[SOLVED] (13)Permission denied: access to /~user/ denied -- SElinux?

General support questions
Post Reply
hm2k
Posts: 24
Joined: 2006/08/17 10:03:24
Contact:

[SOLVED] (13)Permission denied: access to /~user/ denied --

Post by hm2k » 2012/01/18 18:16:24

Hi there,

I've setup a server for local development on CentOS6.

I'm trying to keep it fairly secure so I'm keeping SElinux enabled for now, however I seem to be having a problem.

I've setup apache with UserDir public_html so I'm able to access the user's public_html directory as follows:

http://server.ip/~user/

This however results in:

[quote]
Forbidden

You don't have permission to access /~user/ on this server.

Apache Server at server.ip Port 80
[/quote]

Checking the error log (/var/log/httpd/error_log) shows the following:

[quote]
[Wed Jan 18 18:01:02 2012] [error] [client server.ip] (13)Permission denied: access to /~user/ denied
[/quote]

What I've tried:

I've RTFM, specifically the [url=http://wiki.apache.org/httpd/13PermissionDenied]apache manual suggests it's a file permissions issue[/url]...

It's not a file permissions issue as the apache user can access the files of the above mentioned "user":

[code]
[root@elite home]# su apache -s /bin/bash
bash-4.1$ cat /home/user/public_html/test.txt
Just a test.
bash-4.1$ exit
exit
[/code]

This results in being able to see the contents of test.txt, so we know that's OK.

I can only assume it's an [url=http://fedoraproject.org/wiki/SELinux/apache]SElinux issue and RTFM[/url]...

[code]
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /home/user/public_html
[/code]

Here's a bunch of other SElinux/httpd related settings I have set:

[code]
[root@elite home]# getsebool -a | grep httpd
allow_httpd_anon_write --> on
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> on
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
[/code]

Finally I disabled selinux enforcing:
[code]
echo 0 >/selinux/enforce
[/code]

A modest workaround, but not a solution.

I feel like I've done and tried everything and now I'm not sure what else to try...

Any suggestions?

User avatar
TrevorH
Forum Moderator
Posts: 22983
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: (13)Permission denied: access to /~user/ denied -- SElinux?

Post by TrevorH » 2012/01/18 19:35:40

You don't actually say if running `setenforce 0` fixed the problem or not. If it did then that does mean that it's an selinux issue and the next place to look is in the logs to find out what is being denied. If you have the 'audit' package installed and the auditd daemon running then it logs to /var/log/audit/audit.log. The contents of that file can be analyzed by running `aureport -a` and more detailed information about interesting looking lines can be gathered by running `ausearch -a NN` where NN is the number at the end of the aureport line in question.

hm2k
Posts: 24
Joined: 2006/08/17 10:03:24
Contact:

Re: (13)Permission denied: access to /~user/ denied -- SElinux?

Post by hm2k » 2012/01/19 13:47:00

Yes SElinux is the problem as `setenforce 0` does fix it.

It's a workaround to the problem, but it doesn't solve it.

It seems I had totally overlooked this:

[code][root@elite user]# semanage fcontext -a -t public_content_rw_t '/home/user(/.*)?'
[root@elite user]# restorecon -R /home/user
[/code]

Doing this solved the problem.

I thought I'd tried but, but looking back, I hadn't applied it.

Thanks for the pointers.

I've now set `setenforce 1` and all is well.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: [SOLVED] (13)Permission denied: access to /~user/ denied -- SElinux?

Post by pschaff » 2012/01/19 15:34:05

Thanks for reporting back. Marking this thread [SOLVED] for posterity.

Post Reply