Selinux prevents httpd from accessing home directory

I tried to share files via httpd(Apache originally), however it wouldn’t work, saying 403 forbidden.
Apparently we need to set options to permit httpd to follow symbolic links. In /etc/httpd/conf/httpd.conf, ensure there is text below:

(Under <Directory “/var/www/html”>, there should be)
Options Indexes FollowSymLinks MultiViews

But the problem remained. After quite a while I noticed there were some Selinux alerts saying “SELinux is preventing the http daemon from reading users’ home directories.”

Then I disabled selinux(command “setenforce 0” to make it sleep temporarily) and it worked. As Selinux is a kernel-level security mechanism on your system, not a some antivirus or firewall software thing, it may not be wise to throw it away. Check Joshua Brindle (an SELinux developer) ‘s  comments on disabling SELinux here, which states clearly that applications should be fixed to work with SELinux, rather than disabling the OS security mechanism.

So what I do is:

1. According to Selinux log(you can generate it with command “sealert -a /var/log/audit/audit.log”, run “setsebool -P httpd_enable_homedirs on” to enable the literal option(this command takes 20 secs to be done I don’t know why).
2. Still doesn’t work, after some googling I found this, run “chcon -t httpd_user_content_t /home/Viaxl/Music -R” to authorize world rx permissions to apache access (recursively) .

Now they all work right. I found this kind of multi-layer protection, though very complex, is really handful. In this case I only permit http daemon(as a “Target” of Selinux’s conception) to access my Music folder, and this can’t be done precisely by chmod or something.





过程如下(断断续续弄了好几天…): Read More