Linux CentOS permissions lead to Apache "DocumentRoot must be a directory": solution

Source: Internet
Author: User

The "DocumentRoot must be a directory" error is frequently encountered when configuring the Apache service. On first contact with Apache it can take hours to find the cause of the error, which is generally SELinux.

SELinux (Security-Enhanced Linux) is the U.S. National Security Agency's (NSA) implementation of mandatory access control, and the most outstanding new security subsystem in Linux. The NSA, with the help of the Linux community, developed an access control system under whose constraints a process can access only the files that its task requires. SELinux is installed by default on Fedora and Red Hat Enterprise Linux and is also available as an easy-to-install package on other distributions.
Apache "DocumentRoot must be a directory" issue

This problem may also be accompanied by 403 Forbidden (access denied) errors.

Description of the phenomenon:

Instead of using the system default /var/www/html as the document root, you create a new directory, point DocumentRoot at it in /etc/httpd/conf/httpd.conf, and restart the Apache daemon. Apache then fails to start and the system reports an error:

Check the AVC messages by viewing the /var/log/messages file; you will find an entry similar to the following:

DEC 17:54:59 hostname kernel: audit(1098222899.827:0): AVC: denied { getattr } for pid=19029 exe=/usr/sbin/httpd path=/var/www/html/about.html dev=dm-0 ino=373900 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file

Use

# semanage fcontext -l | grep '/var/www'

to learn the SELinux context of the default /var/www directory:

/var/www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0

From this you can see that Apache can only access files carrying the httpd_sys_content_t label.

If you want Apache to use /www as the site directory, you need to give the files in that directory the httpd_sys_content_t label, which takes two steps.

First, add a default label type for the files under the directory:

# semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?'

Then relabel the existing files with the new type:

# restorecon -Rv /srv/www

Apache can then serve the site from the files in this directory.
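As an added example (not part of the original article), the following shell script parses an AVC denial of the shape shown above, reports which domain was denied which permission on which file type, and prints the two relabelling commands for a given directory without running them; the log line is a constructed sample modelled on the one in the article, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample AVC record, modelled on the /var/log/messages entry above.
SAMPLE_AVC='DEC 17:54:59 hostname kernel: audit(1098222899.827:0): AVC: denied { getattr } for pid=19029 exe=/usr/sbin/httpd path=/var/www/html/about.html dev=dm-0 ino=373900 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file'

# avc_field LINE KEY -> value of "KEY=value" in the record (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_type CONTEXT -> the type (third field) of user:role:type[:level]
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_explain LINE -> "DOMAIN PERMISSION TARGET_TYPE PATH VERDICT"
# VERDICT is "ok" when the file already carries the web content label,
# otherwise "relabel" (the situation this article describes).
avc_explain() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | tr -d ' ')
    domain=$(avc_type "$(avc_field "$line" scontext)")
    ttype=$(avc_type "$(avc_field "$line" tcontext)")
    path=$(avc_field "$line" path)
    verdict=relabel
    [ "$ttype" = httpd_sys_content_t ] && verdict=ok
    printf '%s %s %s %s %s\n' "$domain" "$perm" "$ttype" "$path" "$verdict"
}

# fcontext_pattern DIR -> the regex semanage fcontext expects for a directory tree
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# fix_commands DIR -> prints the two commands from the article for DIR (does not run them)
fix_commands() {
    pat=$(fcontext_pattern "$1")
    printf "semanage fcontext -a -t httpd_sys_content_t '%s'\n" "$pat"
    printf 'restorecon -Rv %s\n' "${1%/}"
}

avc_explain "$SAMPLE_AVC"
fix_commands /srv/www
```

Run it against real records with something like `grep 'avc.*denied' /var/log/messages` piped line by line into avc_explain; any line whose verdict is "relabel" and whose domain is httpd_t points at a file the web server may not read.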

Workaround 2:

Simply change the SELinux type of the directory or file to httpd_sys_content_t:

# chcon -t httpd_sys_content_t [file_name | dir_name]
# chcon -R -h -t httpd_sys_content_t /www

You can then use ls -laZ to view the type of the files and directory.

Workaround 3:

Turn off SELinux enforcement:
# setenforce 0

Workaround 4:
Alternatively, change the SELinux attributes of the /root/website directory to match the requirements of the httpd server.
How? Copy the SELinux attributes of the directory /var/www/html:
# chcon -R --reference /var/www/html /root/website
After restarting the service, it no longer reports an error.
But when you browse to localhost, access is denied. This is mainly because the permissions on /root are 750, so the apache user has no permission to enter it; change the permissions:
# chmod -R 755 /root
After that, browsing the site works normally.

Read MORE: SELinux introduction

The biggest security change in Red Hat Enterprise Linux AS 3.0/4.0 is the integration of SELinux support.

The full name of SELinux is Security-Enhanced Linux, an access control system developed by the NSA.

SELinux maximizes the security of your Linux system. A simple example shows how far its role extends: Linux without SELinux protection has the same level of security as Windows, the C2 level, but Linux protected by SELinux can reach the B1 level. For example, if we set all file and directory permissions under /tmp to 0777, then without SELinux protection anyone can access the content under /tmp. In an SELinux environment, although the directory permissions allow you to access the content under /tmp, the SELinux security policy will still check whether you are allowed to access it.

The SELinux security architecture introduced by the NSA is called Flask. In it, the security policy logic and a common interface are encapsulated together in an operating-system-independent component called the security server. The SELinux security server defines a hybrid security policy consisting of type enforcement (TE), role-based access control (RBAC), and multilevel security (MLS). By replacing the security server, different security policies can be supported. SELinux uses a policy configuration language to define the security policy, which is then compiled into binary form by checkpolicy, stored in a file (such as the targeted policy /etc/selinux/targeted/policy/policy.18), and read into kernel space when the kernel boots. This means that the security policy can be different on each system boot.

SELinux policies come in two types: the targeted policy and the strict policy. The targeted policy applies SELinux only to some system network services and processes, while the strict policy enforces the NSA default policy globally. In targeted mode, 9 (possibly more) system services are monitored by SELinux, and almost all network services are controlled.

The configuration file is /etc/selinux/config. During testing, the "permissive" mode is generally used, which only logs violations of the SELinux rules; the rules are then adjusted, and finally, once the user is satisfied, the strict "enforcing" mode is enabled to prohibit behaviour that violates the policy rules.

The mode determines how SELinux works and behaves, and the policy determines the specific security details, such as the file system and file consistency.

During installation, you can choose to activate, warn, or disable SELinux. The default setting is activate.

After installation, you can open the Security Level Settings window either via "Applications" - "System Settings" - "Security Level", or by typing system-config-securitylevel directly in a console window. On the SELinux options page, you can not only enable or disable SELinux, but also modify the built-in SELinux policy.

SELinux related commands:

ls -Z

ps -Z

id -Z

show the SELinux attributes of files, processes, and users respectively.

chcon: change the SELinux attributes of a file.

getenforce / setenforce: view and set the current SELinux operating mode.

After modifying the configuration file /etc/selinux/config, you need to reboot the system for the new SELinux operating mode to take effect.

http://dadait.blog.163.com/blog/static/3207916201361122548407/
