
I am trying to set up Apache on CentOS 8. The service is running. When I test with wget, I get a 403:

$ wget 127.0.0.1:9000
--2020-02-21 11:27:42--  http://127.0.0.1:9000/
Connecting to 127.0.0.1:9000... connected.
HTTP request sent, awaiting response... 403 Forbidden
2020-02-21 11:27:42 ERROR 403: Forbidden.

I changed the owner of /var/www/html/ to the apache user group but it didn't help.

$ ls -laZ /var/www/html
total 8
drwxr-xr-x. 2 apache root system_u:object_r:httpd_sys_content_t:s0 4096 Dec 23 20:47 .
drwxr-xr-x. 4 root   root system_u:object_r:httpd_sys_content_t:s0 4096 Feb 21 10:27 ..

When I run the audit report I see this:

$ sudo aureport -a

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 02/16/2020 20:52:51 ? (null) 0 (null) (null) (null) unset 745
2. 02/16/2020 22:35:35 ? (null) 0 (null) (null) (null) unset 1391
3. 02/21/2020 10:29:41 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:websm_port_t:s0 denied 1144
4. 02/21/2020 10:29:41 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:websm_port_t:s0 denied 1145

At this point I don't know how to proceed. It looks like I should allow name_bind. I didn't have to do this for Tomcat. I was also expecting that /var/www could be accessed by Apache with no issue.

Am I missing something here?

The Fool

2 Answers

I am sorry, but I think your question doesn't match the actual reality on your system. On a vanilla CentOS 8:

[root@tux ~]# semanage port -l | grep websm_port_t
websm_port_t                   tcp      9090
websm_port_t                   udp      9090
[root@tux ~]# 

Port 9090 is labelled as websm_port_t while you're referring to 9000 in your question. Which port are you really looking for? Port 9000 would be labelled for Apache usage by default (so you likely need to correct your Apache configuration as it seems that it tries to use port 9090).

[root@tux ~]# semanage port -l | grep http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
[root@tux ~]# 

If you insist on using port 9090, then the question SELinux port “defined in policy, cannot be deleted” likely gets interesting for you, because that port is assigned to websm_port_t by the system policy.

rsc
  • Pretty good catch, but there is a bit more to it. Look at the wget, where do I fetch from? It's port 9000. Turns out these lines from the aureport were from my first attempt to run it on 9090, which didn't work for the given reason. After I changed the port, httpd would start up. I also found out the issue and it's super stupid. The default Apache index.html is NOT in `/var/www/html`. Turns out there was no permission issue. There was simply no content to serve. When I put some example index there, it worked. – The Fool Feb 22 '20 at 04:46
  • Btw, your answer would not qualify as an answer. This would be more of a comment. – The Fool Feb 22 '20 at 04:55

Things don't add up here. I didn't notice at first. One thing is that the aureport shows logs that are not related.

I wget on port 9000 but in the report we see 9090. Also, if SELinux blocks the port for httpd, we can be sure we won't see any 403 or even the initial connection, as httpd will not even run.


So, if this report is useless, how can we get more information about the situation? Why not simply check the Apache error logs first?

sudo cat /var/log/httpd/error_log | grep /www/html/ | tail -n 5

In my case I see this line:

[Fri Feb 21 19:54:56.715734 2020] [autoindex:error] [pid 803:tid 139796269750016]
  [client 127.0.0.1:51032] AH01276: Cannot serve directory /var/www/html/:
  No matching DirectoryIndex (index.html) found, and server-generated directory
  index forbidden by Options directive

The problem is that the default page of the Apache web server is not in /var/www/html/. In fact this directory is completely empty.

Apache's permissions on this directory are fine, and when I put an actual index file there, I can fetch it without issues.


At the end, there is still one open question: why can I not fetch the server-generated HTML page that I can see in the browser, even though the network tab also gives a 403?

I want to use my own content, so I didn't fully go down that rabbit hole. If someone needs to find out more, I would start here: https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html

The Fool
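Both answers hinge on the same check: does the SELinux type named in the AVC denial (websm_port_t) actually cover the port wget is hitting (9000)? The helper below is an added example, not code from either answer: it parses the `semanage port -l` format shown above (embedded here as a constructed excerpt, with one extra range line) and reports whether a name_bind denial can explain a 403 on a given port.

```shell
#!/bin/sh
# Constructed excerpt of `semanage port -l` output: the CentOS 8 lines quoted in
# the first answer plus one low-high range line so ranges are exercised too.
SEMANAGE_OUTPUT='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
websm_port_t                   tcp      9090
websm_port_t                   udp      9090
ephemeral_port_t               tcp      32768-60999'

# port_label PORT [PROTO]: print the SELinux port type covering PORT for
# PROTO (default tcp). Handles "a, b, c" lists and "low-high" ranges.
# On a real host, feed it the live output of: semanage port -l
port_label() {
    printf '%s\n' "$SEMANAGE_OUTPUT" | awk -v want="$1" -v proto="${2:-tcp}" '
        NR > 1 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)              # drop the trailing comma of list items
                if (p ~ /-/) {                # low-high range
                    split(p, r, "-")
                    if (want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) { print $1; break }
                } else if (p + 0 == want + 0) {
                    print $1; break
                }
            }
        }'
}

# denial_matches PORT AVC_TYPE [PROTO]: succeed only if the type in the obj
# column of an `aureport -a` name_bind denial is the type that covers PORT.
# Failure means the denial concerns a different listener and cannot be the
# cause of a 403 on PORT (a blocked bind would stop httpd starting at all).
denial_matches() {
    port_label "$1" "${3:-tcp}" | grep -qx "$2"
}

# The question's scenario: wget hit 9000, the AVC denial named websm_port_t.
if denial_matches 9000 websm_port_t; then
    echo "the websm_port_t denial is about port 9000"
else
    echo "port 9000 is $(port_label 9000), not websm_port_t: the AVC denial is unrelated"
fi
```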