

Forbidden You don’t have permission to access /repos/ on this server.

So you get the following message when installing and configuring your HTTPD server? Despite a correct configuration you still receive:

Forbidden

You don't have permission to access /repos/ on this server.

Config:

[root@awx01 audit]# cat /etc/httpd/conf.d/repos.conf
<VirtualHost *:80>
        DocumentRoot /var/www/html/repos/
        RewriteEngine On
        RewriteOptions inherit
        <Directory /var/www/html/repos/ >
                Options +FollowSymLinks +Indexes +MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
[root@awx01 audit]#


Checking the audit logs we see this:

type=AVC msg=audit(1528086151.719:2706): avc:  denied  { read } for  pid=30031 comm="httpd" name="repos" dev="fuse" ino=13515921556188523676 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

The solution is to adjust the SELinux permissions:

[root@awx02 audit]# grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i systemd-allow.pp

[root@awx02 audit]# semodule -i systemd-allow.pp
libsemanage.add_user: user ipauser not in password file
[root@awx02 audit]#

If the root URL still returns 403 after that, the cause is the default welcome-page configuration, which sets Options -Indexes and a 403 ErrorDocument for "/" (on RHEL/CentOS this is /etc/httpd/conf.d/welcome.conf). Comment out all of its directives, as shown here:

#
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL.  To disable the
# Welcome page, comment out all the lines below.
#
# NOTE: if this file is removed, it will be restored on upgrades.
#
# <LocationMatch "^/+$">
#     Options -Indexes
#     ErrorDocument 403 /.noindex.html
# </LocationMatch>

# <Directory /usr/share/httpd/noindex>
#     AllowOverride None
#     Require all granted
# </Directory>

# Alias /.noindex.html /usr/share/httpd/noindex/index.html
# Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
# Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
# Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
# Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png

The last step, so that all files in the directories can actually be listed, is to repeat the SELinux fix for the file-level denials that follow, such as this one:

type=AVC msg=audit(1528114247.764:3123): avc:  denied  { getattr } for  pid=884 comm="httpd" path="/ansible/repos/mysql-5.7.22-1.el7.x86_64.rpm-bundle.tar" dev="fuse" ino=10184044638700995813 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

with:

grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow
semodule -i systemd-allow.pp

Repeat this for every denial that appears in audit.log.
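Before looping grep | audit2allow | semodule over a live audit.log, it is worth seeing exactly which accesses the generated module would grant, since audit2allow turns every matching denial into an allow rule. The following is an added example, not from the original post: a small POSIX shell helper that summarises the AVC records for one process (here the two httpd denials quoted above plus two constructed extra records) as "permission source_type target_type class", and lists the target types involved so that anything other than the expected fusefs_t stands out.

```shell
#!/bin/sh
# Added example (not the post's own code): summarise AVC denials for one
# process before feeding them to audit2allow.
# Constructed sample input: the two httpd denials quoted in the post plus
# one extra httpd 'read' on a file and one unrelated sshd denial.
SAMPLE_AUDIT='type=AVC msg=audit(1528086151.719:2706): avc:  denied  { read } for  pid=30031 comm="httpd" name="repos" dev="fuse" ino=13515921556188523676 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1528114247.764:3123): avc:  denied  { getattr } for  pid=884 comm="httpd" path="/ansible/repos/mysql-5.7.22-1.el7.x86_64.rpm-bundle.tar" dev="fuse" ino=10184044638700995813 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1528114250.101:3124): avc:  denied  { read } for  pid=884 comm="httpd" path="/ansible/repos/example.rpm" dev="fuse" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1528114260.000:3125): avc:  denied  { write } for  pid=900 comm="sshd" path="/etc/ssh/example" dev="dm-0" ino=7 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_summary COMM: read audit records on stdin and print one line per
# distinct "permission source_type target_type class" denied to COMM.
# The type is the third colon-separated field of scontext/tcontext.
avc_summary() {
    grep 'type=AVC' | grep "comm=\"$1\"" |
    sed -n 's/.*{ \(.*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \2 \3 \4/p' |
    sort -u
}

# avc_target_types COMM: distinct target types COMM was denied access to.
# If this prints more than the one type you expect (here fusefs_t), do not
# install the audit2allow module as generated; trim the .te file first.
avc_target_types() {
    avc_summary "$1" | awk '{print $3}' | sort -u
}

# Demonstration on the constructed sample (on a real host:
#   grep AVC /var/log/audit/audit.log | avc_summary httpd).
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary httpd
```

audit2allow -M also leaves a systemd-allow.te next to the .pp, so the rules it generated can be read before semodule -i. On RHEL/CentOS 7 the stock policy additionally provides the httpd_use_fusefs boolean (check with getsebool httpd_use_fusefs), which grants httpd access to FUSE filesystems without a custom module.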

Cheers,
Tom K.

  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License