Forbidden You don’t have permission to access /repos/ on this server.
So you get the following message when installing and configuring your HTTPD server? Despite the right configuration you still receive the following:
Forbidden
You don't have permission to access /repos/ on this server.
Config:
[root@awx01 audit]# cat /etc/httpd/conf.d/repos.conf
<VirtualHost *:80>
DocumentRoot /var/www/html/repos/
RewriteEngine On
RewriteOptions inherit
<Directory /var/www/html/repos/ >
Options +FollowSymLinks +Indexes +MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
[root@awx01 audit]#
Checking the audit logs we see this:
type=AVC msg=audit(1528086151.719:2706): avc: denied { read } for pid=30031 comm="httpd" name="repos" dev="fuse" ino=13515921556188523676 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
The solution is to adjust the SELinux permissions:
[root@awx02 audit]# grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i systemd-allow.pp
[root@awx02 audit]# semodule -i systemd-allow.pp
libsemanage.add_user: user ipauser not in password file
[root@awx02 audit]#
And the ultimate solution for resolving the above error is to disable the Welcome page by commenting out all the lines of its configuration file:
#
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
# <LocationMatch "^/+$">
# Options -Indexes
# ErrorDocument 403 /.noindex.html
# </LocationMatch>
# <Directory /usr/share/httpd/noindex>
# AllowOverride None
# Require all granted
# </Directory>
# Alias /.noindex.html /usr/share/httpd/noindex/index.html
# Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
# Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
# Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
# Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
And the ultimate and final solution, ensuring you can list all the files in the directories, is to redo the SELinux permissions for the new denial:
type=AVC msg=audit(1528114247.764:3123): avc: denied { getattr } for pid=884 comm="httpd" path="/ansible/repos/mysql-5.7.22-1.el7.x86_64.rpm-bundle.tar" dev="fuse" ino=10184044638700995813 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
with:
grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow
semodule -i systemd-allow.pp
And repeat this for every denied entry in audit.log.
Cheers,
Tom K.
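The grep AVC commands above hand every denial in the log to audit2allow, so the generated module also allows anything unrelated that happened to be denied. As an added example (not the author's code), the script below narrows the input to httpd_t denials against fusefs_t and lists the distinct permissions for review; the function names and the third sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: review SELinux denials for one domain/target pair before
# any of them reach audit2allow. Function names are illustrative.

# Lines 1-2 are the denials quoted on this page; line 3 is constructed to
# stand for an unrelated denial that a bare "grep AVC" would also allow.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1528086151.719:2706): avc: denied { read } for pid=30031 comm="httpd" name="repos" dev="fuse" ino=13515921556188523676 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1528114247.764:3123): avc: denied { getattr } for pid=884 comm="httpd" path="/ansible/repos/mysql-5.7.22-1.el7.x86_64.rpm-bundle.tar" dev="fuse" ino=10184044638700995813 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1528114300.000:3200): avc: denied { write } for pid=999 comm="exampled" name="data" dev="dm-0" ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=file
EOF
}

# filter_avc SRC_TYPE TGT_TYPE: keep only denials between those two types.
filter_avc() {
    awk -v s="$1" -v t="$2" '
        /type=AVC/ && /denied/ {
            src = ""; tgt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            }
            if (src == s && tgt == t) print
        }'
}

# summarize_avc: print "count permission class" per distinct denial.
summarize_avc() {
    awk '{
        perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        cls = $0;   sub(/.*tclass=/, "", cls);        sub(/ .*/, "", cls)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) seen[p[i] " " cls]++
    } END { for (k in seen) print seen[k], k }' | sort -k3,3 -k2,2
}

# Demo on the embedded sample; on a real host replace sample_log with
# "cat /var/log/audit/audit.log".
sample_log | filter_avc httpd_t fusefs_t | summarize_avc
```

Once the summary shows only the expected read and getattr denials, pipe the output of filter_avc, rather than every AVC line, into audit2allow -M as above. The targeted policy also ships an httpd_use_fusefs boolean (inspect it with getsebool) that is worth checking before loading a custom module.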