Hello! My fedorapeople.org web page cannot be accessed; it gives me a 403 error! Any files uploaded cannot be accessed through HTTP! Please check, my web page is http://hien.fedorapeople.org/ Thanks in advance!
Wrong SELinux context by default! Fixed!
Default:
{{{
hien@hien-laptop ~$ ssh hien@fedorapeople.org "ls -Z public_html/ "
drwxrwxr-x. hien hien system_u:object_r:var_t:s0 images
-rw-rw-r--. hien hien system_u:object_r:var_t:s0 index.html
}}}
I fixed it with "restorecon -Rv public_html/"
So, in order to make a bit of sense for the infra guys who weren't on IRC today, the problem is that hien's files had this SELinux context:
{{{
-rw-rw-r--. hien hien system_u:object_r:var_t:s0 index.html
}}}
On my FedoraPeople, I have:
{{{
-rw-rw-r--. bochecha bochecha unconfined_u:object_r:httpd_user_content_t:s0 index.html
}}}
So I told hien to run the following command, which "fixed" his issue:
{{{
restorecon -Rv public_html
}}}
He doesn't get the 403 error anymore.
However, it still seems weird that his files don't have the appropriate SELinux context by default, as he says he only copied them via scp, and created one directly on the server with vim.
I never did anything special to mine, and they end up created with the correct context, so something might be wrong with his user/account/home/...
Note: I am not part of the infra team, just a random guy who happened to be there in #fedora-admin. :)
Thanks for debugging and figuring this out :-)
Unfortunately, I can't reproduce this issue myself - I tried scping a new public_html directory to my account without any special options, and the contexts ended up correct.
hien: Are you still able to reproduce this problem if you try removing your public_html and re-uploading your files? If so, can you give us the exact commands that you are using to upload them?
Yes, I can reproduce this problem! See detail:
{{{
[hien@people02 ~]$ ls -Z
drwxrwxr-x. hien hien unconfined_u:object_r:httpd_user_content_t:s0 public_html
[hien@people02 ~]$ mv public_html/ public_html_bk/
[hien@people02 ~]$ mkdir public_html/
[hien@people02 ~]$ ls -Z
drwxrwxr-x. hien hien system_u:object_r:var_t:s0 public_html
drwxrwxr-x. hien hien unconfined_u:object_r:httpd_user_content_t:s0 public_html_bk
[hien@people02 ~]$ touch public_html/index.html
[hien@people02 ~]$ ls -Z public_html/
-rw-rw-r--. hien hien system_u:object_r:var_t:s0 index.html
[hien@people02 ~]$ curl -I http://hien.fedorapeople.org/
HTTP/1.1 403 Forbidden
Date: Tue, 24 May 2011 16:44:44 GMT
Server: Apache/2.2.15
Connection: close
Content-Type: text/html; charset=iso-8859-1

[hien@people02 ~]$ restorecon -Rv public_html/
restorecon reset /home/fedora/hien/public_html context system_u:object_r:var_t:s0->unconfined_u:object_r:httpd_user_content_t:s0
restorecon reset /home/fedora/hien/public_html/index.html context system_u:object_r:var_t:s0->unconfined_u:object_r:httpd_user_content_t:s0
[hien@people02 ~]$ curl -I http://hien.fedorapeople.org/
HTTP/1.1 200 OK
Date: Tue, 24 May 2011 16:45:25 GMT
Server: Apache/2.2.15
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8

[hien@people02 ~]$
}}}
Ah, it turns out that this issue only affected new users, which is why I could not reproduce. I've fixed the context on your home directory, as well as made some changes to ensure that new accounts won't run into this same issue.
Thanks for reporting and debugging this issue!
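The check this thread converged on, as an added example that is not part of the ticket or of Fedora infrastructure's tooling: a shell function that reads `ls -Z` output in the five-column layout quoted above and lists every entry whose SELinux type is not `httpd_user_content_t`. The function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag entries in `ls -Z` output whose SELinux type is not the
# one seen on the working account in this ticket. Expected input layout
# (as quoted in the ticket): mode, owner, group, context, name.

EXPECTED_TYPE="httpd_user_content_t"

# Reads `ls -Z` lines on stdin; prints "name<TAB>actual_type" per mismatch.
# Optional $1 overrides the expected type (hypothetical helper, not a real CLI).
find_mislabeled() {
    awk -v want="${1:-$EXPECTED_TYPE}" '
        NF >= 5 {
            # Context is user:role:type:level; the level may itself contain
            # ":" (for example s0:c0.c1023), so only require 4+ parts.
            n = split($4, ctx, ":")
            if (n < 4) next              # column 4 is not a context, skip
            if (ctx[3] != want) {
                name = $5
                # Rejoin names that contain spaces
                for (i = 6; i <= NF; i++) name = name " " $i
                printf "%s\t%s\n", name, ctx[3]
            }
        }'
}

# Constructed sample, assembled from the listings quoted in this ticket.
sample_listing() {
    cat <<'EOF'
drwxrwxr-x. hien hien system_u:object_r:var_t:s0 images
-rw-rw-r--. hien hien system_u:object_r:var_t:s0 index.html
-rw-rw-r--. bochecha bochecha unconfined_u:object_r:httpd_user_content_t:s0 index.html
EOF
}

# Demo on the constructed sample. On a live host the equivalent would be:
#   ls -Z ~/public_html | find_mislabeled
sample_listing | find_mislabeled
```

Any name it prints is a candidate for the `restorecon -Rv public_html/` fix used above; no output means every listed entry already carries the expected type.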