今天在使用 httpd 做文件服务器的时候,发现 png 图像没有打开,但是原本www/html 文件夹内部的文件就可以打开。后来猜测是selinux 的问题,之前一直想写一篇关于selinux 的博文,现在先在这里提到一点吧。

欲详细解决  (13) Permission Denied 问题, 可以参考apache 官方文档 (13) Permission Denied

我们可以首先使用 setenforce 0 让selinux 暂时关闭,定位到是否是selinux 权限的问题。如果 关闭后,可以正常访问,我们可以进一步来进行解决:

用过 ls -Z 查看 selinux 权限:

root@yaowenxu /v/w/html# ls -alZ

total

drwxr-xrwx.  root     root     system_u:object_r:httpd_sys_content_t:s0       Aug  :  ./

drwxr-xr-x.  root     root     system_u:object_r:httpd_sys_content_t:s0       Jul  :  ../

-rw-r--r--.  xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0  Aug  : 'Screenshot from 2018-08-19 17-50-59.png'

-rw-r--r--.  xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0  Aug  : 'Screenshot from 2018-08-20 11-32-51.png'

-rw-r--r--.  xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0  Aug  : 'Screenshot from 2018-08-20 13-24-10.png'

-rw----r--.  root     root     unconfined_u:object_r:httpd_sys_content_t:s0      Aug  :  xuyaowen

查看是否是 httpd_sys_content_t 权限,如果不是,通过命令进行设置权限,我这里让http 所有文件设置为上述默认权限:

root@yaowenxu /v/w/html# chmod -R -t httpd_sys_content_t html

这样便能保持 selinux 的权限的一致性。不用多次修改了。

当然你也可以禁止 selinux : 暂时禁止使用 setenforce 命令,永久禁止修改配置文件,如下所示:

vi /etc/sysconfig/selinux

    SELINUX=enforcing --> SELINUX=disabled

不保护apache:

setsebool -P httpd_disable_trans

更多配置相关,请通过man命令,参考 selinux 说明和 selinux/apache说明。

httpd_selinux()      httpd Selinux Policy documentation      httpd_selinux()

NAME

httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION

Security-Enhanced Linux secures the httpd server via flexible mandatory

access control.

FILE_CONTEXTS

SELinux requires files to have an extended attribute to define the file

type.   Policy governs the access daemons have to these files.  SELinux

httpd policy is very flexible allowing users to setup  their  web  ser-

vices in as secure a method as possible.

The following file contexts types are defined for httpd:

httpd_sys_content_t

- Set files with httpd_sys_content_t for content which is avail-

able from all httpd scripts and the daemon.

httpd_sys_script_exec_t

- Set cgi scripts with httpd_sys_script_exec_t to allow them  to

run with access to all sys types.

httpd_sys_script_ro_t

-   Set   files   with   httpd_sys_script_ro_t   if   you   want

httpd_sys_script_exec_t scripts to read the data,  and  disallow

other sys scripts from access.

httpd_sys_script_rw_t

-   Set   files   with   httpd_sys_script_rw_t   if   you   want

httpd_sys_script_exec_t scripts to read/write the data, and dis-

allow other non sys scripts from access.

httpd_sys_script_ra_t

-   Set   files   with   httpd_sys_script_ra_t   if   you   want

httpd_sys_script_exec_t scripts to read/append to the file,  and

disallow other non sys scripts from access.

httpd_unconfined_script_exec_t

-  Set  cgi scripts with httpd_unconfined_script_exec_t to allow

them to run without any SELinux protection. This should only  be

used  for  a  very  complex  httpd scripts, after exhausting all

other options.  It is better to  use  this  script  rather  than

turning off SELinux protection for httpd.

NOTE

With  certain  policies  you can define addional file contexts based on

roles like user or  staff.   httpd_user_script_exec_t  can  be  defined

where it would only have access to "user" contexts.

