Finally! I took some time out; with a big road trip to America and various other activities going on, I hadn't had the time to keep the blog going. Anyway, things are back to normal now, and after a recent hard disk failure I unexpectedly found myself setting up a new secure web server using CentOS 5.2 x64, Apache Httpd 2.2.3 and PHP5. Later I'll add a Java EE application server for more dynamic web app stuff.
I thought I'd type up some small notes on a problem I'd come across before, when trying to set up Mercurial HG-WEB in directories (or symlinks) pointing outside of the usual /var/www.
One of the problems may come from SELinux. Whilst it's tempting to turn it off, for something facing the public on the web this would be a real last resort!
Security contexts - a quick explanation
Files and directories have security contexts. These can be seen using ls, e.g.
By default Apache Httpd cannot access all files; it can access those with the httpd_sys_content_t context type.
For example, user home directories come with the context home_root_t, which gives a permission denied type error if httpd tries to serve files from there (or anywhere below!). Another common security context is default_t, which is assigned as the default for new files and folders.
An important difference between mv and cp
cp creates a new file, so the copy inherits the context of its destination directory, whereas mv moves the file with its original context unmodified. So a common gotcha is to create files in the user home directory and mv them to /var/www/..., which keeps the home context home_root_t - hence the permission denied error.
Some handy commands:
chcon -R -h -t httpd_sys_content_t /test/
Change the directory /test/ to the httpd_sys_content_t security context type, recursively but without following symlinks.
I.e. the above would enable /test/ to be served as a DocumentRoot in Httpd.
If SELinux is suspected for the permission problems (as opposed to httpd configuration), the SELinux denials will appear in the message log:
tail -f /var/log/messages
SELinux boolean flags:
can be read with
and set with
setsebool httpd_enable_cgi true
Invoke the simple GUI configurator with: system-config-securitylevel
Restore the file context (say after an mv command):
restorecon -R -v ./folderwithwrongcontext/
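As an added example (not the post's own code, and needing no SELinux on the machine that runs it), the two checks above in script form: a filter over constructed `ls -Z` output that lists entries whose type is not httpd_sys_content_t, typically the leftovers of the mv gotcha, and a parser over constructed /var/log/messages lines that pulls out the object and target type behind each httpd denial. The sample labels, hostname and PIDs are constructed.

```shell
#!/bin/sh
# Constructed `ls -Z` output for a DocumentRoot into which two entries were
# moved with mv from a home directory (sample data, not from the post).
SAMPLE_LS='-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t index.html
-rw-r--r--  bob    bob    user_u:object_r:home_root_t                hgweb.cgi
drwxr-xr-x  bob    bob    user_u:object_r:home_root_t                repos
-rw-r--r--  root   root   system_u:object_r:default_t                robots.txt'

# Constructed /var/log/messages lines in the CentOS 5 AVC layout (sample data).
SAMPLE_LOG='Jun 12 10:15:01 web1 kernel: audit(1213262101.123:45): avc:  denied  { getattr } for  pid=2314 comm="httpd" path="/var/www/html/hgweb.cgi" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:home_root_t:s0 tclass=file
Jun 12 10:15:02 web1 httpd[2314]: [error] [client 10.0.0.5] (13)Permission denied: access to /hgweb.cgi denied
Jun 12 10:15:03 web1 kernel: audit(1213262103.456:46): avc:  denied  { read } for  pid=2314 comm="httpd" name="robots.txt" dev=sda2 ino=12346 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# find_mislabelled LS_OUTPUT [TYPE]: print each entry whose SELinux type is not
# TYPE (default httpd_sys_content_t). The context is located as the first
# field holding at least two colons, so the other ls columns may vary.
find_mislabelled() {
    printf '%s\n' "$1" | awk -v want="${2:-httpd_sys_content_t}" '
        {
            for (i = 1; i <= NF; i++) {
                if (split($i, ctx, ":") >= 3) {
                    if (ctx[3] != want) print $NF
                    break
                }
            }
        }'
}

# httpd_denials LOG_TEXT: for every AVC denial raised against httpd, print the
# object (path= or name=) and the target type that blocked it. Those are the
# candidates for chcon or restorecon; anything else points at httpd config.
httpd_denials() {
    printf '%s\n' "$1" | awk '/avc: +denied/ && /comm="httpd"/ {
        obj = ""; type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(path|name)="/) {
                obj = $i; sub(/^[a-z]+="/, "", obj); sub(/"$/, "", obj)
            }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); type = c[3] }
        }
        if (obj != "" && type != "") print obj, type
    }'
}

find_mislabelled "$SAMPLE_LS"
httpd_denials "$SAMPLE_LOG"
```

On a live box, feed the functions `ls -Z /var/www/html` and `grep avc /var/log/messages` instead of the samples; every reported entry is one to fix with chcon or restorecon rather than by loosening httpd.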
Additional SELinux parameters:
Enable Samba to access home dirs:
setsebool -P samba_enable_home_dirs=1
Good overview in this link: http://docs.fedoraproject.org/selinux-apache-fc3/sn-simple-setup.html