I'm installing Foswiki on a Fedora 40 machine. The Foswiki top directory shall be /home/wikis/foswiki_company. Underneath that there are various directories for content, as well as the log directory.
/home is a separate filesystem (not NFS, just a separate partition on the local machine).
Foswiki is a cheap and cheerful bunch of Perl CGI scripts, so it's just the usual CGI setup.
It turns out that I cannot even get into the setup page of Foswiki because the setup script is unable to create the log file (i.e. Perl's open() call fails). The apparent problem is that "the filesystem is read-only".
SELinux is enabled and I'm checking the AVC denial messages. There seem to be none.
Below is the relevant structure of the filesystem.
- The orange elements are where the logfile is meant to go, but doing so proves to be impossible. I also tried with the tmp subdirectory, same problem.
- The brown elements are an experiment whereby I modified the CGI script so that the log file would be written to a (suitably permission-ed) directory /home/tmp, which fails.
- The green elements are an experiment whereby I modified the CGI script so that the log file would be written to a (suitably permission-ed) directory /var/www/tmp. This works.
Additionally, the SELinux boolean for allowing httpd access to home directories, usually off, has been switched on, no difference, it seems to be irrelevant to this problem:
# semanage boolean -l -C
SELinux boolean State Default Description
httpd_can_network_connect (on , on) Allow httpd to can network connect
httpd_enable_homedirs (on , on) Allow httpd to enable homedirs
selinuxuser_execmod (on , on) Allow selinuxuser to execmod
Additionally, if I su - apache (after configuring a shell for user apache in /etc/passwd), I can create or write to any of the log files.
So it's a process-related thing, not a user-related thing.
Additionally, I tried disabling SELinux, but got the same problem.
So it's unlikely to be SELinux.
What am I missing? What could stop Apache httpd from writing to the /home filesystem?
The problem is due to systemd, which has recently branched out into controlling process access to /home. This may be useful, but doesn't contribute to clarity on a system that already has POSIX access control and SELinux access control. Having a sudden brainwave and searching for "have systemd block access to /home" was key.
The option is ProtectHome (added in version 214 and indeed, I am at version 255). The manual says:
etc.
By default this option is read-only. We need to change it to no. So, let's do it. Run
and set up the override file to contain:
After saving that file and restarting Apache httpd:
The process can create and write the files in their respective directories under /home.
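As an added example (not part of the question or the answer above), the script below predicts from the sandbox properties that `systemctl show` prints for a unit whether a given path is writable from inside the service; it is the check that points at ProtectHome straight away, since the wiki's log directory under /home comes out read-only while /var/www/tmp comes out writable, exactly the asker's observation. The property lines at the bottom are constructed, the parser assumes the space-separated Key=Value form of `systemctl show` output, and ReadWritePaths= is handled because it lets a unit keep ProtectHome=read-only while opening only the directory the service actually needs.

```shell
# Added example, not from the question or answer: predict whether a systemd service
# may write to a path, judging only by the mount-namespace sandbox directives that
#   systemctl show -p ProtectHome -p ProtectSystem -p ReadWritePaths -p ReadOnlyPaths UNIT
# prints. Pipe that output in on a live system; a constructed sample stands in below.

# Succeed when path $1 is directory $2 itself or lies beneath it.
under() { case "$1" in "$2"|"$2"/*) return 0 ;; esac; return 1; }

# Read Key=Value lines from stdin; print writable, read-only or inaccessible for path $1.
predict_write() {
  path=$1 home=no system=no rw= ro= best=-1 verdict=
  while IFS='=' read -r key val; do
    case $key in
      ProtectHome)    home=$val ;;
      ProtectSystem)  system=$val ;;
      ReadWritePaths) rw=$val ;;   # space-separated; entries may carry a - or + prefix
      ReadOnlyPaths)  ro=$val ;;
    esac
  done
  # Explicit path lists override the Protect*= defaults; among them the longest
  # (most specific) match wins, like systemd's bind-mount ordering.
  for p in $rw; do p=${p#[-+]}
    under "$path" "$p" && [ ${#p} -gt $best ] && { best=${#p}; verdict=writable; }
  done
  for p in $ro; do p=${p#[-+]}
    under "$path" "$p" && [ ${#p} -gt $best ] && { best=${#p}; verdict=read-only; }
  done
  [ -n "$verdict" ] && { echo "$verdict"; return; }
  # ProtectHome= governs /home, /root and /run/user.
  for p in /home /root /run/user; do
    under "$path" "$p" && case $home in
      yes|true)        echo inaccessible; return ;;
      read-only|tmpfs) echo read-only; return ;;
    esac
  done
  # ProtectSystem=: yes covers /usr /boot /efi; full adds /etc; strict is all but /dev /proc /sys.
  case $system in
    strict) for p in /dev /proc /sys; do under "$path" "$p" && { echo writable; return; }; done
            echo read-only; return ;;
    full)   under "$path" /etc && { echo read-only; return; } ;;
  esac
  case $system in yes|true|full)
    for p in /usr /boot /efi; do under "$path" "$p" && { echo read-only; return; }; done ;;
  esac
  echo writable
}

# Constructed stand-in for the httpd.service properties the asker was running under.
SAMPLE='ProtectHome=read-only
ProtectSystem=no'
printf '%s\n' "$SAMPLE" | predict_write /home/wikis/foswiki_company/working/logs  # read-only
printf '%s\n' "$SAMPLE" | predict_write /var/www/tmp                              # writable
```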