Apache2 directory listing problem F16
I'm trying to get apache2 to allow me to list files and directories on my netbook for use as a public repo to let my kids copy them if they want them.

The problem is, no matter what I do, I get an access denied error. By default apache2 has INDEXES enabled for DOCROOT, but to be on the safe side I added a new directory directive for <DOCROOT/pics> and set INDEXES. Still nothing.

Then it occurred to me that selinux might be screwing with me, so I hit the troubleshooter and followed the directions for setting up a new policy for enabling directory access and used semodule to enable it.

Still no go. Anything else I can do to fix this? There's nothing really in the access or error logs that help. The apache user is owner and the perms are correct.

--
Mark Haney
Software Developer/Consultant
AB Emblem
markh@abemblem.com
Linux marius.homelinux 3.4.4-4.fc16.x86_64 GNU/Linux

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Apache2 directory listing problem F16
> The problem is, no matter what I do, I get an access denied error.
Here is what I have on my desktop at work to allow everyone to get to a directory where I have ISO images for various Linux distros installed, seems to work for me (but I do have selinux disabled):

    # And throw in /caliban/install-iso as well
    #
    Alias /install-iso /caliban/install-iso
    <Directory /caliban/install-iso>
        Order allow,deny
        Allow from all
        Options +Indexes
    </Directory>

I seem to recall there is also some mysterious setting somewhere I had to dig up at home because certain files are hidden by default (with names like README - no idea why you'd want to hide all README files).
Apache2 directory listing problem F16
On Fri, 2012-07-27 at 11:55 -0400, Mark Haney wrote:
> The problem is, no matter what I do, I get an access denied error. By
> default apache2 has INDEXES enabled for DOCROOT, but to be on the safe
> side I added a new directory directive for <DOCROOT/pics> and set
> INDEXES. Still nothing.

Is your access denied error just for trying to view an index, or does it happen when trying to view anything?

Did you set that directive /after/ any opposing rules were set? And is your filepath inside the usual docroot, or outside of it? (It goes inside <Directory> clauses.)

The files, and all the directories back to the Linux /, all need to be world-readable, and the directories also need to be world executable.

e.g. /var/
     /var/www/
     /var/www/html/
     /var/www/html/whatever-else/

All need to have at least -------r-x directory permissions, and -------r-- file permissions.

Likewise, if you're serving from /home/your-username/public_html/

If SELinux is enforcing, then there needs to be a "httpd_sys_content" or "httpd_user_content" context to the file and directories, too. That'll be set, by default, if you create or copy files in the usual web serving filepaths; but not if you created them elsewhere, and moved them over.

If you're serving from an unusual filepath, then you'll need to manually apply file contexts. And you'll need to re-apply them anytime there's a relabelling of the file system, or, you'd create a rule for your serving filespace, so it gets labelled automatically.

You may also need to tick some options on inside a SELinux configurator, regarding local webserving, too.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
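The checks listed in the message above, as an added example that is not part of the original post: it walks every component from / down to the served file, flags anything that is not r-x (directories) or r-- (files) for "other", and, inside the served tree, any SELinux type other than the two named. The names `audit_path`, `selinux_type` and `content_root` are hypothetical, and the demo tree is constructed.

```python
import os
import stat
import tempfile

# Content types named in the post above, with the policy's "_t" suffix.
WEB_TYPES = {"httpd_sys_content_t", "httpd_user_content_t"}
DIR_NEED = stat.S_IROTH | stat.S_IXOTH   # -------r-x

def selinux_type(path):
    """Return the type field of path's SELinux label, or None if unreadable."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):    # SELinux off, or a non-Linux platform
        return None
    fields = raw.rstrip(b"\0").decode().split(":")
    return fields[2] if len(fields) >= 3 else None

def audit_path(target, content_root=None):
    """Check every component from / down to target; return (path, problem) pairs."""
    target = os.path.realpath(target)
    chain, p = [target], target
    while os.path.dirname(p) != p:
        p = os.path.dirname(p)
        chain.append(p)
    findings = []
    for p in reversed(chain):
        mode = os.stat(p).st_mode
        if stat.S_ISDIR(mode):
            if mode & DIR_NEED != DIR_NEED:
                findings.append((p, "directory is not r-x for other"))
        elif not mode & stat.S_IROTH:
            findings.append((p, "file is not readable by other"))
        # Label check only inside the served tree; ancestors such as /var
        # legitimately carry other types.
        if content_root and (p + "/").startswith(content_root.rstrip("/") + "/"):
            t = selinux_type(p)
            if t is not None and t not in WEB_TYPES:
                findings.append((p, "SELinux type is " + t))
    return findings

def demo():
    """Constructed tree: html/ closed to 'other', a.jpg not world-readable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        pics = os.path.join(root, "html", "pics")
        os.makedirs(pics)
        photo = os.path.join(pics, "a.jpg")
        open(photo, "w").close()
        for path, mode in ((root, 0o755), (os.path.join(root, "html"), 0o750),
                           (pics, 0o755), (photo, 0o640)):
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), why)
                for p, why in audit_path(photo) if p.startswith(root + os.sep)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, pass the docroot as `content_root` (for example `audit_path("/var/www/html/pics", "/var/www/html")`) to include the label check.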
Apache2 directory listing problem F16
On 07/27/2012 12:46, Tim wrote:
> On Fri, 2012-07-27 at 11:55 -0400, Mark Haney wrote:
>> The problem is, no matter what I do, I get an access denied error. By default apache2 has INDEXES enabled for DOCROOT, but to be on the safe side I added a new directory directive for <DOCROOT/pics> and set INDEXES. Still nothing.
>
> Is your access denied error just for trying to view an index, or does it happen when trying to view anything?
>
> Did you set that directive /after/ any opposing rules were set? And is your filepath inside the usual docroot, or outside of it? (It goes inside <Directory> clauses.)
>
> The files, and all the directories back to the Linux /, all need to be world-readable, and the directories also need to be world executable.
>
> e.g. /var/
>      /var/www/
>      /var/www/html/
>      /var/www/html/whatever-else/
>
> All need to have at least -------r-x directory permissions, and -------r-- file permissions.
>
> Likewise, if you're serving from /home/your-username/public_html/
>
> If SELinux is enforcing, then there needs to be a "httpd_sys_content" or "httpd_user_content" context to the file and directories, too. That'll be set, by default, if you create or copy files in the usual web serving filepaths; but not if you created them elsewhere, and moved them over.
>
> If you're serving from an unusual filepath, then you'll need to manually apply file contexts. And you'll need to re-apply them anytime there's a relabelling of the file system, or, you'd create a rule for your serving filespace, so it gets labelled automatically.
>
> You may also need to tick some options on inside a SELinux configurator, regarding local webserving, too.
>
> --
> [tim@localhost ~]$ uname -r
> 2.6.27.25-78.2.56.fc9.i686
>
> Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.

If he is serving from an unusual path he should use the semanage fcontext command to add the proper labeling and then just relabel that location. That way he doesn't have to worry about relabeling operations.

Dave
Apache2 directory listing problem F16
On 07/27/2012 11:55 AM, Mark Haney wrote:
> I'm trying to get apache2 to allow me to list files and directories on my netbook for use as a public repo to let my kids copy them if they want them.
>
> The problem is, no matter what I do, I get an access denied error. By default apache2 has INDEXES enabled for DOCROOT, but to be on the safe side I added a new directory directive for <DOCROOT/pics> and set INDEXES. Still nothing.
>
> Then it occurred to me that selinux might be screwing with me, so I hit the troubleshooter and followed the directions for setting up a new policy for enabling directory access and used semodule to enable it.
>
> Still no go. Anything else I can do to fix this? There's nothing really in the access or error logs that help. The apache user is owner and the perms are correct.

What directory are you sharing? What is DOCROOT?

If you set permissive mode "#setenforce 0" does it work?
Apache2 directory listing problem F16
Hi Mark,
Sorry for starting a new thread but your post got inadvertently deleted.

Have you tried putting a <limit> directive into your <directory> or <location> directives?

    <limit GET>
        order allow,deny
        # or IPs, hosts, etc
        allow from all
    </limit>
Apache2 directory listing problem F16
On 07/27/2012 01:22 PM, David Quigley wrote:
> On 07/27/2012 12:46, Tim wrote:
>> On Fri, 2012-07-27 at 11:55 -0400, Mark Haney wrote:
>>> The problem is, no matter what I do, I get an access denied error. By default apache2 has INDEXES enabled for DOCROOT, but to be on the safe side I added a new directory directive for <DOCROOT/pics> and set INDEXES. Still nothing.
>>
>> Is your access denied error just for trying to view an index, or does it happen when trying to view anything?

It happens when I try to view anything.

>> Did you set that directive /after/ any opposing rules were set? And is your filepath inside the usual docroot, or outside of it? (It goes inside <Directory> clauses.)
>>
>> The files, and all the directories back to the Linux /, all need to be world-readable, and the directories also need to be world executable.
>>
>> e.g. /var/
>>      /var/www/
>>      /var/www/html/
>>      /var/www/html/whatever-else/
>>
>> All need to have at least -------r-x directory permissions, and -------r-- file permissions.

This is okay.

>> --
>> [tim@localhost ~]$ uname -r
>> 2.6.27.25-78.2.56.fc9.i686
>>
>> Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
>
> If he is serving from an unusual path he should use the semanage

The Apache2 setup is the default setup. DOCROOT is /var/www/html and I simply added a new directory /var/www/html/pics to it. I tinkered with setting a new DIRECTORY directive with the new directory and +Indexes, allow from all just to see if it worked.

Everything I've tried seems to end up with an SELinux error. I've got it disabled now, but haven't rebooted to see if that fixes it. It's strange, the troubleshooter offers a couple of commands to set SELinux correctly for what I want, but it still chokes on it.

--
Mark Haney
Software Developer/Consultant
AB Emblem
markh@abemblem.com
Linux marius.homelinux 3.4.4-4.fc16.x86_64 GNU/Linux
Apache2 directory listing problem F16
On 07/30/2012 09:41 AM, Mark Haney wrote:
> On 07/27/2012 01:22 PM, David Quigley wrote:
>> On 07/27/2012 12:46, Tim wrote:
>>> On Fri, 2012-07-27 at 11:55 -0400, Mark Haney wrote:
>>>> The problem is, no matter what I do, I get an access denied error. By default apache2 has INDEXES enabled for DOCROOT, but to be on the safe side I added a new directory directive for <DOCROOT/pics> and set INDEXES. Still nothing.
>>>
>>> Is your access denied error just for trying to view an index, or does it happen when trying to view anything?
>
> It happens when I try to view anything.
>
>>> Did you set that directive /after/ any opposing rules were set? And is your filepath inside the usual docroot, or outside of it? (It goes inside <Directory> clauses.)
>>>
>>> The files, and all the directories back to the Linux /, all need to be world-readable, and the directories also need to be world executable.
>>>
>>> e.g. /var/ /var/www/ /var/www/html/ /var/www/html/whatever-else/
>>>
>>> All need to have at least -------r-x directory permissions, and -------r-- file permissions.
>
> This is okay.
>
>>> -- [tim@localhost ~]$ uname -r 2.6.27.25-78.2.56.fc9.i686
>>>
>>> Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
>>
>> If he is serving from an unusual path he should use the semanage
>
> The Apache2 setup is the default setup. DOCROOT is /var/www/html and I simply added a new directory /var/www/html/pics to it. I tinkered with setting a new DIRECTORY directive with the new directory and +Indexes, allow from all just to see if it worked.
>
> Everything I've tried seems to end up with an SELinux error. I've got it disabled now, but haven't rebooted to see if that fixes it. It's strange, the troubleshooter offers a couple of commands to set SELinux correctly for what I want, but it still chokes on it.

What avc's are you seeing?

    ausearch -m avc -ts recent
Apache2 directory listing problem F16
On 07/30/2012 08:41 AM, Mark Haney wrote:
> On 07/27/2012 01:22 PM, David Quigley wrote:
>> On 07/27/2012 12:46, Tim wrote:
>>> On Fri, 2012-07-27 at 11:55 -0400, Mark Haney wrote:
>>>> The problem is, no matter what I do, I get an access denied error. By default apache2 has INDEXES enabled for DOCROOT, but to be on the safe side I added a new directory directive for <DOCROOT/pics> and set INDEXES. Still nothing.
>>>
>>> Is your access denied error just for trying to view an index, or does it happen when trying to view anything?
>
> It happens when I try to view anything.
>
>>> Did you set that directive /after/ any opposing rules were set? And is your filepath inside the usual docroot, or outside of it? (It goes inside <Directory> clauses.)
>>>
>>> The files, and all the directories back to the Linux /, all need to be world-readable, and the directories also need to be world executable.
>>>
>>> e.g. /var/
>>>      /var/www/
>>>      /var/www/html/
>>>      /var/www/html/whatever-else/
>>>
>>> All need to have at least -------r-x directory permissions, and -------r-- file permissions.
>
> This is okay.
>
>>> --
>>> [tim@localhost ~]$ uname -r
>>> 2.6.27.25-78.2.56.fc9.i686
>>>
>>> Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
>>
>> If he is serving from an unusual path he should use the semanage
>
> The Apache2 setup is the default setup. DOCROOT is /var/www/html and I simply added a new directory /var/www/html/pics to it. I tinkered with setting a new DIRECTORY directive with the new directory and +Indexes, allow from all just to see if it worked.
>
> Everything I've tried seems to end up with an SELinux error. I've got it disabled now, but haven't rebooted to see if that fixes it. It's strange, the troubleshooter offers a couple of commands to set SELinux correctly for what I want, but it still chokes on it.

If you copied files from some other directory into pics, then they probably brought along their existing context. Go back to /var/www/html and try "sudo restorecon -r *".

--
-- Steve
Apache2 directory listing problem F16
On 07/30/2012 10:46 AM, Steven Stern wrote:
> On 07/30/2012 08:41 AM, Mark Haney wrote:
>> On 07/27/2012 01:22 PM, David Quigley wrote:
>> Everything I've tried seems to end up with an SELinux error. I've got it disabled now, but haven't rebooted to see if that fixes it. It's strange, the troubleshooter offers a couple of commands to set SELinux correctly for what I want, but it still chokes on it.
>
> If you copied files from some other directory into pics, then they probably brought along their existing context. Go back to /var/www/html and try "sudo restorecon -r *".

I've attached the full output of the troubleshooter just in case I managed not to include everything needed.

--
Mark Haney
Software Developer/Consultant
AB Emblem
markh@abemblem.com
Linux marius.homelinux 3.4.4-4.fc16.x86_64 GNU/Linux

SELinux is preventing /usr/sbin/httpd from open access on the directory /var/www/html/updates.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/var/www/html/updates default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/updates

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that httpd should be allowed open access on the updates directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /var/www/html/updates [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          marius.homelinux
Source RPM Packages           httpd-2.2.22-2.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-90.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     marius.homelinux
Platform                      Linux marius.homelinux 3.4.4-4.fc16.x86_64 #1 SMP Thu Jul 5 20:01:38 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 30 Jul 2012 08:58:18 AM EDT
Last Seen                     Mon 30 Jul 2012 09:48:30 AM EDT
Local ID                      64b33ecc-7dd0-4af0-b753-da769b4fc13b

Raw Audit Messages
type=AVC msg=audit(1343656110.659:126): avc: denied { open } for pid=13506 comm="httpd" name="updates" dev="dm-1" ino=278541 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

type=SYSCALL msg=audit(1343656110.659:126): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f43778e6b58 a2=90800 a3=0 items=0 ppid=13504 pid=13506 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,user_home_t,dir,open

audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# httpd_read_user_content, httpd_enable_homedirs
allow httpd_t user_home_t:dir open;

audit2allow -R

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# httpd_read_user_content, httpd_enable_homedirs
allow httpd_t user_home_t:dir open;
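The denial in the report above, triaged in code (an added example, not part of the original message): it parses the AVC record and separates a mislabelled target, which is fixed by relabelling, from a denial on a correctly labelled target, which needs a policy or boolean review; an audit2allow module for the former would widen what httpd_t may open. `parse_avc`, `triage` and the `DEFAULT_TYPES` table (a stand-in for `matchpathcon`) are hypothetical names, and the second record is constructed.

```python
import re

# AVC record quoted from the troubleshooter report in the message above.
THREAD_AVC = ('type=AVC msg=audit(1343656110.659:126): avc: denied { open } for '
              'pid=13506 comm="httpd" name="updates" dev="dm-1" ino=278541 '
              'scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir')

# Constructed record for contrast: the target already has the web content type.
CONSTRUCTED_AVC = ('type=AVC msg=audit(0.0:1): avc:  denied  { write } for  '
                   'pid=1 comm="httpd" name="pics" dev="dm-1" ino=2 '
                   'scontext=system_u:system_r:httpd_t:s0 '
                   'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir')

# Assumption: a stand-in for `matchpathcon`. The default type for paths under
# /var/www is the one the restorecon plugin reports in the thread.
DEFAULT_TYPES = [("/var/www", "httpd_sys_content_t")]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"')
           for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type[:level]; the type is what policy rules match on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def expected_type(path):
    """Default type for path according to DEFAULT_TYPES, or None if unknown."""
    for prefix, default in DEFAULT_TYPES:
        if path == prefix or path.startswith(prefix + "/"):
            return default
    return None

def triage(line, path):
    """Classify one denial for the object at path as relabel or review-policy."""
    rec = parse_avc(line)
    if rec is None:
        return ("not-avc", None)
    want = expected_type(path)
    if want and rec["ttype"] != want:
        # Wrong label on the object: restore the default, leave policy alone.
        return ("relabel", "restorecon -Rv " + path)
    detail = "{} denied {} on {}:{}".format(
        rec["stype"], " ".join(rec["perms"]), rec["ttype"], rec["tclass"])
    return ("review-policy", detail)

if __name__ == "__main__":
    print(triage(THREAD_AVC, "/var/www/html/updates"))
    print(triage(CONSTRUCTED_AVC, "/var/www/html/pics"))
```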