SHARING FILES

If  you  want to share files with multiple domains (Apache, FTP, rsync,

Samba), you can set a file context of public_content_t and  public_con-

tent_rw_t.   These  context  allow any of the above domains to read the

content.  If you want a particular domain to write to  the  public_con-

tent_rw_t    domain,    you   must   set   the   appropriate   boolean.

allow_DOMAIN_anon_write.  So for httpd you would execute:

setsebool -P allow_httpd_anon_write=

or

setsebool -P allow_httpd_sys_script_anon_write=

BOOLEANS

SELinux policy is customizable based on least access required.   So  by

default SElinux prevents certain http scripts from working.  httpd pol-

icy is extremely flexible and has several booleans that  allow  you  to

manipulate  the policy and run httpd with the tightest access possible.

httpd  can  be  setup  to  allow  cgi  scripts  to  be  executed,   set

httpd_enable_cgi to allow this

setsebool -P httpd_enable_cgi 

httpd by default is not allowed to access users home  directories.   If

you  want to allow access to users home directories you need to set the

httpd_enable_homedirs boolean and change the context of the files  that

you want people to access off the home dir.

setsebool -P httpd_enable_homedirs

chcon -R -t httpd_sys_content_t ~user/public_html

httpd by default is not allowed access to the controling terminal.   In

most  cases  this is prefered, because an intruder might be able to use

the access to the terminal to gain privileges. But  in  certain  situa-

tions  httpd needs to prompt for a password to open a certificate file,

in these cases, terminal access is required.   Set  the  httpd_tty_comm

boolean to allow terminal access.

setsebool -P httpd_tty_comm 

httpd can be configured to not differentiate  file  controls  based  on

context, i.e. all files labeled as httpd context can be read/write/exe-

cute.  Setting this boolean to false allows you to setup  the  security

policy such that one httpd service can not interfere with another.

setsebool -P httpd_unified 

httpd can be configured to turn off internal scripting (PHP).  PHP  and

other

loadable modules run under the same context as httpd.  Therefore

several  policy  rules  allow httpd greater access to the system

then is needed if you only use external cgi scripts.

setsebool -P httpd_builtin_scripting 

httpd scripts by default are not allowed to connect out to the network.

This would prevent a hacker from breaking into you httpd  server

and attacking other machines.  If you need scripts to be able to

connect you can set the httpd_can_network_connect boolean on.

setsebool -P httpd_can_network_connect 

You can disable suexec transition, set httpd_suexec_disable_trans  deny

this

setsebool -P httpd_suexec_disable_trans 

You can disable SELinux protection for the httpd daemon by executing:

setsebool -P httpd_disable_trans

service httpd restart

system-config-securitylevel  is  a  GUI  tool  available  to  customize

SELinux policy settings.

AUTHOR

This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO

selinux(), httpd(), chcon(), setsebool()

dwalsh@redhat.com                  Jan                  httpd_selinux()

保持更新,转载请注明出处。如果对你有帮助,请点击右下角推荐。

apache 访问权限出错,apache selinux 权限问题, (13) Permission Denied的更多相关文章

  1. linux挂载windows共享文件夹出错,提示mount error(13): Permission denied

    完整的可以工作的命令行: mount -v -t cifs -o username=clouder,password=123456,iocharset=utf8,sec=ntlm //172.28.1 ...

  2. 在apache环境中使用 python stock 请求遇到error: [Errno 13] Permission denied

    一个python 项目运行在linux 环境下,使用apache做为web容器. 调用urllib2.urlopen(your url) 或者 xmlrpclib.ServerProxy()请求某个服 ...

  3. nginx权限问题failed(13:Permission denied)

    nginx权限问题failed(13:Permission denied) 环境配置  nginx Permission denied 问题: 使用nginx代理uwsgi,出现500错误,查看ngi ...

  4. nginx的权限问题(13: Permission denied)解决办法

    一个nginx带多个tomcat集群环境,老是报如下错误:   2012/03/07 15:30:39 /opt/nginx/proxy_temp/4/31/0000000314" fail ...

