[SOLVED] Apache Permission Denied on httpd.conf

aaronc
Posts: 3
Joined: 2019/01/09 19:23:17

[SOLVED] Apache Permission Denied on httpd.conf

Post by aaronc » 2019/01/09 19:32:02

I'm moving our Apache server to a new physical machine and Apache was working just fine. Then I moved the old config file over via rsync, and did a
`sudo mv ~/httpd.conf /etc/httpd/conf/httpd.conf`

It had the incorrect ownership at first, so I fixed that, but I'm still getting:

```
httpd: Could not open configuration file /etc/httpd/conf/httpd.conf: Permission denied
```
when running

```
sudo systemctl restart httpd
```
So I checked permission with

```
ll /etc/httpd/conf/
```
and get

```
-rw-r--r--. 1 root root 31153 Jan  9 11:11 httpd.conf
```
So this doesn't make sense, as it's exactly as it was. I tried opening it up as 0777 temporarily but no luck either. Is this an SELinux thing? I noticed our old server had it set to permissive under 'getenforce'. I obviously don't want to do that, but I'll need to know what to configure. Thanks.
Last edited by aaronc on 2019/01/09 20:32:26, edited 1 time in total.

aaronc
Posts: 3
Joined: 2019/01/09 19:23:17

Re: Apache Permission Denied on httpd.conf

Post by aaronc » 2019/01/09 20:31:58

I solved this about 15 minutes after I posted, so I'll share. I honestly didn't understand SELinux fundamentals, so I didn't know about contexts etc. Of course, since I pulled the files into my home directory via rsync, they were way off.

Running `ls -Z` produced:

```
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 httpd.conf
```
Since I still hadn't written over /etc/httpd/conf/magic I was able to see what it should be set as. To get the file back to the right SELinux settings I ran:

```
semanage fcontext -a -t httpd_config_t -s system_u httpd.conf
restorecon -vF httpd.conf
```
Which then gets me back to the right user and context:

```
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 httpd.conf
```
I turned back on SELinux with:

```
setenforce 1
getenforce
```
And finally tested the changes with

```
systemctl restart httpd
```
So things are working. Sorry, but hopefully it helps document SELinux features for others. I'm actually kind of excited about the features now that I get it.

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: [SOLVED] Apache Permission Denied on httpd.conf

Post by pjsr2 » 2019/01/09 22:29:58

It is important to understand that with SELinux, when a file is moved, it retains the SELinux context of the original file. When you copy over an existing file, the file will keep the SELinux context of the existing file. When you copy without overwriting an existing file, the new file will get the SELinux context according to whatever has been configured in the SELinux configuration for that new location.

Just copying the SELinux context of another file in the same directory is not guaranteed to give you the proper SELinux context. So it is safer to restore the SELinux context of a file with the restorecon command. restorecon will restore the SELinux context to whatever is specified in the system's SELinux configuration. So in your case:

```
sudo restorecon -v /etc/httpd/conf/httpd.conf
```
Or, recursively for a directory tree:

```
sudo restorecon -r -v /etc/httpd
```
See also https://wiki.centos.org/HowTos/SELinux

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: [SOLVED] Apache Permission Denied on httpd.conf

Post by TrevorH » 2019/01/09 23:38:56

In CentOS 7 the mv command has a -Z switch that sets the correct label on the target in the same way that cp does.
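
As an added example (not part of the thread and not any poster's code): a small sh script that reads `ls -Z` output in the layout quoted above and lists every entry whose SELinux type is not the one expected for the directory, which is how the `user_home_t` label on the moved `httpd.conf` shows up after a migration. The sample listing, the function names and the choice of `httpd_config_t` as the expected type are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit `ls -Z` output for files whose SELinux type differs
# from the type expected for the directory (assumed here: httpd_config_t).

# Constructed sample in the CentOS 7 `ls -Z` layout:
#   mode owner group context name
SAMPLE_LISTING='-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 httpd.conf
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0 magic
-rw-r--r--. root root system_u:object_r:httpd_config_t:s0:c0.c1023 extra.conf
-rw-r--r--  root root ?                                  nolabel.conf'

# Print the type of a context written as user:role:type:level.
# The level may itself contain colons (s0:c0.c1023), so the type is
# always the third colon-separated field, never the second-to-last.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` lines on stdin and print "name type" for each entry whose
# type is not $1. Entries without a context ("?") are reported as unlabeled.
find_mislabeled() {
    expected=$1
    while read -r mode owner group ctx name; do
        [ -n "$name" ] || continue          # skip blank or short lines
        case $ctx in
            \?) t=unlabeled ;;
            *)  t=$(selinux_type "$ctx") ;;
        esac
        [ "$t" = "$expected" ] || printf '%s %s\n' "$name" "$t"
    done
}

printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled httpd_config_t

# On a live system the loaded policy is the authority, not a neighbouring
# file: `restorecon -n -v -r /etc/httpd` reports what would be relabeled
# without changing anything.
```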