I have a simple scenario: I want to symlink /home/leonard/apache/sandbox/markdown to /home/leonard/github/markdown-editor, so that the markdown-editor can be viewed from my browser.
I set up the link with ln -s /home/leonard/github/markdown-editor /home/leonard/apache/sandbox/public/markdown and it shows up and can be navigated fine.
When I view it in the browser, however, I get 403 Forbidden. My audit.log shows the following:
type=AVC msg=audit(1461759062.021:1232192): avc: denied { read } for pid=30107 comm="httpd" name="markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1461759062.021:1232192): arch=c000003e syscall=4 success=no exit=-13 a0=7f88e34cff28 a1=7ffc036e2dd0 a2=7ffc036e2dd0 a3=7f88dec032e0 items=0 ppid=36009 pid=30107 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=88286 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1461759062.022:1232193): avc: denied { getattr } for pid=30107 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1461759062.022:1232193): arch=c000003e syscall=6 success=no exit=-13 a0=7f88e34d0018 a1=7ffc036e2dd0 a2=7ffc036e2dd0 a3=1 items=0 ppid=36009 pid=30107 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=88286 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
I've seen other questions here asking how to set the context for symbolic links, but I'm not sure if they're related, because the link is the same as other (perfectly viewable in the browser) adjacent directories:
[leonard@ombrelle public]$ ls -alZ
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 .
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 ..
-rw-r--r--. leonard developers unconfined_u:object_r:user_home_t:s0 .htaccess
-rw-r--r--. leonard developers unconfined_u:object_r:user_home_t:s0 index.php
lrwxrwxrwx. leonard developers unconfined_u:object_r:user_home_t:s0 markdown -> /home/leonard/github/markdown-editor
drwxr-xr-x. leonard developers unconfined_u:object_r:user_home_t:s0 notes
How can I get symbolic links to work in this way?
Update
Using Ian's answer, I ran audit2why < /var/log/audit/audit.log and was given:
type=AVC msg=audit(1461761590.750:1232443): avc: denied { getattr } for pid=37683 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
Was caused by:
The boolean httpd_enable_homedirs was set incorrectly.
Description:
Allow httpd to read home directories
Allow access by executing:
# setsebool -P httpd_enable_homedirs 1
Running the setsebool command magically made it work. I am just unsure how all the other sites we have (/home/*/apache/sitename.tld) were working without this being enabled?
You don't say what distro/release you are using, which may be relevant. I only have CentOS 6 and 7 to hand, but the tools to use should be available on other distros.
The tools you should familiarise yourself with are audit2why and audit2allow.
Running your denial messages through the tools will point you in the right direction.
On the CentOS 6 system I have to hand, the tools suggest that the current policy should allow this (so I guess you're not using this) but that setting a particular SELinux boolean will help solve the issue.
On the CentOS 7 system I have to hand, the tools suggest that setting a particular SELinux boolean will help solve the problem.
Based on the information I found, here is how to allow an exception:
Run:
Then follow the instructions given. Source: https://wiki.centos.org/HowTos/SELinux/
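As an added example (not part of the question or of Ian's answer), here is a small Python parser that pulls the source type, target type, object class and denied permissions out of AVC records like the ones quoted above and groups them the way audit2allow's proposed rules read, so you can see exactly what access a boolean or a relabel would grant before touching policy. The audit text is a constructed sample copied from the question, with the SYSCALL record shortened; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted in the question, plus a shortened
# SYSCALL record so the parser has a non-AVC line to skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1461759062.021:1232192): avc: denied { read } for pid=30107 comm="httpd" name="markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1461759062.021:1232192): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1461759062.022:1232193): avc: denied { getattr } for pid=30107 comm="httpd" path="/home/leonard/apache/sandbox/public/markdown" dev=md2 ino=25300345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
"""

# avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type:level; policy rules key on the type.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # The kernel logs a full path when it can resolve one, else the dentry name.
        "target": fields.get("path") or fields.get("name"),
    }

def parse_audit(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]

def summarize_rules(records):
    """Group denials by (source type, target type, class): each key is one
    'allow' rule audit2allow would propose, with the union of denied perms."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    return dict(rules)

def homedir_denials(records):
    """httpd_t denied on user_home_t objects: the pattern audit2why tied to the
    httpd_enable_homedirs boolean above. Relabeling only the served tree
    (httpd_sys_content_t) grants less than enabling the boolean for all home dirs."""
    return [r for r in records
            if r["source_type"] == "httpd_t" and r["target_type"] == "user_home_t"]
```

Feed it the real file with parse_audit(open("/var/log/audit/audit.log").read()) to get the same grouping over a full log.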