Ask Your Question

Apache 'Symbolic link not allowed' error on Fedora 25

asked 2017-06-13 11:29:45 -0500

ferdn4ndo gravatar image

updated 2017-06-14 18:53:37 -0500

sergiomb gravatar image


I got stuck on 'Symbolic link not allowed or link target not accessible' error and after a whole morning trying to fix it, still nothing. So, here I am.

So, server is running (Fedora Test Page opens with localhost on browser). And this is my ll for /var/www/html:

[root@unknown74e543af57bc html]# ll
total 4
-rw-r--r--. 1 root root 20 jun 13 11:49 test.php
lrwxrwxrwx. 1 root root 19 jun 13 11:40 web -> /home/fernando/html

As well, when I navigate to localhost/test.php the file is executed and I get my Hello World test.

However, when I try to access localhost/web, it leads me 403 error page. And this is my ll for /home/fernando/html:

[root@unknown74e543af57bc html]# ll /home/fernando/html  
total 12
-rwxr-xr-x.  1 fernando www-data    2 jun 13 11:13 index.html
drwxr-xr-x. 11 fernando fernando 4096 jun 13 11:34
-rwxr-xr-x.  1 fernando www-data   31 jun 13 11:10 test.php

And, inside /etc/httpd/conf/httpd.conf:

<Directory />
    AllowOverride none
    Require all denied
DocumentRoot "/var/www/html"
<Directory "/var/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
<Directory "/var/www/html">
   Options Indexes FollowSymLinks
   AllowOverride All
    Require all granted

And in /var/log/httpd/error_log:

[Tue Jun 13 13:08:50.222612 2017] [core:error] [pid 8860] [client ::1:57328] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/web

Any ideas? Thanks, Fernando

edit retag flag offensive close merge delete

4 Answers

Sort by » oldest newest most voted

answered 2017-06-16 09:58:22 -0500

muep gravatar image

As an alternative to adjusting SELinux so that httpd is allowed to read the home directories, I would often prefer just making placing the web content under /var/www so that the SELinux policy permits access out of the box. The content can still be chowned for the user who is managing it, and httpd should be able to read it as long as it has the necessary read permissions.

Keeping the default SELinux setup has a security advantage, because it gives you an extra mechanism for ensuring that buggy web code can not unexpectedly give out e.g. ssh keys or other sensitive data from your home directory.

edit flag offensive delete link more


Plus, you don’t need to maintain and micromanage SELinux policies. That alone is reason enough to stick with the defaults. However, the user has the options to adjust the policies to fit their needs.

Aeyoun gravatar imageAeyoun ( 2017-06-16 10:29:14 -0500 )edit

how someone could read ssh keys with 711 permissions on home ? /home/user/.ssh permissions are 700 selinux give us extras problems not extra security

sergiomb gravatar imagesergiomb ( 2017-06-16 13:07:08 -0500 )edit

answered 2017-06-15 19:36:00 -0500

Aeyoun gravatar image

Is the destination labelled as a directory readable by Apache? Otherwise SELinux will block Apache from reading outside its default directories.

To identify the label run ls -laZ /your/folder. It should read httpd_sys_content_t to be readable by Apache. If it’s not then you need to change the label, which you can do with the following command: chcon -R -t httpd_sys_content_t /your/folder.

You specifically want to read from inside home directory as well? This is generally considered insecure because of the increeased risk of exposing private files. You’ll need to enable the following command/option as well setsebool -P httpd_enable_homedirs 1.

edit flag offensive delete link more

answered 2017-06-14 15:48:36 -0500

capt gravatar image

Use the allow localhost in the .conf . Allow as suggested, at line 13 and 34.

edit flag offensive delete link more

answered 2017-06-13 15:15:50 -0500

sergiomb gravatar image

updated 2017-06-13 19:29:55 -0500

ll -d /home/ferndo/ must have execution permissions

chmod 711 /home/fernando/

and ?
chmod 755 /home/fernando/html

for /home/fernando/html maybe 755 is better than 711 because here you need read permission I guess.

edit flag offensive delete link more


ll -d /home/:

drwx--x--x. 18 fernando fernando 4096 jun 13 18:11 /home/fernando/

And still getting 403 for every file inside /localhost/web that exists on /home/fernando/html

ferdn4ndo gravatar imageferdn4ndo ( 2017-06-13 16:25:24 -0500 )edit

Is the symbolic link supposed to point to html or htmltotal?

villykruse gravatar imagevillykruse ( 2017-06-14 07:41:35 -0500 )edit

Question Tools

1 follower


Asked: 2017-06-13 11:29:45 -0500

Seen: 773 times

Last updated: Jun 16 '17