httpd permission on /var/www/html/

Issues related to configuring your network
codingsafari
Posts: 5
Joined: 2020/02/16 20:14:23

httpd permission on /var/www/html/

Post by codingsafari » 2020/02/21 16:57:52

Hi,

I'm trying to set up apache on CentOS 8. The service is running. When I test with wget, I get 403:

$ wget 127.0.0.1:9000        
--2020-02-21 11:27:42--  http://127.0.0.1:9000/
Connecting to 127.0.0.1:9000... connected.
HTTP request sent, awaiting response... 403 Forbidden
2020-02-21 11:27:42 ERROR 403: Forbidden.

I changed the owner of /var/www/html/ to the apache user group but it didn't help:

$ ls -laZ /var/www/htm;
drwxr-xr-x. 2 apache root system_u:object_r:httpd_sys_content_t:s0 4096 Dec 23 20:47 .
drwxr-xr-x. 4 root   root system_u:object_r:httpd_sys_content_t:s0 4096 Feb 21 10:27 ..

When I run the audit report I see this:

$ sudo aureport -a
AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 02/16/2020 20:52:51 ? (null) 0 (null) (null) (null) unset 745
2. 02/16/2020 22:35:35 ? (null) 0 (null) (null) (null) unset 1391
3. 02/21/2020 10:29:41 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:websm_port_t:s0 denied 1144
4. 02/21/2020 10:29:41 httpd system_u:system_r:httpd_t:s0 49 tcp_socket name_bind system_u:object_r:websm_port_t:s0 denied 1145

At this point I don't know how to proceed. It looks like I should allow name_bind. I didn't have to do this for tomcat. I was also expecting that /var/www could be accessed by apache with no issue.

Am I missing something here?

summitflier
Posts: 13
Joined: 2020/01/22 22:16:05

Re: httpd permission on /var/www/html/

Post by summitflier » 2020/02/21 17:23:25

https://wiki.centos.org/HowTos/SELinux

Usually this is the first thing you have to look at.

Also remember the firewall.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: httpd permission on /var/www/html/

Post by TrevorH » 2020/02/21 17:41:27

You do not need to and nor should you change the ownership of that directory. For a start, it will be reset every time there is a package update installed. With the owner that you've given it, now your httpd process has write access to the docroot so if you are compromised, it can change the files installed there. That is precisely why it is owned by root and should be.

And the aureport output you posted shows that it has nothing to do with the directory anyway. It's denying you access to the port not the files or directories. You need to use semanage to default the port you want to use as being acceptable to selinux.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

codingsafari
Posts: 5
Joined: 2020/02/16 20:14:23

Re: httpd permission on /var/www/html/

Post by codingsafari » 2020/02/21 18:34:04

I thought it was running on an allowed port. I picked port 9000 in particular as I found it listed in the output below. First I had it set to 9090, which prevented the service from starting at all. Now looking back, those lines from the aureport could actually be from that.

Now on port 9000 the HTTP service itself is running fine. It only has trouble serving content from that directory. I have tomcat running on 8080 and that works. It seems like this port is classified as cache_port, maybe I should try to use one of those cache ports for httpd as well.

Not sure if the firewall would do something if this is an internal request? It is kind of inside the server itself; in my understanding the firewall should not intercept this.

~ » sudo semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

Edit:
Here I see that those aureport lines actually come from attempting to use port 9090:

tmp » sudo cat /var/log/audit/audit.log | grep httpd | grep denied
type=AVC msg=audit(1582280981.256:1144): avc:  denied  { name_bind } for  pid=8642 comm="httpd" src=9090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1582280981.256:1145): avc:  denied  { name_bind } for  pid=8642 comm="httpd" src=9090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0

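The audit.log lines above are the useful evidence in this thread: a `name_bind` denial for `httpd_t` on a port whose label is `websm_port_t`. The following script is an added example (not code from any poster) that parses AVC records of that shape, keeps only httpd port-bind denials, and prints the `semanage port -m` command that would relabel the port; the sample log text is constructed to match the posted lines, and the remediation it suggests is the poster's own decision to make.

```python
import re
from typing import Optional

# Constructed sample modelled on the audit.log lines posted in this thread
# (same fields and event ids); the SYSCALL record is there to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1582280981.256:1144): avc:  denied  { name_bind } for  pid=8642 comm="httpd" src=9090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1582280981.256:1145): avc:  denied  { name_bind } for  pid=8642 comm="httpd" src=9090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1582280981.256:1144): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<event>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "event", "result")}
    rec["perms"] = m.group("perms").split()
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what the policy matches on.
    rec["stype"] = rec.get("scontext", "::?:").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::?:").split(":")[2]
    return rec

def triage_port_denials(log_text: str) -> list:
    """One entry per (port, proto) that httpd_t was denied name_bind on."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied" or "name_bind" not in rec["perms"]:
            continue
        if rec["stype"] != "httpd_t" or "src" not in rec:
            continue
        proto = rec["tclass"].replace("_socket", "")   # tcp_socket -> tcp
        key = (int(rec["src"]), proto)
        if key in seen:
            seen[key]["count"] += 1
            continue
        # Assumed remediation: -m modifies the existing label (here websm_port_t);
        # an unlabelled port would need -a instead.
        seen[key] = {"port": key[0], "proto": proto, "current_type": rec["ttype"],
                     "comm": rec["comm"], "count": 1,
                     "fix": f"semanage port -m -t http_port_t -p {proto} {key[0]}"}
    return list(seen.values())

if __name__ == "__main__":
    for entry in triage_port_denials(SAMPLE_AUDIT_LOG):
        print(f"{entry['comm']} denied {entry['count']}x on {entry['proto']}/{entry['port']} "
              f"(labelled {entry['current_type']}): {entry['fix']}")
```

Run it against `/var/log/audit/audit.log` by reading the file into `triage_port_denials`; the TrevorH point stands that file ownership never enters into this, only the port label.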