Apache + SELinux in Fedora 8
For about three days I've been struggling with Apache and SELinux, trying to set Apache to use /home/user_name/public_html as the document root for a virtual host. After lots of cups of coffee, long night hours, and some (a lot of) help from the guys at #fedora on freenode, I managed to get the server up and running with SELinux in enforcing mode and my home dir as the document root for my websites.
So, for all of you who want to do the same thing, here is this small "tutorial", so you don't have to visit your psychiatrist after trying to set it up.
First of all, this is not an Apache tutorial, so don't expect a detailed explanation of how to set up a virtual host; the purpose of this tutorial is to show how to set up SELinux so that Apache can use home dirs. I'm going to use my personal home dir as an example; please change the paths to your needs. I also assume you have at least minimal experience with Apache and Linux.
Now, let's say we have set Apache to use a virtual host with document root /home/juank/public_html. In httpd.conf it should look something like this:
<VirtualHost 127.0.0.1:8080>
DocumentRoot /home/juank/public_html
...
...
</VirtualHost>
We also need to comment out the line UserDir disable and uncomment UserDir public_html in the same file. If it's not there, add that line.
As I said before, I'm not going to go into the details of configuring Apache.
Now, once you have your public_html, you must make sure Apache can get into it, so we give that folder the right permissions. Open a terminal and run:
# chmod 755 /home/juank/public_html
We also need to make sure our home directory itself can be traversed. Use the same command, but with different permissions:
# chmod 701 /home/juank
What we did with the first chmod was give the owner full access to ~/public_html, and give the group and others read and search (execute) rights, which is what Apache needs to open the files in it. On /home/juank we gave the owner read/write/search and gave 'others' only the search (execute) bit: that lets Apache (which runs as the apache user, so it falls under 'others') pass through the directory on its way to public_html, but not list its contents or write anything in it; the group gets nothing at all.
For more information on chmod:
# man chmod
Now, if we create a file in ~/public_html and try to read it in the browser through our virtual host, we will get a Forbidden error (a 403), and if you have setroubleshoot installed (which I recommend) a pop-up will tell you that Apache is being denied access to home dirs and that you should set the SELinux boolean that lets Apache read home directories. The raw denial is also recorded in /var/log/audit/audit.log, which is the place to look if no pop-up appears.
The thing is, if we open system-config-selinux and look in the boolean window for the one that lets Apache access home dirs, we will notice that it is already enabled. So this is the tricky part! Nobody told us (if we had never used SELinux before) that giving chmod permissions to our folders is not enough when SELinux is enabled: we also have to put the correct SELinux label (file context) on our folders so that Apache is allowed to use them.
So if we run ls -aZ on /home/juank/public_html, we might get something like this:
drwxrwxr-x juank juank unconfined_u:object_r:unconfined_home_t:s0 .
drwx------ juank juank unconfined_u:object_r:unconfined_home_dir_t:s0 ..
That command shows us the Unix permissions of the folder along with the SELinux security context applied to it. The part we are interested in is the type, the third colon-separated field of the context: unconfined_home_t. With that type a confined process like Apache (httpd_t) is not allowed to read the directory or its contents, so we have to change the type to one Apache is allowed to access.
To do that, run the following command in a terminal:
# chcon -t httpd_sys_content_t /home/juank/public_html
That command relabels ~/public_html to a type Apache can read. The '-t' option tells chcon to set the given type (httpd_sys_content_t) on the target, in this case our ~/public_html dir. Two things to keep in mind: without '-R' only the directory itself is relabelled, so any files already inside it keep their old type and still get a 403 until you relabel them too; and chcon only changes the label on disk, so a full relabel (restorecon on the path, or a touch /.autorelabel reboot) puts the default home-directory type back. If you want the label to survive that, record the rule with semanage fcontext and then run restorecon, instead of relying on chcon alone.
For more info about chcon:
# man chcon
Now create a file with some content in ~/public_html to be displayed by the browser:
# echo "This is a test, if you can see this in your browser then it means the tutorial worked" > /home/juank/public_html/index.html
Then, if we open our browser and point it to http://localhost:8080/index.html, the content we added above should be displayed. If you still get a 403, check the new file with ls -Z (it should have inherited httpd_sys_content_t from the directory) and look at the audit log again.
So this is the end; I hope it works for you. And remember, when adding content to ~/public_html, either create the content in that folder or cp it instead of mv: mv keeps the file's existing label, while the new file created by cp gets the type of ~/public_html. If you do mv something in, fix it afterwards with chcon -t httpd_sys_content_t on that file (or with restorecon, if you recorded the rule with semanage fcontext).
If you need more information about setting up Apache with SELinux, I recommend reading the official Fedora documentation; although it says it is for Fedora Core 3, it works fine with the current stable version of Fedora.
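As an added example that is not part of the original tutorial, here is a small POSIX sh script covering the two things the steps above leave to the reader: it audits an `ls -aZ` listing of the web root and names every entry whose type is not httpd_sys_content_t (a file that was mv'ed in from the home dir, the case the last paragraph warns about, shows up here), and it wraps the persistent way to label the directory, semanage fcontext followed by restorecon, which unlike chcon survives a relabel. The listing, the paths and the file names are constructed for the example; the parser assumes the five-column `mode user group context name` layout shown on this page and does not handle names with spaces; and relabel_webroot is not run automatically because it needs root on an SELinux-enabled box.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SELinux labels of a
# web root after the chcon step, and show the persistent alternative to chcon.
# Paths and the sample listing below are constructed for illustration.

# The type httpd_t is allowed to read. Anything else under the web root is a
# file the browser will get a 403 for.
WEB_TYPE="httpd_sys_content_t"

# Read `ls -aZ` style lines (mode user group context name) on stdin and print
# the name of every entry whose type is not $WEB_TYPE.
# ".." is the parent (the home dir itself) and is expected to keep its own
# home-dir type, so it is skipped. Names containing spaces are not handled by
# this simple whitespace split.
wrong_labels() {
    awk -v want="$WEB_TYPE" '
        NF >= 5 && $5 != ".." {
            split($4, ctx, ":")          # user:role:type:level
            if (ctx[3] != want) print $5
        }'
}

# Regex that semanage fcontext expects in order to cover a directory and
# everything below it, e.g. /home/juank/public_html(/.*)?
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Persistent relabel: record the rule in the policy store, then apply it.
# Unlike chcon, the label now survives restorecon and a full relabel.
# Needs root and policycoreutils; deliberately not called below.
relabel_webroot() {
    semanage fcontext -a -t "$WEB_TYPE" "$(fcontext_pattern "$1")"
    restorecon -Rv "$1"
}

# Constructed listing: what `ls -aZ /home/juank/public_html` might show after
# chcon on the directory, with one file that was mv'ed in from ~ and therefore
# kept its unconfined_home_t label.
SAMPLE_LISTING='drwxr-xr-x juank juank unconfined_u:object_r:httpd_sys_content_t:s0 .
drwx-----x juank juank unconfined_u:object_r:unconfined_home_dir_t:s0 ..
-rw-r--r-- juank juank unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r-- juank juank unconfined_u:object_r:unconfined_home_t:s0 moved-in.html
-rw-r--r-- juank juank unconfined_u:object_r:httpd_sys_content_t:s0 style.css'

# Run the audit over the constructed listing; on a real box you would pipe
# `ls -aZ /home/juank/public_html` into wrong_labels instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | wrong_labels
}

echo "entries apache cannot serve:"
audit_sample
```

Only moved-in.html is reported: the directory entry "." and the files created in place carry httpd_sys_content_t, while the file that was moved in kept the home type, which is exactly the label mismatch setroubleshoot complains about. Feeding real output (`ls -aZ /home/juank/public_html | wrong_labels`) is the quick check to run before blaming the Apache config.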
