
I have a simple scenario: I want to symlink /home/leonard/apache/sandbox/markdown to /home/leonard/github/markdown-editor, so that the markdown-editor can be viewed from my browser.

I setup the link with ln -s /home/leonard/github/markdown-editor /home/leonard/apache/sandbox/public/markdown and it shows up and can be navigated fine.

When I view in the browser, however, I get 403 Forbidden. My audit.log shows the following:

type=AVC msg=audit(1461759062.021:1232192): avc: denied { read } for pid=30107 comm="httpd" name="markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1461759062.021:1232192): arch=c000003e syscall=4 success=no exit=-13 a0=7f88e34cff28 a1=7ffc036e2dd0 a2=7ffc036e2dd0 a3=7f88dec032e0 items=0 ppid=36009 pid=30107 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=88286 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1461759062.022:1232193): avc: denied { getattr } for pid=30107 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1461759062.022:1232193): arch=c000003e syscall=6 success=no exit=-13 a0=7f88e34d0018 a1=7ffc036e2dd0 a2=7ffc036e2dd0 a3=1 items=0 ppid=36009 pid=30107 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=88286 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

I've seen other questions here asking how to set the context for symbolic links, but I'm not sure if they're related, because the link is the same as other (perfectly viewable in the browser) adjacent directories:

[leonard@ombrelle public]$ ls -alZ
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 .
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 ..
-rw-r--r--. leonard developers unconfined_u:object_r:user_home_t:s0 .htaccess
-rw-r--r--. leonard developers unconfined_u:object_r:user_home_t:s0 index.php
lrwxrwxrwx. leonard developers unconfined_u:object_r:user_home_t:s0 markdown -> /home/leonard/github/markdown-editor
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 notes

How can I get symbolic links to work in this way?

Update

Using Ian's answer, I ran audit2why < /var/log/audit/audit.log and was given:

type=AVC msg=audit(1461761590.750:1232443): avc: denied { getattr } for pid=37683 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
        Was caused by:
        The boolean httpd_enable_homedirs was set incorrectly.
        Description:
        Allow httpd to read home directories

        Allow access by executing:
        # setsebool -P httpd_enable_homedirs 1

Running the setsebool command magically made it work. I am just unsure how all the other sites we have (/home/*/apache/sitename.tld) were working without this being enabled?
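The denial records above are easier to read once each audit record is on its own line and reduced to the fields SELinux actually decides on: the permission, the source domain, the target type, the object class and the object. The following shell functions do that reduction; they are an added example written for this page, not part of the question or of the audit2why/audit2allow tools, and the sample input is constructed from the two AVC records in the question (SYSCALL records trimmed to keep it short).

```shell
#!/bin/sh
# Added example (not from the question or the answers): reduce raw audit
# records to one summary line per AVC denial, the way a reader would
# before handing the log to audit2why or audit2allow.

# Constructed sample: the two AVC denials from the question, pasted
# together on one line as the audit log appeared in the question.
SAMPLE_AUDIT='type=AVC msg=audit(1461759062.021:1232192): avc: denied { read } for pid=30107 comm="httpd" name="markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1461759062.021:1232192): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" type=AVC msg=audit(1461759062.022:1232193): avc: denied { getattr } for pid=30107 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file'

# split_records: audit records run together on one line are separated
# again at every " type=" boundary, so each record is one line.
split_records() {
    sed 's/ type=/\
type=/g'
}

# avc_summary: read audit text on stdin and print, for each AVC record,
#   "<permissions> <source type> <target type> <tclass> <path or name>"
# The source and target types are the third ":"-separated field of
# scontext= and tcontext=; path= is preferred over name= for the object.
avc_summary() {
    split_records | awk '
        $1 == "type=AVC" {
            perm = ""; src = ""; tgt = ""; cls = ""; obj = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {
                    # permissions are listed between "{" and "}"
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                }
                else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
                else if ($i ~ /^path=/)     { obj = substr($i, 7, length($i) - 7) }
                else if ($i ~ /^name=/ && obj == "?") { obj = substr($i, 7, length($i) - 7) }
            }
            print perm, src, tgt, cls, obj
        }'
}

# unique_denials: collapse the summary to distinct (source, target, class)
# triples; this is the granularity at which policy, including a boolean
# such as httpd_enable_homedirs, grants or refuses the access.
unique_denials() {
    avc_summary | awk '{ print $2, $3, $4 }' | sort -u
}

# Usage: feed the sample (or: avc_summary < /var/log/audit/audit.log)
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | unique_denials
```

On the question's records the summary collapses to a single triple, httpd_t reading a user_home_t object of class lnk_file: it is the symlink itself, not the directory it points to, that httpd was refused, which matches the ls -Z listing showing the link carries user_home_t. Note that the boolean audit2why proposes is system-wide: with -P it persists across reboots and lets httpd_t read home-directory content for every user, so check its current state with getsebool before switching it on.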

2 Answers


You don't say what distro/release you are using which may be relevant. I only have Centos 6 and 7 to hand but the tools to use should be available on other distros.

The tools you should familiarise yourself with are audit2why and audit2allow.

Running your denial messages through the tools will point you in the right direction.

On the CentOS 6 system I have to hand the tools suggest that the current policy should allow this (so I guess you're not using this) but that setting a particular SELinux boolean will help solve the issue.

On the CentOS 7 system I have to hand the tools suggest that setting a particular SELinux boolean will help solve the problem.

  • Silly me - added my version to the question. But CentOS 6.7. I'll get some further output, thanks for the hints. Commented Apr 27, 2016 at 12:50
  • audit2allow is great! This helped me fix it. But I'm curious, why were (many) other sites in ~/user/apache/sitename.tld working if this was switched off? Commented Apr 27, 2016 at 12:56
  • /home/*/apache/sitename.tld/ that should read. Updated my question, but this is the answer - thanks a lot @Ian, particularly for pointing me towards finding out how to find the answer. Commented Apr 27, 2016 at 13:03
  • It solved my symbolic link problem in my apache server. I am using AlmaLinux 8.5 Commented Jun 15, 2022 at 10:21

Based on the information I found, here is how to allow an exception:

Run:

sealert -a /var/log/audit/audit.log 

Then follow the instructions given. Source: https://wiki.centos.org/HowTos/SELinux/
