[CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Alexander Farber
Hello,

I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail
(relayed through gmail.com) - all those programs working fine,
with no big modifications of the CentOS defaults (i.e. SELinux is on).

Now I'm struggling with the seemingly simple problem, that when
I put an .html file into /var/www/html/ then Apache won't serve it.

In the browser I see:

Forbidden

You don't have permission to access /Alex.html on this server.
Apache/2.2.3 (CentOS) Server at  Port 80

In the  /var/log/httpd/error_log (I've set LogLevel debug) I only see:

[error] [client 10.216.40.68] (13)Permission denied: access to /Alex.html denied
[error] [client 10.216.40.68] (13)Permission denied: access to /Alex.html denied

The other filetypes like crossdomain.xml and index.php or
hello-world.php are served just fine. Also, if I move my *.html
files under /var/www/html/test/ - then they are served ok.

The permissions are ok in my book:

# ls -al Alex.html index.php hello-world.php
-r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
-rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
-rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php

#  ls -ald / /var /var/www /var/www/html
drwxr-xr-x 23 root root 4096 Sep 29 15:54 /
drwxr-xr-x 22 root root 4096 Jun 22 15:25 /var
drwxr-xr-x  8 root root 4096 Sep 29 11:45 /var/www
drwxr-xr-x 16 root root 4096 Sep 29 15:59 /var/www/html

# cat /var/www/html/.htaccess (installed by phpBB)
<Files config.php>
Order Allow,Deny
Deny from All
</Files>

<Files common.php>
Order Allow,Deny
Deny from All
</Files>

#  /usr/sbin/getsebool -a | grep http
allow_httpd_anon_write -- off
allow_httpd_bugzilla_script_anon_write -- off
allow_httpd_cvs_script_anon_write -- off
allow_httpd_mod_auth_pam -- off
allow_httpd_nagios_script_anon_write -- off
allow_httpd_prewikka_script_anon_write -- off
allow_httpd_squid_script_anon_write -- off
allow_httpd_sys_script_anon_write -- off
httpd_builtin_scripting -- on
httpd_can_network_connect -- off
httpd_can_network_connect_db -- off
httpd_can_network_relay -- off
httpd_can_sendmail -- on
httpd_disable_trans -- off
httpd_enable_cgi -- on
httpd_enable_ftp_server -- off
httpd_enable_homedirs -- on
httpd_read_user_content -- off
httpd_rotatelogs_disable_trans -- off
httpd_ssi_exec -- off
httpd_suexec_disable_trans -- off
httpd_tty_comm -- on
httpd_unified -- on
httpd_use_cifs -- off
httpd_use_nfs -- off

I've looked into /etc/httpd/conf/httpd.conf and conf.d/ files...

Does anybody know what is wrong, how to find out?

Regards
Alex
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Rob Del Vecchio
> Now I'm struggling with the seemingly simple problem

Sometimes simple problems have simple solutions!

For example:
> # ls -al Alex.html index.php hello-world.php
> -r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
> -rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
> -rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php

Why is Alex.html only readable and the php files readable *and* writable?
 Did you try making the php files *only readable* and see what happens?

This may not be relevant to the problem, but I have observed in Ubuntu that
the apache server by default likes to make files it serves executable.  Not
sure why, just a simple observation.

Hope this helps,
Rob


Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Jay Leafey

Alexander Farber wrote:

> Hello,
>
> I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail
> (relayed through gmail.com) - all those programs working fine,
> with no big modifications of the CentOS defaults (i.e. SELinux is on).
>
> Now I'm struggling with the seemingly simple problem, that when
> I put an .html file into /var/www/html/ then Apache won't serve it.

SNIP

> I've looked into /etc/httpd/conf/httpd.conf and conf.d/ files...
>
> Does anybody know what is wrong, how to find out?
>
> Regards
> Alex


Did you possibly use mv to put the file in that directory?  If so, it 
will not always set the file context properly.  You can tell if you will 
check to see if SELinux is active (run getenforce and see if it returns 
Enforcing) and use the -Z switch to ls to see the file context of the 
problem files.  If the context is not httpd_sys_content_t or something 
similar you need to fix the context.


Fixing it is easy, just run restorecon:

restorecon -rv /var/www/html

This will walk down the directory tree and fix up the file contexts, 
giving you a message about the files it changes.


Of course, if it isn't an SELinux problem, this won't help.
--
Jay Leafey - jay.lea...@mindless.com
Memphis, TN




Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Alexander Farber
Nope this doesn't help. I've tried both 444 and 644 for Alex.html
and vice versa: 444 and 644 for the .php and .xml files.

On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio
rob.delvecc...@gmail.com wrote:
>> # ls -al Alex.html index.php hello-world.php
>> -r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
>> -rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
>> -rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
> Why is Alex.html only readable and the php files readable *and* writable?
>  Did you try making the php files *only readable* and see what happens?


Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread m . roth
Alexander Farber wrote:
> Nope this doesn't help. I've tried both 444 and 644 for Alex.html
> and vice versa: 444 and 644 for the .php and .xml files.
>
> On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio
> rob.delvecc...@gmail.com wrote:
>>> # ls -al Alex.html index.php hello-world.php
>>> -r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
>>> -rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
>>> -rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
>> Why is Alex.html only readable and the php files readable *and*
>> writable?
>>  Did you try making the php files *only readable* and see what happens?

What's the entry in /etc/httpd/conf/httpd.conf for /var/www/html? You say
that this stuff is in /var/www/html/test/ - is apache configured to let it
be seen? The error message you give sounds like apache configuration.

Oh, right - are you using http, or https?

 mark



Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Simon Billis
Alexander Farber sent a missive on 2010-09-29:

> Nope this doesn't help. I've tried both 444 and 644 for Alex.html and
> vice versa: 444 and 644 for the .php and .xml files.
>
> On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio
> rob.delvecc...@gmail.com wrote:
>>> # ls -al Alex.html index.php hello-world.php
>>> -r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
>>> -rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
>>> -rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
>> Why is Alex.html only readable and the php files readable *and*
>> writable?  Did you try making the php files *only readable* and see what
>> happens?


Hi.

Can you show the output of ls -laZ please? This will show the selinux
context information for the files - the error is usually to do with the
context of the files.

Rgds

S.





Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Paul Heinlein
On Wed, 29 Sep 2010, Jay Leafey wrote:

> Fixing it is easy, just run restorecon:
>
> restorecon -rv /var/www/html

Is there any received wisdom about when it is more appropriate to use 
restorecon directly instead of the fixfiles wrapper? I tend to use 
fixfiles, but I haven't really thought it through.

-- 
Paul Heinlein  heinl...@madboa.com  http://www.madboa.com/


Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Alexander Farber
On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis si...@houxou.com wrote:
> Can you show the output of ls -laZ please? This will show the selinux
> context information for the files - the error is usually to do with the
> context of the files.

Hello and thanks for your reply. The SELinux stuff is new for me.

Yes I have moved that Alex.html from my home dir and (the 1st one fails):

# ls -laZ /var/www/html/Alex.html
-r--r--r--  root root system_u:object_r:user_home_t /var/www/html/Alex.html

# ls -laZ /var/www/html/test/Alex.html
-r--r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/test/Alex.html

# ls -laZ /var/www/html/index.php
-rw-r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/index.php

# ls -laZ /var/www/html/hello-world.php
-rw-r--r--  afarber afarber user_u:object_r:httpd_sys_content_t /var/www/html/hello-world.php

I'm using http, not https. And /usr/sbin/getenforce prints Enforcing.

I didn't know that there were additional attributes for the files.
And I don't know how to stop/start SELinux
(it is not a service in /etc/init.d, right?)
but I'd like to keep SELinux running, since all other
programs I've listed seem to cope okay with it.

Regards
Alex


Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Robert Heller
At Wed, 29 Sep 2010 17:13:14 +0200 CentOS mailing list centos@centos.org 
wrote:

 
> Nope this doesn't help. I've tried both 444 and 644 for Alex.html
> and vice versa: 444 and 644 for the .php and .xml files.
>
> On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio
> rob.delvecc...@gmail.com wrote:
>>> # ls -al Alex.html index.php hello-world.php
>>> -r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
>>> -rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
>>> -rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
>> Why is Alex.html only readable and the php files readable *and* writable?
>>  Did you try making the php files *only readable* and see what happens?

What is the mode on the directory?  What is the ownership of the directory?


-- 
Robert Heller -- 978-544-6933
Deepwoods Software-- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
hel...@deepsoft.com   -- http://www.deepsoft.com/ModelRailroadSystem/

  


Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Ben McGinnes
On 30/09/10 12:43 AM, Alexander Farber wrote:
> Hello,
>
> I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail
> (relayed through gmail.com) - all those programs working fine,
> with no big modifications of the CentOS defaults (i.e. SELinux is on).

[SNIP]

> Does anybody know what is wrong, how to find out?

Yep, it's SELinux picking up that the files have been moved or copied to
that directory.  Run this command:

restorecon -R /var/www/html

The pages should load after that.


Regards,
Ben






Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Simon Billis
Alexander Farber sent a missive on 2010-09-29:

> On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis si...@houxou.com wrote:
>> Can you show the output of ls -laZ please? This will show the
>> selinux context information for the files - the error is usually to
>> do with the context of the files.
>
> Hello and thanks for your reply. The SELinux stuff is new for me.
>
> Yes I have moved that Alex.html from my home dir and (the 1st one fails):
>
> # ls -laZ /var/www/html/Alex.html
> -r--r--r--  root root system_u:object_r:user_home_t /var/www/html/Alex.html

You can see here that the context is incorrect for the file to be served by
apache. You can change it using:

"chcon user_u:object_r:httpd_sys_content_t /var/www/html/Alex.html" with no
quotes.

This will change the file to the specific context needed. You can also use
restorecon -R as others have mentioned



 
> # ls -laZ /var/www/html/test/Alex.html
> -r--r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/test/Alex.html
>
> # ls -laZ /var/www/html/index.php
> -rw-r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/index.php
>
> # ls -laZ /var/www/html/hello-world.php
> -rw-r--r--  afarber afarber user_u:object_r:httpd_sys_content_t /var/www/html/hello-world.php
>
> I'm using http, not https. And /usr/sbin/getenforce prints Enforcing.

You can use "setenforce 0" without the quotes to disable selinux from the
command line till next reboot or until you issue setenforce 1 - this is
useful for testing as is looking at /var/log/audit/audit.log and also using
commands such as audit2why and audit2allow (I strongly recommend reading at
least the man pages and also such websites as
http://www.nsa.gov/research/selinux/docs.shtml (google selinux))


 
> I didn't know that there were additional attributes for the files.
> And I don't know how to stop/start SELinux (it is not a service in
> /etc/init.d, right?) but I'd like to keep SELinux running, since all
> other programs I've listed seem to cope okay with it.

I recommend that you keep selinux running and enforcing and that you spend
some time learning it. It is very useful. The config files are located here:
/etc/selinux and you can set selinux to be disabled or if you want
permissive i.e. it will not stop you or others doing things but will report
on the violations.

Have fun

S.
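
Added example (not part of the original thread): a small shell filter that applies the check discussed above to `ls -Z` output and lists files whose SELinux type is not an httpd_* type. It assumes the CentOS 5 `ls -Z` column layout shown in this thread (mode, user, group, context, path); the function names and the httpd_ prefix test are illustrative, and the sample listing is constructed from the output posted earlier.

```shell
#!/bin/sh
# Flag web-root files whose SELinux type is not one of the httpd_* types.
# Input: `ls -Z` lines in the CentOS 5 layout "mode user group context path".

# Print "path<TAB>type" for every entry whose type does not start with httpd_.
find_mislabeled() {
    awk '
        NF >= 5 {
            # The context is user:role:type[:level]; the type is field 3.
            n = split($4, ctx, ":")
            if (n < 3) next
            t = ctx[3]
            # A path may contain spaces: rebuild it from column 5 onwards.
            path = $5
            for (i = 6; i <= NF; i++) path = path " " $i
            if (t !~ /^httpd_/) printf "%s\t%s\n", path, t
        }'
}

# Constructed sample, modelled on the listing posted in this thread.
sample_listing() {
    cat <<'EOF'
-r--r--r--  root root system_u:object_r:user_home_t /var/www/html/Alex.html
-r--r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/test/Alex.html
-rw-r--r--  root root user_u:object_r:httpd_sys_content_t /var/www/html/index.php
-rw-r--r--  afarber afarber user_u:object_r:httpd_sys_content_t /var/www/html/hello-world.php
EOF
}

# Only the file moved from the home directory is reported.
sample_listing | find_mislabeled
```

On a live system the same filter can be fed from `ls -Z /var/www/html`; any file it reports is a candidate for the restorecon or chcon fix mentioned in the thread.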






Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread m . roth
Simon Billis wrote:
> Alexander Farber sent a missive on 2010-09-29:
>> On Wed, Sep 29, 2010 at 5:29 PM, Simon Billis si...@houxou.com wrote:
snip
> You can use "setenforce 0" without the quotes to disable selinux from the
> command line till next reboot or until you issue setenforce 1 - this is
> useful for testing as is looking at /var/log/audit/audit.log and also
> using commands such as audit2why and audit2allow (I strongly recommend
> reading at least the man pages and also such websites as
> http://www.nsa.gov/research/selinux/docs.shtml (google selinux))

Yeah, and the sealert messages in /var/log/messages *sometimes* help, and
other times are garbage. (Yes, I filed a bug with the sealert team: for
some things, it 100% repeatably keeps telling me that I should set
httpd_unified to on... when it's been on for months. Obviously, they
missed a condition, and fall through to an incorrect default.)

>> I didn't know that there were additional attributes for the files.
>> And I don't know how to stop/start SELinux (it is not a service in
>> /etc/init.d, right?) but I'd like to keep SELinux running, since all
>> other programs I've listed seem to cope okay with it.
>
> I recommend that you keep selinux running and enforcing and that you spend
> some time learning it. It is very useful. The config files are located
> here: /etc/selinux and you can set selinux to be disabled or if you want
> permissive i.e. it will not stop you or others doing things but will
> report on the violations.

*bleah* to selinux.

 mark



Re: [CentOS] Forbidden: can't access *.html files in /var/www/html

2010-09-29 Thread Ben McGinnes
On 30/09/10 3:21 AM, Simon Billis wrote:
 
> You can use "setenforce 0" without the quotes to disable selinux from the
> command line till next reboot or until you issue setenforce 1 - this is
> useful for testing as is looking at /var/log/audit/audit.log and also using
> commands such as audit2why and audit2allow (I strongly recommend reading at
> least the man pages and also such websites as
> http://www.nsa.gov/research/selinux/docs.shtml (google selinux))

In addition to that URL, this document (which I didn't see listed,
probably due to the publication date) looks very useful:

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

I'd second reading as much as possible on SELinux before diving into it,
as there are more than a few gotchas.  Especially when enabling and
disabling it and knowing when a reboot is necessary when enabling or
re-enabling it.


Regards,
Ben



