
I have a simple scenario: I want to symlink /home/leonard/apache/sandbox/markdown to /home/leonard/github/markdown-editor, so that the markdown-editor can be viewed from my browser.

I set up the link with ln -s /home/leonard/github/markdown-editor /home/leonard/apache/sandbox/public/markdown and it shows up and can be navigated fine.

When I view in the browser, however, I get 403 Forbidden. My audit.log shows the following:

type=AVC msg=audit(1461759062.021:1232192): avc:  denied  { read } for  pid=30107 comm="httpd" name="markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1461759062.021:1232192): arch=c000003e syscall=4 success=no exit=-13 a0=7f88e34cff28 a1=7ffc036e2dd0 a2=7ffc036e2dd0 a3=7f88dec032e0 items=0 ppid=36009 pid=30107 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=88286 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1461759062.022:1232193): avc:  denied  { getattr } for  pid=30107 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1461759062.022:1232193): arch=c000003e syscall=6 success=no exit=-13 a0=7f88e34d0018 a1=7ffc036e2dd0 a2=7ffc036e2dd0 a3=1 items=0 ppid=36009 pid=30107 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=88286 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

I've seen other questions here asking how to set the context for symbolic links, but I'm not sure if they're related, because the link is the same as other (perfectly viewable in the browser) adjacent directories:

[leonard@ombrelle public]$ ls -alZ
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 .
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 ..
-rw-r--r--. leonard developers unconfined_u:object_r:user_home_t:s0 .htaccess
-rw-r--r--. leonard developers unconfined_u:object_r:user_home_t:s0 index.php
lrwxrwxrwx. leonard developers unconfined_u:object_r:user_home_t:s0 markdown -> /home/leonard/github/markdown-editor
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 notes

How can I get symbolic links to work in this way?

Update

Using Ian's answer, I ran audit2why < /var/log/audit/audit.log and was given:

type=AVC msg=audit(1461761590.750:1232443): avc:  denied  { getattr } for  pid=37683 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

        Was caused by:
        The boolean httpd_enable_homedirs was set incorrectly.
        Description:
        Allow httpd to read home directories

        Allow access by executing:
        # setsebool -P httpd_enable_homedirs 1

Running the setsebool command magically made it work. I am just unsure how all the other sites we have (/home/*/apache/sitename.tld) were working without this being enabled?

Leonard Challis

2 Answers


You don't say what distro/release you are using, which may be relevant. I only have CentOS 6 and 7 to hand, but the tools to use should be available on other distros.

The tools you should familiarise yourself with are audit2why and audit2allow.

Running your denial messages through the tools will point you in the right direction.

On the CentOS 6 system I have to hand the tools suggest that the current policy should allow this (so I guess you're not using this) but that setting a particular SELinux boolean will help solve the issue.

On the CentOS 7 system I have to hand the tools suggest that setting a particular SELinux boolean will help solve the problem.

user9517
  • Silly me - added my version to the question. But CentOS 6.7. I'll get some further output, thanks for the hints – Leonard Challis Apr 27 '16 at 12:50
  • `audit2allow` is great! This helped me fix it. But I'm curious, why were (many) other sites in `~/user/apache/sitename.tld` working if this was switched off? – Leonard Challis Apr 27 '16 at 12:56
  • `/home/*/apache/sitename.tld/` that should read. Updated my question, but this is the answer - thanks a lot @Ian, particularly for pointing me towards finding out _how_ to find the answer. – Leonard Challis Apr 27 '16 at 13:03
  • It solved my symbolic link problem on my Apache server. I am using AlmaLinux 8.5 – Hasanuzzaman Sattar Jun 15 '22 at 10:21
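As an added illustration (not code from the question or either answer): a small Python parser for AVC records of the kind pasted in the question. It pulls the source and target types out of scontext/tcontext and flags the httpd_t -> user_home_t pattern that audit2why tied to the httpd_enable_homedirs boolean, while leaving every other denial for audit2why/audit2allow to explain. The first two sample lines are copied from the question; the third is constructed.

```python
import re
from dataclasses import dataclass

# First two records: the AVC lines from the question. Third: a constructed
# denial against web content, to show a case the boolean does not cover.
SAMPLE_LOG = """\
type=AVC msg=audit(1461759062.021:1232192): avc:  denied  { read } for  pid=30107 comm="httpd" name="markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1461759062.022:1232193): avc:  denied  { getattr } for  pid=30107 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1461759100.000:1232200): avc:  denied  { write } for  pid=30107 comm="httpd" name="cache" dev=md2 ino=99 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value possibly quoted

@dataclass
class Denial:
    perms: tuple        # refused permissions, e.g. ('read',)
    comm: str           # process name, e.g. httpd
    target: str         # path= when present, else name=
    source_type: str    # type part of scontext, e.g. httpd_t
    target_type: str    # type part of tcontext, e.g. user_home_t
    tclass: str         # object class, e.g. lnk_file

def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return Denial(perms=tuple(m.group('perms').split()),
                  comm=f.get('comm', '?'),
                  target=f.get('path') or f.get('name', '?'),
                  source_type=f['scontext'].split(':')[2],
                  target_type=f['tcontext'].split(':')[2],
                  tclass=f['tclass'])

def suggest_boolean(d):
    """Name the boolean audit2why pointed to in the question, or None.
    httpd_enable_homedirs is coarse (httpd_t may then read every user's home),
    so only the exact httpd_t -> user_home_t pattern gets it; anything else
    should be run through audit2why/audit2allow on its own."""
    if d.source_type == 'httpd_t' and d.target_type == 'user_home_t':
        return 'httpd_enable_homedirs'
    return None

def triage_log(text):
    """Parse every AVC record in the log text and pair it with a suggestion."""
    return [(d, suggest_boolean(d)) for d in map(parse_avc, text.splitlines()) if d]
```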

Based on the information I found, here is how to allow an exception:

Run:

sealert -a /var/log/audit/audit.log

Then follow the instructions given. Source: https://wiki.centos.org/HowTos/SELinux/

Mark Stewart