If Not True Then False

Apache Userdir with SELinux on Fedora 26/25, CentOS/RHEL 7.4/6.9 - Comment Page: 2

This is a quick guide on how to enable Apache userdirs with SELinux on Fedora 26/25/24/23/22, CentOS 7.4/6.9 and Red Hat (RHEL) 7.4/6.9. This guide assumes that you have the Apache (httpd) server installed on your system. This guide uses a separate userdir.conf without touching httpd.conf, so the default httpd.conf can later be overridden or the whole configuration moved easily. This guide uses a user called testuser...

ReynierPM

I’ve read and followed the whole tutorial step by step and get a 404 error every time I want to access a user dir. I created three users: guillermo, reynierpm and tomas, and inside each home created a directory public_html, set the proper permissions and ran the commands one by one, but I don’t know why it isn’t working. The output of the command run above by others is this:

[root@devserver ~]# sed '/^ *#/d;s/#.*//' /etc/httpd/conf.d/{php,userdir}.conf

LoadModule php5_module modules/libphp5.so

LoadModule php5_module modules/libphp5-zts.so

AddHandler php5-script .php
AddType text/html .php

DirectoryIndex index.php

UserDir enabled guillermo reynierpm tomas

Options Indexes Includes FollowSymLinks

AllowOverride All
Allow from all

Order deny,allow

Any help?
Cheers and thanks in advance

JR

Hi,

Could you tell your Linux distro?

Do you get any SELinux errors, when you try to access userdir?

Could you post output of following commands:

ls -la /home
ls -la ~/ |grep public_html
ls -laZ ~/ |grep public_html
ls -laZ ~/public_html/

ReynierPM

Never mind, it was my bad; I missed the parameter “UserDir public_html” under the IfModule directive. Also I noticed that I can write the same in two flavours: one is the one suggested by you in the post, and the second one is what I’m using right now, including the Directory directive inside the IfModule, so my userdir.conf is as follows:

UserDir enabled testuser
UserDir public_html

Options Indexes Includes FollowSymLinks

AllowOverride All
Allow from all

Order deny,allow

Cheers and thanks for your time

Drayana

Hi, I can’t access the dir in my root directory.
I followed all of the tutorial on this website, but I have a problem.
When I use this command:

chcon -R -t httpd_sys_content_t /home/testuser/public_html
my OS shows the message
ls: cannot access /root/public_html/: No such file or directory

and when I use
chcon -R -t httpd_sys_content_t /home/thinkger/public_html/
my system shows the message:
chcon: can't apply partial context to unlabeled file

Please help me. I’m sorry if my English is bad. I’m from Indonesia :D

B

I have tried everything and I am getting Forbidden 403: You don’t have permission to access /~testfolder/ on this server.

I have tried everything. This worked when I was using Fedora17, but I did a clean install of F18, and this is driving me crazy… I ALREADY CHANGED PERMISSIONS wtf…. so frustrating…

B

[brad@localhost public_html]$ ls -la /home
total 28
drwxr-xr-x. 4 root root 4096 Mar 28 08:38 .
dr-xr-xr-x. 18 root root 4096 Mar 30 11:57 ..
drwx--x--x. 19 brad brad 4096 Mar 30 11:58 brad
drwx------. 2 root root 16384 Mar 28 08:21 lost+found

[brad@localhost public_html]$ ls -la ~/ |grep public_html
drwx--x--x. 3 brad brad 4096 Mar 30 11:58 public_html

[brad@localhost public_html]$ ls -laZ ~/public_html/
drwx--x--x. brad brad unconfined_u:object_r:httpd_sys_content_t:s0 .
drwx--x--x. brad brad unconfined_u:object_r:user_home_dir_t:s0 ..
drwxr-xr-x. brad brad unconfined_u:object_r:httpd_sys_content_t:s0 cryptothawte
-rwxr-xr-x. brad brad unconfined_u:object_r:httpd_sys_content_t:s0 test.html

B

This is where it works, in the default directories (/var/www/html)

[brad@localhost html]$ ls -la /var/www
total 16
drwxr-xr-x. 4 root root 4096 Mar 30 10:08 .
drwxr-xr-x. 21 root root 4096 Mar 30 10:08 ..
drwxr-xr-x. 2 root root 4096 Jan 8 05:47 cgi-bin
drwxr-xr-x. 2 root root 4096 Mar 30 10:10 html


[brad@localhost html]$ ls -la /var/www | grep html
drwxr-xr-x. 2 root root 4096 Mar 30 10:10 html


[brad@localhost html]$ ls -laZ /var/www/html/
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test.php

JR

Hi B,

Sorry it took a while to check this. I updated this configuration to work better with Apache 2.4, so try the following config instead:


...


        Options Indexes Includes FollowSymLinks
 
        ## Apache 2.4 users use following ##
        Require all granted
 

Then restart Apache and try again. Is it working then?

JR

Hi Xavier,

Yes, this is possible: you can just set that address in the /etc/hosts file (pointing to the right IP address) and add the same address to your Apache virtual host, like the following:



ServerName testuser.project.net

# Other directives here

Xavier

OK, then I have to set up a virtual for each user? Is there a way to set up Apache to read the testuser in the URL and redirect it to his specific userdir, so when a testuser02 is created his URL http://testuser02.project.net is automatically redirected to his own userdir?

JR

Hi Xavier,

You can do this by first catching all subdomains with your virtual host, like:



ServerName testuser.project.net
ServerAlias *.project.net
 
# Other directives here

Then create .htaccess with something like following content:


RewriteEngine On
RewriteBase /

#### URL Rewrite Handler for Subdomains (by Randall Krause) ####

RewriteCond %{ENV:REDIRECT_SUBDOMAIN} ="" 
RewriteCond %{HTTP_HOST} ^([a-z0-9][-a-z0-9]+)\.project\.net\.?(:80)?$ [NC] 
RewriteCond %{DOCUMENT_ROOT}/subdomains/%1 -d 
RewriteRule ^(.*) subdomains/%1/$1 [E=SUBDOMAIN:%1,L] 
RewriteRule ^ - [E=SUBDOMAIN:%{ENV:REDIRECT_SUBDOMAIN},L] 

Another way is to set up virtual hosts for each user, for example using a simple bash script which creates the folders and virtual host files.

Matthew

I got everything working; I just can’t get it to abide by my mod_rewrite rules set by the .htaccess file. This is my userdir.conf:


# All users
UserDir public_html

Options Indexes Includes FollowSymLinks
Require all granted

JR

Hi Matthew,

Simply add an AllowOverride FileInfo line to your userdir.conf:



        Options Indexes Includes FollowSymLinks
 
        ## Apache 2.4 users use following ##
        Require all granted
 
        AllowOverride FileInfo

And then restart apache:

service httpd restart

Chris

Thanks for the setsebool command. That is what solved my problem. I have used Apache for many years and this was the only time I needed to use this command.

thorty

Great tutorial! But I have to add the following in my /etc/httpd/conf.d/userdir.conf:

[...]
Satisfy Any
[...]

Fault in the /var/log/httpd/error_log:
configuration error: couldn't perform authentication. AuthType not set!: ...

System: CentOS 6.5 / Apache 2.2

roel

I run on CentOS 6.5 and got this message:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Apache/2.2.15 (CentOS) Server at 192.168.1.212 Port 80

JB

I store my web content in an external NTFS device, and it turns out that NTFS can’t be mounted with a provided context (bug: https://bugzilla.redhat.com/show_bug.cgi?id=631616). So in my case I needed to:

1) mount the device w/ group/owner set to me: --options defaults,auto,uid=1000,gid=1000,umask=002
2) needed to set read/exec permissions on /home/me

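
Added example, not part of the original comments or of the tutorial: a shell version of the checks JR asks for above (permissions on each level of the path, then the SELinux label from ls -laZ) and of the read/exec requirement JB ran into. It assumes GNU stat and readlink, and that httpd reaches the directories through the "other" permission bits; the function names and the optional STOP argument are invented for this example.

```shell
# Added example, not from the thread. Assumptions: GNU stat/readlink, and
# httpd is neither owner nor group of the directories, so "other" bits apply.

# other_bits DIR -> the "other" permission digit (0-7) of DIR.
other_bits() {
    local mode
    mode=$(stat -c '%a' -- "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# check_userdir_path TARGET [STOP]: walk from TARGET up to STOP (default /).
# Ancestors need o+x to be traversed; TARGET needs o+rx because the configs
# in this thread enable Options Indexes. Prints a DENY line per failing
# directory and returns 1 if there was any, 2 on a usage or stat error.
check_userdir_path() {
    local target stop dir bits need rc=0
    target=$(readlink -f -- "$1") || return 2
    stop=$(readlink -f -- "${2:-/}") || return 2
    [ -d "$target" ] || { echo "MISSING $target"; return 2; }
    dir=$target
    while :; do
        bits=$(other_bits "$dir") || return 2
        if [ "$dir" = "$target" ]; then need=5; else need=1; fi
        if [ $(( bits & need )) -ne "$need" ]; then
            echo "DENY $dir other=$bits need=$need"
            rc=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    return "$rc"
}

# context_type CONTEXT -> type field of user:role:type:level.
context_type() {
    local rest
    rest=${1#*:}; rest=${rest#*:}
    printf '%s\n' "${rest%%:*}"
}

# label_ok CONTEXT [WANTED] -> 0 if the type is WANTED (default: the type
# applied with chcon in this thread, httpd_sys_content_t).
label_ok() {
    [ "$(context_type "$1")" = "${2:-httpd_sys_content_t}" ]
}
```

Run check_userdir_path /home/testuser/public_html first; if it prints nothing, pass the context column from ls -laZ to label_ok to see whether the label, rather than the mode bits, is what differs from a working directory.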