Re: [CentOS] Help with httpd userdir recovery

2016-12-29 Thread Robert Moskowitz

Interesting, but I can't do anything until around the 9th.

On 12/30/2016 01:08 AM, Gordon Messmer wrote:

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 comm="httpd" 
name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

I ran into the same problem, I think.  I ran "audit2why" and passed in
the AVC.  It suggested a pair of booleans I've never seen before.

# audit2why
type=AVC msg=audit(1483077583.703:1539671): avc:  denied  { read } for
  pid=11162 comm="httpd" name="courier-pythonfilter" dev="dm-0"
ino=533228 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir

 Was caused by:
 One of the following booleans was set incorrectly.
 Description:
 Allow httpd to read user content

 Allow access by executing:
 # setsebool -P httpd_read_user_content 1
 Description:
 Allow httpd to unified

 Allow access by executing:
 # setsebool -P httpd_unified 1
# setsebool -P httpd_read_user_content 1

... and setting one of them fixed the problem.

I don't see a bug filed for this.  Can anyone else confirm that
httpd_enable_homedirs doesn't work as it did before 7.3?  I suspect
it's not widely used and the bug may not have been noticed yet.
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos





Re: [CentOS] Help with httpd userdir recovery

2016-12-29 Thread Gordon Messmer
> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 
> comm="httpd" name="family" dev="sda3" ino=262199 
> scontext=system_u:system_r:httpd_t:s0 
> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

I ran into the same problem, I think.  I ran "audit2why" and passed in
the AVC.  It suggested a pair of booleans I've never seen before.

# audit2why
type=AVC msg=audit(1483077583.703:1539671): avc:  denied  { read } for
 pid=11162 comm="httpd" name="courier-pythonfilter" dev="dm-0"
ino=533228 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir

Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow httpd to read user content

Allow access by executing:
# setsebool -P httpd_read_user_content 1
Description:
Allow httpd to unified

Allow access by executing:
# setsebool -P httpd_unified 1
# setsebool -P httpd_read_user_content 1

... and setting one of them fixed the problem.

I don't see a bug filed for this.  Can anyone else confirm that
httpd_enable_homedirs doesn't work as it did before 7.3?  I suspect
it's not widely used and the bug may not have been noticed yet.


Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 06:33 PM, Greg Cornell wrote:

On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:

On 12/28/2016 06:13 PM, Greg Cornell wrote:

On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:



On 12/28/2016 06:05 PM, J Martin Rushton wrote:

On 28/12/16 21:24, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 03:32 PM, J Martin Rushton wrote:

On 28/12/16 20:11, Robert Moskowitz wrote:

On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz

wrote:

Which is why I wonder if there is some different config for the
C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions
will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set
selinux
into permissive mode, so you'll get the error messages from it, and
can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.


Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinux issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.

I have never had it make useful suggestions to me on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
  File "/usr/bin/sealert", line 651, in 
import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Nahh... you want to install setroubleshoot.

  mark



Sorry, missed the no GUI if it was mentioned earlier.

Never mentioned it.  I have not checked to see what GUI has been ported
to try and load something.  I *DO* use Xfce with Fedora-arm systems.
But I would have to hook this little server up to such.


You _might_ get away with ssh -Y from a workstation but you might end up 
wasting time.
No guarantees I'm afraid. :-) Martin

Yeah, ssh -Y can be such fun with a headless system.
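
The three audit.log records quoted in the message above can be read without sealert or a GUI. As an added example (not code from the thread or from the setroubleshoot tools), this Python 3 script groups records by their `msg=audit(timestamp:serial)` id, extracts the AVC fields and decodes the hex `proctitle`; the function names are this example's own, and the sample input is copied from the thread with the mail line-wrapping undone.

```python
import re
from collections import defaultdict

# Records copied from this thread with the e-mail line wrapping undone.
# The last AVC is the one from the later reply; it came without
# SYSCALL/PROCTITLE records and without a permissive= field.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1483077583.703:1539671): avc:  denied  { read } for pid=11162 comm="httpd" name="courier-pythonfilter" dev="dm-0" ino=533228 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Return key=value pairs. Quoted values keep their quotes so a caller
    can tell a literal string from a hex-encoded one."""
    return dict(KV_RE.findall(text))


def unquote(value):
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def context_type(context):
    """Third field of user:role:type:level, e.g. httpd_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None


def decode_proctitle(raw):
    """The kernel logs proctitle as a quoted string, or as hex when the
    command line holds NULs or spaces; in hex form argv is NUL-separated."""
    if raw.startswith('"'):
        return [unquote(raw)]
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return [raw]
    return [arg.decode("utf-8", "replace") for arg in data.split(b"\0") if arg]


def group_events(log_text):
    """Map (timestamp, serial) -> {record type: [record bodies]}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        match = HEADER_RE.match(line.strip())
        if match:
            rtype, stamp, serial, body = match.groups()
            events[(stamp, serial)][rtype].append(body)
    return events


def summarize_denials(log_text):
    """One dict per AVC denial, joined with its SYSCALL/PROCTITLE if present."""
    denials = []
    for (stamp, serial), records in group_events(log_text).items():
        syscall = parse_fields((records.get("SYSCALL") or [""])[0])
        title = parse_fields((records.get("PROCTITLE") or [""])[0]).get("proctitle")
        for body in records.get("AVC", []):
            match = AVC_RE.search(body)
            if not match or match.group(1) != "denied":
                continue
            fields = parse_fields(match.group(3))
            permissive = fields.get("permissive")
            denials.append({
                "event": stamp + ":" + serial,
                "perms": match.group(2).split(),
                "source_type": context_type(fields.get("scontext", "")),
                "target_type": context_type(fields.get("tcontext", "")),
                "tclass": fields.get("tclass"),
                "name": unquote(fields.get("name", "")),
                # permissive=0 means the denial was actually enforced;
                # None means the record did not carry the field.
                "enforced": None if permissive is None else permissive == "0",
                "exe": unquote(syscall["exe"]) if "exe" in syscall else None,
                "exit": int(syscall["exit"]) if "exit" in syscall else None,
                "argv": decode_proctitle(title) if title else [],
            })
    return denials


def distinct_rules(denials):
    """Collapse denials to the (source, target, class, perms) rule they hit."""
    return {(d["source_type"], d["target_type"], d["tclass"], tuple(d["perms"]))
            for d in denials}


if __name__ == "__main__":
    found = summarize_denials(SAMPLE_AUDIT_LOG)
    for denial in found:
        print(denial)
    print(distinct_rules(found))
```

Run against a real log by passing the contents of /var/log/audit/audit.log to `summarize_denials()`; both AVCs quoted in this thread collapse to the same source type, target type, class and permission.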



Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Greg Cornell
On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:

On 12/28/2016 06:13 PM, Greg Cornell wrote:
> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" 
>  wrote:
>
>
>
> On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>> On 28/12/16 21:24, m.r...@5-cent.us wrote:
>>> Robert Moskowitz wrote:
 On 12/28/2016 03:32 PM, J Martin Rushton wrote:
> On 28/12/16 20:11, Robert Moskowitz wrote:
>> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>>> Robert Moskowitz wrote:
 On 12/28/2016 05:11 AM, Todor Petkov wrote:
> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
> 
> wrote:
>> Which is why I wonder if there is some different config for the
>> C7.3
>> version
>> of apache.
>>
>> Or something with the C7-arm build...
> Can you check for SELinux warnings/errors in
> /var/log/audit/audit.log?
 Good advice.  As I suspect the problem is with SELinux.

 So I tried an access.  What follows is the access_log entry, the
 error_log entry and the 3 entries in the audit.log:

 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
 HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
 rv:50.0)
 Gecko/20100101 Firefox/50.0"

 [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
 (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
 open
 directory for index: /home/rgm/public_html/family/

 type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
 pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
 scontext=system_u:system_r:httpd_t:s0
 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
 permissive=0

 type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
 suid=48
 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
 comm="httpd"
 exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

 type=PROCTITLE msg=audit(1482944350.289:339):
 proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


 I will say that after enabling selinux on this image per the
 instructions of the team doing the Centos7-arm builds, I got the
 following messages when I did things like 'setsebool -P
 httpd_enable_homedirs on':

 [ 2273.047017] SELinux:  Class binder not defined in policy.
 [ 2273.052531] SELinux: the above unknown classes and permissions
 will
 be allowed


 So something may well not be right with my SELinux.

>>> Bang. I would suggest, at this point, that you might want to set
>>> selinux
>>> into permissive mode, so you'll get the error messages from it, and
>>> can
>>> work out fixes, but will let your system operate as you intend.
>>> setselinux 0
>>>
>>> Note that this is *temporary*, and will revert on reboot. To make it
>>> permanent, you'd need to edit /etc/selinux/config.
>> Thanks, Mark, I was just getting around to that way of thinking.
>>
>> The command, at least on my Centos7-arm system is
>>
>> setenforce 0
>>
>> A presto it works.  So now to figure out what is wrong with SElinux on
>> this image.
>>
> Have you got the setroubleshoot-server package installed?  For x86_64 it
> is part of the base repository, obviously arm may differ.  The package
> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
> menu, or it can be launched via:
 No GUI in the base image.  And on arm, we tend to use Xfce.

> # /usr/bin/python -Es /usr/bin/sealert -s
 no sealert bin file, so it is off to install it.

> It generates suggestions to fix SELinux issues.  Sometimes it is quite
> useful, on other occasions it just lists vast numbers of possibilities
> with little or no help.  On balance it is worth trying for when it does
> help.
 I have never had it make useful suggestions to me on my notebook, but we
 will see...

 so here is what happens after I install it:

 # /usr/bin/python -Es /usr/bin/sealert -s
 Opps, sealert hit an error!

 Traceback (most recent call last):
  File "/usr/bin/sealert", line 651, in 

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 06:13 PM, Greg Cornell wrote:

On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:



On 12/28/2016 06:05 PM, J Martin Rushton wrote:

On 28/12/16 21:24, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 03:32 PM, J Martin Rushton wrote:

On 28/12/16 20:11, Robert Moskowitz wrote:

On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz

wrote:

Which is why I wonder if there is some different config for the
C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions
will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set
selinux
into permissive mode, so you'll get the error messages from it, and
can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.


Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinux issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.

I have never had it make useful suggestions to me on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
 File "/usr/bin/sealert", line 651, in 
   import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Nahh... you want to install setroubleshoot.

 mark



Sorry, missed the no GUI if it was mentioned earlier.

Never mentioned it.  I have not checked to see what GUI has been ported
to try and load something.  I *DO* use Xfce with Fedora-arm systems.
But I would have to hook this little server up to such.


You _might_ get away with ssh -Y from a workstation but you might end up 
wasting time.
No guarantees I'm afraid. :-) Martin

Yeah, ssh -Y can be such fun with a headless system.



Sorry, I’m a bit late to this thread so I don’t know if anyone has 

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Greg Cornell
On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" 
 wrote:



On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>
> On 28/12/16 21:24, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:
>>>
>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
 On 28/12/16 20:11, Robert Moskowitz wrote:
> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:
>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
 On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
 
 wrote:
> Which is why I wonder if there is some different config for the
> C7.3
> version
> of apache.
>
> Or something with the C7-arm build...
 Can you check for SELinux warnings/errors in
 /var/log/audit/audit.log?
>>> Good advice.  As I suspect the problem is with SELinux.
>>>
>>> So I tried an access.  What follows is the access_log entry, the
>>> error_log entry and the 3 entries in the audit.log:
>>>
>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>> rv:50.0)
>>> Gecko/20100101 Firefox/50.0"
>>>
>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>> open
>>> directory for index: /home/rgm/public_html/family/
>>>
>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>> permissive=0
>>>
>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>> suid=48
>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>> comm="httpd"
>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>
>>>
>>> I will say that after enabling selinux on this image per the
>>> instructions of the team doing the Centos7-arm builds, I got the
>>> following messages when I did things like 'setsebool -P
>>> httpd_enable_homedirs on':
>>>
>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>> will
>>> be allowed
>>>
>>>
>>> So something may well not be right with my SELinux.
>>>
>> Bang. I would suggest, at this point, that you might want to set
>> selinux
>> into permissive mode, so you'll get the error messages from it, and
>> can
>> work out fixes, but will let your system operate as you intend.
>> setselinux 0
>>
>> Note that this is *temporary*, and will revert on reboot. To make it
>> permanent, you'd need to edit /etc/selinux/config.
> Thanks, Mark, I was just getting around to that way of thinking.
>
> The command, at least on my Centos7-arm system is
>
> setenforce 0
>
> A presto it works.  So now to figure out what is wrong with SElinux on
> this image.
>
 Have you got the setroubleshoot-server package installed?  For x86_64 it
 is part of the base repository, obviously arm may differ.  The package
 installs a "SELinux Troubleshooter" entry in the Applications/Sundry
 menu, or it can be launched via:
>>> No GUI in the base image.  And on arm, we tend to use Xfce.
>>>
 # /usr/bin/python -Es /usr/bin/sealert -s
>>> no sealert bin file, so it is off to install it.
>>>
 It generates suggestions to fix SELinux issues.  Sometimes it is quite
 useful, on other occasions it just lists vast numbers of possibilities
 with little or no help.  On balance it is worth trying for when it does
 help.
>>> I have never had it make useful suggestions to me on my notebook, but we
>>> will see...
>>>
>>> so here is what happens after I install it:
>>>
>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>> Opps, sealert hit an error!
>>>
>>> Traceback (most recent call last):
>>> File "/usr/bin/sealert", line 651, in 
>>>   import gtk
>>> ImportError: No module named gtk
>>>
>>> If it needs a GUI, then that won't work here.  Headless system.
>>>
>> Nahh... you want to install setroubleshoot.
>>
>> mark
>>

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 06:05 PM, J Martin Rushton wrote:


On 28/12/16 21:24, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:


On 12/28/2016 03:32 PM, J Martin Rushton wrote:

On 28/12/16 20:11, Robert Moskowitz wrote:

On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz

wrote:

Which is why I wonder if there is some different config for the
C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions
will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set
selinux
into permissive mode, so you'll get the error messages from it, and
can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.


Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinux issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.

I have never had it make useful suggestions to me on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
File "/usr/bin/sealert", line 651, in 
  import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Nahh... you want to install setroubleshoot.

mark



Sorry, missed the no GUI if it was mentioned earlier.


Never mentioned it.  I have not checked to see what GUI has been ported 
to try and load something.  I *DO* use Xfce with Fedora-arm systems.  
But I would have to hook this little server up to such.



You _might_ get away with ssh -Y from a workstation but you might end up 
wasting time.
No guarantees I'm afraid. :-) Martin


Yeah, ssh -Y can be such fun with a headless system.




Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 04:24 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:


On 12/28/2016 03:32 PM, J Martin Rushton wrote:

On 28/12/16 20:11, Robert Moskowitz wrote:

On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:

Robert Moskowitz wrote:

On 12/28/2016 05:11 AM, Todor Petkov wrote:

On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz

wrote:

Which is why I wonder if there is some different config for the
C7.3
version
of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?

Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
rv:50.0)
Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
open
directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="httpd"
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339):
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions
will
be allowed


So something may well not be right with my SELinux.


Bang. I would suggest, at this point, that you might want to set
selinux
into permissive mode, so you'll get the error messages from it, and
can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.


Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.


# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.


It generates suggestions to fix SELinux issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.

I have never had it make useful suggestions to me on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
File "/usr/bin/sealert", line 651, in 
  import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Nahh... you want to install setroubleshoot.


# yum install setroubleshoot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
No package setroubleshoot available.
Error: Nothing to do


:(




Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread J Martin Rushton


On 28/12/16 21:24, m.r...@5-cent.us wrote:
> Robert Moskowitz wrote:
>>
>>
>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>
>>> On 28/12/16 20:11, Robert Moskowitz wrote:

>>>> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>>>>> Robert Moskowitz wrote:
>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>>>>>>
>>>>>>> wrote:
>>>>>>>> Which is why I wonder if there is some different config for the
>>>>>>>> C7.3
>>>>>>>> version
>>>>>>>> of apache.
>>>>>>>>
>>>>>>>> Or something with the C7-arm build...
>>>>>>> Can you check for SELinux warnings/errors in
>>>>>>> /var/log/audit/audit.log?
>>>>>> Good advice.  As I suspect the problem is with SELinux.
>>>>>>
>>>>>> So I tried an access.  What follows is the access_log entry, the
>>>>>> error_log entry and the 3 entries in the audit.log:
>>>>>>
>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>>>>> rv:50.0)
>>>>>> Gecko/20100101 Firefox/50.0"
>>>>>>
>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>>>>> open
>>>>>> directory for index: /home/rgm/public_html/family/
>>>>>>
>>>>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>>>> permissive=0
>>>>>>
>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>>>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>>>>> suid=48
>>>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>>> comm="httpd"
>>>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>
>>>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>>
>>>>>>
>>>>>> I will say that after enabling selinux on this image per the
>>>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>>>> following messages when I did things like 'setsebool -P
>>>>>> httpd_enable_homedirs on':
>>>>>>
>>>>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>>>>> will
>>>>>> be allowed
>>>>>>
>>>>>>
>>>>>> So something may well not be right with my SELinux.
>>>>>>
>>>>> Bang. I would suggest, at this point, that you might want to set
>>>>> selinux
>>>>> into permissive mode, so you'll get the error messages from it, and
>>>>> can
>>>>> work out fixes, but will let your system operate as you intend.
>>>>> setselinux 0
>>>>>
>>>>> Note that this is *temporary*, and will revert on reboot. To make it
>>>>> permanent, you'd need to edit /etc/selinux/config.
>>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>>
>>>> The command, at least on my Centos7-arm system is
>>>>
>>>> setenforce 0
>>>>
>>>> A presto it works.  So now to figure out what is wrong with SElinux on
>>>> this image.
>>> Have you got the setroubleshoot-server package installed?  For x86_64 it
>>> is part of the base repository, obviously arm may differ.  The package
>>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>>> menu, or it can be launched via:
>>
>> No GUI in the base image.  And on arm, we tend to use Xfce.
>>
>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>
>> no sealert bin file, so it is off to install it.
>>
>>> It generates suggestions to fix SELinux issues.  Sometimes it is quite
>>> useful, on other occasions it just lists vast numbers of possibilities
>>> with little or no help.  On balance it is worth trying for when it does
>>> help.
>>
>> I have never had it make useful suggestions to me on my notebook, but we
>> will see...
>>
>> so here is what happens after I install it:
>>
>> # /usr/bin/python -Es /usr/bin/sealert -s
>> Opps, sealert hit an error!
>>
>> Traceback (most recent call last):
>>   File "/usr/bin/sealert", line 651, in <module>
>>     import gtk
>> ImportError: No module named gtk
>>
>> If it needs a GUI, then that won't work here.  Headless system.
>>
> Nahh... you want to install setroubleshoot.
> 
>mark
> 
> 
Sorry, missed the no GUI if it was mentioned earlier.  You _might_ get
away with ssh -Y from a workstation but you might end up wasting time.
No guarantees I'm afraid. :-) Martin




Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread m . roth
Robert Moskowitz wrote:
>
>
> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>
>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>
>>> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>>>> Robert Moskowitz wrote:
>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>>>>>
>>>>>> wrote:
>>>>>>> Which is why I wonder if there is some different config for the
>>>>>>> C7.3
>>>>>>> version
>>>>>>> of apache.
>>>>>>>
>>>>>>> Or something with the C7-arm build...
>>>>>> Can you check for SELinux warnings/errors in
>>>>>> /var/log/audit/audit.log?
>>>>> Good advice.  As I suspect the problem is with SELinux.
>>>>>
>>>>> So I tried an access.  What follows is the access_log entry, the
>>>>> error_log entry and the 3 entries in the audit.log:
>>>>>
>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>>>> rv:50.0)
>>>>> Gecko/20100101 Firefox/50.0"
>>>>>
>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>>>> open
>>>>> directory for index: /home/rgm/public_html/family/
>>>>>
>>>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>>> permissive=0
>>>>>
>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>>>> suid=48
>>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>> comm="httpd"
>>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>
>>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>
>>>>>
>>>>> I will say that after enabling selinux on this image per the
>>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>>> following messages when I did things like 'setsebool -P
>>>>> httpd_enable_homedirs on':
>>>>>
>>>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>>>> will
>>>>> be allowed
>>>>>
>>>>>
>>>>> So something may well not be right with my SELinux.
>>>>>
>>>> Bang. I would suggest, at this point, that you might want to set
>>>> selinux
>>>> into permissive mode, so you'll get the error messages from it, and
>>>> can
>>>> work out fixes, but will let your system operate as you intend.
>>>> setselinux 0
>>>>
>>>> Note that this is *temporary*, and will revert on reboot. To make it
>>>> permanent, you'd need to edit /etc/selinux/config.
>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>
>>> The command, at least on my Centos7-arm system is
>>>
>>> setenforce 0
>>>
>>> A presto it works.  So now to figure out what is wrong with SElinux on
>>> this image.
>>>
>> Have you got the setroubleshoot-server package installed?  For x86_64 it
>> is part of the base repository, obviously arm may differ.  The package
>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>> menu, or it can be launched via:
>
> No GUI in the base image.  And on arm, we tend to use Xfce.
>
>> # /usr/bin/python -Es /usr/bin/sealert -s
>
> no sealert bin file, so it is off to install it.
>
>> It generates suggestions to fix SELinux issues.  Sometimes it is quite
>> useful, on other occasions it just lists vast numbers of possibilities
>> with little or no help.  On balance it is worth trying for when it does
>> help.
>
> I have never had it make useful suggestions to me on my notebook, but we
> will see...
>
> so here is what happens after I install it:
>
> # /usr/bin/python -Es /usr/bin/sealert -s
> Opps, sealert hit an error!
>
> Traceback (most recent call last):
>   File "/usr/bin/sealert", line 651, in <module>
>     import gtk
> ImportError: No module named gtk
>
> If it needs a GUI, then that won't work here.  Headless system.
>
Nahh... you want to install setroubleshoot.

   mark



Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>
> On 28/12/16 20:11, Robert Moskowitz wrote:
>>
>> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>>> Robert Moskowitz wrote:
>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>>>> wrote:
>>>>>> Which is why I wonder if there is some different config for the C7.3
>>>>>> version
>>>>>> of apache.
>>>>>>
>>>>>> Or something with the C7-arm build...
>>>>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>>>> Good advice.  As I suspect the problem is with SELinux.
>>>>
>>>> So I tried an access.  What follows is the access_log entry, the
>>>> error_log entry and the 3 entries in the audit.log:
>>>>
>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
>>>> Gecko/20100101 Firefox/50.0"
>>>>
>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
>>>> directory for index: /home/rgm/public_html/family/
>>>>
>>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>> scontext=system_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>> permissive=0
>>>>
>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>
>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>
>>>>
>>>> I will say that after enabling selinux on this image per the
>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>> following messages when I did things like 'setsebool -P
>>>> httpd_enable_homedirs on':
>>>>
>>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>>> [ 2273.052531] SELinux: the above unknown classes and permissions will
>>>> be allowed
>>>>
>>>>
>>>> So something may well not be right with my SELinux.
>>>>
>>> Bang. I would suggest, at this point, that you might want to set selinux
>>> into permissive mode, so you'll get the error messages from it, and can
>>> work out fixes, but will let your system operate as you intend.
>>> setselinux 0
>>>
>>> Note that this is *temporary*, and will revert on reboot. To make it
>>> permanent, you'd need to edit /etc/selinux/config.
>> Thanks, Mark, I was just getting around to that way of thinking.
>>
>> The command, at least on my Centos7-arm system is
>>
>> setenforce 0
>>
>> A presto it works.  So now to figure out what is wrong with SElinux on
>> this image.
> Have you got the setroubleshoot-server package installed?  For x86_64 it
> is part of the base repository, obviously arm may differ.  The package
> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
> menu, or it can be launched via:

No GUI in the base image.  And on arm, we tend to use Xfce.

> # /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.

> It generates suggestions to fix SELinux issues.  Sometimes it is quite
> useful, on other occasions it just lists vast numbers of possibilities
> with little or no help.  On balance it is worth trying for when it does
> help.

I have never had it make useful suggestions to me on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
  File "/usr/bin/sealert", line 651, in <module>
    import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.


Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread m . roth
Robert Moskowitz wrote:
> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:

>> Bang. I would suggest, at this point, that you might want to set selinux
>> into permissive mode, so you'll get the error messages from it, and can
>> work out fixes, but will let your system operate as you intend.
>> setselinux 0
>>
>> Note that this is *temporary*, and will revert on reboot. To make it
>> permanent, you'd need to edit /etc/selinux/config.
>
> Thanks, Mark, I was just getting around to that way of thinking.
>
> The command, at least on my Centos7-arm system is
>
> setenforce 0
>
Sorry. Clearly, there's too much blood in my caffeine stream

> A presto it works.  So now to figure out what is wrong with SElinux on
> this image.

Good luck.

   mark



Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread J Martin Rushton


On 28/12/16 20:11, Robert Moskowitz wrote:
> 
> 
> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:
>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>>> wrote:
>>>>> Which is why I wonder if there is some different config for the C7.3
>>>>> version
>>>>> of apache.
>>>>>
>>>>> Or something with the C7-arm build...
>>>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>>> Good advice.  As I suspect the problem is with SELinux.
>>>
>>> So I tried an access.  What follows is the access_log entry, the
>>> error_log entry and the 3 entries in the audit.log:
>>>
>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
>>> Gecko/20100101 Firefox/50.0"
>>>
>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
>>> directory for index: /home/rgm/public_html/family/
>>>
>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>> permissive=0
>>>
>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>
>>>
>>> I will say that after enabling selinux on this image per the
>>> instructions of the team doing the Centos7-arm builds, I got the
>>> following messages when I did things like 'setsebool -P
>>> httpd_enable_homedirs on':
>>>
>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>> [ 2273.052531] SELinux: the above unknown classes and permissions will
>>> be allowed
>>>
>>>
>>> So something may well not be right with my SELinux.
>>>
>> Bang. I would suggest, at this point, that you might want to set selinux
>> into permissive mode, so you'll get the error messages from it, and can
>> work out fixes, but will let your system operate as you intend.
>> setselinux 0
>>
>> Note that this is *temporary*, and will revert on reboot. To make it
>> permanent, you'd need to edit /etc/selinux/config.
> 
> Thanks, Mark, I was just getting around to that way of thinking.
> 
> The command, at least on my Centos7-arm system is
> 
> setenforce 0
> 
> A presto it works.  So now to figure out what is wrong with SElinux on
> this image.
> 

Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:

# /usr/bin/python -Es /usr/bin/sealert -s

It generates suggestions to fix SELinux issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.





Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
> Robert Moskowitz wrote:
>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>> wrote:
>>>> Which is why I wonder if there is some different config for the C7.3
>>>> version
>>>> of apache.
>>>>
>>>> Or something with the C7-arm build...
>>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>> Good advice.  As I suspect the problem is with SELinux.
>>
>> So I tried an access.  What follows is the access_log entry, the
>> error_log entry and the 3 entries in the audit.log:
>>
>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
>> Gecko/20100101 Firefox/50.0"
>>
>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
>> directory for index: /home/rgm/public_html/family/
>>
>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>> permissive=0
>>
>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>
>> type=PROCTITLE msg=audit(1482944350.289:339):
>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>
>>
>> I will say that after enabling selinux on this image per the
>> instructions of the team doing the Centos7-arm builds, I got the
>> following messages when I did things like 'setsebool -P
>> httpd_enable_homedirs on':
>>
>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>> [ 2273.052531] SELinux: the above unknown classes and permissions will
>> be allowed
>>
>>
>> So something may well not be right with my SELinux.
>>
> Bang. I would suggest, at this point, that you might want to set selinux
> into permissive mode, so you'll get the error messages from it, and can
> work out fixes, but will let your system operate as you intend.
> setselinux 0
>
> Note that this is *temporary*, and will revert on reboot. To make it
> permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.  So now to figure out what is wrong with SElinux on
this image.


Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread m . roth
Robert Moskowitz wrote:
> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz 
>> wrote:
>>> Which is why I wonder if there is some different config for the C7.3
>>> version
>>> of apache.
>>>
>>> Or something with the C7-arm build...
>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>
> Good advice.  As I suspect the problem is with SELinux.
>
> So I tried an access.  What follows is the access_log entry, the
> error_log entry and the 3 entries in the audit.log:
>
> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
> Gecko/20100101 Firefox/50.0"
>
> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
> directory for index: /home/rgm/public_html/family/
>
> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
> permissive=0
>
> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> type=PROCTITLE msg=audit(1482944350.289:339):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>
> I will say that after enabling selinux on this image per the
> instructions of the team doing the Centos7-arm builds, I got the
> following messages when I did things like 'setsebool -P
> httpd_enable_homedirs on':
>
> [ 2273.047017] SELinux:  Class binder not defined in policy.
> [ 2273.052531] SELinux: the above unknown classes and permissions will
> be allowed
>
>
> So something may well not be right with my SELinux.
>
Bang. I would suggest, at this point, that you might want to set selinux
into permissive mode, so you'll get the error messages from it, and can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.

  mark


Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 05:11 AM, Todor Petkov wrote:
> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz  wrote:
>> Which is why I wonder if there is some different config for the C7.3 version
>> of apache.
>>
>> Or something with the C7-arm build...
> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?


Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the 
error_log entry and the 3 entries in the audit.log:


192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ 
HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) 
Gecko/20100101 Firefox/50.0"


[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] 
(13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open 
directory for index: /home/rgm/public_html/family/




type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for 
pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir 
permissive=0


type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 
per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 
items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" 
exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)


type=PROCTITLE msg=audit(1482944350.289:339): 
proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44



I will say that after enabling selinux on this image per the 
instructions of the team doing the Centos7-arm builds, I got the 
following messages when I did things like 'setsebool -P 
httpd_enable_homedirs on':


[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will 
be allowed



So something may well not be right with my SELinux.

Bob
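
Added example, not part of the original post: sealert turned out to need gtk on this headless box, so this Python sketch reads the three audit.log records quoted in the message above, groups them by event serial, and extracts what is needed to choose a fix (source and target SELinux types, class, permission, errno, decoded proctitle). The function names are hypothetical; the sample lines are the ones from the message, joined back onto single lines.

```python
import errno
import re
from datetime import datetime, timezone

# The three records from the post above, unwrapped to one line each as they
# sit in /var/log/audit/audit.log (field values exactly as posted).
SAMPLE = '''\
type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')


def parse_records(text):
    """Return {event serial: {record type: [field dicts]}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # blank line or a fragment left by mail wrapping
        rtype, secs, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        fields['_epoch'] = int(secs)
        avc = AVC.search(body) if rtype == 'AVC' else None
        if avc:
            fields['_result'] = avc.group(1)
            fields['_perms'] = avc.group(2).split()
        events.setdefault(int(serial), {}).setdefault(rtype, []).append(fields)
    return events


def decode_proctitle(value):
    """auditd hex-encodes a command line whose arguments are NUL-separated."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value  # already plain text
    return raw.replace(b'\x00', b' ').decode('utf-8', 'replace')


def selinux_type(context):
    """user:role:type:level -> type (any extra colons belong to the level)."""
    return context.split(':')[2]


def summarise(event):
    """One dict per AVC record, joined with the SYSCALL/PROCTITLE of the event."""
    syscall = (event.get('SYSCALL') or [{}])[0]
    title = (event.get('PROCTITLE') or [{}])[0]
    exit_code = int(syscall.get('exit', 0))
    out = []
    for avc in event.get('AVC', []):
        if '_perms' not in avc:
            continue  # AVC record in a layout this sketch does not handle
        when = datetime.fromtimestamp(avc['_epoch'], timezone.utc)
        out.append({
            'when_utc': when.strftime('%Y-%m-%d %H:%M:%S'),
            'result': avc['_result'],
            'perms': avc['_perms'],
            'tclass': avc['tclass'],
            'source_type': selinux_type(avc['scontext']),
            'target_type': selinux_type(avc['tcontext']),
            'object': avc.get('name'),
            'pid': int(avc['pid']),
            'errno': errno.errorcode.get(-exit_code) if exit_code < 0 else None,
            'command': decode_proctitle(title.get('proctitle', '')),
            # permissive= is missing from some kernels' records: None = unknown
            'enforced': {'0': True, '1': False}.get(avc.get('permissive')),
        })
    return out


if __name__ == '__main__':
    for serial, event in parse_records(SAMPLE).items():
        for d in summarise(event):
            print(f"event {serial} at {d['when_utc']} UTC: pid {d['pid']} "
                  f"({d['command']}) {d['source_type']} {d['result']} "
                  f"{{ {' '.join(d['perms'])} }} on {d['tclass']} "
                  f"'{d['object']}' labelled {d['target_type']}, "
                  f"errno={d['errno']}, enforced={d['enforced']}")
```

For this event it reports httpd_t denied read on a dir labelled httpd_user_content_t, with EACCES returned to pid 2141, the same pid that appears in the error_log line.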



Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 09:26 AM, Louis Lagendijk wrote:
> On Wed, 2016-12-28 at 08:20 -0500, Robert Moskowitz wrote:
>>
>> On 12/28/2016 07:35 AM, Louis Lagendijk wrote:
>>> Robert,
>>> On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:
>>>> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>>>>>
>>>>> On 12/27/2016 07:06 PM, John Fawcett wrote:
>>>>>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>>>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>>>>>> That error should be caused by having MultiViews options
>>>>>>>> but
>>>>>>>> incorrect
>>>>>>>> permissions (711 instead of 755) on the directory.
>>>>>>>
>>>>>>> I just did chmod -R 755 /home/rgm/public_html and no change
>>>>>>> in
>>>>>>> behavior.
>>>>>>>
>>>>>>> Even tried chmod -R 755 /home/rgm
>>>>>>
>>>>>> Are you actually using MultiViews? If you don't need that
>>>>>> option,
>>>>>> maybe
>>>>>> the easiest thing is to take it out and see if the error
>>>>>> message
>>>>>> changes.
>>>>>
>>>>> I am using the default conf file for userdir.
>>>>>
>>>>> /etc/httpd/conf.d/userdir.conf
>>>>>
>>>>> So I deleted Multiviews and now the error is:
>>>>>
>>>>> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
>>>>> (13)Permission denied: [client 192.168.160.12:55762] AH01275:
>>>>> Can't
>>>>> open directory for index: /home/rgm/public_html/family/
>>>>>
>>>>
>>>> I know this is not going to help, but that error means that
>>>> apache
>>>> does
>>>> not have access to read the directory
>>>> /home/rgm/public_html/family/.
>>>> That doesn't really fit with the rest of the evidence, that you
>>>> have
>>>> chmod 755 everything from /home/rgm/public_html downwards and
>>>> that
>>>> apache can read specific files from /home/rgm/public_html.
>>>> John
>>>
>>> but is apache allowed access to /home/rgm ?
>>> Try su - apache -s /bin/bash to run a shell as apache and see how
>>> far
>>> you get starting from cd /home and if that works cd /home/rgm and
>>> so
>>> on... That will check normal user permissions, but not selinux
>>
>> Command apache not known!
>>
>> All I installed, directly, for the web server was 'yum install
>> httpd'.
>>
> In a single command from root:
> su - apache -s /bin/bash
> The "su -" is part of the command


I really did not read your instructions well enough.  I got it this time 
and followed it.


I had no problem CDing all the way up the /home tree, doing 'ls' along 
the way.


So normal user permissions work.  I have to check out selinux as Todor 
recommended.


There was/is some sort of selinux issue with this C7-arm image.  I will 
post all of that in a separate message.  Plus some posts on the 
centos-arm list will be needed.


Bob



Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Louis Lagendijk
On Wed, 2016-12-28 at 08:20 -0500, Robert Moskowitz wrote:
> 
> On 12/28/2016 07:35 AM, Louis Lagendijk wrote:
> > Robert,
> > On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:
> > > On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
> > > > 
> > > > On 12/27/2016 07:06 PM, John Fawcett wrote:
> > > > > On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
> > > > > > On 12/27/2016 05:44 PM, John Fawcett wrote:
> > > > > > > That error should be caused by having MultiViews options
> > > > > > > but
> > > > > > > incorrect
> > > > > > > permissions (711 instead of 755) on the directory.
> > > > > > 
> > > > > > I just did chmod -R 755 /home/rgm/public_html and no change
> > > > > > in
> > > > > > behavior.
> > > > > > 
> > > > > > Even tried chmod -R 755 /home/rgm
> > > > > 
> > > > > Are you actually using MultiViews? If you don't need that
> > > > > option,
> > > > > maybe
> > > > > the easiest thing is to take it out and see if the error
> > > > > message
> > > > > changes.
> > > > 
> > > > I am using the default conf file for userdir.
> > > > 
> > > > /etc/httpd/conf.d/userdir.conf
> > > > 
> > > > So I deleted Multiviews and now the error is:
> > > > 
> > > > [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
> > > > (13)Permission denied: [client 192.168.160.12:55762] AH01275:
> > > > Can't
> > > > open directory for index: /home/rgm/public_html/family/
> > > > 
> > > > 
> > > > 
> > > 
> > > I know this is not going to help, but that error means that
> > > apache
> > > does
> > > not have access to read the directory
> > > /home/rgm/public_html/family/.
> > > That doesn't really fit with the rest of the evidence, that you
> > > have
> > > chmod 755 everything from /home/rgm/public_html downwards and
> > > that
> > > apache can read specific files from /home/rgm/public_html.
> > > John
> > 
> > but is apache allowed access to /home/rgm ?
> > Try su - apache -s /bin/bash to run a shell as apache and see how
> > far
> > you get starting from cd /home and if that works cd /home/rgm and
> > so
> > on... That will check normal user permissions, but not selinux
> 
> Command apache not known!
> 
> All I installed, directly, for the web server was 'yum install
> httpd'.
> 
> 
In a single command from root:
su - apache -s /bin/bash
The "su -" is part of the command
/Louis


Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Robert Moskowitz



On 12/28/2016 07:35 AM, Louis Lagendijk wrote:
> Robert,
> On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:
>> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>>>
>>> On 12/27/2016 07:06 PM, John Fawcett wrote:
>>>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>>>> That error should be caused by having MultiViews options but
>>>>>> incorrect
>>>>>> permissions (711 instead of 755) on the directory.
>>>>>
>>>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>>>> behavior.
>>>>>
>>>>> Even tried chmod -R 755 /home/rgm
>>>>
>>>> Are you actually using MultiViews? If you don't need that option,
>>>> maybe
>>>> the easiest thing is to take it out and see if the error message
>>>> changes.
>>>
>>> I am using the default conf file for userdir.
>>>
>>> /etc/httpd/conf.d/userdir.conf
>>>
>>> So I deleted Multiviews and now the error is:
>>>
>>> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
>>> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
>>> open directory for index: /home/rgm/public_html/family/
>>>
>>
>> I know this is not going to help, but that error means that apache
>> does
>> not have access to read the directory /home/rgm/public_html/family/.
>> That doesn't really fit with the rest of the evidence, that you have
>> chmod 755 everything from /home/rgm/public_html downwards and that
>> apache can read specific files from /home/rgm/public_html.
>> John
>
> but is apache allowed access to /home/rgm ?
> Try su - apache -s /bin/bash to run a shell as apache and see how far
> you get starting from cd /home and if that works cd /home/rgm and so
> on... That will check normal user permissions, but not selinux

Command apache not known!

All I installed, directly, for the web server was 'yum install httpd'.


Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Louis Lagendijk
Robert,
On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:
> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
> > 
> > 
> > On 12/27/2016 07:06 PM, John Fawcett wrote:
> > > On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
> > > > 
> > > > On 12/27/2016 05:44 PM, John Fawcett wrote:
> > > > > That error should be caused by having MultiViews options but
> > > > > incorrect
> > > > > permissions (711 instead of 755) on the directory.
> > > > 
> > > > I just did chmod -R 755 /home/rgm/public_html and no change in
> > > > behavior.
> > > > 
> > > > Even tried chmod -R 755 /home/rgm
> > > 
> > > Are you actually using MultiViews? If you don't need that option,
> > > maybe
> > > the easiest thing is to take it out and see if the error message
> > > changes.
> > 
> > I am using the default conf file for userdir.
> > 
> > /etc/httpd/conf.d/userdir.conf
> > 
> > So I deleted Multiviews and now the error is:
> > 
> > [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
> > (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
> > open directory for index: /home/rgm/public_html/family/
> > 
> > 
> > 
> 
> I know this is not going to help, but that error means that apache
> does
> not have access to read the directory /home/rgm/public_html/family/.
> That doesn't really fit with the rest of the evidence, that you have
> chmod 755 everything from /home/rgm/public_html downwards and that
> apache can read specific files from /home/rgm/public_html.
> John
but is apache allowed access to /home/rgm ?
Try su - apache -s /bin/bash to run a shell as apache and see how far
you get starting from cd /home and if that works cd /home/rgm and so
on... That will check normal user permissions, but not selinux
/Louis


Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread John Fawcett
On 12/28/2016 04:16 AM, Robert Moskowitz wrote:
>
>
> On 12/27/2016 08:20 PM, John Fawcett wrote:
>> On 12/28/2016 01:43 AM, John Fawcett wrote:
>>> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>>>> On 12/27/2016 07:06 PM, John Fawcett wrote:
>>>>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>>>>> That error should be caused by having MultiViews options but incorrect
>>>>>>> permissions (711 instead of 755) on the directory.
>>>>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>>>>> behavior.
>>>>>>
>>>>>> Even tried chmod -R 755 /home/rgm
>>>>> Are you actually using MultiViews? If you don't need that option, maybe
>>>>> the easiest thing is to take it out and see if the error message
>>>>> changes.
>>>> I am using the default conf file for userdir.
>>>>
>>>> /etc/httpd/conf.d/userdir.conf
>>>>
>>>> So I deleted Multiviews and now the error is:
>>>>
>>>> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
>>>> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
>>>> open directory for index: /home/rgm/public_html/family/
>>>>
>>> I know this is not going to help, but that error means that apache does
>>> not have access to read the directory /home/rgm/public_html/family/.
>>> That doesn't really fit with the rest of the evidence, that you have
>>> chmod 755 everything from /home/rgm/public_html downwards and that
>>> apache can read specific files from /home/rgm/public_html.
>>> John
>> Here is a small test program that you can use to check the permissions.
>>
>> You can compile it with:
>>
>> cc -o test test.c
>
> This is on Centos7-arm, so I will have to install all the build stuff,
> and hopefully won't take too long to compile
>
> Tomorrow most likely.
>
>
>
>>
>> then run it with:
>>
>> ./test apache /home/rgm/public_html/family/
>>
>> where apache is the name of the user that your web server runs under
>> (check it with ps -ef | grep http). You should run it as root (or from
>> sudo).
>>
>> John
>>
>> --test.c---
>>
>> #include <sys/types.h>
>> #include <dirent.h>
>> #include <errno.h>
>> #include <pwd.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <unistd.h>
>>
>> int
>> main(int argc, char *argv[])
>> {
>>  struct passwd pwd;
>>  struct passwd *result;
>>  char *buf;
>>  size_t bufsize;
>>  int s;
>>
>> if (argc != 3) {
>>  fprintf(stderr, "Usage: %s username directory\n", argv[0]);
>>  exit(EXIT_FAILURE);
>>  }
>>
>> bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
>>  if (bufsize == -1)  /* Value was indeterminate */
>>  bufsize = 16384;/* Should be more than enough */
>>
>> buf = malloc(bufsize);
>>  if (buf == NULL) {
>>  perror("malloc");
>>  exit(EXIT_FAILURE);
>>  }
>>
>> s = getpwnam_r(argv[1], &pwd, buf, bufsize, &result);
>>  if (result == NULL) {
>>  if (s == 0)
>>  printf("Not found\n");
>>  else {
>>  errno = s;
>>  perror("getpwnam_r");
>>  }
>>  exit(EXIT_FAILURE);
>>  }
>>
>>  printf("Name: %s; UID: %ld GID: %ld\n", pwd.pw_gecos, (long)
>> pwd.pw_uid, (long) pwd.pw_gid);
>>
>>  /* process is running as root, drop privileges */
>>
>>  if (getuid() == 0) {
>>  if (setgid(pwd.pw_gid) != 0) {
>>  perror("setgid: Unable to drop group privileges");
>>  exit(EXIT_FAILURE);
>>  }
>>  if (setuid(pwd.pw_uid) != 0) {
>>  perror("setuid: Unable to drop user privileges");
>>  exit(EXIT_FAILURE);
>>  }
>>  printf("dropped privileges\n");
>>  } else {
>>  errno = ENOTSUP;
>>  perror("process is not running as root cannot change user\n");
>>  exit(EXIT_FAILURE);
>>  }
>>
>>  /* check privileges really dropped */
>>
>>  if (setuid(0) != -1) {
>>  errno = ENOTSUP;
>>  perror("ERROR: Managed to regain root privileges");
>>  exit(EXIT_FAILURE);
>>  }
>>
>>  /* open directory */
>>
>>  DIR * d;
>>  d = opendir(argv[2]);
>>  printf("Attempting to open directory %s\n",argv[2]);
>>  if (d == NULL) {
>>  perror("Error opening directory");
>>  exit(EXIT_FAILURE);
>>  } else {
>>  printf("Success opening directory %s\n",argv[2]);
>>  }
>>  exit(EXIT_SUCCESS);
>> }
>>
>>

I'm not sure if it is worth installing a build system just for this
unless you need it for other stuff. Maybe other lines of 

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Todor Petkov
On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz  wrote:
>
> Which is why I wonder if there is some different config for the C7.3 version
> of apache.
>
> Or something with the C7-arm build...

Can you check for SELinux warnings/errors in /var/log/audit/audit.log?

Regards,
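
One way to do the check Todor asks for, as an added example that is not from the thread: summarise the AVC denials logged for httpd by permission, object class and SELinux type. The function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.

# httpd_avc_summary [FILE...]
# Reads audit records from FILE(s) or stdin, keeps AVC denials whose comm is
# "httpd" and prints "<count> <perms> <tclass> <source type> <target type>".
httpd_avc_summary() {
    awk '
    # Third field of user:role:type:level is the SELinux type.
    function ctx_type(field,    parts) {
        sub(/^[a-z]+=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }
    /^type=AVC / && /avc:  *denied/ && /comm="httpd"/ {
        perms = ""
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)      # "{ read open }" -> "read,open"
        }
        src = tgt = cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        seen[perms " " cls " " src " " tgt]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
    ' "$@" | sort -k2
}

# Constructed sample records in audit.log format (not taken from a real log).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1482883771.013:412): avc:  denied  { read } for  pid=2138 comm="httpd" name="family" dev="sda3" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482883771.013:412): arch=40000028 syscall=5 success=no exit=-13 pid=2138 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1482883780.220:415): avc:  denied  { read } for  pid=2139 comm="httpd" name="cubieboard" dev="sda3" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1482883790.500:418): avc:  denied  { getattr } for  pid=2139 comm="httpd" path="/home/rgm/notes.txt" dev="sda3" ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1482883799.900:420): avc:  denied  { read } for  pid=900 comm="sshd" name="authorized_keys" dev="sda3" ino=1004 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# With arguments, summarise those files; without, run on the sample.
if [ "$#" -gt 0 ]; then
    httpd_avc_summary "$@"
else
    sample_audit_log | httpd_avc_summary
fi
```

On a live system, run it as root against /var/log/audit/audit.log. A denial with source type httpd_t is one the file mode bits cannot fix.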


Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Robert Moskowitz



On 12/27/2016 07:43 PM, John Fawcett wrote:
> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>> On 12/27/2016 07:06 PM, John Fawcett wrote:
>>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>>> That error should be caused by having MultiViews options but incorrect
>>>>> permissions (711 instead of 755) on the directory.
>>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>>> behavior.
>>>>
>>>> Even tried chmod -R 755 /home/rgm
>>> Are you actually using MultiViews? If you don't need that option, maybe
>>> the easiest thing is to take it out and see if the error message
>>> changes.
>> I am using the default conf file for userdir.
>>
>> /etc/httpd/conf.d/userdir.conf
>>
>> So I deleted Multiviews and now the error is:
>>
>> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
>> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
>> open directory for index: /home/rgm/public_html/family/
> I know this is not going to help, but that error means that apache does
> not have access to read the directory /home/rgm/public_html/family/.
> That doesn't really fit with the rest of the evidence, that you have
> chmod 755 everything from /home/rgm/public_html downwards and that
> apache can read specific files from /home/rgm/public_html.


Which is why I wonder if there is some different config for the C7.3 
version of apache.


Or something with the C7-arm build...




Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Robert Moskowitz



On 12/27/2016 08:20 PM, John Fawcett wrote:

On 12/28/2016 01:43 AM, John Fawcett wrote:

On 12/28/2016 01:12 AM, Robert Moskowitz wrote:

On 12/27/2016 07:06 PM, John Fawcett wrote:

On 12/28/2016 12:34 AM, Robert Moskowitz wrote:

On 12/27/2016 05:44 PM, John Fawcett wrote:

That error should be caused by having MultiViews options but incorrect
permissions (711 instead of 755) on the directory.

I just did chmod -R 755 /home/rgm/public_html and no change in
behavior.

Even tried chmod -R 755 /home/rgm

Are you actually using MultiViews? If you don't need that option, maybe
the easiest thing is to take it out and see if the error message
changes.

I am using the default conf file for userdir.

/etc/httpd/conf.d/userdir.conf

So I deleted Multiviews and now the error is:

[Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
(13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
open directory for index: /home/rgm/public_html/family/




I know this is not going to help, but that error means that apache does
not have access to read the directory /home/rgm/public_html/family/.
That doesn't really fit with the rest of the evidence, that you have
chmod 755 everything from /home/rgm/public_html downwards and that
apache can read specific files from /home/rgm/public_html.
John

Here is a small test program that you can use to check the permissions.

You can compile it with:

cc -o test test.c


This is on Centos7-arm, so I will have to install all the build stuff, 
and hopefully won't take too long to compile


Tomorrow most likely.





then run it with:

./test apache /home/rgm/public_html/family/

where apache is the name of the user that your web server runs under
(check it with ps -ef | grep http). You should run it as root (or from
sudo).

John

--test.c---

#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
 struct passwd pwd;
 struct passwd *result;
 char *buf;
 size_t bufsize;
 int s;

if (argc != 3) {
 fprintf(stderr, "Usage: %s username directory\n", argv[0]);
 exit(EXIT_FAILURE);
 }

bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
 if (bufsize == -1)  /* Value was indeterminate */
 bufsize = 16384;/* Should be more than enough */

buf = malloc(bufsize);
 if (buf == NULL) {
 perror("malloc");
 exit(EXIT_FAILURE);
 }

s = getpwnam_r(argv[1], &pwd, buf, bufsize, &result);
 if (result == NULL) {
 if (s == 0)
 printf("Not found\n");
 else {
 errno = s;
 perror("getpwnam_r");
 }
 exit(EXIT_FAILURE);
 }

 printf("Name: %s; UID: %ld GID: %ld\n", pwd.pw_gecos, (long)
pwd.pw_uid, (long) pwd.pw_gid);

 /* process is running as root, drop privileges */

 if (getuid() == 0) {
 if (setgid(pwd.pw_gid) != 0) {
 perror("setgid: Unable to drop group privileges");
 exit(EXIT_FAILURE);
 }
 if (setuid(pwd.pw_uid) != 0) {
 perror("setuid: Unable to drop user privileges");
 exit(EXIT_FAILURE);
 }
 printf("dropped privileges\n");
 } else {
 errno = ENOTSUP;
 perror("process is not running as root cannot change user\n");
 exit(EXIT_FAILURE);
 }

 /* check privileges really dropped */

 if (setuid(0) != -1) {
 errno = ENOTSUP;
 perror("ERROR: Managed to regain root privileges");
 exit(EXIT_FAILURE);
 }

 /* open directory */

 DIR * d;
 d = opendir(argv[2]);
 printf("Attempting to open directory %s\n",argv[2]);
 if (d == NULL) {
 perror("Error opening directory");
 exit(EXIT_FAILURE);
 } else {
 printf("Success opening directory %s\n",argv[2]);
 }
 exit(EXIT_SUCCESS);
}




Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread John Fawcett
On 12/28/2016 01:43 AM, John Fawcett wrote:
> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>>
>> On 12/27/2016 07:06 PM, John Fawcett wrote:
>>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>>> That error should be caused by having MultiViews options but incorrect
>>>>> permissions (711 instead of 755) on the directory.
>>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>>> behavior.
>>>>
>>>> Even tried chmod -R 755 /home/rgm
>>> Are you actually using MultiViews? If you don't need that option, maybe
>>> the easiest thing is to take it out and see if the error message
>>> changes.
>> I am using the default conf file for userdir.
>>
>> /etc/httpd/conf.d/userdir.conf
>>
>> So I deleted Multiviews and now the error is:
>>
>> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
>> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
>> open directory for index: /home/rgm/public_html/family/
>>
>>
>> 
> I know this is not going to help, but that error means that apache does
> not have access to read the directory /home/rgm/public_html/family/.
> That doesn't really fit with the rest of the evidence, that you have
> chmod 755 everything from /home/rgm/public_html downwards and that
> apache can read specific files from /home/rgm/public_html.
> John

Here is a small test program that you can use to check the permissions.

You can compile it with:

cc -o test test.c

then run it with:

./test apache /home/rgm/public_html/family/

where apache is the name of the user that your web server runs under
(check it with ps -ef | grep http). You should run it as root (or from
sudo).

John

--test.c---

#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
    struct passwd pwd;
    struct passwd *result;
    char *buf;
    long bufsize;
    int s;
    DIR *d;

    if (argc != 3) {
        fprintf(stderr, "Usage: %s username directory\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
    if (bufsize == -1)          /* Value was indeterminate */
        bufsize = 16384;        /* Should be more than enough */

    buf = malloc(bufsize);
    if (buf == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }

    /* look up the uid and gid of the named user */

    s = getpwnam_r(argv[1], &pwd, buf, bufsize, &result);
    if (result == NULL) {
        if (s == 0)
            printf("Not found\n");
        else {
            errno = s;
            perror("getpwnam_r");
        }
        exit(EXIT_FAILURE);
    }

    printf("Name: %s; UID: %ld GID: %ld\n", pwd.pw_gecos,
           (long) pwd.pw_uid, (long) pwd.pw_gid);

    /* process is running as root, drop privileges */

    if (getuid() == 0) {
        /* replace root's supplementary groups with the user's own,
           otherwise the check still runs with root's group memberships */
        if (initgroups(pwd.pw_name, pwd.pw_gid) != 0) {
            perror("initgroups: Unable to set supplementary groups");
            exit(EXIT_FAILURE);
        }
        if (setgid(pwd.pw_gid) != 0) {
            perror("setgid: Unable to drop group privileges");
            exit(EXIT_FAILURE);
        }
        if (setuid(pwd.pw_uid) != 0) {
            perror("setuid: Unable to drop user privileges");
            exit(EXIT_FAILURE);
        }
        printf("dropped privileges\n");
    } else {
        errno = ENOTSUP;
        perror("process is not running as root cannot change user");
        exit(EXIT_FAILURE);
    }

    /* check privileges really dropped */

    if (setuid(0) != -1) {
        errno = ENOTSUP;
        perror("ERROR: Managed to regain root privileges");
        exit(EXIT_FAILURE);
    }

    /* open directory */

    printf("Attempting to open directory %s\n", argv[2]);
    d = opendir(argv[2]);
    if (d == NULL) {
        perror("Error opening directory");
        exit(EXIT_FAILURE);
    } else {
        printf("Success opening directory %s\n", argv[2]);
    }
    exit(EXIT_SUCCESS);
}




Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread John Fawcett
On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>
>
> On 12/27/2016 07:06 PM, John Fawcett wrote:
>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>
>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>> That error should be caused by having MultiViews options but incorrect
>>>> permissions (711 instead of 755) on the directory.
>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>> behavior.
>>>
>>> Even tried chmod -R 755 /home/rgm
>> Are you actually using MultiViews? If you don't need that option, maybe
>> the easiest thing is to take it out and see if the error message
>> changes.
>
> I am using the default conf file for userdir.
>
> /etc/httpd/conf.d/userdir.conf
>
> So I deleted Multiviews and now the error is:
>
> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
> open directory for index: /home/rgm/public_html/family/
>
>
> 
I know this is not going to help, but that error means that apache does
not have access to read the directory /home/rgm/public_html/family/.
That doesn't really fit with the rest of the evidence, that you have
chmod 755 everything from /home/rgm/public_html downwards and that
apache can read specific files from /home/rgm/public_html.
John


Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Robert Moskowitz



On 12/27/2016 07:06 PM, John Fawcett wrote:
> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>> That error should be caused by having MultiViews options but incorrect
>>> permissions (711 instead of 755) on the directory.
>> I just did chmod -R 755 /home/rgm/public_html and no change in behavior.
>>
>> Even tried chmod -R 755 /home/rgm
> Are you actually using MultiViews? If you don't need that option, maybe
> the easiest thing is to take it out and see if the error message changes.


I am using the default conf file for userdir.

/etc/httpd/conf.d/userdir.conf

So I deleted Multiviews and now the error is:

[Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138] 
(13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't open 
directory for index: /home/rgm/public_html/family/





Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread John Fawcett
On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>
>
> On 12/27/2016 05:44 PM, John Fawcett wrote:
>> That error should be caused by having MultiViews options but incorrect
>> permissions (711 instead of 755) on the directory.
>
> I just did chmod -R 755 /home/rgm/public_html and no change in behavior.
>
> Even tried chmod -R 755 /home/rgm
Are you actually using MultiViews? If you don't need that option, maybe
the easiest thing is to take it out and see if the error message changes.
John


Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Robert Moskowitz



On 12/27/2016 05:44 PM, John Fawcett wrote:
> On 12/27/2016 11:02 PM, Robert Moskowitz wrote:
>> On 12/27/2016 02:58 PM, Leonard den Ottolander wrote:
>>> Hello Robert,
>>>
>>> On Tue, 2016-12-27 at 12:43 -0500, Robert Moskowitz wrote:
>>>> My understanding (most likely flawed) is that Indexes are needed to see
>>>> the list of files in mydir,
>>> Correct.
>>>
>>>>   and to be able to walk down to subdir.
>>> Incorrect. The index is a convenience. Without it directories with the
>>> right permissions are still accessible with a direct url. So there's not
>>> much point enabling indexes when you use an index file to avoid the
>>> index showing up...
>>>
>>>> restorecon -Rv /home
>>> The man page for restorecon explicitly states it does not follow
>>> symlinks, and it might not cross file system boundaries either, so make
>>> sure they are not causing your issue.
>> No symlinks.
>>
>>>> the owner is rgm:rgm, but the permissions is 755, not 711.
>>> You have to make sure apache can access the whole path, meaning you need
>>> at least o+x on all directories in the path. This is quite likely *not*
>>> the case for /home/rgm.
>> So I deleted the whole public_html directory.  Re moved the files
>> over.  I went back to the default user_dir setup of:
>>
>>  AllowOverride FileInfo AuthConfig Limit Indexes
>>  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
>>  Require method GET POST OPTIONS
>>
>> Restarted httpd and tried again.  I get my ~/public_html/index.html to
>> display, cannot get a directory list to display.  I can display a
>> file.  If I list a specific jpg in one of the directories it comes up
>> ok, but I am not getting the listing option.
>>
>> access_log:
>>
>> 192.168.160.12 - - [27/Dec/2016:16:53:00 -0500] "GET
>> /~rgm/cubieboard/cubietower-2.JPG HTTP/1.1" 200 1450256 "-"
>> "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101
>> Firefox/50.0"
>> 192.168.160.12 - - [27/Dec/2016:16:53:08 -0500] "GET /~rgm/cubieboard/
>> HTTP/1.1" 403 218 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>> rv:50.0) Gecko/20100101 Firefox/50.0"
>>
>> error_log:
>>
>> [Tue Dec 27 16:53:08.858042 2016] [negotiation:error] [pid 1965]
>> (13)Permission denied: [client 192.168.160.12:55644] AH00686: cannot
>> read directory for multi: /home/rgm/public_html/cubieboard/
>>
>> So I have the permissions right to retrieve files.  Something is wrong
>> for displaying the directory list.
>>
>> :(
> That error should be caused by having MultiViews options but incorrect
> permissions (711 instead of 755) on the directory.


I just did chmod -R 755 /home/rgm/public_html and no change in behavior.

Even tried chmod -R 755 /home/rgm




Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread John Fawcett
On 12/27/2016 11:02 PM, Robert Moskowitz wrote:
>
>
> On 12/27/2016 02:58 PM, Leonard den Ottolander wrote:
>> Hello Robert,
>>
>> On Tue, 2016-12-27 at 12:43 -0500, Robert Moskowitz wrote:
>>> My understanding (most likely flawed) is that Indexes are needed to see
>>> the list of files in mydir,
>> Correct.
>>
>>>   and to be able to walk down to subdir.
>> Incorrect. The index is a convenience. Without it directories with the
>> right permissions are still accessible with a direct url. So there's not
>> much point enabling indexes when you use an index file to avoid the
>> index showing up...
>>
>>> restorecon -Rv /home
>> The man page for restorecon explicitly states it does not follow
>> symlinks, and it might not cross file system boundaries either, so make
>> sure they are not causing your issue.
>
> No symlinks.
>
>>> the owner is rgm:rgm, but the permissions is 755, not 711.
>> You have to make sure apache can access the whole path, meaning you need
>> at least o+x on all directories in the path. This is quite likely *not*
>> the case for /home/rgm.
>
> So I deleted the whole public_html directory.  Re moved the files
> over.  I went back to the default user_dir setup of:
>
> 
> AllowOverride FileInfo AuthConfig Limit Indexes
> Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> Require method GET POST OPTIONS
> 
>
> Restarted httpd and tried again.  I get my ~/public_html/index.html to
> display, cannot get a directory list to display.  I can display a
> file.  If I list a specific jpg in one of the directories it comes up
> ok, but I am not getting the listing option.
>
> access_log:
>
> 192.168.160.12 - - [27/Dec/2016:16:53:00 -0500] "GET
> /~rgm/cubieboard/cubietower-2.JPG HTTP/1.1" 200 1450256 "-"
> "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101
> Firefox/50.0"
> 192.168.160.12 - - [27/Dec/2016:16:53:08 -0500] "GET /~rgm/cubieboard/
> HTTP/1.1" 403 218 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
> rv:50.0) Gecko/20100101 Firefox/50.0"
>
> error_log:
>
> [Tue Dec 27 16:53:08.858042 2016] [negotiation:error] [pid 1965]
> (13)Permission denied: [client 192.168.160.12:55644] AH00686: cannot
> read directory for multi: /home/rgm/public_html/cubieboard/
>
>
> So I have the permissions right to retrieve files.  Something is wrong
> for displaying the directory list.
>
> :(
>
>

That error should be caused by having MultiViews options but incorrect
permissions (711 instead of 755) on the directory.

John



Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Robert Moskowitz



On 12/27/2016 02:58 PM, Leonard den Ottolander wrote:
> Hello Robert,
>
> On Tue, 2016-12-27 at 12:43 -0500, Robert Moskowitz wrote:
>> My understanding (most likely flawed) is that Indexes are needed to see
>> the list of files in mydir,
> Correct.
>
>>   and to be able to walk down to subdir.
> Incorrect. The index is a convenience. Without it directories with the
> right permissions are still accessible with a direct url. So there's not
> much point enabling indexes when you use an index file to avoid the
> index showing up...
>
>> restorecon -Rv /home
> The man page for restorecon explicitly states it does not follow
> symlinks, and it might not cross file system boundaries either, so make
> sure they are not causing your issue.

No symlinks.

>> the owner is rgm:rgm, but the permissions is 755, not 711.
> You have to make sure apache can access the whole path, meaning you need
> at least o+x on all directories in the path. This is quite likely *not*
> the case for /home/rgm.


So I deleted the whole public_html directory.  Re moved the files over.  
I went back to the default user_dir setup of:



AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS


Restarted httpd and tried again.  I get my ~/public_html/index.html to 
display, cannot get a directory list to display.  I can display a file.  
If I list a specific jpg in one of the directories it comes up ok, but I 
am not getting the listing option.


access_log:

192.168.160.12 - - [27/Dec/2016:16:53:00 -0500] "GET 
/~rgm/cubieboard/cubietower-2.JPG HTTP/1.1" 200 1450256 "-" "Mozilla/5.0 
(X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
192.168.160.12 - - [27/Dec/2016:16:53:08 -0500] "GET /~rgm/cubieboard/ 
HTTP/1.1" 403 218 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) 
Gecko/20100101 Firefox/50.0"


error_log:

[Tue Dec 27 16:53:08.858042 2016] [negotiation:error] [pid 1965] 
(13)Permission denied: [client 192.168.160.12:55644] AH00686: cannot 
read directory for multi: /home/rgm/public_html/cubieboard/



So I have the permissions right to retrieve files.  Something is wrong 
for displaying the directory list.


:(




Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Leonard den Ottolander
Hello Robert,

On Tue, 2016-12-27 at 12:43 -0500, Robert Moskowitz wrote:
> My understanding (most likely flawed) is that Indexes are needed to see 
> the list of files in mydir,

Correct.

>  and to be able to walk down to subdir.

Incorrect. The index is a convenience. Without it directories with the
right permissions are still accessible with a direct url. So there's not
much point enabling indexes when you use an index file to avoid the
index showing up...

> restorecon -Rv /home

The man page for restorecon explicitly states it does not follow
symlinks, and it might not cross file system boundaries either, so make
sure they are not causing your issue.

> the owner is rgm:rgm, but the permissions is 755, not 711.

You have to make sure apache can access the whole path, meaning you need
at least o+x on all directories in the path. This is quite likely *not*
the case for /home/rgm.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research




Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Robert Moskowitz



On 12/27/2016 02:19 PM, John Fawcett wrote:
> On 12/27/2016 06:43 PM, Robert Moskowitz wrote:
>> the owner is rgm:rgm, but the permissions is 755, not 711.
>>
>> So still scratching my head here..
> is the error message you mention displayed in the browser? Have you
> looked into the logging produced by the web server itself?


That was what the browser showed.  The error_log is:

[Tue Dec 27 12:42:57.513529 2016] [authz_core:error] [pid 2060] [client 
192.168.160.12:41588] AH01630: client denied by server configuration: 
/home/rgm/public_html/mydir/





Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread John Fawcett
On 12/27/2016 06:43 PM, Robert Moskowitz wrote:
>
> the owner is rgm:rgm, but the permissions is 755, not 711.
>
> So still scratching my head here..
is the error message you mention displayed in the browser? Have you
looked into the logging produced by the web server itself?
John


Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Robert Moskowitz



On 12/27/2016 11:48 AM, Leonard den Ottolander wrote:
> Hello Robert,
>
> On Tue, 2016-12-27 at 10:25 -0500, Robert Moskowitz wrote:
>> I can display the /home/rgm/public_html/index.html file that only has
>> "Hello World" in it (to prevent anyone from walking my file tree from
>> the root).
> To prevent people walking a directory structure you better disable
> Options Indexes.

If I tell someone about ~rgm/mydir (really no such dir), then I want
them to find ~rgm/mydir/subdir, but not know about ~rgm/otherdir.

My understanding (most likely flawed) is that Indexes are needed to see
the list of files in mydir, and to be able to walk down to subdir.  By
having a ~rgm/index.html file, they can't query what other files are
directly in the public_html directory.

>> But when I try to display the files in a subdir with ipaddr/~rgm/mydir
>>
>> I get
>>
>> You don't have permission to access /~rgm/mydir/ on this server.
> The fact that you see the index page makes me assume SELinux is not the
> problem. If you do have it enabled you might want to check out the
> sebooleans that affect apache.
>
> $ getsebool -a | grep http
>
> httpd_enable_homedirs is one of those.

I ran

setsebool -P httpd_enable_homedirs on
restorecon -Rv /home

And I see:

httpd_enable_homedirs --> on

> Remember that file access is based on file permissions in combination
> with file ownership. This means that if apache is neither owner nor
> group owner of a file world must have read access for apache to access
> such files. A 711 permission on a directory is then insufficient. It
> allows apache to cd to, but not read the directory.

the owner is rgm:rgm, but the permissions is 755, not 711.

So still scratching my head here..




Re: [CentOS] Help with httpd userdir recovery

2016-12-27 Thread Leonard den Ottolander
Hello Robert,

On Tue, 2016-12-27 at 10:25 -0500, Robert Moskowitz wrote:
> I can display the /home/rgm/public_html/index.html file that only has 
> "Hello World' in it (to prevent anyone from walking my file tree from 
> the root).

To prevent people walking a directory structure you better disable
Options Indexes.

> But when I try to display the files in a subdir with ipaddr/~rgm/mydir
> 
> I get
> 
> You don't have permission to access /~rgm/mydir/ on this server.

The fact that you see the index page makes me assume SELinux is not the
problem. If you do have it enabled you might want to check out the
sebooleans that affect apache.

$ getsebool -a | grep http

httpd_enable_homedirs is one of those.

Remember that file access is based on file permissions in combination
with file ownership. This means that if apache is neither owner nor
group owner of a file world must have read access for apache to access
such files. A 711 permission on a directory is then insufficient. It
allows apache to cd to, but not read the directory.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
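
The path walk that Louis and Leonard describe in this thread (every directory on the way needs o+x, and the directory being listed also needs o+r, which 711 lacks) can be scripted without switching user. This is an added example, not code from the thread; the function names and the demo tree are made up here, and it only looks at the "other" mode bits, so ACLs and owner or group matches are out of scope.

```shell
#!/bin/sh
# Added example, not from the thread. Walks each directory from START down to
# TARGET and reports what the "other" permission class may do there. That is
# the class apache falls into when it is neither owner nor group owner.

# other_bits DIR: the three "other" characters of the mode string, e.g. "r-x".
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# check_path TARGET [START]
# Prints "<verdict> <bits> <dir>" per directory. Exit status:
#   0   every directory can be entered and TARGET can be listed
#   1   some directory lacks o+x (cannot be entered)
#   2   only TARGET lacks o+r (can be entered but not listed, e.g. 711)
#   64  usage error
check_path() (
    target=${1%/}
    start=${2:-/}
    start=${start%/}
    case "$target/" in
        "$start"/*) ;;
        *) echo "check_path: $1 is not below ${2:-/}" >&2; exit 64 ;;
    esac
    [ -d "${target:-/}" ] || { echo "check_path: not a directory: $1" >&2; exit 64; }

    rest=${target#"$start"}     # path still to walk, e.g. /rgm/public_html
    dir=${start:-/}
    rc=0
    while :; do
        bits=$(other_bits "$dir")
        verdict=ok
        case $bits in
            ??x|??t) ;;         # t = x plus sticky bit
            *) verdict=NO-TRAVERSE; [ "$rc" -ne 0 ] || rc=1 ;;
        esac
        # A directory listing also needs read on the last directory.
        if [ "$verdict" = ok ] && [ -z "$rest" ]; then
            case $bits in
                r??) ;;
                *) verdict=NO-LIST; [ "$rc" -ne 0 ] || rc=2 ;;
            esac
        fi
        printf '%-11s %s %s\n' "$verdict" "$bits" "$dir"

        [ -n "$rest" ] || break
        rest=${rest#/}
        part=${rest%%/*}
        case $rest in
            */*) rest=/${rest#*/} ;;
            *)   rest= ;;
        esac
        dir=${dir%/}/$part
    done
    exit "$rc"
)

# make_demo_tree BASE: constructed layout reusing the thread's path names,
# with 711 on the home directory and on the directory to be listed.
make_demo_tree() {
    mkdir -p "$1/home/rgm/public_html/family"
    chmod 755 "$1/home" "$1/home/rgm/public_html"
    chmod 711 "$1/home/rgm" "$1/home/rgm/public_html/family"
}

# Usage: sh check_path.sh /home/rgm/public_html/family /home
[ "$#" -eq 0 ] || check_path "$@"
```

If every line reads "ok" and httpd still logs (13)Permission denied, the mode bits are not the cause and SELinux is the remaining suspect, which this check does not cover.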

