28 November 2013

Forbidden 403 when running RHEL Web Services (HTTPd) caused by "setenforce 1"

Been wasting most of my morning trying to figure out why a basic Apache Web Server won't run properly on my RHEL box.

/var/www/html/ default index.html works fine but when I try to access a UserDir (e.g. www.example.com/~user) it throws a 403 Forbidden error.

All permissions are set correctly and httpd.conf is configured right.

chmod 701 /home/*
chmod 705 /home/*/public_html
chmod 604 /home/*/public_html/*.html

Checking the error_log file in /var/log/httpd shows that the client requests are being pushed to /var/www/html/ and won't check the /home/*/public_html location.

After doing some digging, I discovered that this error can be caused either by the server permissions being set incorrectly for each directory (most common), or by "Enforcing" mode blocking standard suexec calls.

Running "setenforce 0", I was then able to browse to the ~user home page.

The following information was derived from http://www.brennan.id.au/13-Apache_Web_Server.html:

Forbidden Errors (SELinux)
You may experience a "forbidden error" when attempting to access a user's public web site (http://localhost/~alice); this is generally because the permissions are either set incorrectly, or SELinux is set to "Enforcing" mode, which blocks the standard suexec call needed by the Apache server. A common error is the "/home/username" permissions.

To temporarily disable SELinux so you can test the access permissions, type "setenforce 0" at the command prompt. Typing "setenforce 1" sets SELinux back to Enforcing mode.

Use the following commands to permanently adjust the SELinux file security context so Apache can access users' public web sites.

### SELinux ONLY - Enable User Website
[bash]# setsebool -P httpd_enable_homedirs true
[bash]# chcon -v -R -h -u user_u -t httpd_user_content_t /home/*/public_html
### SELinux ONLY - Disable User Website
[bash]# setsebool -P httpd_enable_homedirs false
[bash]# chcon -v -R -h -u user_u -t user_home_t /home/*/public_html
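
The post names two possible causes of the 403: directory permissions and SELinux enforcement. The script below is an added example (not from the original post or the quoted guide) that checks each one while SELinux stays in Enforcing mode. It assumes GNU stat and that Apache is neither owner nor group member of the files; the function names and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Cause 1, file permissions. Walk from FILE up to / and report each component
# the web server cannot use. Assumption: only the "other" bits apply to Apache
# (the 701/705/604 scheme from the post): directories need o+x, the file o+r.
dac_blockers() {
    p=$1
    while [ -n "$p" ] && [ "$p" != / ] && [ "$p" != . ]; do
        mode=$(stat -c %a "$p") || return 2
        if [ -d "$p" ]; then
            case $mode in *[1357]) ;; *) echo "no o+x $mode $p" ;; esac
        else
            case $mode in *[4567]) ;; *) echo "no o+r $mode $p" ;; esac
        fi
        p=$(dirname "$p")
    done
}

# Cause 2, SELinux. Read audit-log text on stdin and count denials against
# httpd, printed as: COUNT TARGET_TYPE OBJECT PERMISSIONS
httpd_avc_summary() {
    awk '/avc: +denied/ && /comm="httpd"/ {
        perm = $0; sub(/.*[{] /, "", perm); sub(/ [}].*/, "", perm)
        obj = "?"; type = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(path|name)=/) { obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); type = c[3] }
        }
        n[type " " obj " " perm]++
    }
    END { for (k in n) print n[k], k }' | sort
}

# Constructed sample records in audit.log format (not taken from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1385600001.101:501): avc:  denied  { search } for  pid=2301 comm="httpd" name="alice" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1385600002.102:502): avc:  denied  { search } for  pid=2302 comm="httpd" name="alice" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1385600003.103:503): avc:  denied  { getattr } for  pid=2302 comm="httpd" path="/home/alice/public_html/index.html" dev=dm-0 ino=1412 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1385600004.104:504): avc:  denied  { read } for  pid=990 comm="rsync" name="data" dev=dm-0 ino=77 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

# Demonstration on the constructed records.
sample_audit_log | httpd_avc_summary
```

On a live host, run `dac_blockers /home/alice/public_html/index.html` and `httpd_avc_summary < /var/log/audit/audit.log`. No output from the first together with httpd denials on user_home_dir_t or user_home_t from the second points at the SELinux commands quoted above rather than at chmod.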