Very Objective - 2 months ago
Apache Configuration Question

(13)Permission denied: access to /~me denied

I am trying to configure Apache httpd.conf (on my CentOS 6.4) to allow access to my user directory (i.e. ~me/public_html/index.html).

I changed the original httpd.conf (i.e. out-of-the-box) as follows:

[root@myhost www]# diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig.out-of-the-box
366c366
< #UserDir disabled
---
> UserDir disabled
373c373
< UserDir public_html
---
> #UserDir public_html


This should in principle provide access to http://myhost/~me but instead, I am getting the dreaded error:

You don't have permission to access /~me on this server.


I checked the file /var/log/httpd/error_log and, sure enough, it reads:

(13)Permission denied: access to /~me denied


The first weird thing I noticed is that a / is prepended to ~me.


  • Where does that leading / come from?

  • Is it only a "red herring"?

  • Or is this pointing to the root cause of the problem (i.e. something else I need to modify in httpd.conf)?



Most importantly, since I know that my ~me/public_html has world-readable permissions, how do I troubleshoot a problem like this?

Is there a way to find out why "access to /~me denied"?


  • SELinux?

  • httpd.conf?

  • directory permissions?

  • all of the above?

Update 1, answering the 2 questions in the comments by @UlrichSchwarz below:


  1. The home directory does seem to have the 'x' permission:

    [root@myhost ~]# ls -lad /home/me

    drwxr-xr-x. 33 me me 4096 Feb 8 16:30 /home/me

  2. SELinux info on public_html:

    [root@myhost ~]# ls -Z -d /home/me/public_html/

    drwxrwxr-x. me me unconfined_u:object_r:file_t:s0 /home/me/public_html/

Update 2, after I verified that this is indeed an SELinux issue (thanks to the tip by @Scolytus):


  1. I ran the command:

    chcon -R -t httpd_user_content_t /home/me/public_html/

    Still no go.

    [root@myhost ~]# ls -Z -d /home/me/public_html/

    drwxrwxr-x. me me unconfined_u:object_r:httpd_user_content_t:s0 /home/me/public_html/

  2. Then I ran "Allow HTTPD to read home directories" from the command line:

    setsebool -P httpd_enable_homedirs=1

    Still no go.



/var/log/httpd/error_log now shows (in addition to the (13)permission denied error) the following:

[notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] Apache/2.2.15 (Unix) DAV/2 configured -- resuming normal operations


Perhaps the problem lies in the discrepancy between context_system_u and httpd_user_content_t?

What else do I need to do? (without disabling SELinux completely, that is)
Update 3, thanks to information in @lserni's answer, I discovered the ausearch command:

ausearch -m avc --start today


Which provided the following output:

time->Fri Jul 4 09:16:44 2014
type=SYSCALL msg=audit(1404479804.256:1312): arch=40000003 syscall=196 success=no exit=-13 a0=12c2c80 a1=bfeb1d00 a2=a34ff4 a3=2008171 items=0 ppid=5880 pid=5886 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=193 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1404479804.256:1312): avc: denied { getattr } for pid=5886 comm="httpd" path="/home/me" dev=dm-3 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir


Huh? Why /home/me and not /home/me/public_html?

Here is the output of ls -Zd /home/me/:

drwxr-xr-x. me me system_u:object_r:file_t:s0 /home/me/


Should I run the chcon -t httpd_user_content_t on /home/me, too?

Continuing to research...
Update 4: Success!

I ran the command:

chcon -t httpd_user_content_t /home/me/


And all is well now.

[root@myhost sa]# ls -Z -d /home/me/

drwxr-xr-x. me me system_u:object_r:httpd_user_content_t:s0 /home/me/
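Reading the raw ausearch records in Update 3 is what revealed that the denial was on /home/me (type file_t), not on public_html. The following script is an added example, not code from the question or its answers: it condenses each type=AVC record into one line showing the denied permission, object class, target path and source/target types, and flags file_t targets; the sample records are constructed (abridged from the question's output plus one made-up follow-on denial).

```shell
#!/bin/sh
# Added example: summarise AVC denials as printed by `ausearch -m avc`
# (or found in /var/log/audit/audit.log), one readable line per record.

avc_summary() {
    # Reads audit records on stdin, prints one line per type=AVC record.
    awk '
    /^type=AVC / {
        perm = ""; path = ""; tclass = ""; src = ""; tgt = ""
        # the denied permission(s) sit between braces: "{ getattr }"
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "path" || (kv[1] == "name" && path == "")) {
                path = kv[2]; gsub(/"/, "", path)
            }
            if (kv[1] == "tclass")   tclass = kv[2]
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        }
        # file_t is the type of an object that carries no SELinux label at
        # all (typically a filesystem that was never relabelled); the
        # policy defaults are restored with restorecon, not patched by chcon.
        hint = (tgt == "file_t") ? " [unlabeled: run restorecon]" : ""
        printf "denied %s on %s %s: %s -> %s%s\n", perm, tclass, path, src, tgt, hint
    }'
}

# Constructed sample: SYSCALL and first AVC record abridged from the
# question's ausearch output; the second AVC record is made up to show a
# denial on a file inside public_html that carries a home-directory type.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1404479804.256:1312): arch=40000003 syscall=196 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1404479804.256:1312): avc: denied { getattr } for pid=5886 comm="httpd" path="/home/me" dev=dm-3 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1404480000.100:1400): avc: denied { read } for pid=5886 comm="httpd" name="index.html" dev=dm-3 ino=77 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

A chcon label change such as the one in Update 4 is reverted by the next restorecon or full relabel; restorecon -Rv /home re-applies the policy's default file contexts, which in the targeted policy already map ~/public_html to httpd_user_content_t.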

Answer

I've seen a slightly different version of the command you gave, supplied by sealert:

SELinux denied access to /var/www/html/file1 requested by httpd. /var/www/html/file1 has a context used for sharing by different program. If you would like to share /var/www/html/file1 from httpd also, you need to change its file context to public_content_t. If you did not intend to this access, this could signal a intrusion attempt.

Allowing Access:

You can alter the file context by executing chcon -t public_content_t '/var/www/html/file1'

Fix Command:

chcon -t public_content_t '/var/www/html/file1'

"how do I troubleshoot a problem like this?"

Most SELinux-related information is generally in the auditd logs, but you probably want some tool such as sealert to decode it for you. I've done a brief search and came up with this tool that I didn't know of, but seems interesting: SELinux GUI.

Addendum: Some examples with semanage