OK.. this one is driving me nuts....

I am running RH ES 4 and their standard apache server install. If I use it as it comes preconfigured with the standard docroot in /var/www/html, everything is fine. However, if I create any alias statements that reference outside of the docroot, ex) /webservices/cosmo, then I keep getting access denied - Forbidden 403 errors. I have googled for the past 4 hours and haven't found anything conclusive. Below is an excerpt of the 'cosmo' section.

<Directory />
Options Indexes FollowSymLinks
AllowOverride None
</Directory>

Alias /cosmo "/webservices/cosmo/"
<Directory "/webservices/cosmo/">
Options +Indexes #I've also tried just Indexes (w/o the +)
AllowOverride None
Order allow,deny
Allow from all
</Directory>

I have given permissions 755 and to the entire /webservices tree. I have changed the owners and group from the root.root to apache.apache. I have restarted the services, tried rebooting the server, I am completely out of ideas. I don't remember having this problem on previous versions of Apache.

Below is the error_log contents from the point that I start the apache service and then try to access the alias '/cosmo'

[Tue Sep 20 23:20:06 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Sep 20 23:20:06 2005] [info] Init: Initializing OpenSSL library
[Tue Sep 20 23:20:06 2005] [info] Init: Seeding PRNG with 256 bytes of entropy
[Tue Sep 20 23:20:06 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Sep 20 23:20:06 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Sep 20 23:20:06 2005] [info] Init: Initializing (virtual) servers for SSL
[Tue Sep 20 23:20:06 2005] [info] Server: Apache/2.0.52, Interface: mod_ssl/2.0.52, Library: OpenSSL/0.9.7a
[Tue Sep 20 23:20:07 2005] [notice] Digest: generating secret for digest authentication ...
[Tue Sep 20 23:20:07 2005] [notice] Digest: done
[Tue Sep 20 23:20:07 2005] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Tue Sep 20 23:20:07 2005] [notice] LDAP: SSL support unavailable
[Tue Sep 20 23:20:07 2005] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Tue Sep 20 23:20:07 2005] [info] Init: Initializing OpenSSL library
[Tue Sep 20 23:20:07 2005] [info] Init: Seeding PRNG with 256 bytes of entropy
[Tue Sep 20 23:20:07 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Sep 20 23:20:09 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Sep 20 23:20:09 2005] [info] Shared memory session cache initialised
[Tue Sep 20 23:20:09 2005] [info] Init: Initializing (virtual) servers for SSL
[Tue Sep 20 23:20:09 2005] [info] Server: Apache/2.0.52, Interface: mod_ssl/2.0.52, Library: OpenSSL/0.9.7a
[Tue Sep 20 23:20:09 2005] [notice] Apache/2.0.52 (Red Hat) configured -- resuming normal operations
[Tue Sep 20 23:20:09 2005] [info] Server built: Aug 31 2005 10:37:57
[Tue Sep 20 23:20:11 2005] [error] [client 127.0.0.1] (13)Permission denied: access to /cosmo denied



Thanks for any help...
Michael

Try setting it like this

I contacted Red Hat support and it turns out the issue is caused by the security function of SELinux which is included with RH ES3 & 4. This security feature works on top of the standard UNIX style sid & gid. Unless you want to return just to standard UNIX style security, you either have to turn off SELinux for the httpd process or update the context of files and directories that you want httpd to view.

Since httpd sets the security context for the default installation just fine, you only need to modify the context of directories outside the documentroot. Using my previous config setup, I needed to issue:

chcon -R system_u:object_r:httpd_sys_content_t webservices

for this to work successfully. Once I did that, everything began serving as it should. Thanks for those who responded though.