  5. 解决nginx访问问题connect() to 127.0.0.1:8080 failed (13: Permission denied) while connecting to upstream,

    问题:搭建好项目之后,用nginx进行代理,进行日常配置之后,发现前端正常访问,但是后端访问出现错误,报502错误,查找nginx日志,发现connect() to 127.0.0.1:8080 fa ...

  6. Apache 403 error, (13)Permission denied: access to / denied问题

    Apache 配置Alias 后,无法访问 CentOS系统 检查了一圈httpd.conf和目录权限,均没有发现问题. 最后,看了这篇文章,发现是因为系统启动了SELINUX导致的. http:// ...

  7. ORA-12546: TNS: 权限被拒绝(ORA - 12546 TNS: Permission Denied)

    这个问题上网一查大都是说权限之类的问题,本人在经过第二次折腾之后发现,其实是自己的Oracle客户端工具在破解过程中被自己用防火墙禁止访问网络了,自己还在另一篇博文里记录过,竟然忘光了,BS一下自己! ...

  8. npm 在安装的时候提示 没有权限操作的解决办法 Error: EACCES: permission denied

    十分感谢https://blog.csdn.net/ldqsxsl/article/details/75059607的帮助! 错误原因:权限错误,需要root用户. 解决办法:就是把用户目录下的 .n ...

  9. 在python中打开文件显示没有权限PermissionError: [Errno 13] Permission denied:

    不多说了,我犯了低级错误 ,文件路径搞错了

随机推荐

  1. java实现网页结构分析列表发现

    现在的网站千奇百怪,什么样格式的都有,需要提取网页中的列表数据,有时候挨个分析处理很头疼,本文是一个页面结构分析的程序,可以分析处理页面大致列表结构. 废话不多说,我也不会说,show me code ...

  2. 调试工具Chisel-LLDB插件

    Chisel-LLDB命令插件 相信每个人或多或少都在用LLDB来调试,比如po一个对象.LLDB的是非常强大的,且有内建的,完整的 Python 支持.今天我们主要介绍一个 facebook 开源的 ...

  3. JCE cannot authenticate the provider BC

    报错原因: 在使用oracle的JDK时,JAR包必须签署特殊的证书才能使用.(具体是什么协议没查出来,惭愧) 方案一: 使用openJDK或者非oracle的JDK,这样就可以绕开证书的限制.该方案 ...

  4. Jenkins : 安装 master 和 slave

    目录 安装 master 安装 slave 设置 master 与 slave 的通信方式 添加 slave 配置 在 salve 上安装 jre 安装并配置 Jenkins salve Jenkin ...

  5. springboot+cloud 学习(二)应用间通信Feign(伪RPC,实则HTTP)

    在微服务中,使用什么协议来构建服务体系,一直是个热门话题. 争论的焦点集中在两个候选技术:  RPC or Restful Restful架构是基于Http应用层协议的产物,RPC架构是基于TCP传输 ...

  6. flask数据库迁移理解及命令

    前言: 使用数据库迁移,可以直接建表,而不用我们自己写sql语句用来建表.就是将关系型数据库的一张张表转化成了Python的一个个类. 在开发中经常会遇到需要修改原来的数据库模型,修改之后更新数据库, ...

  7. 【手记】sql报“聚合或其他set操作消除了null值”处理

    这个警告在常规场景中没什么影响,但如果是用excel跑SQL,它会因为该警告阻止你的后续操作~事实上excel执行sql限制多多,需要更多的奇技淫巧,之前我就写过一篇.言归正传,要解决这个警告,一种当 ...

  8. c# API接受图片文件以文件格式上传图片

    /// 文件图片上传 /// </summary> /// <returns>成功上传返回上传后的文件名</returns> [HttpPost] public a ...

  9. SqlServer 登录和卸载

    一.数据库简介 SQLServer环境配置 安装好数据库以后怎么启用sa账号来访问数据库. 1.先用windows账号登录数据库. 2.启用windows身份验证方式和sql server身份验证方式 ...

  10. maven详细配置

    Eclipse上Maven环境配置使用 (全) 1. 安装配置Maven: 1.1 从Apache网站 http://maven.apache.org/ 下载并且解压缩安装Apache Maven. ...