I have a file:
js/jquery.terminal-src.js: symbolic link to ../../repo/js/jquery.terminal-src.js
and when I try to open it in a browser using:
http://localhost/projects/jcubic/terminal/test/js/jquery.terminal-src.js
I get a 403 Forbidden error. The file has these permissions:
-rw-rw----. 1 kuba kuba 291604 08-27 22:20 ../../repo/js/jquery.terminal-src.js
and apache2 can't open that file. I have SELinux installed and I'm using the Fedora distro.
I've got this in /var/log/audit/audit.log:
type=AVC msg=audit(1503868547.512:625): avc: denied { getattr } for pid=519 comm="httpd" path="/home/kuba/projects/jcubic/terminal/test/css/jquery.terminal-src.css" dev="sda3" ino=26608576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0
I've added the apache user to the kuba group, and projects is a symlink in the /var/www/html directory. Other files, even symlinks that are directories, are working fine.
I've also tried to set the kuba group on each directory, even /home, but that didn't work (and all directories already belong to the kuba group).
What do I need to configure to make Apache open symlink files?
I don't want to disable SELinux because it's installed on Fedora for a reason. Is there another way?
Best Answer
You can use audit2why to find out why access was denied, and possibly if a SELinux boolean exists to allow access.

SELinux boolean httpd_enable_homedirs allows Apache to read home directories, and should be enough in your case. You can enable it using (as root) setsebool -P httpd_enable_homedirs 1.

In case you need to alter SELinux policy, you can use audit2allow to generate a policy module to allow access.

SELinux rules are checked after Unix permissions. SELinux rules only add stricter access control rules and won't ever make existing file permissions less restrictive.

Apache has FollowSymLinks and SymLinksIfOwnerMatch options which affect how symbolic links are treated. By default FollowSymLinks is enabled and Apache follows symbolic links, but these options can be altered in <Directory> sections of the configuration file or in .htaccess files.
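
The shell functions below are an added example, not part of the original answer or of any SELinux tool: they pull the source type, target type, class and denied permission out of the AVC record quoted in the question and flag the httpd_t-on-home-directory case that the answer's boolean addresses. The function names, and treating user_home_dir_t the same as user_home_t, are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): triage one SELinux AVC denial.

# The AVC record quoted in the question, rejoined onto a single line.
SAMPLE='type=AVC msg=audit(1503868547.512:625): avc: denied { getattr } for pid=519 comm="httpd" path="/home/kuba/projects/jcubic/terminal/test/css/jquery.terminal-src.css" dev="sda3" ino=26608576 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=0'

# avc_field LINE KEY: print the value of KEY=value or KEY="value".
# The quoted form is tried first so that quoted paths keep their spaces.
avc_field() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.* $2=\"\([^\"]*\)\".*/\1/p" -e t \
        -e "s/.* $2=\([^ ]*\).*/\1/p"
}

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: print the type, the third field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary LINE: "source_type -> target_type class { perms } path"
avc_summary() {
    printf '%s -> %s %s { %s } %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")" "$(avc_field "$1" path)"
}

# avc_hint LINE: suggest the next check. Assumption of this example:
# user_home_dir_t (the home directory itself) is grouped with user_home_t.
avc_hint() {
    pair="$(ctx_type "$(avc_field "$1" scontext)"):$(ctx_type "$(avc_field "$1" tcontext)")"
    case "$pair" in
        httpd_t:user_home_t|httpd_t:user_home_dir_t)
            echo "httpd_t denied on home-directory content: check getsebool httpd_enable_homedirs" ;;
        httpd_t:*) echo "httpd_t denied on ${pair#httpd_t:}: pass the record to audit2why" ;;
        *) echo "not an httpd_t denial: pass the record to audit2why" ;;
    esac
}

avc_summary "$SAMPLE"
avc_hint "$SAMPLE"
```

The summary line makes the denial readable at a glance: the confined source domain, the label on the object, and the object class (here lnk_file, the symlink itself rather than its target).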