Apache forbidden by SELinux and access permissions

This post is a very trivial one, but it's just that I've found myself ignoring these things time and again. Every time I need to setup a new system for development in PHP or Drupal, I've ran into almost all of these small "issues". I would always prefer to have the working copy of the code somewhere in my home directory, and maybe have it symlinked from the directory which is set as my "Document Root" in Apache.

# cd /var/www/html
# ln -s ~ausmarton/Public/website/drupal-7.7 drupal

Assuming, everything is set up and will work, I go ahead to access the application in my browser, just to find out that all I can get is a big "Forbidden" message. Now, this happens because, in linux, to be able to access the contents of a directory, you should have the 'x' permission. But, unfortunately, home directories are by default set not to be accessible by anyone other than the designated user.

drwx------. 37 ausmarton ausmarton  4096 Aug 25 17:08 ausmarton

Hence, first of all, we need to give that 'x' permission to apache and since apache is neither the owner of the directory nor does it belong to the group of the directory, we need to give that 'x' permission to all other users.

# cd /home
# chmod o+x ausmarton
# ll
drwx-----x. 37 ausmarton ausmarton  4096 Aug 25 17:08 ausmarton

This solves the problem of permissions on the home directory. Yet, again when you try to reload the page in your browser you might not see any change if you have SELinux enabled. If you don't have SELinux on your system or if you have it disabled, you might not face any of the things mentioned further on. You might see a notification which says something like this:

SELinux is preventing /usr/sbin/httpd from search access on the directory /home/ausmarton.

A easy solution to this would be to disable SElinux, but if you want to keep SElinux running, you would have to instruct it to allow Apache to access your code files. The following command should fix the problem as long as you don't want Apache to be writing to any file/directory.


# setsebool -P httpd_read_user_content 1

However, if you want Apache to write to certain directories, you would need to run additional commands. The good thing about SELinux is, that every time it blocks access to something, it will show you notifications which will also contain a section on how to fix the problem for you.
Location: Diamond District, Kodihalli, Bengaluru, Karnataka, India

Comments

Post a Comment

Popular posts from this blog

Errors while trying to monitor Asterisk through Nagios

Today, I was trying to configure nagios to monitor an asterisk setup. I installed the nagios-plugins-check_sip plugin available for CentOS. I also had check_asterisk downloaded from here just to try out both. Now, check_asterisk and check_sip are perl scipts which can be used to monitor an asterisk setup. When run through the command line, they seem to work fine, i.e: given that asterisk or any other sip server is listening and your command is correct, you should get output similar to this: ;SIP/2.0 200 OK, 0.000585 seconds response time, cnt=1 Although, that's exactly what I got, it didn't work the same way through nagios, I was getting the following as the output from the plugin. (Service check did not exit properly) After enabling debug info for nagios, I found this in the logs, HOST: remotehost, SERVICE: Asterisk, CHECK TYPE: Active, OPTIONS: 1, SCHEDULED: Yes, RESCHEDULE: Yes, EXITED OK: No, RETURN CODE: 3, OUTPUT: **ePN failed to compile /usr/lib64/nagios/plugins/chec...
Read more

Configuring remote access for couchdb

By default, CouchDb is configured to be access only from a local port, i.e: you can connect to a couchdb instance as long as it is on the same host. Also, it is necessary that the HTTP request be made using the loopback IP address (127.0.0.1). In case you want to be able to access a couchdb instance from an external machine, you need to make some changes to the couchdb configuration. Note that you would need to have superuser access in order to make changes to these files. Usually couchdb will have two configuration (ini) files in /etc/couchdb depending on your installation. Both these files (default.ini and local.ini) can be used to enable remote hosts to access couchdb. The configuration required for this is: [httpd] port = 5984 bind_address = 0.0.0.0 By default the configuration would be: [httpd] port = 5984 bind_address = 127.0.0.1 This means that the Http server is bound only to the loopback IP address, which is why we change it to 0.0.0.0 to make it bind to any IP address. If...
Read more

Proxy Error 502 “Reason: Error reading from remote server” with Apache 2.2.3

I had a setup of tomcat running on port 8080 and Apache proxying for tomcat on port 80. If I tried to access webapps directly from tomcat on port 8080,. they were accessible, while on port 80, I would get the followig error: Proxy Error 502 “Reason: Error reading from remote server” with Apache 2.2.3 following fix worked: adding retry=1 acquire=3000 timeout=600 Keepalive=On after the Proxy directive in the http configuration.
Read more