
Configure SELinux access so that Apache can access mounted directories


I have a mounted directory from home in /var/www/html/ict. All user permissions are fine, but through the web browser I still get a 403 error.

I suspect SELinux does not allow files and directories coming from other locations. Can you help me add the relevant permission so that this can be fixed?

The error log from the audit file:

    type=AVC msg=audit(1395610534.041:179195): avc:  denied  { search } for  pid=18370 comm="httpd" name="upload" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1395610534.041:179195): arch=c000003e syscall=4 success=no exit=-13 a0=7ffb5f863bc8 a1=7fff80a374c0 a2=7fff80a374c0 a3=0 items=0 ppid=3075 pid=18370 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1395610534.043:179196): avc:  denied  { getattr } for  pid=18370 comm="httpd" path="/var/www/html/ict/farengine" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1395610534.043:179196): arch=c000003e syscall=6 success=no exit=-13 a0=7ffb5f863cb0 a1=7fff80a374c0 a2=7fff80a374c0 a3=1 items=0 ppid=3075 pid=18370 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Solution

  • Rather than simply providing a link, but without completely ripping off the content of that link, here's the rundown.

    Install policycoreutils-python, which contains semanage, to allow a policy to be set up that will let Apache read, or read/write, areas outside of the DocumentRoot.

    yum install -y policycoreutils-python
    

    The article also mentioned a troubleshooting package, but my machine could not locate it.

    Create a policy for read-only areas that are part of your application, outside of the DocumentRoot

    semanage fcontext -a -t httpd_sys_content_t "/webapps(/.*)?"
    

    Create policy for logging directories

    semanage fcontext -a -t httpd_log_t "/webapps/logs(/.*)?"
    

    Create policy for cache directories

    semanage fcontext -a -t httpd_cache_t "/webapps/cache(/.*)?"
    

    Create policy for read/write areas that are outside of the DocumentRoot

    semanage fcontext -a -t httpd_sys_rw_content_t "/webapps/app1/public_html/uploads(/.*)?"
    

    Apply the policy with the restorecon command

    restorecon -Rv /webapps
    

    Verify policy has been applied

    ls -lZ /webapps
    

    That's it in a nutshell. The original article is nicer to read, however.
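As an added example (not code from the question, the answer or the linked article), the script below applies the answer's approach to the asker's own audit lines: it parses httpd_t AVC denials, shows which targets still carry user_home_t, and prints the persistent semanage/restorecon plan for review instead of running it. The sample input is the two AVC lines quoted in the question; the function names, the tree root /var/www/html/ict and treating "upload" as the writable subdirectory are assumptions for illustration.

```shell
#!/bin/sh
# Added example: turn httpd AVC denials into a relabel plan. It only prints
# the semanage/restorecon commands; it never changes a label itself.

# Constructed sample input: the two AVC lines quoted in the question.
AVC_SAMPLE='type=AVC msg=audit(1395610534.041:179195): avc:  denied  { search } for  pid=18370 comm="httpd" name="upload" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1395610534.043:179196): avc:  denied  { getattr } for  pid=18370 comm="httpd" path="/var/www/html/ict/farengine" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# Print "perm tclass target_type target" for every AVC denial whose source
# domain is httpd_t, deduplicated. When the kernel logged only name= (no
# path=), the inode number is printed so the directory can be located.
httpd_denials() {
  printf '%s\n' "$1" | awk '
    /type=AVC/ && / denied / && /scontext=[^ ]*:httpd_t:/ {
      perm = $0; sub(/.*[{] /, "", perm); sub(/ [}].*/, "", perm)
      tclass = ""; ttype = ""; target = ""; name = ""; ino = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "tclass") tclass = kv[2]
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        else if (kv[1] == "path") target = kv[2]
        else if (kv[1] == "name") name = kv[2]
        else if (kv[1] == "ino") ino = kv[2]
      }
      gsub(/"/, "", target); gsub(/"/, "", name)
      if (target == "") target = "name=" name " ino=" ino
      key = perm "|" target
      if (!(key in seen)) { seen[key] = 1; print perm, tclass, ttype, target }
    }'
}

# Emit the persistent fix for a web tree that still carries user_home_t:
# label the whole tree read-only web content, mark one writable subdirectory
# if given, then apply with restorecon. Returns 1 when no such denial exists.
# $1 = audit text, $2 = tree root (assumed /var/www/html/ict), $3 = rw subdir.
relabel_plan() {
  httpd_denials "$1" | grep -q ' user_home_t ' \
    || { echo '# no httpd_t denials on user_home_t targets'; return 1; }
  printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$2"
  [ -n "$3" ] && printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s/%s(/.*)?"\n' "$2" "$3"
  printf 'restorecon -Rv %s\n' "$2"
}

httpd_denials "$AVC_SAMPLE"
relabel_plan "$AVC_SAMPLE" /var/www/html/ict upload
```

This keeps the fix persistent and scoped, the same route the answer takes rather than chcon (lost on relabel) or disabling enforcement. Labels are stored on the inode, so if /var/www/html/ict is a bind mount from a home directory, restorecon through the mount point relabels the original files under /home as well.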