On 12/23/2015 02:36 PM, Paul Heinlein wrote:
> On Wed, 23 Dec 2015, Robert Moskowitz wrote:
>
>> Pulling out what little hair I have here, but stumbled onto a
>> possible problem.
>>
>> I have a server running C6 apache that is set up with personal
>> directories and no problem showing the files.
>>
>> You can see it at: medon.htt-consult.com/~rgm/pogo
>>
>> So I have a C7 apache server I am building. Files I create on the
>> new server are listing fine. Files I have copied (with cp -avr ...)
>> get permission error e.g.:
>>
>> [Wed Dec 23 12:32:49.359323 2015] [negotiation:error] [pid 3208]
>> (13)Permission denied: [client 192.168.160.20:38708] AH00686: cannot
>> read directory for multi: /home/rgm/public_html/biby/
>
> If SELinux is working, then do
>
> setsebool -P httpd_enable_homedirs on

Did not help.

In messages I see:

Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice (seqno=3)
Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded configuration
Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy boolean was changed to on by root

But still get the access error:

[Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212] (13)Permission denied: [client 192.168.160.20:38836] AH00686: cannot read directory for multi: /home/rgm/public_html/biby/

I should say that this system is built with the Centos7-arm build that we are testing out. So this could be a problem with the selinux build for armv7. But I thought this was a general C7/apache issue...

On 12/23/2015 12:05 PM, Robert Moskowitz wrote:
>> If SELinux is working, then do
>>
>> setsebool -P httpd_enable_homedirs on
>
> Did not help.
>
> In messages I see:
>
> Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received
> policyload notice (seqno=3)
> Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice
> (seqno=3)
> Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded
> configuration
> Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
> Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy
> boolean was changed to on by root
>
> But still get the access error:
>
> [Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212]
> (13)Permission denied: [client 192.168.160.20:38836] AH00686: cannot
> read directory for multi: /home/rgm/public_html/biby/
>
> I should say that this system is built with the Centos7-arm build that
> we are testing out. So this could be a problem with the selinux build
> for armv7. But I thought this was a general C7/apache issue...

Did you verify it /is/ selinux by running with `setenforce permissive` ?

--
john r pierce, recycling bits in santa cruz

On 12/23/2015 03:26 PM, John R Pierce wrote:
> On 12/23/2015 12:05 PM, Robert Moskowitz wrote:
>>> If SELinux is working, then do
>>>
>>> setsebool -P httpd_enable_homedirs on
>>
>> Did not help.
>>
>> In messages I see:
>>
>> Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received
>> policyload notice (seqno=3)
>> Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice
>> (seqno=3)
>> Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded
>> configuration
>> Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
>> Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy
>> boolean was changed to on by root
>>
>> But still get the access error:
>>
>> [Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212]
>> (13)Permission denied: [client 192.168.160.20:38836] AH00686: cannot
>> read directory for multi: /home/rgm/public_html/biby/
>>
>> I should say that this system is built with the Centos7-arm build
>> that we are testing out. So this could be a problem with the selinux
>> build for armv7. But I thought this was a general C7/apache issue...
>
> Did you verify it /is/ selinux by running with `setenforce permissive` ?

Thank you for that reminder. I did that and the directory was displayed.

Switch back to enforcing and get the permissions error.

So what do I try next? My current server is also an ARMv7 that is running the Centos6 port of Redsleeve6. This port does not support selinux, which is one of the many reasons I want to move all my ARMv7 servers over to C7-arm as soon as I can. Thus I suspect I am going to be learning (relearning in some cases) a lot about selinux...

thanks

On 12/23/2015 04:36 PM, ????????? ???????? wrote:
> Robert Moskowitz ????? 2015-12-23 23:56:
>> On 12/23/2015 03:26 PM, John R Pierce wrote:
>>> On 12/23/2015 12:05 PM, Robert Moskowitz wrote:
>>>>> If SELinux is working, then do
>>>>>
>>>>> setsebool -P httpd_enable_homedirs on
>>>>
>>>> Did not help.
>>>>
>>>> In messages I see:
>>>>
>>>> Dec 23 14:54:04 medon dbus-daemon: dbus[444]: avc: received
>>>> policyload notice (seqno=3)
>>>> Dec 23 14:54:04 medon dbus[444]: avc: received policyload notice
>>>> (seqno=3)
>>>> Dec 23 14:54:04 medon dbus-daemon: dbus[444]: [system] Reloaded
>>>> configuration
>>>> Dec 23 14:54:04 medon dbus[444]: [system] Reloaded configuration
>>>> Dec 23 14:54:11 medon setsebool: The httpd_enable_homedirs policy
>>>> boolean was changed to on by root
>>>>
>>>> But still get the access error:
>>>>
>>>> [Wed Dec 23 14:55:26.579402 2015] [negotiation:error] [pid 3212]
>>>> (13)Permission denied: [client 192.168.160.20:38836] AH00686:
>>>> cannot read directory for multi: /home/rgm/public_html/biby/
>>>>
>>>> I should say that this system is built with the Centos7-arm build
>>>> that we are testing out. So this could be a problem with the
>>>> selinux build for armv7. But I thought this was a general
>>>> C7/apache issue...
>>>
>>> Did you verify it /is/ selinux by running with `setenforce
>>> permissive` ?
>>
>> Thank you for that reminder. I did that and the directory was
>> displayed.
>>
>> Switch back to enforcing and get the permissions error.
>>
>> So what do I try next? My current server is also an ARMv7 that is
>> running the Centos6 port of Redsleeve6. This port does not support
>> selinux, which is one of the many reasons I want to move all my ARMv7
>> servers over to C7-arm as soon as I can. Thus I suspect I am going to
>> be learning (relearning in some cases) a lot about selinux...
>
> Have you tried restorecon -Rv /home ?

No, as I did not know this command existed and what it might be used for.

I can now access the files.

Thanks
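
Added example, not part of the thread or of any poster's own commands: once permissive mode shows that SELinux is the cause, the AVC denials tell a label problem (fixed by restorecon) apart from a boolean problem (fixed by setsebool). The audit records below are constructed, the helper names sample_avc and mislabeled_targets are hypothetical, and the expected type httpd_user_content_t for ~/public_html is an assumption based on the stock targeted policy.

```shell
#!/bin/sh
# Added example: triage httpd AVC denials to spot mislabeled files.
# sample_avc and mislabeled_targets are hypothetical helper names.

# Constructed audit.log records (illustrative; not taken from the thread).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1450900526.579:412): avc:  denied  { read } for  pid=3212 comm="httpd" name="biby" dev="mmcblk0p3" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1450900527.101:413): avc:  denied  { getattr } for  pid=3212 comm="httpd" path="/home/rgm/public_html/biby/notes.txt" dev="mmcblk0p3" ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1450900528.300:414): avc:  denied  { read } for  pid=3212 comm="httpd" name="index.html" dev="mmcblk0p3" ino=150 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1450900529.000:415): avc:  denied  { read } for  pid=901 comm="sshd" name="key" dev="mmcblk0p3" ino=160 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
EOF
}

# Read AVC records on stdin; for httpd denials whose target type differs
# from the expected type ($1), print "<tclass> <name-or-path> <actual type>".
# A denial on a correctly labeled target is not printed: its cause lies
# elsewhere (for example a boolean), and relabeling would not help.
mislabeled_targets() {
    awk -v want="$1" '
    /avc: +denied/ && /comm="httpd"/ {
        obj = ""; ttype = ""; class = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(name|path)=/) {
                obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj)
            } else if ($i ~ /^tcontext=/) {
                split($i, c, ":"); ttype = c[3]   # user:role:type:level
            } else if ($i ~ /^tclass=/) {
                class = substr($i, 8)
            }
        }
        if (ttype != "" && ttype != want) print class, obj, ttype
    }'
}

sample_avc | mislabeled_targets httpd_user_content_t

# On a live host, feed real records instead of the sample:
#   ausearch -m avc -c httpd --raw | mislabeled_targets httpd_user_content_t
# then compare the actual and expected labels and repair only that tree:
#   ls -Zd /home/rgm/public_html/biby; matchpathcon /home/rgm/public_html/biby
#   restorecon -Rv /home/rgm/public_html
```
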