0

I want to serve docs on my dev server from my home directory. This is a private laptop, so I'm not really concerned with security as far as you are with most servers / web hosting situations.

The httpd.conf looks like this:

DocumentRoot "/home/myuser/www"

#
# Relax access to content within /var/www.
#
<Directory "/home/myuser/www">
    AllowOverride all
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/home/myuser/www">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

So far it's ok and I can now view the docs in the myuser/www directory at http://localhost/.

However, apache can't write to the directory and I'm getting selinux security warnings.

I tried adding my user to the apache group, and setting the myuser/www directory to 755 permissions, but this didn't work.

How do I allow apache to write to this directory?

EDIT:

After changing the group and permissions on the /home/myuser/www/ directory, the files display, but the app is complaining that apache cannot write to the tmp directory and it throws an selinux error. The recommended fix in the security message is to execute the following commands, which I've done with no change:

# semanage fcontext -a -t httpd_sys_rw_content_t 'tmp'
# restorecon -v 'tmp'
Improve this question
2
  • 1
    I don't see how /tmp/ is related to this. I would just try to test to disable SElinux in order to be sure it is the only problem. And then decide what to do Commented Jan 19, 2016 at 8:25
  • The tmp part should probably be a separate question. Can you ask that as a new question please, including the full AVC denial? Commented Jan 20, 2016 at 20:00

2 Answers 2

Reset to default
0

Do chgrp apache on your home directory (and any files and subdirectories that you want Apache to be able to write to), and do chmod g+w on them.  This will set directories to 775 mode, and files to 664.

Improve this answer
2
  • @G-Man-- thanks. The issue now is that we're not allowed to write to tmp. I did the suggested fix but still getting the error: # semanage fcontext -a -t httpd_sys_rw_content_t 'tmp' # restorecon -v 'tmp' Commented Jan 19, 2016 at 4:51
  • Please edit your question to show what you did and what happened as a result. Commented Jan 19, 2016 at 5:31
0

Check this out from the httpd_selinux man page, available in the selinux-policy-doc package:

If you want to allow httpd to read home directories, you must turn on the httpd_enable_homedirs boolean. Disabled by default.

  setsebool -P httpd_enable_homedirs 1

Your problems with /tmp might depend on what exactly you're trying to do. Note that by default, httpd on Fedora uses a private namespace for /tmp — this might not be what your software wants. What is your application using that for?

Improve this answer
4
  • I think it's the tmp dir set in the php.ini that's causing the issue. I'd expect that the php installation would have set that path appropriately. What should the correct value for the tmp path be? Commented Jan 20, 2016 at 0:03
  • What Fedora release are you on? Commented Jan 20, 2016 at 0:23
  • ~ cat /etc/fedora-release Fedora release 23 (Twenty Three) Commented Jan 20, 2016 at 0:51
  • Hmmm. There was a very old bug about this, but with recent releases including 23, it should just "magically" happen — files written by httpd/php should have a transition to the correct httpd_php_tmp_t. Commented Jan 20, 2016 at 19:56

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.