[SOLVED] (13)Permission denied: access to /~user/ denied -- SElinux?


Post by hm2k » 2012/01/18 18:16:24

Hi there,

I've set up a server for local development on CentOS 6.

I'm trying to keep it fairly secure, so I'm keeping SELinux enabled for now; however, I seem to be having a problem.

I've set up Apache with UserDir public_html so I'm able to access the user's public_html directory as follows:


This however results in:


You don't have permission to access /~user/ on this server.

Apache Server at server.ip Port 80

Checking the error log (/var/log/httpd/error_log) shows the following:

[Wed Jan 18 18:01:02 2012] [error] [client server.ip] (13)Permission denied: access to /~user/ denied

What I've tried:

I've RTFM, specifically the apache manual suggests it's a file permissions issue...

It's not a file permissions issue as the apache user can access the files of the above mentioned "user":

```
[root@elite home]# su apache -s /bin/bash
bash-4.1$ cat /home/user/public_html/test.txt
Just a test.
bash-4.1$ exit
```

This results in being able to see the contents of test.txt, so we know that's OK.

I can only assume it's an SELinux issue and RTFM...

```
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /home/user/public_html
```

Here's a bunch of other SELinux/httpd related settings I have set:

```
[root@elite home]# getsebool -a | grep httpd
allow_httpd_anon_write --> on
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> on
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
```

Finally, I disabled SELinux enforcing:

```
echo 0 >/selinux/enforce
```

A modest workaround, but not a solution.

I feel like I've done and tried everything and now I'm not sure what else to try...

Any suggestions?


Re: (13)Permission denied: access to /~user/ denied -- SElinux?

Post by TrevorH » 2012/01/18 19:35:40

You don't actually say if running `setenforce 0` fixed the problem or not. If it did, then that does mean that it's an SELinux issue, and the next place to look is in the logs to find out what is being denied. If you have the 'audit' package installed and the auditd daemon running, then it logs to /var/log/audit/audit.log. The contents of that file can be analyzed by running `aureport -a`, and more detailed information about interesting-looking lines can be gathered by running `ausearch -a NN`, where NN is the number at the end of the aureport line in question.
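The log check described in the reply above, as an added example that is not part of the original posts: a shell function that condenses AVC denial records into the denied permission, the source type and the target type, which is the information needed to decide which label or boolean is wrong. The sample records are constructed in the audit.log AVC format and are not taken from the poster's server; `sample_log` and `summarize_avc` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample records in audit.log format (not from the thread).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1326909662.101:412): avc:  denied  { search } for  pid=2301 comm="httpd" name="user" dev=dm-0 ino=131074 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326909662.101:412): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1326909670.552:415): avc:  denied  { search } for  pid=2302 comm="httpd" name="user" dev=dm-0 ino=131074 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1326909671.009:416): avc:  denied  { getattr } for  pid=2302 comm="httpd" path="/home/user/public_html" dev=dm-0 ino=131080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
EOF
}

# Read audit records on stdin and print one line per distinct denial:
#   count  comm  {perms}  source_type -> target_type  (tclass)
summarize_avc() {
  awk '
    /^type=AVC / && /denied/ {
      # Permissions sit between the braces: "{ search }" or "{ read write }".
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)
      gsub(/^ +| +$/, "", perms)
      comm = src = tgt = cls = "?"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        # Contexts are user:role:type:level; the type is the third field.
        else if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        else if (kv[1] == "tclass") cls = kv[2]
      }
      seen[comm " {" perms "} " src " -> " tgt " (" cls ")"]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -rn
}

sample_log | summarize_avc
```

On a real host the same function can be fed the file named in the reply, as root: `summarize_avc < /var/log/audit/audit.log`.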


Re: (13)Permission denied: access to /~user/ denied -- SElinux?

Post by hm2k » 2012/01/19 13:47:00

Yes, SELinux is the problem, as `setenforce 0` does fix it.

It's a workaround to the problem, but it doesn't solve it.

It seems I had totally overlooked this:

```
[root@elite user]# semanage fcontext -a -t public_content_rw_t '/home/user(/.*)?'
[root@elite user]# restorecon -R /home/user
```

Doing this solved the problem.

I thought I'd tried this, but looking back, I hadn't applied it.

Thanks for the pointers.

I've now set `setenforce 1` and all is well.


Re: [SOLVED] (13)Permission denied: access to /~user/ denied -- SElinux?

Post by pschaff » 2012/01/19 15:34:05

Thanks for reporting back. Marking this thread [SOLVED] for posterity.