Very Objective Very Objective - 1 year ago 162
Apache Configuration Question

(13)Permission denied: access to /~me denied

I am trying to configure Apache httpd.conf (on my CentOS 6.4) to allow access to my user directory (i.e. ~me/public_html/index.html).

I changed the original

(i.e. out-of-the-box) as follows:

[root@myhost www]# diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig.out-of-the-box
< #UserDir disabled
> UserDir disabled
< UserDir public_html
> #UserDir public_html

This should in principle provide access to
but instead, I am getting the dreaded error:

You don't have permission to access /~me on this server.

I checked the file /var/log/httpd/error_log and, sure enough, it reads:

(13)Permission denied: access to /~me denied

The first weird thing I noticed is that a
is prepended to

  • Where does that leading
    come from?

  • Is it only a "red herring"?

  • Or is this pointing to the root cause of the problem (i.e. something else I need to modify in httpd.conf)?

Most importantly, since I know that my
is has world-readable permissions, how do I troubleshoot a problem like this?

Is there a way to find out why "access to /~me denied"?

  • SELinux?

  • httpd.conf?

  • directory permissions?

  • all of the above?

Update 1, answering the 2 questions in the comments by @UlrichSchwarz below:

  1. The home directory does seem to have the 'x' permission:

    [root@myhost ~]# ls -lad /home/me

    drwxr-xr-x. 33 me me 4096 Feb 8 16:30 /home/me

  2. SELinux info on public_html:

    [root@myhost ~]# ls -Z -d /home/me/public_html/

    drwxrwxr-x. me me unconfined_u:object_r:file_t:s0 /home/me/public_html/

Update 2, after I verified that this is indeed an SELinux issue (thanks to the tip by @Scolytus):

  1. I ran the command:

    chcon -R -t httpd_user_content_t /home/me/public_html/

    Still no go.

    [root@myhost ~]# ls -Z -d /home/me/public_html/

    drwxrwxr-x. me me unconfined_u:object_r:httpd_user_content_t:s0 /home/me/public_html/

  2. Then I ran "Allow HTTPD to read home directories" from the command line:

    setsebool -P httpd_enable_homedirs=1

    Still no go.

/var/log/httpd/error_log now shows (in addition to the (13)permission denied error) the following:

[notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] Apache/2.2.15 (Unix) DAV/2 configured -- resuming normal operations

Perhaps the problem lies in the discrepancy between context_system_u and httpd_user_content_t?

What else do I need to do? (without disabling SELinux completely, that is)

Update 3, thanks to information in @lserni's answer, I discovered the ausearch command:

ausearch -m avc --start today

Which provided the following output:

time->Fri Jul 4 09:16:44 2014
type=SYSCALL msg=audit(1404479804.256:1312): arch=40000003 syscall=196 success=no exit=-13 a0=12c2c80 a1=bfeb1d00 a2=a34ff4 a3=2008171 items=0 ppid=5880 pid=5886 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=193 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1404479804.256:1312): avc: denied { getattr } for pid=5886 comm="httpd" path="/home/me" dev=dm-3 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

Huh? Why
and not

Here is the output of
ls -Zd /home/me/

drwxr-xr-x. me me system_u:object_r:file_t:s0 /home/me/

Should I run the
chcon -t httpd_user_content_t
on /home/me, too?

Continuing to research...

Update 4: Success!

I ran the command:

chcon -t httpd_user_content_t /home/me/

And all is well now.

[root@myhost sa]# ls -Z -d /home/me/

drwxr-xr-x. me me system_u:object_r:httpd_user_content_t:s0 /home/me/

Answer Source

I've seen a slightly different version of the command you gave, supplied by sealert:

SELinux denied access to /var/www/html/file1 requested by httpd. /var/www/html/file1 has a context used for sharing by different program. If you would like to share /var/www/html/file1 from httpd also, you need to change its file context to public_content_t. If you did not intend to this access, this could signal a intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t public_content_t '/var/www/html/file1'

Fix Command:

chcon -t public_content_t '/var/www/html/file1'

how do I troubleshoot a problem like this?

Most SELinux-related information is generally in the auditd logs, but you probably want some tool such as sealert to decode it for you. I've done a brief search and came up with this tool that I didn't know of, but seems interesting: SELinux GUI.

Addendum: Some examples with semanage

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download