Today, while using httpd as a file server, I found that PNG images would not open, even though the files that were originally inside the www/html directory opened fine. I later guessed it was a SELinux problem. I have been meaning to write a post about SELinux for a while; for now I will just note one point here.

For a detailed treatment of the (13) Permission Denied problem, see the Apache documentation page "(13) Permission Denied".

First, run setenforce 0 to switch SELinux to permissive mode temporarily and confirm whether the problem is a SELinux permission issue. If access works normally after that, we can go on to fix it properly:

Use ls -Z to view the SELinux labels:

root@yaowenxu /v/w/html# ls -alZ
total
drwxr-xrwx. root root system_u:object_r:httpd_sys_content_t:s0 Aug : ./
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 Jul : ../
-rw-r--r--. xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 Aug : 'Screenshot from 2018-08-19 17-50-59.png'
-rw-r--r--. xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 Aug : 'Screenshot from 2018-08-20 11-32-51.png'
-rw-r--r--. xuyaowen xuyaowen unconfined_u:object_r:httpd_sys_content_t:s0 Aug : 'Screenshot from 2018-08-20 13-24-10.png'
-rw----r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 Aug : xuyaowen

Check whether the type is httpd_sys_content_t. If it is not, set it with the following command (chcon, not chmod, changes the SELinux label); here I give all of the http files the default type shown above:

root@yaowenxu /v/w/html# chcon -R -t httpd_sys_content_t html

This keeps the SELinux labels consistent, so they do not have to be changed over and over.

Of course, you can also disable SELinux altogether: temporarily with the setenforce command, or permanently by editing the configuration file as shown below:

vi /etc/sysconfig/selinux
SELINUX=enforcing --> SELINUX=disabled

To turn off SELinux protection for Apache only (the boolean takes a value, 1 = on):

setsebool -P httpd_disable_trans 1

For more configuration details, see the SELinux and SELinux/Apache man pages (man selinux, man httpd_selinux).
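The steps above (ls -Z, then relabel) can be turned into a small audit. The script below is an added example and is not part of the original post: it parses `ls -Z` style output (context first, then the file name), reports every entry whose type the httpd domain is not allowed to read, and prints the persistent fix. It uses `semanage fcontext` plus `restorecon` rather than `chcon`, because `chcon` only changes the inode and is undone by the next relabel, whereas a file-context rule survives. The listing is constructed for the demonstration; the `user_home_t` file in it is the classic case of a file moved (mv keeps the label; cp relabels to the parent's default) from a home directory into the DocumentRoot.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SELinux labels under a
# DocumentRoot for entries that httpd_t is not allowed to read, and print the
# persistent way to fix them (file-context rule + restorecon) instead of chcon.
# The audit parses `ls -Z` style output (context, then file name), so it runs
# on any machine; the listing below is constructed for the demonstration.

# Types the httpd domain may read as content, taken from the httpd_selinux(8)
# file-context list and its SHARING FILES section.
HTTPD_READABLE_TYPES="httpd_sys_content_t httpd_sys_script_ro_t httpd_sys_script_rw_t httpd_sys_script_ra_t public_content_t public_content_rw_t"

# Constructed `ls -Z` output. A file moved (mv keeps its label) from a home
# directory arrives as user_home_t, which httpd_t cannot read -> (13) Permission denied.
SAMPLE_LISTING='system_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:httpd_sys_content_t:s0 Screenshot from 2018-08-19 17-50-59.png
unconfined_u:object_r:user_home_t:s0 moved-from-home.png
unconfined_u:object_r:admin_home_t:s0 notes.txt'

# selinux_type_of CONTEXT: print the type field of user:role:type:level.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# find_unreadable_entries: read `ls -Z` lines on stdin and print "<type> <name>"
# for every entry whose type is not one httpd may read. File names containing
# spaces survive because `read` leaves the remainder of the line in $name.
find_unreadable_entries() {
    while read -r ctx name; do
        case "$ctx" in *:*:*:*) ;; *) continue ;; esac   # skip "total" and blank lines
        t=$(selinux_type_of "$ctx")
        case " $HTTPD_READABLE_TYPES " in
            *" $t "*) ;;                                   # readable by httpd_t
            *) printf '%s %s\n' "$t" "$name" ;;
        esac
    done
}

# fix_commands_for DOCROOT: print the commands that make the label permanent.
# Under the targeted policy /var/www(/.*)? is already mapped to
# httpd_sys_content_t, so for the default DocumentRoot restorecon alone is
# enough; any other path first needs a file-context rule.
fix_commands_for() {
    docroot=${1%/}
    case "$docroot" in
        /var/www|/var/www/*) ;;
        *) printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$docroot" ;;
    esac
    printf 'restorecon -Rv %s\n' "$docroot"
}

# Stand-alone run over the constructed listing (on a real host: ls -Z /var/www/html | find_unreadable_entries).
printf '%s\n' "$SAMPLE_LISTING" | find_unreadable_entries
fix_commands_for /srv/www/files
```

The printed `semanage`/`restorecon` lines are meant to be reviewed and then run as root; when the denial persists after relabelling, `ausearch -m AVC -ts recent` shows which type httpd was actually denied access to.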

httpd_selinux(8)        httpd Selinux Policy documentation        httpd_selinux(8)

NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd daemon

DESCRIPTION
       Security-Enhanced Linux secures the httpd server via flexible mandatory
       access control.

FILE_CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type. Policy governs the access daemons have to these files. SELinux
       httpd policy is very flexible allowing users to setup their web services
       in as secure a method as possible.

       The following file contexts types are defined for httpd:

       httpd_sys_content_t
              - Set files with httpd_sys_content_t for content which is
              available from all httpd scripts and the daemon.

       httpd_sys_script_exec_t
              - Set cgi scripts with httpd_sys_script_exec_t to allow them to
              run with access to all sys types.

       httpd_sys_script_ro_t
              - Set files with httpd_sys_script_ro_t if you want
              httpd_sys_script_exec_t scripts to read the data, and disallow
              other sys scripts from access.

       httpd_sys_script_rw_t
              - Set files with httpd_sys_script_rw_t if you want
              httpd_sys_script_exec_t scripts to read/write the data, and
              disallow other non sys scripts from access.

       httpd_sys_script_ra_t
              - Set files with httpd_sys_script_ra_t if you want
              httpd_sys_script_exec_t scripts to read/append to the file, and
              disallow other non sys scripts from access.

       httpd_unconfined_script_exec_t
              - Set cgi scripts with httpd_unconfined_script_exec_t to allow
              them to run without any SELinux protection. This should only be
              used for very complex httpd scripts, after exhausting all other
              options. It is better to use this script than turning off
              SELinux protection for httpd.

NOTE
       With certain policies you can define additional file contexts based on
       roles like user or staff. httpd_user_script_exec_t can be defined where
       it would only have access to "user" contexts.

SHARING FILES
       If you want to share files with multiple domains (Apache, FTP, rsync,
       Samba), you can set a file context of public_content_t and
       public_content_rw_t. These contexts allow any of the above domains to
       read the content. If you want a particular domain to write to the
       public_content_rw_t domain, you must set the appropriate boolean,
       allow_DOMAIN_anon_write. So for httpd you would execute:

       setsebool -P allow_httpd_anon_write=1
       or
       setsebool -P allow_httpd_sys_script_anon_write=1

BOOLEANS
       SELinux policy is customizable based on least access required. So by
       default SElinux prevents certain http scripts from working. httpd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run httpd with the tightest access possible.

       httpd can be setup to allow cgi scripts to be executed, set
       httpd_enable_cgi to allow this

       setsebool -P httpd_enable_cgi 1

       httpd by default is not allowed to access users home directories. If
       you want to allow access to users home directories you need to set the
       httpd_enable_homedirs boolean and change the context of the files that
       you want people to access off the home dir.

       setsebool -P httpd_enable_homedirs 1
       chcon -R -t httpd_sys_content_t ~user/public_html

       httpd by default is not allowed access to the controlling terminal. In
       most cases this is preferred, because an intruder might be able to use
       the access to the terminal to gain privileges. But in certain
       situations httpd needs to prompt for a password to open a certificate
       file, in these cases, terminal access is required. Set the
       httpd_tty_comm boolean to allow terminal access.

       setsebool -P httpd_tty_comm 1

       httpd can be configured to not differentiate file controls based on
       context, i.e. all files labeled as httpd context can be
       read/write/execute. Setting this boolean to false allows you to setup
       the security policy such that one httpd service can not interfere with
       another.

       setsebool -P httpd_unified 0

       httpd can be configured to turn off internal scripting (PHP). PHP and
       other loadable modules run under the same context as httpd. Therefore
       several policy rules allow httpd greater access to the system than is
       needed if you only use external cgi scripts.

       setsebool -P httpd_builtin_scripting 0

       httpd scripts by default are not allowed to connect out to the network.
       This would prevent a hacker from breaking into your httpd server and
       attacking other machines. If you need scripts to be able to connect you
       can set the httpd_can_network_connect boolean on.

       setsebool -P httpd_can_network_connect 1

       You can disable suexec transition, set httpd_suexec_disable_trans to
       deny this

       setsebool -P httpd_suexec_disable_trans 1

       You can disable SELinux protection for the httpd daemon by executing:

       setsebool -P httpd_disable_trans 1
       service httpd restart

       system-config-securitylevel is a GUI tool available to customize
       SELinux policy settings.

AUTHOR
       This manual page was written by Dan Walsh <dwalsh@redhat.com>.

SEE ALSO
       selinux(8), httpd(8), chcon(1), setsebool(8)

dwalsh@redhat.com                       Jan                      httpd_selinux(8)
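The BOOLEANS section lists switches that each widen what the httpd domain may do. The script below is an added example and not part of the man page or the post: it parses `getsebool -a` output and reports every access-widening httpd boolean that is currently on, with the effect the man page ascribes to it, then prints the `setsebool -P` lines that turn them back off. Booleans a policy does not define simply never appear in `getsebool -a` and are skipped; note that `httpd_disable_trans` and the other `*_disable_trans` booleans exist only in the old policy the man page documents, and current policies express the same thing as a permissive domain (`semanage permissive -a httpd_t`), which `getsebool` does not show. The `getsebool` listing below is constructed.

```shell
#!/bin/sh
# Added example, not from the httpd_selinux(8) text or the original post: audit
# `getsebool -a` output for httpd booleans that are switched away from the
# tight default the man page describes. The input is parsed as text so the
# audit runs anywhere; the listing below is constructed.

# boolean:effect when on (wording follows the man page's BOOLEANS section).
WIDENING_BOOLEANS='httpd_disable_trans:httpd runs with no SELinux protection at all
httpd_can_network_connect:scripts may open outbound network connections
httpd_unified:all httpd-labelled files become read/write/execute
httpd_builtin_scripting:PHP and other in-process modules run inside the httpd domain
httpd_enable_homedirs:httpd may serve content from user home directories
httpd_tty_comm:httpd may talk to the controlling terminal
httpd_suexec_disable_trans:suexec no longer transitions to its own domain
allow_httpd_anon_write:httpd may write to public_content_rw_t
allow_httpd_sys_script_anon_write:sys scripts may write to public_content_rw_t'

# Constructed `getsebool -a` output (format: name --> on|off).
SAMPLE_BOOLEANS='httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> off
allow_httpd_anon_write --> off'

# widened_booleans: read getsebool output on stdin and print "<boolean>: <effect>"
# for each access-widening boolean that is on. httpd_enable_cgi is on in the
# sample but is not in the list, so it is not reported.
widened_booleans() {
    while read -r name arrow state; do
        if [ "$arrow" = "-->" ] && [ "$state" = "on" ]; then
            effect=$(printf '%s\n' "$WIDENING_BOOLEANS" | awk -F: -v n="$name" '$1 == n { print $2 }')
            if [ -n "$effect" ]; then
                printf '%s: %s\n' "$name" "$effect"
            fi
        fi
    done
}

# tighten_commands: read getsebool output on stdin and print the persistent
# (-P, as in the man page) setsebool lines that switch each widened boolean off.
tighten_commands() {
    widened_booleans | cut -d: -f1 | while read -r name; do
        printf 'setsebool -P %s off\n' "$name"
    done
}

# Stand-alone run over the constructed listing (on a real host: getsebool -a | widened_booleans).
printf '%s\n' "$SAMPLE_BOOLEANS" | widened_booleans
printf '%s\n' "$SAMPLE_BOOLEANS" | tighten_commands
```

Treat the report as a review list rather than something to apply blindly: a PHP site needs httpd_builtin_scripting, and an application that calls out to a database or an upstream API needs httpd_can_network_connect (or the narrower httpd_can_network_connect_db on newer policies); the point is to know which widenings are in force and why.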
