Fedora Ambushes Apache

The Scenario starts with your having a box running Fedora Core under your control, and, for whatever reason, you want to keep some web-visible files in your /home partition. (I’m trying to keep long-term stuff in /home so that I can reinstall the OS without having to move stuff onto another box and back.)

Following the oft-published recipe, you add the following to httpd.conf:

  Alias /stuff /home/me/stuff
  <Directory /home/me/stuff>
    Options ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

and you create /home/me/stuff and make sure that it’s readable by the apache user.

Now the fun starts. You try “http://mybox/stuff” in your browser of choice, but get a “Forbidden. You don’t have permission to access /stuff/ on this server.” response. Checking /var/log/httpd/error_log you find something like

  [Fri Mar 25 11:16:15 2005] [error] [client]
    (13)Permission denied: access to /test/ denied

You double-check permissions, try again, fail again, and google for help. You find posts from a number of folks having the same problem, all getting told that their permissions are wrong. (Which is the right answer, but not at all in the obvious way.)

You might get the inspiration to instead try the approach of adding a symbolic link from /var/www/html/stuff to /home/me/stuff (after verifying that Options FollowSymLinks is in effect). This also fails, and the error log shows

  [Fri Mar 25 11:22:09 2005] [error] [client]
    Symbolic link not allowed: /var/www/html/stuff

Googling for help shows others with the same problem, all being told to check permissions or verify that FollowSymLinks is on. Many posts begging for help are unanswered. No help there.

So what’s going on?

The Clue is in /var/log/messages, which will say something like

  Mar 25 11:16:15 mybox kernel: audit(1111778175.632:0):
    avc:  denied  { getattr } for  pid=16778
    exe=/usr/sbin/httpd path=/home/me/stuff dev=hda5 ino=4440065
    scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir

The Punchline is that Fedora Core includes an entirely separate, parallel security mechanism called SELinux (Security-enhanced Linux), which is configured out-of-the-box to restrict which directories httpd has access to. (Dig through /etc/selinux/ for hints about what’s going on.) So despite following the published advice on how to configure Apache to let you use a directory outside of the normal hierarchy, and despite applying your hard-earned Unix skills, Fedora is yanking the rug out from under you when your back is turned, and then arranging to have Apache blame you.

Armed with this knowledge, googling for “selinux apache” will get you to Understanding and Customizing the Apache HTTP SELinux Policy (Beta Document), which is right where you thought to look in the first place, right?
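As an added example (not part of the original post), here is a small POSIX sh script that pulls the source type, target type, denied permission and path out of an AVC record like the one above and, for the httpd_t-on-user_home_t case, prints the relabel command that lets Apache serve the directory without turning SELinux off. It assumes the semanage and restorecon tools from policycoreutils are installed; the sample record is the post's own denial, joined onto one line as syslog actually writes it.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the post, on one line.
AVC_SAMPLE='Mar 25 11:16:15 mybox kernel: audit(1111778175.632:0): avc:  denied  { getattr } for  pid=16778 exe=/usr/sbin/httpd path=/home/me/stuff dev=hda5 ino=4440065 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir'

# avc_field LINE KEY: print the value of "KEY=value" in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the denied permission, e.g. "getattr" from "{ getattr }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# avc_type CONTEXT: the type component (third field) of an SELinux context,
# e.g. httpd_t from root:system_r:httpd_t.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE: when httpd (httpd_t) is denied on a home directory
# (user_home_t), print the command that labels that tree as web content.
# The semanage rule persists across relabels; restorecon applies it now.
suggest_fix() {
    line=$1
    src=$(avc_type "$(avc_field "$line" scontext)")
    tgt=$(avc_type "$(avc_field "$line" tcontext)")
    path=$(avc_field "$line" path)
    if [ "$src" = httpd_t ] && [ "$tgt" = user_home_t ]; then
        printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?" && restorecon -Rv %s\n' \
            "$path" "$path"
    else
        # Anything else needs a look at the policy; audit2why explains the denial.
        printf 'no canned fix for %s -> %s (%s); run audit2why on the record\n' \
            "$src" "$tgt" "$(avc_perm "$line")"
    fi
}

suggest_fix "$AVC_SAMPLE"
```

Feed it real records with `grep avc: /var/log/messages | while read -r l; do suggest_fix "$l"; done`; the printed command is the one to review and run as root, not something the script executes itself.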

When I asked for a show of hands at work, two people knew about SELinux, and one had just learned about it the day before. The other had been following Fedora a lot more closely than the rest of us.

There went three hours of my life that I’ll never get back.