
I have a problem with my CentOS 7 server and httpd. I have already installed httpd, but I need to change the home dir from /var/www/html to /home/pawel/domains. I added a vhost:

<VirtualHost *:80>
    ServerName local.nauka
    ServerAlias www.local.nauka
    DocumentRoot /home/pawel/domains/nauka
    <Directory "/home/pawel/domains/nauka">
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /home/pawel/domains/nauka/error.log
    CustomLog /home/pawel/domains/nauka/requests.log combined
</VirtualHost>

I executed these commands:

 systemctl enable httpd && systemctl start httpd
 firewall-cmd --permanent --add-service={http,https}
 firewall-cmd --reload
 sudo setsebool -P httpd_enable_homedirs on
 sudo chcon -R -t httpd_sys_content_t ~/domains/
 sudo semanage fcontext -a -t httpd_sys_content_t "/home/pawel/domains(/.*)?"
 sudo restorecon -R ~/domains/
 setsebool -P httpd_can_network_connect 1

When I execute

ls -lZ ~/domains/

I get

drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 nauka

But when I open a web browser with the URL local.nauka I get
Forbidden

You don't have permission to access / on this server.

What am I doing wrong?

PawelC

1 Answer


By default, SELinux will prevent web server access to user home directories. If you really need the web server to access files in a user home directory, you can set the boolean httpd_read_user_content.

# setsebool -P httpd_read_user_content 1

You apparently set the boolean httpd_enable_homedirs, which does something else entirely.

It's not a good idea to host websites in user home directories though. For example, an exploit of the web server could allow other files than the web site files to be read if you used the above boolean. Also, while you can use that boolean to allow read access, SELinux will never allow the web server to write files to a user home directory. Better to place them elsewhere in the filesystem, such as a subdirectory of /srv/www, where SELinux already permits access with the type httpd_sys_content_t, and directories which will contain uploaded files can be given the type httpd_sys_rw_content_t. This can't be done with user home directories without potentially breaking things.

For example, you can create the directory /srv/www/local.nauka, set its ownership to the user you want, and make any upload directories writable by the web server user with the SELinux context to allow uploads shown above.

Michael Hampton
  • Hi, thanks for the reply :) I understand; is the better solution to keep the root directory at /var/www/html? – PawelC Jun 21 '20 at 21:10
  • @PawelC I would not use `/var/www` because this directory is used by the default documents shipped with the httpd RPM, and updating that RPM might affect that directory. You can use `/srv/www` which is reserved for that purpose and will have the correct SELinux default context. – Michael Hampton Jun 21 '20 at 21:12
  • OK :) Thanks for the reply, your answer solved my issue. And in addition I learned a new thing. – PawelC Jun 21 '20 at 21:18
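The layout the answer recommends, written out as an added example (this is not code from the question or the answer): a site under /srv/www with a read-only document root, one upload directory labelled httpd_sys_rw_content_t so that restorecon never strips the writable label, and a check of the resulting labels. The site name local.nauka is taken from the vhost above; the owner name pawel, the directory name uploads and the DRY_RUN switch are assumptions for the illustration. With DRY_RUN=1 (the default) the script only prints the commands it would run; set DRY_RUN=0 and run it as root on the CentOS 7 host to apply them.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: site "local.nauka",
# owner "pawel", upload directory "uploads". DRY_RUN=1 prints commands only.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it with a leading "+" when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Extract the SELinux type (third field of user:role:type:level) from an
# `ls -Z` / `ls -dZ` line, e.g. the "drwxr-xr-x. apache apache ..." line above.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3) { print c[3]; exit }
    }'
}

# Create /srv/www/<site>, hand it to <owner>, make uploads/ writable by the
# apache user and register the rw label persistently before applying it.
setup_site() {
    site="$1"; owner="$2"; docroot="/srv/www/$site"
    run mkdir -p "$docroot/uploads"
    run chown -R "$owner:$owner" "$docroot"
    run chmod 755 "$docroot"
    # httpd runs as user apache; give that group write access to uploads/ only.
    run chown "$owner:apache" "$docroot/uploads"
    run chmod 775 "$docroot/uploads"
    # /srv/www already defaults to httpd_sys_content_t; only the upload
    # directory needs a persistent httpd_sys_rw_content_t rule.
    run semanage fcontext -a -t httpd_sys_rw_content_t "$docroot/uploads(/.*)?"
    run restorecon -Rv "$docroot"
}

# Compare the label of <path> against the expected type; return 1 on mismatch.
check_label() {
    path="$1"; want="$2"
    got=$(selinux_type "$(ls -dZ "$path" 2>/dev/null)")
    if [ "$got" = "$want" ]; then
        printf 'ok   %s is %s\n' "$path" "$want"
    else
        printf 'FAIL %s is "%s", expected %s\n' "$path" "$got" "$want"
        return 1
    fi
}

setup_site local.nauka pawel

# The verification only makes sense once the commands have really been run.
if [ "$DRY_RUN" = "0" ]; then
    check_label /srv/www/local.nauka httpd_sys_content_t
    check_label /srv/www/local.nauka/uploads httpd_sys_rw_content_t
fi
```

After applying it, point the vhost's DocumentRoot at /srv/www/local.nauka; the `ls -dZ` checks at the end are the quick way to confirm that restorecon produced httpd_sys_content_t on the document root and httpd_sys_rw_content_t on the upload directory rather than silently relabelling both read-only.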