I have a simple Flask/Nginx server and 3 files in location /opt/hosting/files:
[adam@localhost]$ namei -om /opt/hosting/files
f: /opt/hosting/files
dr-xr-xr-x root root /
drwxr-xr-x root root opt
drwxr-xr-x root root hosting
drwxr-xr-x nginx nginx files
In the folder files I have 3 files: two images and a bigger zip file:
[adam@localhost]$ ls -lh /opt/hosting/files/
total 424M
-rwx-----x. 1 nginx nginx 19K 03-06 01:29 file1.jpg
-rwx-----x. 1 nginx nginx 18M 03-06 03:34 file2.png
-rwxr-xr-x. 1 nginx nginx 406M 07-07 13:07 file3.zip
I am serving these files and while the first two appear without a problem, I get 403 Forbidden for the zip file both through www and using wget. I think directory permissions are set correctly, since the two other files are fine. Zip file properties are even higher so this shouldn't be an issue as well.
I tried using chown root:root and chown 777 for file and folders and couldn't access the file anyway. After making changes I'm restarting nginx with sudo systemctl restart uwsgi. SELinux shows Enforcing.
What is the problem here?
Got it. Reading a comment by tinesoft here made me check SELinux context of files (yes, I'm running CentOS, forgot to mention that) and it was:
[adam@localhost]$ ls -lZ /opt/hosting/files
-rwx-----x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 file1.jpg
-rwx-----x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 file2.png
-rwxr-xr-x. nginx nginx unconfined_u:object_r:user_home_t:s0 file3.zip
Then, following SELinux documentation from RedHat I managed to change the type of SELinux context from user_home_t to httpd_sys_content_t using:
sudo chcon -t httpd_sys_content_t file3.zip
That was it.
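A way to spot this kind of mislabeling without reading the listing by eye, as an added example that is not part of the original post: the function name `mislabeled` and the `EXPECTED_TYPE` variable are made up for illustration, and the sample input is the `ls -lZ` listing shown above.

```sh
#!/bin/sh
# Added example, not from the original post.
# Reads `ls -lZ` output on stdin and prints every entry whose SELinux type
# differs from the expected one, as "name<TAB>type".
# Assumption: file names contain no whitespace (the name is taken as the last field).
EXPECTED_TYPE="${EXPECTED_TYPE:-httpd_sys_content_t}"

mislabeled() {
    awk -v want="$EXPECTED_TYPE" '
        {
            for (i = 1; i <= NF; i++) {
                # A context looks like user:role:type:level[:categories];
                # the role part ends in _r (object_r for files).
                if (split($i, ctx, ":") >= 4 && ctx[2] ~ /_r$/) {
                    if (ctx[3] != want) printf "%s\t%s\n", $NF, ctx[3]
                    break
                }
            }
        }'
}

# Sample input: the listing from the post above.
sample_listing() {
    cat <<'EOF'
-rwx-----x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 file1.jpg
-rwx-----x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 file2.png
-rwxr-xr-x. nginx nginx unconfined_u:object_r:user_home_t:s0 file3.zip
EOF
}

sample_listing | mislabeled

# On a live system:
#   ls -lZ /opt/hosting/files | mislabeled
#
# chcon only changes the label on the file itself; a relabel or restorecon
# resets it to the policy default. To make the label part of the policy:
#   sudo semanage fcontext -a -t httpd_sys_content_t '/opt/hosting/files(/.*)?'
#   sudo restorecon -Rv /opt/hosting/files
```

A file keeps its existing label when it is moved with mv, while a file created or copied into the directory takes the directory's default type, which is one common way a single file in a web root ends up with a type such as user_home_t.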