Apache 'Symbolic link not allowed' error on Fedora 25

asked 2017-06-13 11:29:45 -0500

ferdn4ndo
11 ●1

updated 2017-06-14 18:53:37 -0500

sergiomb

3932 ●13 ●65 ●83 http://www.serjux.com/

Hello,

I got stuck on 'Symbolic link not allowed or link target not accessible' error and after a whole morning trying to fix it, still nothing. So, here I am.

So, server is running (Fedora Test Page opens with localhost on browser). And this is my ll for /var/www/html:

[root@unknown74e543af57bc html]# ll
total 4
-rw-r--r--. 1 root root 20 jun 13 11:49 test.php
lrwxrwxrwx. 1 root root 19 jun 13 11:40 web -> /home/fernando/html

As well, when I navigate to localhost/test.php the file is executed and I get my Hello World test.

However, when I try to access localhost/web, it leads me 403 error page. And this is my ll for /home/fernando/html:

[root@unknown74e543af57bc html]# ll /home/fernando/html  
total 12
-rwxr-xr-x.  1 fernando www-data    2 jun 13 11:13 index.html
drwxr-xr-x. 11 fernando fernando 4096 jun 13 11:34 testsite.com
-rwxr-xr-x.  1 fernando www-data   31 jun 13 11:10 test.php

And, inside /etc/httpd/conf/httpd.conf:

<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
   Options Indexes FollowSymLinks
   AllowOverride All
    Require all granted
</Directory>

And in /var/log/httpd/error_log:

[Tue Jun 13 13:08:50.222612 2017] [core:error] [pid 8860] [client ::1:57328] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/web

Any ideas? Thanks, Fernando

edit retag flag offensive close merge delete

add a comment

2

answered 2017-06-16 09:58:22 -0500

muep
870 ●5 ●23 ●24

As an alternative to adjusting SELinux so that httpd is allowed to read the home directories, I would often prefer just making placing the web content under /var/www so that the SELinux policy permits access out of the box. The content can still be chowned for the user who is managing it, and httpd should be able to read it as long as it has the necessary read permissions.

Keeping the default SELinux setup has a security advantage, because it gives you an extra mechanism for ensuring that buggy web code can not unexpectedly give out e.g. ssh keys or other sensitive data from your home directory.

edit flag offensive delete link

Comments

Plus, you don’t need to maintain and micromanage SELinux policies. That alone is reason enough to stick with the defaults. However, the user has the options to adjust the policies to fit their needs.

Aeyoun ( 2017-06-16 10:29:14 -0500 )edit

how someone could read ssh keys with 711 permissions on home ? /home/user/.ssh permissions are 700 selinux give us extras problems not extra security

sergiomb ( 2017-06-16 13:07:08 -0500 )edit

add a comment

1

answered 2017-06-15 19:36:00 -0500

Aeyoun

1390 ●12 ●34 ●55 https://daniel.priv.no/

Is the destination labelled as a directory readable by Apache? Otherwise SELinux will block Apache from reading outside its default directories.

To identify the label run ls -laZ /your/folder. It should read httpd_sys_content_t to be readable by Apache. If it’s not then you need to change the label, which you can do with the following command: chcon -R -t httpd_sys_content_t /your/folder.

You specifically want to read from inside home directory as well? This is generally considered insecure because of the increeased risk of exposing private files. You’ll need to enable the following command/option as well setsebool -P httpd_enable_homedirs 1.