[vox-tech] re: selinux woes (Apache issue?)

Cylar Z cylarz at yahoo.com
Thu Jun 22 23:17:19 PDT 2006


Hey all:

I'm running Apache webserver (duh) on a Fedora Core 5
system.

I admit that I erred slightly in my original post.
Perhaps SELinux is not guilty after all, perhaps it
is.

I took another look at things last night and here's
the deal. Apache and SELinux will allow me to post
images on the page with <IMG SRC> just fine, *if* the
image is in the same directory as the .html document
calling it. However, if I place images in a separate
directory below the web folder (as I would prefer to
do), I get "broken gif" symbols where my pictures
should be. This holds true even after I've made sure
the image pathname in the <IMG SRC> tag is correct.
Why does the system want to give me a hard time about
this?

I also tried putting a hypertext document in the image
subdirectory, then calling it via a hyperlink from a
page located in the parent web folder. The image
hypertext doc dutifully shows up, but again, I get
broken gif symbols instead of my pictures. WTF?

The image directory and its contents have been
chmod'ed to 755 just to be sure...and what's even
stranger is that this scheme seemed to work fine back
when I used FrontPage to generate my HTML code instead
of writing it manually as I'm currently doing. (Long
story.) Why would that make a lick of difference?

As requested, here is the relevant snippet from
/var/log/httpd/error_log. Parentdocument.html is of
course the one containing the <A HREF="images.html">
images.html </A> link tag, while images.html is the
one inside the images folder itself where I've placed
an <IMG SRC> tag to actually call the picture.

[Thu Jun 22 01:12:57 2006] [error] [client
71.XXX.XXX.XXX] (13)Permission denied: access to
/images/picture012.jpg denied, referer:
http://www.<mydomain.com>/parentdocument.html

[Thu Jun 22 01:18:15 2006] [error] [client
71.XXX.XXX.XXX] File does not exist:
/var/www/html/<mydomain.com>/images/ranch_trip_032,
referer: http://www.<mydomain.com>/images/images.html

Doesn't exist? This is a joke, right?

[Thu Jun 22 01:19:24 2006] [error] [client
71.XXX.XXX.XXX] (13)Permission denied: access to
/images/ranch_trip_032.jpg denied, referer:
http://www.<mydomain.com>/images/images.html

Interesting...first it doesn't exist, now it does
exist but permission is denied.

[Thu Jun 22 01:21:29 2006] [error] [client
71.XXX.XXX.XXX] (13)Permission denied: access to
/images/ranch_trip_032.jpg denied, referer:
http://www.<mydomain.com>/images/images.html

[Thu Jun 22 01:21:30 2006] [error] [client
71.XXX.XXX.XXX] (13)Permission denied: access to
/images/ranch_trip_032.jpg denied, referer:
http://www.<mydomain.com>/images/images.html

[Thu Jun 22 01:21:39 2006] [error] [client
71.XXX.XXX.XXX] (13)Permission denied: access to
/images/ranch_trip_032.jpg denied, referer:
http://www.<mydomain.com>/images/images.html

[Thu Jun 22 01:38:58 2006] [error] [client
71.XXX.XXX.XXX] (13)Permission denied: access to
/images/ranch_trip_032.jpg denied, referer:
http://www.<mydomain.com>/images/images.html

One more detail, in case it's relevant. I chown'ed my
entire web folder to a regular user account I'd
created for the purpose, as I wasn't comfortable
having to log in as root just to work on my website.
Root still owns /var/www/html, but the web admin user
owns the *contents* of html and everything below that.
Why would that matter either, since all the files are
chmod'ed to be world-readable? Would it help to chown
www/html to the web user as well? (Obviously nobody
except root can own /var itself.)

This has GOT to be something having to do with
permissions or paths. Help, please. 

Matt

Message: 5
Date: Wed, 14 Jun 2006 11:53:18 -0700 (PDT)
From: Jan W <jcwynholds at yahoo.com>
Subject: Re: [vox-tech] selinux woes
To: lugod's technical discussion forum
<vox-tech at lists.lugod.org>
Message-ID:
<20060614185318.42324.qmail at web53601.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

Hi Z:

Check the logs.

The /var/log/messages should have entries about selinux applying its
policy (if selinux is the problem).

Also, check the apache logs (/var/log/httpd by default).

The logs should give you an idea if it's standard unix permissions or
the selinux policy.  If the user that apache runs as (check your
httpd.conf) does not have permission to read a directory, or a file in
a directory, it sends 403 forbidden.

If there is something confusing or weird in the logs, post them (with
hostnames/ip addy's XXXX'd out, of course).

The (meaningful and helpful) logs in *nix are a lot of the reason why I
switched in the first place.

--HTHO

jan
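
Added example, not part of either message and not code from the list: one way to separate the "standard unix permissions" case from the SELinux case described in the reply above. It walks every path component with the mode bits that would apply to the web server's user and reports the first one that blocks the read. The function names are made up for this example, and the "apache" user name in the usage comment is an assumption (check httpd.conf); ACLs and SELinux are not modelled.

```python
import os
import stat

def class_bits(st, uid, gids):
    """rwx triplet (0-7) that classic Unix mode bits give this uid/gid set."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_dac_denial(path, uid, gids, start="/"):
    """Check each component from start down to path for uid/gids.

    Returns (component, reason) for the first mode-bit problem, or None when
    the mode bits alone permit the read. path must lie under start. ACLs,
    root's bypass and SELinux are deliberately not modelled.
    """
    start, path = os.path.abspath(start), os.path.abspath(path)
    rel = os.path.relpath(path, start)
    chain, cur = [start], start
    for part in ([] if rel == "." else rel.split(os.sep)):
        cur = os.path.join(cur, part)
        chain.append(cur)
    for comp in chain:
        try:
            st = os.stat(comp)
        except (FileNotFoundError, NotADirectoryError):
            return comp, "does not exist"
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            # Directories need the search bit to be traversed.
            if not bits & 1:
                return comp, "directory lacks search (x) permission"
        elif not bits & 4:
            return comp, "file lacks read (r) permission"
    return None

if __name__ == "__main__":
    # Usage (assumed names): script.py /path/under/docroot/file.jpg apache
    import pwd
    import sys
    target, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, pw.pw_gid))
    print(first_dac_denial(target, pw.pw_uid, groups) or "mode bits allow the read")
```

If this reports that the mode bits allow the read while error_log still shows (13)Permission denied, ordinary permissions are not the cause and the SELinux entries in /var/log/messages are the next place to look.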





