

Forbidden You don’t have permission to access /repos/ on this server.

So you get the following message when installing and configuring your HTTPD server? Despite the right configuration, you still receive the following:

Forbidden

You don't have permission to access /repos/ on this server.

Config:

[root@awx01 audit]# cat /etc/httpd/conf.d/repos.conf
<VirtualHost *:80>
        DocumentRoot /var/www/html/repos/
        RewriteEngine On
        RewriteOptions inherit
        <Directory /var/www/html/repos/ >
                Options +FollowSymLinks +Indexes +MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
[root@awx01 audit]#

 

Checking the audit logs we see this:

type=AVC msg=audit(1528086151.719:2706): avc:  denied  { read } for  pid=30031 comm="httpd" name="repos" dev="fuse" ino=13515921556188523676 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

The solution is to adjust the SELinux permissions:

[root@awx02 audit]# grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i systemd-allow.pp

[root@awx02 audit]# semodule -i systemd-allow.pp
libsemanage.add_user: user ipauser not in password file
[root@awx02 audit]#

The ultimate solution for resolving the above error is to comment out all the lines of the default "Welcome" page configuration file, as its header describes:

#
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL.  To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
# <LocationMatch "^/+$">
#     Options -Indexes
#     ErrorDocument 403 /.noindex.html
# </LocationMatch>

# <Directory /usr/share/httpd/noindex>
#     AllowOverride None
#     Require all granted
# </Directory>

# Alias /.noindex.html /usr/share/httpd/noindex/index.html
# Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
# Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
# Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
# Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png

The ultimate and final solution, which ensures you can list all the files in the directories, is to redo the SELinux permissions for denials such as:

type=AVC msg=audit(1528114247.764:3123): avc:  denied  { getattr } for  pid=884 comm="httpd" path="/ansible/repos/mysql-5.7.22-1.el7.x86_64.rpm-bundle.tar" dev="fuse" ino=10184044638700995813 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

with:

grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow
semodule -i systemd-allow.pp

Repeat this for every denial in audit.log.

Cheers,
Tom K.
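
Added example, not part of the original post: `grep AVC` over the whole audit.log hands every denial on the host to audit2allow, so this sketch summarises the denials for one process first, showing exactly which source type, target type, class and permissions a generated module would allow. The function names summarize_avc and sample_log are hypothetical, and the logrotate line in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list what SELinux denied for
# one process, so the rules audit2allow will generate can be reviewed first.

# Hypothetical helper. Usage: summarize_avc COMM < /var/log/audit/audit.log
# Prints "count source_type target_type class permissions" per unique denial.
# Assumes the comm= value contains no spaces.
summarize_avc() {
    awk -v want="$1" '
    $1 == "type=AVC" && /denied/ {
        comm = src = tgt = cls = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) {                      # tokens between { } are permissions
                sep = (perms == "") ? "" : ","
                perms = perms sep $i
                continue
            }
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (comm != want) next                 # skip denials from other processes
        count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Sample input: the two denials quoted in the post plus one constructed,
# unrelated denial (logrotate) that a plain "grep AVC" would also sweep up.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1528086151.719:2706): avc:  denied  { read } for  pid=30031 comm="httpd" name="repos" dev="fuse" ino=13515921556188523676 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1528114247.764:3123): avc:  denied  { getattr } for  pid=884 comm="httpd" path="/ansible/repos/mysql-5.7.22-1.el7.x86_64.rpm-bundle.tar" dev="fuse" ino=10184044638700995813 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1528114300.001:3130): avc:  denied  { write } for  pid=1200 comm="logrotate" name="example.log" dev="dm-0" ino=12345 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

sample_log | summarize_avc httpd
```

To build a module from only those denials, apply the same filter before audit2allow, for example by adding `grep 'comm="httpd"'` to the pipeline after `grep AVC`.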

 



     
  Copyright © 2003 - 2025 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License

 
