Thursday, July 12, 2012

Fun with SELinux and Apache

I was so proud of myself getting UserDir to work in Apache.  I thought I was set.  But when I tried to log into my account on my web server I got an error message saying it could not find my user directory so it was dropping me in /.  This was not good.  I let it go for a little while since this was a learning platform and not a production system.  But today I decided to find out why this was happening.

I looked at the file name (remember that in Unix/Linux everything is a file) and it was okay.  I checked the permissions on the file and they were okay.  Then I looked at the SELinux settings:

ls -dZ ~

and what I saw was

drwx--x--x. <username> <groupname> unconfined_u:object_r:httpd_sys_content_t:s0 /home/<username>

which was how the instructions I read said they should be.  On another VM I ran the same command and I saw user_home_dir_t instead of httpd_sys_content_t, and I had no problems with the home directory there, so I changed the context back on the web server VM:

chcon -t user_home_dir_t ~

and then I logged out and back in.  Hurrah!  I was in my home directory again.  I wanted to verify the web server was still able to access my test PHP scripts in the ~/public_html directory.  Not a chance.  The dreaded 403 Forbidden message was displayed.  Now what do I do?

I did a Google search to see if I could set two context types in SELinux but I couldn't find anything that indicated I could.  The tool chcon has an option for a range of contexts but I couldn't find an example of how it worked.  My next option was to try the end user forum for the Linux distro I'm using for my test server.  Since I didn't have an account at CentOS I created one.  Why not?  It's always nice to have ready access to information.

A search of the CentOS forums showed an option that I didn't see, or glossed over, the first time I tried setting up UserDir.  So I typed the command:

setsebool -P httpd_enable_home_dirs 1

and tried to access the web server again.  Success!  Now I can have my cake (UserDir access on my web server) and eat it too (access to my home dir in my web server).
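As an added example (not from the original post), here is a small POSIX sh audit that checks the two settings this story ends up depending on: the home directory still carries user_home_dir_t, and the httpd_enable_home_dirs boolean is on. It works on captured output of ls -dZ and getsebool so it can be exercised offline; the username, group and sample output strings are constructed.

```shell
#!/bin/sh
# Added example: audit the home-directory label and the httpd boolean from
# captured command output, and print the fix the post arrived at if either
# has drifted.

# Extract the SELinux type (third colon-separated field) from a context
# such as unconfined_u:object_r:user_home_dir_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given the output of `ls -dZ ~`, succeed only if the directory is labelled
# user_home_dir_t (the type a login shell expects). The context field is
# found by its object_r role, so the field order of ls -Z does not matter.
home_dir_label_ok() {
    ctx=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }')
    [ "$(selinux_type "$ctx")" = "user_home_dir_t" ]
}

# Given the output of `getsebool httpd_enable_home_dirs`, succeed only if on.
home_dirs_bool_ok() {
    case "$1" in
        *"--> on"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks; print the remediation for each failure and return 1 if
# anything needs fixing, 0 if the setup matches the working end state.
advise() {
    ls_out=$1; bool_out=$2; rc=0
    if ! home_dir_label_ok "$ls_out"; then
        echo "home dir is not user_home_dir_t; run: chcon -t user_home_dir_t ~"; rc=1
    fi
    if ! home_dirs_bool_ok "$bool_out"; then
        echo "httpd_enable_home_dirs is off; run: setsebool -P httpd_enable_home_dirs 1"; rc=1
    fi
    return $rc
}

# Constructed sample output reproducing the post's broken state
# (home dir relabelled for httpd, boolean never enabled).
SAMPLE_LS='drwx--x--x. alice web unconfined_u:object_r:httpd_sys_content_t:s0 /home/alice'
SAMPLE_BOOL='httpd_enable_home_dirs --> off'
if advise "$SAMPLE_LS" "$SAMPLE_BOOL"; then echo "SELinux home/UserDir settings look right"; fi
```

On a live CentOS box, feed it `"$(ls -dZ ~)"` and `"$(getsebool httpd_enable_home_dirs)"` instead of the constructed strings.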

Lesson learned: read all the documentation.
