SOLVED - Re: Fedora-Server-armhfp-25-1.3-sda - httpd userdir and selinux probem

Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> · Sat, 4 Feb 2017 23:52:41 -0500

I just found out that now I need to do:

chcon -R -t httpd_sys_content_t ~rgm/public_html

Which was not required back in the earlier days.

But I have added this to my cookbook.

On 02/04/2017 11:34 PM, Robert Moskowitz wrote:
I did all of my steps to build a Fedora Server with updates and 
installed httpd.

I edited the /etc/httpd/conf.d/userdir.conf to enable userdir.  I kept 
all of the rest of this conf file unchanged.

I added my z00-init.conf file:

ServerAdmin rgm@xxxxxxxxxxxxxxx
ServerName medon.htt-consult.com:80
# NameVirtualHost *:80
# NameVirtualHost *:443

I followed the permission instructions in the userdir.conf file, 
copied some files into my public_html

set my IP addr and all the rest, put the Cubie on my DMZ and tried to 
access a file:

http://medon.htt-consult.com/~rgm/cubieboard/cubietower-2.JPG

This works.  You can try this also, as the server is public.

But I cannot access just a directory:

http://medon.htt-consult.com/~rgm/cubieboard/

I get:

=====

Forbidden

You don't have permission to access /~rgm/cubieboard/ on this server.

=====

If I disable SELinux with 'setenforce 0'  I get the listing of files 
in this directory.

The userdir.conf default is:

<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

So this should work.  /var/log/httpd/error.log reports:

[Sat Feb 04 23:24:13.289963 2017] [negotiation:error] [pid 865] 
(13)Permission denied: [client 192.168.160.12:56918] AH00686: cannot 
read directory for multi: /home/rgm/public_html/cubieboard/

permissions are:

# ls -ls /home/rgm/public_html/
total 4
0 drwxrwxr-x. 2 rgm rgm  54 Feb  4 22:51 cubieboard
0 drwxrwxr-x. 2 rgm rgm 203 Feb  4 22:51 Harpsichord
0 drwxrwxr-x. 2 rgm rgm  73 Feb  4 22:51 ietf
4 -rw-rw-r--. 1 rgm rgm  12 Jan 21  2013 index.html

# ls -ls /home/rgm/public_html/cubieboard/
total 3504
1420 -rw-rw-r--. 1 rgm rgm 1450256 Aug 27  2014 cubietower-2.JPG
2084 -rw-r--r--. 1 rgm rgm 2131328 Sep  4  2014 cubietower-3.JPG

Why did I suspect SELinux you ask?  Well I get all these warnings when 
I do any SELinux command.  What follows is everything I could gather 
from the console.

So please tell me what is the problem and how to fix it.  I really 
want to get this simple server up and in production already...

  Upgrading   : 
selinux-policy-targeted-3.13.1-225.6.fc25.noarch        310/844
[ 8981.136506] SELinux:  Permission validate_trans in class security 
not defined in policy.
[ 8981.144734] SELinux:  Permission module_load in class system not 
defined in policy.
[ 8981.152998] SELinux: the above unknown classes and permissions will 
be allowed
[ 8985.835670] SELinux:  Context 
unconfined_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid 
(unmapped).
[ 8987.072186] SELinux:  Context 
system_u:unconfined_r:sandbox_t:s0-s0:c0.c1023 became invalid (unmapped).

/var/lib/selinux/targeted/active/policy.kern: read error
(tried to read 8192 bytes from offset 3848760)
cannot reconstruct rpm from disk files

[    0.006234] SELinux:  Initializing.
[    6.113236] systemd[1]: systemd 231 running in system mode. (+PAM 
+AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP 
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
[   17.446033] SELinux:  Permission validate_trans in class security 
not defined in policy.
[   17.454298] SELinux:  Permission module_load in class system not 
defined in policy.
[   17.462557] SELinux: the above unknown classes and permissions will 
be allowed
[   17.544762] systemd[1]: Successfully loaded SELinux policy in 
910.703ms.

  Upgrading   : 
container-selinux-2:2.5-1.fc25.noarch                   179/500
[11840.708423] SELinux:  Permission validate_trans in class security 
not defined in policy.
[11840.716674] SELinux:  Permission module_load in class system not 
defined in policy.
[11840.725023] SELinux: the above unknown classes and permissions will 
be allowed
[11841.999564] SELinux:  Context 
system_u:system_r:gear_t:s0-s0:c0.c1023 became invalid (unmapped).
[11847.589662] SELinux:  Context 
unconfined_u:system_r:gear_t:s0-s0:c0.c1023 became invalid (unmapped).
libsemanage.semanage_direct_remove_key: Removing last container module 
(no other container module exists at another priority).

# semanage port -a -t ssh_port_t -p tcp 1234   /* not the real port 
number
[116454.082753] SELinux:  Permission validate_trans in class security 
not defined in policy.
[116454.091093] SELinux:  Permission module_load in class system not 
defined in policy.
[116454.099465] SELinux: the above unknown classes and permissions 
will be allowed

# setsebool -P httpd_enable_homedirs on
[120049.339391] SELinux:  Permission validate_trans in class security 
not defined in policy.
[120049.347700] SELinux:  Permission module_load in class system not 
defined in policy.
[120049.356072] SELinux: the above unknown classes and permissions 
will be allowed

thanks
_______________________________________________
arm mailing list -- arm@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to arm-leave@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
arm mailing list -- arm@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to arm-leave@xxxxxxxxxxxxxxxxxxxxxxx