[olug] Apache problems between CentOS 3.x and 4.x

Michael Peterson mpeterson at charles.omhcoxmail.com
Thu Jul 21 17:59:19 UTC 2005


All advice given was good for a normal old-style system. Thank you.
All of those bases were covered before I sent the email to the group,
however.

I worked on another project Wednesday and then came up with what was
different between the old-style system and the new-style system overnight.

Old-style systems do not have SELinux installed or active.
The new-style systems I am testing have SELinux installed and active.

The latest release of SELinux secures access to Apache/httpd content.
You can have everything correct as far as conf files and file and directory
permissions but get slapped down by SELinux.

Here are two links to what needs to be done when running a newer
distribution with the latest SELinux and Apache2.

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=503&forum=27

http://mirror.centos.org/centos/4/docs/html/release-notes/as-x86/#id3464301%22%3Eversion

This has fixed my initial problem so I am sharing the fix with the group
since it may happen as systems are upgraded.

SELinux also secures MySQL access as noted in the second link above.
So I will update the group if I have any issue when I get it configured and
start testing it and PHP.

Here is the content of the second link that pertains to the issue at hand.

"

Web Server
This section contains information related to software used as part of a Web
server environment.

httpd
Under the default SELinux security configuration, httpd is covered by the
targeted policy. This increases security and Web server stability by
specifically granting or denying httpd access to system objects. However,
because this has the potential to cause previously-working configurations
(such as those that use PHP) to no longer function, you must understand how
SELinux works in order to ensure that your configuration is both secure and
functional.

For example, a Boolean can be set to give specific permission to httpd to
read objects in ~/public_html/ as long as they are labeled with the security
context httpd_sys_content_t. The Apache daemon cannot access objects (files,
applications, devices, and other processes) that have a security context not
specifically granted access by SELinux to httpd.

By allowing Apache access to only what it needs to do its function, the
system is protected from compromised or misconfigured httpd daemons.

Because of the need for both standard Linux directory and file permissions
as well as SELinux file context labels, administrators and users will need to
know about relabeling files. Examples of relabeling include the following
commands (one for recursively relabeling the contents of a directory, and
one for relabeling a single file):

chcon -R -h -t httpd_sys_content_t public_html
chcon -t httpd_sys_content_t public_html/index.html

A file or directory which is not labeled with a context on the list of
Apache's allowable types will generate a 403 Forbidden error.

You can configure Boolean values or selectively disable targeted policy
coverage for just Apache (or any of the covered daemons) using
system-config-securitylevel. Under the SELinux tab, within the Modify
SELinux Policy area, you can modify the Boolean values for Apache. If you
wish, you can select to Disable SELinux protection for httpd daemon, which
disables the transition from unconfined_t (the default type that acts
transparently like standard Linux security without SELinux) to the specific
daemon type, i.e., httpd_t. Disabling this transition effectively turns off
SELinux coverage for that daemon, returning it to standard Linux security
only.

For more information about Apache and SELinux policy, refer to the Red Hat
SELinux Policy Guide at http://www.redhat.com/docs.

By default, the httpd daemon is now started using the C locale, rather than
using the configured system locale setting. This behavior can be changed by
setting the HTTPD_LANG variable in the /etc/sysconfig/httpd file.

"

-----Original Message-----
From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of
Mario Steele
Sent: Tuesday, July 19, 2005 7:53 PM
To: Omaha Linux User Group
Subject: Re: [olug] Apache problems between CentOS 3.x and 4.x

Michael Peterson wrote:

>Has anyone figured out the fix to be able to allow browsers to view pages in
>user directories with CentOS 4.x?
>
>I get this response.
>
>Forbidden
>
>You don't have permission to access /~<username>/ on this server.
>
>Additionally, a 403 Forbidden error was encountered while trying to use an
>ErrorDocument to handle the request.
>
>I have the permissions on the username in /home and the public_html set
>properly.
>
>I have searched the apache documentation online.
>
>I have compared the httpd.conf files between 3.x and 4.x.
>
>I can change the 403 message sent by apache but cannot get it to show files
>in a user directory even by entering a specific file name such as
>
>http://<ip>/~<user>/index.html
>
>The apache releases that work are 2.0.48 and 2.0.46.
>
>The apache release that has the issue is 2.0.52.
>
>Any help would be appreciated.

I'm running Apache 2.0.52, but this is often a point that is overlooked.
(I've done it myself many different times.) Take a look at your
httpd.conf, and check this section:

<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disable

#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html

</IfModule>

Make sure you comment out UserDir disable. You may want to sift through
your httpd configuration files, since most distros have gone in favor
of multiple files instead of a single file. This may very well
explain the problem. If UserDir disable is declared anywhere, it will
disable user directories for HTTP altogether, even if you declare
UserDir public_html (or whatever you choose) before the disable.

-- 
Mario Steele
http://www.trilake.net/
Trilake Computer Services (Web Hosting, Custom Building, PC Support,
Winblows Tech, PC Upgrading)

http://enchantedblade.trilake.net/
The insanity of the world, wrapped in a nice little HTML Document.  Welcome
to my world now.
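
The two checks this thread arrives at, as an added example that is not part of either message: list the files whose SELinux type is not httpd_sys_content_t, and list every active UserDir directive across split configuration files. The function names, the alice paths and the stat feed are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# selinux_type CONTEXT: print the type, the third colon-separated field.
# Handles user:role:type and user:role:type:level contexts alike.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled [TYPE]: read "context path" lines on stdin and print those whose
# type is not TYPE (default httpd_sys_content_t, the type named on this page).
# Assumed feed on an SELinux host with GNU stat:
#   find /home/USER/public_html -exec stat -c '%C %n' {} +
mislabeled() {
    want=${1:-httpd_sys_content_t}
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        [ "$(selinux_type "$ctx")" = "$want" ] || printf '%s %s\n' "$ctx" "$path"
    done
}

# userdir_directives DIR: print file:line:directive for each uncommented
# UserDir line in *.conf files under DIR, so one left in an included file shows.
userdir_directives() {
    find "$1" -type f -name '*.conf' | LC_ALL=C sort | while read -r f; do
        awk -v f="$f" 'tolower($1) == "userdir" { $1 = $1; print f ":" NR ":" $0 }' "$f"
    done
}

# Constructed sample of the stat output for one user's site.
sample_contexts() {
    cat <<'EOF'
user_u:object_r:httpd_sys_content_t /home/alice/public_html
user_u:object_r:user_home_t /home/alice/public_html/index.html
system_u:object_r:httpd_sys_content_t:s0 /home/alice/public_html/logo.png
EOF
}

sample_contexts | mislabeled   # prints only the user_home_t (index.html) line
```

On a CentOS host, `userdir_directives /etc/httpd` covers both conf/ and conf.d/ in one pass.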
