Apache permissions with SELinux


Had a little problem recently with Apache.

I wanted to set up a local LAMP development for a project I was working on, so I set up an Apache VHost on a testing directory to serve files out of it. Having done this quite a number of times before, I assumed this to be a routine set up and went through the motions accordingly.

Listen directive? Check. <Directory> directive? Check. Allow, deny? Check. File system permissions? 755, check.

Looking good, I browsed my local URL.

And got greeted with a 403 (Forbidden) error.

Ok, so maybe I missed something out. But no.. all permissions seemed to be in order. I made the test directory’s group same as the apache user. No cigar. Gave the group elevated privileges. Nope. In desperation I have the entire test directory tree 777 permissions. And still got the 403 error.

Diving in to the logs, I was greeted with the following message:

(13)Permission denied: file permissions deny server access: /home/ruiwen/Project/tests/test.html

File permissions deny access? Surely not? They were open to the world!

Next, I figured that the errors might have been caused by Leopard’s new ACLs, since the directory where the files were hosted were on a HFS+ drive. Apparently Leopard sets ACLs on a few select directories to prevent them from being (accidentally?) deleted (eg. Pictures, Documents, Applications and similarly ‘important’ directories). Up to this point, I’d been developing in my newly installed Fedora 10 (dual-booted, and sharing a home partition with Leopard Mac OS X). So I rebooted into Leopard to attempt to discover where the fault lay.

The only problem was that the project directory simply had no ACLs nor extended attributes set on it.

File serving using the Apache within Leopard worked fine though, using the user-specific directory, ~/Sites.

Frustrated, I went back to Fedora to try again. In a stroke of inspiration, I checked out the SELinux settings.


SELinux -- Allow http to read user home directories

SELinux -- Allow http to read user home directories

It was SELinux that was restricting Apache’s access to the file all along!

In my previous installations of Fedora, I’d always deactivated SELinux to prevent it from tripping me up. But with this installation of Fedora 10, I’d installed from the Live CD, and I don’t remember that ever giving me a dialogue to do that. Besides, once the system was running, I didn’t seem to run into any problems (until now), with SELinux, so I left it on. Well, guess I know better.. SELinux’s still on though, but at least now I know where I’ll look first in the future.

Well.. it took me 2 days of Googling without useful results. Hopefully this will cut somebody else’s search time short.


5 Responses to “Apache permissions with SELinux”

  1. 1 Ryan Shuya

    Whew! Thank goodness! I was having the same problem and I was starting to go crazy. My solution was a bit different; checking the box didn’t work. I needed to change the default policy to be permissive. If it wasn’t for this post though, I would have never looked in SELinux Management! Thanks again!

  2. 3 Brian G

    Thanks, too. Both Suse 11 and Fedora 10 on removable HDDs have been giving me blocking problems (for access by other PCs over internet – but not as localhost) on a PC/ Router setup working fine with XP.

    I had just been left with SEL as the culprit. However, oddly by chmod’ing /var/log/httpd to 777 to study error log I can now serve pages to the external world. I do not understand why! but it now works across the net.

  3. 4 Andy

    LOL i just encountered the same issue in Fedora, took me forever to figure it out on my own… I wish this was more of a topic on discussion boards, easy thing to miss if you’re used to RH releases… I never encountered this issue in the past 😛

  4. 5 Andy

    **Found an EASIER fix for this issue. Move documents to ServerRoot, execute ‘restorecon’ -R (reclusive) on ServerRoot, should reset SELinux permissions to system defaults for Apache… I HOPE THIS HELPS SOMEONE LIKE ME 😛

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: