1

apache not following symlink in /var/www/html

asked 2014-02-13 13:26:52 -0500

neel

updated 2014-02-15 04:33:05 -0500

I have a symlink /var/www/html/f2 -> /tmp/f2, but http://localhost/f2 is giving 403 Forbidden.

$ ls -hal /var/www
total 16K
drwxr-xr-x.  4 root root   4.0K Feb  1 09:20 .
drwxr-xr-x. 21 root root   4.0K Feb 14  2014 ..
drwxr-xr-x.  2 root root   4.0K Oct 31 22:42 cgi-bin
drwxrwsr-x.  3 root apache 4.0K Feb 13 22:04 html

In /etc/httpd/conf/httpd.conf I have:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

error_log says:

[neel@kochi html]$ sudo tail /var/log/httpd/error_log
[Thu Feb 13 22:40:47.988558 2014] [core:notice] [pid 3971] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Feb 13 22:40:47.990567 2014] [suexec:notice] [pid 3971] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00557: httpd: apr_sockaddr_info_get() failed for kochi
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
[Thu Feb 13 22:40:48.397993 2014] [auth_digest:notice] [pid 3971] AH01757: generating secret for digest authentication ...
[Thu Feb 13 22:40:48.399925 2014] [lbmethod_heartbeat:notice] [pid 3971] AH02282: No slotmem from mod_heartmonitor
[Thu Feb 13 22:40:48.452877 2014] [mpm_prefork:notice] [pid 3971] AH00163: Apache/2.4.6 (Fedora) PHP/5.5.8 configured -- resuming normal operations
[Thu Feb 13 22:40:48.452928 2014] [core:notice] [pid 3971] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Feb 13 22:40:50.496512 2014] [core:error] [pid 3972] [client 127.0.0.1:50514] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/f2
[Thu Feb 13 22:53:39.658330 2014] [core:error] [pid 3973] [client 127.0.0.1:50601] AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/f2

I was trying to check SELinux:

[neel@kochi html]$ cat /selinux/enforce
cat: /selinux/enforce: No such file or directory
[neel@kochi html]$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

I don't know whether my SELinux is on or off, as there is no such file /selinux/enforce. But sestatus says it's enabled.

Here goes my audit.log:

[neel@kochi ~]$ sudo tail /var/log/audit/audit.log
type=USER_START msg=audit(1392348954.897:454): pid=2699 uid=0 auid=1000 ses=1  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1392348954.901:455): pid=2699 uid=0 auid=1000 ses=1  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_CMD ...

Comments

2

I have very little SELinux knowledge, but have you checked the logs? I had issues with selinux before and the logs were extremely informative, and searching for the selinux error I found gave me a quick way to fix it later. Check /var/log/audit/audit.log. Also, setroubleshoot will show you options to fix the issue

fcoelho (2014-02-13 14:56:54 -0500)

added /var/log/audit/audit.log output

neel (2014-02-13 23:59:25 -0500)

that particular piece of /var/log/audit/audit.log only shows you using sudo several times. Read the file, and see if you can find anything related to httpd.

randomuser (2014-02-14 09:38:52 -0500)

What exactly is /var/www/html/f2? Is it a folder? Is it a script? If it's a simple symlink, where is it pointing to; i.e. what's the target location? You have to be sure that the target location has the proper permissions for the apache user; check the fcontext of the target location: **ls -Z /my/target/location**

ILMostro (2014-08-12 16:56:20 -0500)

5 Answers

2

answered 2015-11-15 17:00:38 -0500

hdfssk

For anyone whose problem was caused by SELinux, and where the /var/www/html symlink points to a FUSE volume (e.g. on an ntfs-3g partition), enabling the linked access will fail:

# sudo chcon -R -t httpd_sys_content_t /var/www/html
chcon: failed to change context of ‘<each file under /var/www/html’s link target>’ to ‘system_u:object_r:httpd_sys_content_t:s0’: Operation not supported
…

You can fix this by telling SELinux that httpd is allowed to use FUSE:

# getsebool httpd_use_fusefs
httpd_use_fusefs --> off
# sudo setsebool -P httpd_use_fusefs 1
# getsebool httpd_use_fusefs
httpd_use_fusefs --> on
0

answered 2014-02-13 21:28:42 -0500

FranciscoD_

Firstly, I don't see why you're using a symlink. SELinux and httpd work really well together. Please read https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-The_Apache_HTTP_Server.html

If you Google, you'll find more articles explaining how to work it. Please note that the permissions of /tmp/f2 also need to be correct.

To check selinux, you use the command getenforce.


Comments

I'll need to have a symlink. That's not a problem. The symlink is not working. That is the problem. I am experimenting with a symlink to /tmp; however, I'll have it in a different directory.

neel (2014-02-13 22:05:37 -0500)
1

In the attached log, I can not find any hint about selinux being the issue here.

My (uneducated) guess is: move the dir to a different location than /tmp, as there might be special handling, such as private tmp.

mrunge (2014-02-14 03:43:41 -0500)
0

answered 2014-02-14 09:18:05 -0500

domg

updated 2014-02-14 09:24:25 -0500

Let's just rule out SELinux first. This is really easy to do:

sudo setenforce 0

<< reproduce issue >>

<< did it work? if yes; then it is an SELinux issue, else not an SELinux issue >>

sudo setenforce 1

It may be that the webserver does not have access to the target of the link. Sometimes SELinux silently denies access attempts, but that is speculation for now.

Why link to /tmp/.*? Is there no more appropriate location? I would not be surprised if SELinux prevents this without some label changes.

0

answered 2015-01-22 02:26:56 -0500

Ra

There are two common causes of this problem, one being SELinux. You can determine whether SELinux is responsible by temporarily turning it off:

# getenforce               # tells you if it is currently turned on
Enforcing
# sudo setenforce 0     # turn it off
# getenforce
Permissive

If you still get your Forbidden error when following the link, then it is not SELinux (see the other cause below). If it does work, then you probably want a more secure solution: re-instate SELinux enforcement, but then enable access to the linked directory or file:

# sudo setenforce 1    # turn it back on
# sudo chcon -R -t httpd_sys_content_t /tmp/f2

Note that if /tmp/f2 is a directory, permission is passed onto its contents (thanks to -R).

The other common cause has nothing to do with SELinux. For Apache to follow a link, all directories in the path of the link target must have both read and execute (search) permissions set for the Apache user (or world). This is not typically a problem for /tmp, but it can be for a home directory, as many distros create home directories with these permissions turned off. To solve this problem, you should:

# chmod a+rx /tmp
# chmod a+rx /tmp/f2
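As an added example (not code from any answer in this thread), the checks that domg's and Ra's answers describe, plus the "private tmp" point from mrunge's comment, as one POSIX shell script run against the symlink under the DocumentRoot. It assumes GNU coreutils (stat -c, readlink -f), a Fedora/RHEL layout with httpd.service, and that the apache user owns none of the directories on the path, so only the "other" permission bits matter; systemctl, getenforce and ausearch are used only when installed. The PrivateTmp check matters on Fedora because httpd.service is started with PrivateTmp=true: a target under /tmp then does not exist from httpd's point of view, and stat() on it fails exactly as AH00037 reports.

```shell
#!/bin/sh
# Added diagnostic for Apache's AH00037 ("Symbolic link not allowed or link target not
# accessible") on a Fedora/RHEL host. Not code from the thread. Checks, in order:
#   1. the link resolves to something that exists;
#   2. search (x) permission for "other" on every directory above the target, and read
#      permission on the target itself (the non-SELinux cause in Ra's answer);
#   3. a target under /tmp or /var/tmp while httpd.service runs with PrivateTmp
#      (httpd then sees an empty private /tmp, so the target does not exist for it);
#   4. SELinux mode, the target's label, and recent AVC denials logged for httpd.
# Assumes GNU coreutils (stat -c, readlink -f). systemctl, getenforce and ausearch
# are used only when installed.

# Walk the ancestors of $1, stopping at $2 (default "/"), and report any directory that
# lacks other-execute. Only the "other" bits are checked because httpd runs as the
# apache user, which normally owns none of these directories. Returns 1 on any failure.
walk_search_perms() {
    _dir=$1
    _stop=${2:-/}
    _rc=0
    while :; do
        _dir=$(dirname "$_dir")
        if [ "$_dir" = "$_stop" ]; then break; fi
        _mode=$(stat -c '%a' "$_dir") || return 2
        # last octal digit holds the "other" bits; bit 1 is execute/search
        if [ $(( (_mode % 10) & 1 )) -eq 0 ]; then
            printf 'no search (x) permission for others on %s (mode %s)\n' "$_dir" "$_mode"
            _rc=1
        fi
        if [ "$_dir" = / ]; then break; fi
    done
    return $_rc
}

# Return 0 when "other" can read $1; a directory target must be readable and searchable.
target_readable() {
    _mode=$(stat -c '%a' "$1") || return 2
    _other=$(( _mode % 10 ))
    if [ -d "$1" ]; then
        [ $(( _other & 5 )) -eq 5 ]
    else
        [ $(( _other & 4 )) -eq 4 ]
    fi
}

# Return 1 when $1 lives under a tmp directory that httpd cannot see because of PrivateTmp.
private_tmp_warning() {
    case $1 in
        /tmp/*|/var/tmp/*) ;;
        *) return 0 ;;
    esac
    command -v systemctl >/dev/null 2>&1 || return 0
    case $(systemctl show -p PrivateTmp httpd.service 2>/dev/null) in
        PrivateTmp=yes)
            echo "httpd.service runs with PrivateTmp=yes: $1 does not exist in httpd's private /tmp"
            return 1 ;;
    esac
    return 0
}

# SELinux side: httpd_t may read httpd_sys_content_t, but not tmp_t/user_tmp_t or an
# unlabelled FUSE mount (see the httpd_use_fusefs answer above).
selinux_report() {
    command -v getenforce >/dev/null 2>&1 || { echo "SELinux tools not installed; skipping"; return 0; }
    echo "SELinux mode: $(getenforce)"
    ls -Zd "$1"
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -c httpd -ts recent 2>/dev/null | tail -n 5
    fi
    return 0
}

# diagnose_symlink LINK [STOP_DIR]: run every check; status 0 only when all of them pass.
diagnose_symlink() {
    _link=$1
    [ -L "$_link" ] || { echo "$_link is not a symlink"; return 2; }
    _target=$(readlink -f "$_link") || return 2
    echo "$_link -> $_target"
    [ -e "$_target" ] || { echo "target does not exist (dangling link)"; return 1; }
    _fail=0
    walk_search_perms "$_target" "${2:-/}" || _fail=1
    target_readable "$_target" || { echo "target $_target is not readable by others"; _fail=1; }
    private_tmp_warning "$_target" || _fail=1
    selinux_report "$_target"
    return $_fail
}

if [ $# -ge 1 ]; then
    diagnose_symlink "$@"
fi
```

Usage on the poster's setup would be `sh diagnose.sh /var/www/html/f2`. A non-zero exit with no permission findings and no AVC lines points at the PrivateTmp case or at a label that SELinux denies silently (dontaudit rules), for which the setenforce 0 test above remains the quickest confirmation.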
-1

answered 2014-02-15 04:08:56 -0500

updated 2014-02-15 04:28:40 -0500

Your answer is in the error log:

AH00557: httpd: apr_sockaddr_info_get() failed for kochi AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message

So... edit your /etc/hosts file, and at the end of the line starting with 127.0.0.1 add your hostname.

Alternatively, try also setting your hostname to 127.0.1.1 in the same manner as described above, and then set your servername as 127.0.0.1


Main Problem

Furthermore, as was already pointed out in one of the answers here (it's also contained in your error log: AH00037: Symbolic link not allowed or link target not accessible: /var/www/html/f2), creating symbolic links inside your /var/www/html directory to some other directory is not the correct way of allowing the Apache server access to that linked-to directory; and, as a result, it fails!

Try using an Alias, as pointed out in this answer on Stack Overflow:

Alias /special-project/ /web/vhosts/special-project/

Please see the apache docs for further details, particularly the one titled Mapping URLs to Filesystem Locations


Comments

"symbolic links and aliases may be used to point to other locations." --httpd.conf ... The answers here don't really explain why this happens. SELinux sneaking in problems is a bit baffling to people coming from other distros.

rayfoss (2014-07-30 14:10:41 -0500)
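As an added example (not from this thread or from the Apache project), the Alias approach from the answer above written out as a shell script that renders the httpd configuration and labels the real directory persistently. The URL prefix /f2, the directory /srv/f2 and the config file /etc/httpd/conf.d/f2.conf are assumptions. Two choices are worth noting: the Alias gets its own <Directory> block, because in Apache 2.4 the `Require all granted` on /var/www/html does not cover a directory outside it; and Options is set to None rather than the `Indexes FollowSymLinks` from the question, so neither directory listings nor symlinks placed inside the aliased directory are served. Labeling goes through semanage fcontext instead of chcon, so it survives restorecon and a full relabel.

```shell
#!/bin/sh
# Added example, not from the thread: serve a directory outside the DocumentRoot through
# an Alias instead of a symlink, and give it a persistent SELinux label.
# Assumed paths: URL prefix /f2, content in /srv/f2, config in /etc/httpd/conf.d/f2.conf.

# Emit httpd configuration mapping URL path $1 to directory $2.
# Options None means no Indexes and no FollowSymLinks: a symlink dropped into the
# directory later cannot expose files elsewhere on the host, and nothing is listed.
render_alias_conf() {
    cat <<EOF
Alias $1 $2
<Directory "$2">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Label $1 (and everything under it) for httpd persistently. Unlike chcon, the
# fcontext rule survives restorecon and a relabel. Use "semanage fcontext -m" instead
# of "-a" when a rule for this path already exists.
apply_label() {
    semanage fcontext -a -t httpd_sys_content_t "$1(/.*)?"
    restorecon -Rv "$1"
}

# install_alias URL DIR [CONF]: write the config, label the directory, reload httpd.
install_alias() {
    _conf=${3:-/etc/httpd/conf.d/f2.conf}
    render_alias_conf "$1" "$2" > "$_conf"
    apply_label "$2"
    apachectl configtest && systemctl reload httpd
}

if [ $# -ge 2 ]; then
    install_alias "$@"
fi
```

Run as root, for example `sh alias.sh /f2 /srv/f2`. Path components above /srv/f2 still need other-execute for the apache user, exactly as with the symlink; the Alias only removes the symlink-resolution step and the need for FollowSymLinks under the DocumentRoot.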
