Linux – Why does Fedora 20 still deny access to home directories after enabling SELinux httpd_read_user_content and setting files to httpd_user_content_t

apache-2.4fedoralinuxpermissionsselinux

On my Fedora 20, I've learned that to allow write access to files by processes like PHP via Apache, the process owner, which is in my case apache, must have write permissions to the files. Also, since SELinux is enabled, the files must have the httpd_system_rw_content_t context.

It also looks like an SELinux policy prevents httpd from accessing any files under /home. Just about everyone agrees that to remedy this, the files you want accessed must have security context httpd_user_content_t or httpd_user_rw_content_t. I've been sure to do this, yet Apache still says it does not have permission to access the directories. When those files don't have the user_content context, I indeed get SELinux warnings. When the context is set, I don't get the warnings, but Apache still can't access the files. Everything under /home/me/game has the following user permissions and security context:

$ sudo chcon -Rv --type=httpd_user_rw_content_t game
$ sudo setsebool -P httpd_read_user_content 1
$ sudo chown -R :apache game
$ ll -Zd game
drwxrwxr-x. me apache unconfined_u:object_r:httpd_user_rw_content_t:s0 game

Yet Apache tells me:

Forbidden

You don't have permission to access /game on this server.

Might anyone know what else I could check?

Best Answer

Sigh... always check your permissions, people. Even though the SELinux settings were good, there was a directory on the way down to the path I wanted apache to reach that was not allowing that user to read/execute it.

First of all, I should have looked at /var/log/httpd/error_log which plainly said:

(13)Permission denied: [client 127.0.0.1:38628] AH00035: access to /game/ denied (filesystem >path '/home/me/game') because search permissions are missing on a component of the path

Looking up the error on Google, I found this page that also spells out the issue. Since it had no problem serving things from /var/www I checked the directory permissions all the way down:

$ ll -d /
drwxr-xr-x. 18 root root 4096 Jun 22 18:52 /
$ ll -d /var
drwxr-xr-x. 21 root root 4096 Jun 22 12:51 /var
$ ll -d /var/www
drwxr-xr-x. 8 root root 4096 Jun 21 09:19 /var/www

I did the same all the way down my home dirs:

$ ll -d /home
drwxr-xr-x. 4 root root 4096 Jun 13 21:31 /home
$ ll -d /home/me
drwx------. 35 me me 4096 Jun 22 19:05 /home/me

Yep... a simple sudo chmod o=rx /home/me got me up and going. I couldn't have done it without checking everything you guys asked me to, and I thank you.

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

# semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"

Be sure to include the (/.*)? at the end of the directory name.

I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of type public_content_t; this is equivalent to turning on allow_ftpd_full_access, if I understood it correctly

Essentially, yes; since SELinux allows directories/files labeled with public_content_t to be shared between different services. However, further access control is in place through the use of sebooleans (or sebool, more precisely).

Giving "ftpd full access", doesn't mean giving it the rights to do/read/write what and where it wants. SELinux has designated policies in place for the services on your system; meaning, ftpd is allowed to read files if the directory's file context (fcontext) is public_content_t. SELinux gives write permissions to the ftp server if the directory's fcontext is public_content_rw_t; other services such as samba, apache, etc. have to be allowed write permissions to those directories through the booleans, according to the pertaining RedHat Documentation. If your "local policy" gives ftpd write access in directories labelled public_content_t, it essentially strips away a layer of security. Therefore, I suggest labeling the directory with the public_content_rw_t context, and removing your custom generated local policy.

For further information and details, please see the SELinux wiki pages.

Forbidden

Best Answer

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

Related Topic