linux 403错误,Apache 403错误解决方法

今天安装了SELinux,然后Apache就出问题了，403错误。

以前Apache都没出过问题，现在解决了。原来是SELinux的问题。

解决方法：

chcon -R -t httpd_sys_content_t 具体原因如下：Apache (httpd) 403 errors & SELinux in FC3

Posted by jwigdahl @ 17 Nov 2004 10:38 am

Quick fix:

chcon -R -t httpd_sys_content_t

Now for the meat:

So in Fedora Core 3 we now have SELinux enabled by default in the

installation. I decided to leave it enabled because security is a “Good

Thing” (right?) and I knew I was going to have to get familiar with it

at some point. So this was all fine and good until I ran into the first

piece of the system I wanted to work with that was affected by the

default policy that’s called “targeted”.

The “targeted” policy confines certain network daemons to run in their

own specific “security domain”. These daemons include dhcpd, httpd

(apache), named, nscd, ntpd, portmap, snmpd, squid, and syslogd.

When I setup apache on a system where it wil be utilized, I have a

habit of not using /var/www/html as my starting point for document

roots, but rather create a dir at /home/websites and place my document

roots in there. In the good ol’ days of Discretionary Access Controls

(DAC) just making sure that apache had the perms it needed to read the

documents in there was enough (using chmod, chown, and the like).

Not so with SELinux enabled. In addition to the regular DAC we’re

all used to, we now have Mandatory Access Controls (MAC) that define

security contexts for files/directories etc. Turns out it looks like by

default, apache only has access to /var/www/html when it’s fired up….

I’m guessing that and probably /var/log/httpd (which is exactly as it

should be). To enable apache to view my files in /home/websites, I had

to apply a new security context to these files. The answer to this is

the chcon command. To be brief, the full command I executed was:

chcon -R -t httpd_sys_content_t /home/websites

After executing this, apache could read my files.

Important links I found in troubleshooting:

I like where this SELinux thing is going. Permissions done right,

for sure. This doesn’t come with out growing pains though. It’s complex

(or so it seems to me after only working with it for a couple days) and

will take some time to learn. I’m prepared for some frustration….

Now many of you are probably asking yourself why would anyone (let

alone me) want to bother with this? Well I think a simple example of

one of the cool things is that even though something like /etc/passwd

has DAC octal perms of 644 (rw-r–r–), apache still can’t read it

because that file is not with in apache’s security context. So any

users on your system can’t write a little script that reads your

/etc/passwd file and basically posts it on a web page for the world to

see (giving potential crackers a list of valid user accounts on the

system).

UPDATE: Thanks for the updated link Bob.