
Apache Permission denied for /srv/www: unable to check .htaccess file but not for /var/www


I've hit a problem on CentOS 6.5:

[Mon Dec 28 12:10:52 2012] [a] [client 127.0.0.1] (13) Permission denied: /srv/www/website/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Basically, I was building a brand new server and trying to migrate all of my websites over into /srv/www folder instead of /var/www as it appears to be the future standard (there is a whole discussion about it so just google).

What I did:

1) added a new group (groupadd developers)

2) added users a (gid 501), root, apache, nobody to the above group (usermod -G developers a && usermod -G developers apache && usermod -G developers root && usermod -G developers nobody)

3) copied all folders & files into /srv/www

4) changed ownership of entire /srv/www to apache:developers (chown -R apache:developers /srv/www)

5) changed mode so /srv/www is group readable/writable/searchable (chmod -R 2775 /srv/www)

6) added 'umask 002' to the end of /etc/sysconfig/httpd so it runs in group writable mode

7) added virtual host(s) to /etc/httpd/conf.d/vhosts.conf (service httpd configtest throws OK)

NameVirtualHost *:80
NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerAdmin webmaster@domain.ext
    DocumentRoot /srv/www/test
    ServerName test.domain.com
    ServerAlias test.domain
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/domain.com/server.crt
    SSLCertificateKeyFile /etc/httpd/certs/domain.com/server.key
    <Directory /srv/www/test>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

8) restarted the server

9) started httpd manually because it asks for SSL certificate password otherwise autostart fails (need to look into how to start it automatically after rebooting)

I am still getting the same above error message.

Then, I tried changing the home folder in /etc/passwd for apache user to /srv/www (server restart) but still no joy i.e. Permission denied. I even renamed the old /var/www folder and created a symlink in /var/www to /srv/www. Another attempt was to chown back to root:root, apache:apache and :developers group for both.

/srv/www/ [NOT WORKING]

drwxr-xr-x. 2 root root (cgi-bin, error, html,icons)

drwxrwsr-x. 5 apache developers (all other website folders)

-rwxrwsr-x. 1 apache developers (all files)

/srv/

drwxrwsr-x. 4 apache developers www

/var/www [WORKING]

drwxr-xr-x. 2 root root (cgi-bin, error, html,icons)

drwxrwxr-x. 3 apache developers (all other website folders)

-rwxrwxr-x. 1 apache developers (all website files)

Then, as soon as I copy one of my website's folders into /var/www and point the paths in /etc/httpd/conf.d/vhosts.conf there, it starts to work fine!

DOES ANYONE KNOW WHY IT'S NOT WORKING IN /SRV/WWW folder??


Solution

  • I finally got to the bottom of the problem. It's caused by SELinux policies overriding basic traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) normally used to control the file access of users!

    $ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted
    
    $ setenforce
    usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
    
    $ setenforce Permissive
    
    $ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy version:                 24
    Policy from config file:        targeted
    

    More info on SELinux at CentOS. As soon as I switched to Permissive mode my /srv/ started working.

    If you know what you are doing and why, then you can permanently disable SELinux in /etc/selinux/config by changing the following line:

    SELINUX=enforcing
    

    to

    SELINUX=disabled
    

    Restart your server and you should have it disabled permanently.

    Note: When switching from Disabled to either Permissive or Enforcing mode, it is highly recommended that the system be rebooted and the filesystem relabeled.
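
Added example (not part of the original question or answer): the SELinux denial behind a `Permission denied` like the one in this thread is recorded in the audit log, and this sketch summarises httpd AVC denials so the offending file label is visible. The sample log lines, the `var_t` target type in them and the function names `sample_avc` and `httpd_denials` are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for httpd from audit log lines.

# Constructed sample in audit.log format (not taken from the original post).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1356696652.101:411): avc:  denied  { getattr } for  pid=2301 comm="httpd" path="/srv/www/website/.htaccess" dev=dm-0 ino=262311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1356696652.101:412): avc:  denied  { getattr } for  pid=2301 comm="httpd" path="/srv/www/website/.htaccess" dev=dm-0 ino=262311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1356696660.870:415): avc:  denied  { read } for  pid=2302 comm="httpd" name="index.php" dev=dm-0 ino=262320 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1356696660.870:415): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1356696700.004:420): avc:  denied  { read } for  pid=1900 comm="crond" name="jobs" dev=dm-0 ino=1311 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Print each distinct httpd denial once:
#   <perms> <source type> -> <target type> (<class>) <object>
httpd_denials() {
    awk '
    $1 == "type=AVC" && /denied/ && /comm="httpd"/ {
        perm = obj = src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? "" : perm ",") $j
            if ($i ~ /^(path|name)=/) { obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj) }
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = perm " " src " -> " tgt " (" cls ") " obj
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# On a real host (as root): httpd_denials < /var/log/audit/audit.log
# A target type httpd_t may not read points at file labelling; the usual repair
# keeps SELinux enforcing and relabels the tree instead:
#   semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
#   restorecon -Rv /srv/www
sample_avc | httpd_denials
```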