Linux – Apache can’t open file that is a symlink

Tags: apache-httpd, fedora, selinux, symlink

I have a file:

js/jquery.terminal-src.js: symbolic link to ../../repo/js/jquery.terminal-src.js

and when I try to open it in a browser using:

http://localhost/projects/jcubic/terminal/test/js/jquery.terminal-src.js

I get a 403 Forbidden error. The file has these permissions:

-rw-rw----. 1 kuba kuba 291604 08-27 22:20 ../../repo/js/jquery.terminal-src.js

and apache2 can't open that file. I have SELinux installed and I'm using Fedora.

I've got this in /var/log/audit/audit.log:

type=AVC msg=audit(1503868547.512:625): avc:  denied  { getattr } for  pid=519 comm="httpd" path="/home/kuba/projects/jcubic/terminal/test/css/jquery.terminal-src.css" dev="sda3" ino=26608576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0

I've added the apache user to the kuba group, and projects is a symlink in the /var/www/html directory. Other files, even symlinks that are directories, are working fine.

I've also tried setting the kuba group on each directory, even /home, but that didn't work (and all directories already belong to the kuba group).

What do I need to configure to make Apache open symlinked files?

I don't want to disable SELinux because it's installed on Fedora for a reason. Is there another way?

Best Answer

You can use audit2why to find out why access was denied, and possibly whether a SELinux boolean exists to allow access.

SELinux boolean httpd_enable_homedirs allows Apache to read home directories, and should be enough in your case. You can enable it using (as root) setsebool -P httpd_enable_homedirs 1.

In case you need to alter SELinux policy, you can use audit2allow to generate a policy module to allow access.

SELinux rules are checked after Unix permissions. SELinux rules only add stricter access control rules and won't ever make existing file permissions less restrictive.

Apache has FollowSymLinks and SymLinksIfOwnerMatch options, which affect how symbolic links are treated. By default FollowSymLinks is enabled and Apache follows symbolic links, but these options can be altered in <Directory> sections of the configuration file or in .htaccess files.
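
An added example, not part of the original question or answer: a small parser for AVC denial records like the one quoted in the question, which groups denials by source type, target type and object class so it is clear which label is blocking httpd before reaching for audit2why or a boolean. The function names are this example's own, and the second and third sample records are constructed.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the question, joined onto one line.
# Second and third records: constructed for this example.
SAMPLE_LOG = """\
type=AVC msg=audit(1503868547.512:625): avc:  denied  { getattr } for  pid=519 comm="httpd" path="/home/kuba/projects/jcubic/terminal/test/css/jquery.terminal-src.css" dev="sda3" ino=26608576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1503868548.101:626): avc:  denied  { read } for  pid=519 comm="httpd" name="jquery.terminal-src.js" dev="sda3" ino=26608577 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1503868548.101:626): arch=c000003e syscall=89 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of user:role:type:level (level may contain ':')."""
    return context.split(":", 3)[2]


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }


def summarize(log_text):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        groups[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(perms)} }}")
```

For the record from the question, the summary shows httpd_t being denied on a lnk_file labelled user_home_t, that is, on the symlink itself under /home rather than on Unix permissions of the target file.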