CentOS - Sep 2010 - Forbidden: can't access *.html files in /var/www/html

Hello,

I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail
(relayed through gmail.com) - all those programs working fine,
with no big modifications of the CentOS defaults (i.e. SELinux is on).

Now I'm struggling with the seemingly simple problem, that when
I put an .html file into /var/www/html/ then Apache won't serve it.

In the browser I see:

"Forbidden

You don't have permission to access /Alex.html on this server.
Apache/2.2.3 (CentOS) Server at XXXX Port 80"

In the  /var/log/httpd/error_log (I've set "LogLevel debug") I
only see:

"[error] [client 10.216.40.68] (13)Permission denied: access to
/Alex.html denied
[error] [client 10.216.40.68] (13)Permission denied: access to
/Alex.html denied"

The other filetypes like crossdomain.xml and index.php or
hello-world.php are served just fine. Also, if I move my *.html
files under /var/www/html/test/ - then they are served ok.

The permissions are ok in my book:

# ls -al Alex.html index.php hello-world.php
-r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
-rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
-rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php

#  ls -ald / /var /var/www /var/www/html
drwxr-xr-x 23 root root 4096 Sep 29 15:54 /
drwxr-xr-x 22 root root 4096 Jun 22 15:25 /var
drwxr-xr-x  8 root root 4096 Sep 29 11:45 /var/www
drwxr-xr-x 16 root root 4096 Sep 29 15:59 /var/www/html

# cat /var/www/html/.htaccess (installed by phpBB)
<Files "config.php">
Order Allow,Deny
Deny from All
</Files>

<Files "common.php">
Order Allow,Deny
Deny from All
</Files>

#  /usr/sbin/getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off

I've looked into /etc/httpd/conf/httpd.conf and conf.d/ files...

Does anybody know what is wrong, how to find out?

Regards
Alex

> Now I'm struggling with the seemingly simple problem
Sometimes simple problems have simple solutions!

For example:
> # ls -al Alex.html index.php hello-world.php
> -r--r--r-- 1 root    root     599 Sep 29 15:49 Alex.html
> -rw-r--r-- 1 afarber afarber   33 Jul 29 11:32 hello-world.php
> -rw-r--r-- 1 root    root    5631 Jun 27 09:38 index.php
Why is Alex.html only readable and the php files readable *and* writable?
 Did you try making the php files *only readable* and see what happens?

This may not be relevant to the problem, but I have observed in Ubuntu that
the apache server by default likes to make files it serves executable.  Not
sure why, just a simple observation.

Hope this helps,
Rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20100929/5efc3ce6/attachment.html>

Alexander Farber wrote:
> Hello,
> 
> I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail
> (relayed through gmail.com) - all those programs working fine,
> with no big modifications of the CentOS defaults (i.e. SELinux is on).
> 
> Now I'm struggling with the seemingly simple problem, that when
> I put an .html file into /var/www/html/ then Apache won't serve it.
> 
> <SNIP>
> 
> I've looked into /etc/httpd/conf/httpd.conf and conf.d/ files...
> 
> Does anybody know what is wrong, how to find out?
> 
> Regards
> Alex
Did you possibly use mv to put the file in that directory?  If so, it 
will not always set the file context properly.  You can tell if you will 
check to see if SELinux is active (run getenforce and see if it returns 
"Enforcing") and use the -Z switch to ls to see the file context of
the
problem files.  If the context is not "httpd_sys_content_t" or
something
similar you need to fix the context.

Fixing it is easy, just run restorecon:

restorecon -rv /var/www/html

This will walk down the directory tree and fix up the file contexts, 
giving you a message about the files it changes.

Of course, if it isn't an SELinux problem, this won't help.
-- 
Jay Leafey - jay.leafey at mindless.com
Memphis, TN
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5529 bytes
Desc: S/MIME Cryptographic Signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20100929/837e31b9/attachment.bin>

Nope this doesn't help. I've tried both 444 and 644 for Alex.html
and vice versa: 444 and 644 for the .php and .xml files.

On Wed, Sep 29, 2010 at 4:52 PM, Rob Del Vecchio
<rob.delvecchio at gmail.com> wrote:
>>?# ls -al Alex.html index.php hello-world.php
>> -r--r--r-- 1 root ? ?root ? ? 599 Sep 29 15:49 Alex.html
>> -rw-r--r-- 1 afarber afarber ? 33 Jul 29 11:32 hello-world.php
>> -rw-r--r-- 1 root ? ?root ? ?5631 Jun 27 09:38 index.php
> Why is Alex.html only readable and the php files readable *and* writable?
> ?Did you try making the php files *only readable* and see what happens?

On 30/09/10 12:43 AM, Alexander Farber wrote:
> Hello,
> 
> I'm using the latest CentOS with phpBB 3.0.x + postgreSQL + sendmail
> (relayed through gmail.com) - all those programs working fine,
> with no big modifications of the CentOS defaults (i.e. SELinux is on).
[SNIP
> Does anybody know what is wrong, how to find out?
Yep, it's SELinux picking up that the files have been moved or copied to
that directory.  Run this command:

restorecon -R /var/www/html

The pages should load after that.


Regards,
Ben


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20100930/19e4b3b1/attachment.sig>

On Wed, 29 Sep 2010, Jay Leafey wrote:
> Fixing it is easy, just run restorecon:
>
> restorecon -rv /var/www/html
Is there any received wisdom about when it is more appropriate to use 
restorecon directly instead of the fixfiles wrapper? I tend to use 
fixfiles, but I haven't really thought it through.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/