[rhn-users] 403 forbidden - you don't have permission to access /home/*/public_html on this server

Kelwin Wylie kwylie at csc.com
Thu Mar 3 19:59:18 UTC 2005





This problem may be caused by SELinux.  It is installed by default in RHEL 4
and one of the daemons that is affected is httpd.  The Release Notes have a
section on httpd where it says:

       A file or directory which is not labeled with a context on the
       Apache's allowable types will generate a 403 Forbidden error.

Here is a full quote of that section of the release notes.

    httpd

     o Under the default SELinux security configuration, httpd is covered by
       the targeted policy. This increases security and Web server stability
       by specifically granting or denying httpd access to system objects.
       However, because this has the potential to cause previously-working
       configurations (such as those that use PHP) to no longer function, you
       must understand how SELinux works in order to ensure that your
       configuration is both secure and functional.

       For example, a Boolean can be set to give specific permission to httpd
       to read objects in ~/public_html/ as long as they are labeled with the
       security context httpd_sys_content_t. The Apache daemon cannot access
       objects (files, applications, devices, and other processes) that have
       a security context not specifically granted access by SELinux to
       httpd.

       By allowing Apache access to only what it needs to do its function,
       the system is protected from compromised or misconfigured httpd
       daemons.

       Because of the need for both standard Linux directory and file
       permissions as well as SELinux file context labels, administrators and
       users will need to know about relabeling files. Examples of relabeling
       include the following commands (one for recursively relabeling the
       contents of a directory, and one for relabeling a single file):

 chcon -R -h -t httpd_sys_content_t public_html
 chcon -t httpd_sys_content_t public_html/index.html


       A file or directory which is not labeled with a context on the list of
       Apache's allowable types will generate a 403 Forbidden error.

       You can configure Boolean values or selectively disable targeted
       policy coverage for just Apache (or any of the covered daemons) using
       system-config-securitylevel. Under the SELinux tab, within the Modify
       SELinux Policy area, you can modify the Boolean values for Apache. If
       you wish, you can select to Disable SELinux protection for httpd
       daemon, which disables the transition from unconfined_t (the default
       type that acts transparently like standard Linux security without
       SELinux) to the specific daemon type, i.e., httpd_t. Disabling this
       transition effectively turns off SELinux coverage for that daemon,
       returning it to standard Linux security only.

   -----------

I don't fully understand SELinux and have not looked at its effect beyond
reading the release notes, but your description of your problem sounds like
it might be this.


Original Message
---------------------------
  Date: Thu, 03 Mar 2005 09:55:00 -0500
 From: Paul Sielis <psielis at facil.umass.edu>
 Subject: [rhn-users] 403 forbidden - you don't have permission to
             access /home/*/public_html on this server
 To: rhn-users at redhat.com
 Message-ID: <002b01c52000$f9188630$41b97780 at facil.umass.edu>
 Content-Type: text/plain; charset="iso-8859-1"

 I just installed Red Hat V4.0AS on my web server this week with apache v2.0.52
 All my file permissions to and including the directory public_html are 755
 including file index.html.
 My userdir is pointed to /home/*/public.html
 apachectl configtest shows no errors
 Error message is still :
 403 forbidden - you don't have permission to access /home/*/public_html on
 this server

 Any ideas or suggestions?

 Thank You,
 Paul J. Sielis
 Information Technologies Network Administrator
 Physical Plant Department
 University of Massachusetts
 360 Campus Center Way
 Amherst, Ma 01003-6710
 tel:   413-545-4401
 cell: 413-530-6326
 fax:  413-545-4900

--
Kelwin Wylie
CSC - Nortel Account
Phone: (613) 763-2034    ESN: 393-2034
kwylie at csc.com
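
The label check described in the quoted release notes, as an added example that is not part of the original message or of Red Hat's documentation. It reads "context path" pairs (the format GNU `stat -c '%C %n'` prints) and reports every path whose SELinux type is not on an allowed list. The function names, the `ALLOWED_TYPES` list (which holds only the type named above) and the sample contexts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find files whose SELinux type httpd is not allowed to read.
# Assumption: only httpd_sys_content_t is allowed, the one type the page names.
ALLOWED_TYPES="httpd_sys_content_t"

# Print the type (third colon-separated field) of a security context.
# Works for user:role:type and for user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context path" lines on stdin and print one MISLABELED line per path
# whose type is not in ALLOWED_TYPES. Returns 1 if any path was reported.
report_mislabeled() {
    found=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(selinux_type "$ctx")
        case " $ALLOWED_TYPES " in
            *" $t "*) ;;
            *) printf 'MISLABELED %s %s\n' "${t:-none}" "$path"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample input (not taken from a real system).
sample_listing() {
    cat <<'EOF'
user_u:object_r:user_home_t /home/alice/public_html
user_u:object_r:httpd_sys_content_t /home/alice/public_html/index.html
system_u:object_r:user_home_t:s0 /home/bob/public_html/index.html
EOF
}

# Stand-alone run on the sample; on a real host pipe in, for example:
#   find /home/*/public_html -exec stat -c '%C %n' {} +
sample_listing | report_mislabeled || true
```

Each reported path is a candidate for the `chcon -t httpd_sys_content_t` relabeling shown in the release notes; standard Linux permissions still have to allow access as well.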
