to /claresite

[error] [client 127.0.0.1] client denied by server configuration: /claresite/

Here are my return results:

root@linux1 logs/ # ls -Z /claresite/
-rw-r--r-- root root rootbject_r:httpd_sys_content_t index.html
root@linux1 logs/ # ls -Z /var/www/html/clare.dev/
-rw-r--r-- root root rootbject_r:httpd_sys_content_t index.html

I'm new to SELinux and I can't find out why this is happening? Can anyone share some ideas on why this is occurring?

TIA

Last edited by chickenjoy; 10-24-2009 at 10:46 AM.
 
Old 10-24-2009, 11:17 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by chickenjoy View Post
[error] [client 127.0.0.1] client denied by server configuration: /claresite/
A typical webserver log entry. This does not show any evidence of SELinux restricting access to that folder. If there is any you'd find it in /var/log/audit/audit.log (or /var/log/messages if you don't run Auditd) but not in /var/log/httpd/.
 
Old 10-24-2009, 11:51 AM   #3
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,994

Rep: Reputation: 76
SELinux restricts access to files and folders by their labels; what do you get for the output of this:
Code:
ls -lZd /var/www/html/claire.dev /clairesite
As unSpawn says, the error you're getting doesn't point to SELinux; you should check the audit.log file to be sure. If it is an SELinux issue, then this should help you setting up the right rules and labels: http://stuff.mit.edu/afs/athena.mit....pter-0017.html

Since the error refers to the server configuration, it seems more likely that you are missing a <Document> or <Location> tag entry for the document or folder that you're reading from in Apache's httpd.conf file (or an included configuration file for the site).
 
Old 10-24-2009, 12:44 PM   #4
chickenjoy
Member
 
Registered: Apr 2007
Distribution: centos,rhel, solaris
Posts: 239

Original Poster
Rep: Reputation: 30
- Thanks guys, ok its not a SELinux problem after all. I've checked the audit.log and there was no entry.
- I made a test to see if the Virtual Host's DocumentRoot can see a folder higher than the general DocumentRoot which was '/var/www/html'.
---- I changed the /claresite to a symbolic link to /var/www/html/clare.dev instead. So I believe that even the SELinux labels are preserved when accessing this folder. Result: still wasn't able to access the index.html file inside.

Still haven't solved it; but I'm still intrigued.
 
Old 10-25-2009, 03:35 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by chickenjoy View Post
- I made a test to see if the Virtual Host's DocumentRoot can see a folder higher than the general DocumentRoot which was '/var/www/html'. I changed the /claresite to a symbolic link to /var/www/html/clare.dev instead. (..) Result: still wasn't able to access the index.html file inside.
I've reflected your growing insight by changing your thread title to read "Unable to access webserver folder". Furthermore I think you should adjust your webservers configuration instead of symlinking. I'll move this thread to the Linux Server forum as it is not a Linux Security issue. The symlink will dissolve in 5 days.
 
Old 10-26-2009, 12:57 AM   #6
miltonhork
LQ Newbie
 
Registered: Oct 2009
Posts: 3

Rep: Reputation: 0
If your linux system is unable to access webserver then do following:
Step 1. Configure Apache to Allow Access Authorization.
Step 2. Identify the Folder/Directory to Protect.
Step 3. Add Access Files to the Folder.
Step 4. Add Additional Users.
Step 5. Test the Password Function.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Unable to access fedora 10 shared folder from windows nightmare49 Linux - Software 2 08-17-2009 06:41 AM
Unable to access folder phodopus Slackware 12 12-18-2008 08:49 AM
Folder Max Size and Limiting SSH access to home folder. Mefistofeles Linux - General 4 11-26-2005 02:09 PM
Where is the data folder for webserver? helpme0904 Linux - General 1 11-03-2004 08:49 AM
Unable to access the webserver through bridged interface ibrahimt Linux - Networking 1 07-05-2004 04:54 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 04:57 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration