Pulling out what little hair I have here, but stumbled onto a possible problem.

I have a server running C6 apache that is set up with personal directories and no problem showing the files.

You can see it at: medon.htt-consult.com/~rgm/pogo

So I have a C7 apache server I am building. Files I create on the new server are listing fine. Files I have copied (with cp -avr ...) get permission error e.g.:

[Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208] (13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/

File permissions are the same. So in frustration I try using stat and it shows a different picture:

$ stat test/testit
  File: ‘test/testit’
  Size: 6               Blocks: 8          IO Block: 4096   regular file
Device: 803h/2051d      Inode: 524296      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/     rgm)   Gid: ( 1000/     rgm)
Context: unconfined_u:object_r:httpd_user_content_t:s0
Access: 2015-12-23 13:53:04.212993088 -0500
Modify: 2015-12-23 13:53:06.313000584 -0500
Change: 2015-12-23 13:53:06.313000584 -0500
 Birth: -

$ stat biby/MishnahBerurah-2015-12-18.amr
  File: ‘biby/MishnahBerurah-2015-12-18.amr’
  Size: 2290374         Blocks: 4480       IO Block: 4096   regular file
Device: 803h/2051d      Inode: 136295      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/     rgm)   Gid: ( 1000/     rgm)
Context: system_u:object_r:unlabeled_t:s0
Access: 2015-12-18 06:54:01.000000000 -0500
Modify: 2015-12-18 06:54:01.000000000 -0500
Change: 2015-12-23 13:56:57.273824913 -0500
 Birth: -

Notice the difference with Context. What is this httpd_user_content_t? Why on files I create on this system and not those I cp from a USB drive? And is this the problem or something else?

thanks
On Wed, 23 Dec 2015, Robert Moskowitz wrote:

> Pulling out what little hair I have here, but stumbled onto a possible
> problem.
>
> I have a server running C6 apache that is set up with personal directories
> and no problem showing the files.
>
> You can see it at: medon.htt-consult.com/~rgm/pogo
>
> So I have a C7 apache server I am building. Files I create on the new server
> are listing fine. Files I have copied (with cp -avr ...) get permission
> error e.g.:
>
> [Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208]
> (13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot read
> directory for multi: /home/rgm/public_html/biby/

If SELinux is working, then do

  setsebool -P httpd_enable_homedirs on

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
On 12/23/2015 02:36 PM, Paul Heinlein wrote:
> On Wed, 23 Dec 2015, Robert Moskowitz wrote:
>
>> Pulling out what little hair I have here, but stumbled onto a
>> possible problem.
>>
>> I have a server running C6 apache that is set up with personal
>> directories and no problem showing the files.
>>
>> You can see it at: medon.htt-consult.com/~rgm/pogo
>>
>> So I have a C7 apache server I am building. Files I create on the
>> new server are listing fine. Files I have copied (with cp -avr ...)
>> get permission error e.g.:
>>
>> [Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208]
>> (13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot
>> read directory for multi: /home/rgm/public_html/biby/
>
> If SELinux is working, then do
>
> setsebool -P httpd_enable_homedirs on

Did not help. In messages I see:

Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded configuration
Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy boolean was changed to on by root

But still get the access error:

[Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212] (13)Permission denied: [client 192.168.160.20:38836] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/

I should say that this system is built with the Centos7-arm build that we are testing out. So this could be a problem with the selinux build for armv7. But I thought this was a general C7/apache issue...
On 12/23/2015 11:15 AM, Robert Moskowitz wrote:
> What is this httpd_user_content_t?

That is an selinux context which httpd is allowed to access. It is defined as the label for files matching the regex /home/[^/]*/((www)|(web)|(public_html))(/.+)? in /etc/selinux/targeted/contexts/files/

"restorecon" can be used to reset contexts to those defined in that directory.

> Why on files I create on this system and not those I cp from a USB drive?

Because you used cp -a, which preserves permissions and labels, among other attributes. Normally, files inherit a context from their parent directory.
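An added example (not from this thread or from the SELinux project) that turns the explanation above into a check: it splits SELinux labels into their four fields, applies the file_contexts regex quoted for httpd_user_content_t, flags files under a home directory's public_html/www/web whose type differs from the policy default, and builds the restorecon command that resets them. The sample lines are constructed to look like `stat -c '%C %n'` output and mirror the two files from the original post; the function and variable names are the example's own.

```python
import re
import subprocess

# Regex quoted in the reply above for httpd_user_content_t (from the targeted
# policy's file_contexts). Files copied with cp -a keep the label they had on
# the source filesystem instead of being relabelled to match it.
HOMEDIR_CONTENT_RE = re.compile(r"^/home/[^/]*/((www)|(web)|(public_html))(/.+)?$")
EXPECTED_TYPE = "httpd_user_content_t"

# Constructed sample in the shape of `stat -c '%C %n'` output; the first two
# lines correspond to the two stat dumps in the original post, the third is a
# file outside the public_html pattern that the policy does not care about.
SAMPLE_STAT_LINES = """\
unconfined_u:object_r:httpd_user_content_t:s0 /home/rgm/public_html/test/testit
system_u:object_r:unlabeled_t:s0 /home/rgm/public_html/biby/MishnahBerurah-2015-12-18.amr
unconfined_u:object_r:user_home_t:s0 /home/rgm/notes.txt
"""


def split_context(ctx):
    """Split an SELinux label into (user, role, type, level).

    The MLS level may itself contain colons (e.g. s0-s0:c0.c1023), so only
    the first three colons separate fields.
    """
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError("not an SELinux context: %r" % ctx)
    return tuple(parts)


def expected_type(path):
    """Type the policy assigns to web content under a home directory, or None
    when the path lies outside the public_html/www/web pattern."""
    return EXPECTED_TYPE if HOMEDIR_CONTENT_RE.match(path) else None


def find_mislabelled(stat_output):
    """Parse '<context> <path>' lines; return [(path, actual_type, expected_type)]
    for every file whose type does not match the policy default."""
    problems = []
    for line in stat_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # A context never contains spaces, so the first space ends it even
        # when the path itself has spaces.
        ctx, path = line.split(" ", 1)
        _user, _role, actual, _level = split_context(ctx)
        want = expected_type(path)
        if want is not None and actual != want:
            problems.append((path, actual, want))
    return problems


def restorecon_command(problems):
    """The restorecon invocation that resets the flagged files to their
    file_contexts defaults (-v prints each relabel it performs)."""
    if not problems:
        return None
    return ["restorecon", "-v"] + [path for path, _, _ in problems]


def live_stat_lines(paths):
    """Collect '<context> <path>' lines from the running host. Only meaningful
    on an SELinux-enabled system; elsewhere stat prints '?' for %C."""
    out = subprocess.run(["stat", "-c", "%C %n"] + list(paths),
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    problems = find_mislabelled(SAMPLE_STAT_LINES)
    for path, actual, want in problems:
        print("%s: labelled %s, policy default is %s" % (path, actual, want))
    cmd = restorecon_command(problems)
    if cmd:
        print("fix with:", " ".join(cmd))
```

On the real server the same check is `stat -c '%C %n' /home/rgm/public_html/biby/*` followed by `restorecon -Rv /home/rgm/public_html`. For future copies, `cp -rp` keeps mode, ownership and timestamps without carrying the source label, and `cp -a --no-preserve=context` does the same while keeping the rest of `-a`, so the files pick up httpd_user_content_t from the parent directory as the reply describes.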
On 12/24/2015 01:08 AM, Gordon Messmer wrote:
> On 12/23/2015 11:15 AM, Robert Moskowitz wrote:
>> What is this httpd_user_content_t?
>
> That is an selinux context which httpd is allowed to access. It is
> defined as the label for files matching the regex
> /home/[^/]*/((www)|(web)|(public_html))(/.+)? in
> /etc/selinux/targeted/contexts/files/
>
> "restorecon" can be used to reset contexts to those defined in that
> directory.
>
>> Why on files I create on this system and not those I cp from a USB
>> drive?
>
> Because you used cp -a, which preserves permissions and labels, among
> other attributes. Normally, files inherit a context from their parent
> directory.

Ah yes. I was lazy, as 'all' I really wanted was to maintain timestamps on those files. Serves me right... thanks for the explanation.

New server is more solid than current, so I am going to launch it tomorrow. Then on to BIND testing.