SELinux Issue: Apache 403 permission denied on virtual hosts

Platform setup:

Fedora Core 3
Apache 2.0.52-3
SELinux enabled.

Apache configuration is set up correctly with the right permissions, but the server throws a 403 error.

The log entry in /etc/httpd/logs/error_log:

"[error] [client xx.xx.xxx.xxx] (13) Permission denied: access to / denied"

The issue is well known but the fixes only apply to Fedora 3, such as:

"Use: chcon -R -t httpd_sys_content_t "

or

"deactivate SELinux at the command line or GUI".

or

"Turn off SELinux enforcing at boot.

You can specify the SELinux mode using the configuration file /etc/sysconfig/selinux."

However, these commands do not work with Fedora 1.

Here are some of the explanations.

******************************************************

Note for SELinux / Fedora Core 3+ / RedHat Enterprise users:

In addition to regular Unix permissions, under SELinux every file, directory, process, etc. has a 'security context'. When a process attempts to access a file, besides checking the Unix permissions the system also checks to see if the security context of the process is compatible with the security context of the file.

Fedora Core 3, among other systems, comes with SELinux installed by default, configured so that Apache runs in a fairly restricted security context. To run Subversion under Apache, you have to set the security context of the repository to allow Apache access (or turn off the restrictions on Apache, if you think all this is overkill). The chcon command is used to set the security context of files (similarly to how chmod sets the traditional Unix permissions). To view the current security context of any given file, you can use the Unix command 'ls' with only the '-Z' option.

For example, one user had to issue this chcon command, shown here with 'ls -Z' before and after to view the context,

   $ ls -Z PATH_TO_REPOSITORY
   $ chcon -R -h -t httpd_sys_content_t PATH_TO_REPOSITORY
   $ ls -Z PATH_TO_REPOSITORY

to set the security context to be able to successfully access the repository.

******************************************************
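
A check to run before and after the chcon step, added here as an example (it is not part of the original post or the quoted note): it reads 'ls -Z' output and lists every entry whose SELinux type is not httpd_sys_content_t. The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: report entries whose SELinux type differs from the one
# Apache is allowed to read. A context has the form user:role:type[:level].

EXPECTED_TYPE="httpd_sys_content_t"   # type used in the chcon command above

# mislabeled WANT: read `ls -Z`-style lines on stdin and print "TYPE NAME"
# for each entry whose type is not WANT. Accepts both layouts:
#   mode user group context name      (older ls -Z)
#   context name                      (newer ls -Z)
# Lines that carry no context field are skipped.
mislabeled() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) {
            # first field shaped like user:role:type, optional :level suffix
            if ($i ~ /^[^:]+:[^:]+:[^:]+(:.*)?$/) {
                split($i, part, ":")
                if (part[3] != want) {
                    # everything after the context is the name (may hold spaces)
                    rest = substr($0, index($0, $i) + length($i))
                    sub(/^[ \t]+/, "", rest)
                    print part[3], rest
                }
                next
            }
        }
    }'
}

# Constructed sample listing (hypothetical files, both layouts mixed).
sample_listing() {
cat <<'EOF'
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t index.html
-rw-r--r--  root   root   user_u:object_r:user_home_t           about.html
unconfined_u:object_r:httpd_sys_content_t:s0 css
unconfined_u:object_r:default_t:s0 my site/uploads
EOF
}

# Stand-alone run over the sample; an empty result means nothing is mislabeled.
sample_listing | mislabeled "$EXPECTED_TYPE"
```

On a live system, pipe the real listing in instead of the sample: 'ls -Z PATH_TO_REPOSITORY | mislabeled httpd_sys_content_t'.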
