I'm in the process of configuring our new server on RedHat 8.4 and making userdir work with httpd has been bugging me. I've configured the file /etc/httpd/conf.d/userdir.conf as follows:
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir enabled
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory "/user/*/public_html">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
I've used /user because we don't use the /home directory and I think that is part of the problem.
I read online that SELinux configures the folder with some degree of accessibility and I tried adding the same rule as /home to the /user folder:
/user/[^/]+/.+ all files system_u:object_r:user_home_t:s0
I also ran the command setsebool -P httpd_enable_homedirs 1, but since /user is not the home directory, it did nothing.
I also made sure to give access to the full path leading to /public_html and the folders inside.
If you have any ideas of things I can do that I haven't done already, I'll be happy to hear about it.
After running audit2allow -a:
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# httpd_use_nfs, use_nfs_home_dirs, git_system_use_nfs
allow httpd_t nfs_t:dir read;
#!!!! This avc can be allowed using one of the these booleans:
# httpd_use_nfs, use_nfs_home_dirs, git_system_use_nfs
allow httpd_t nfs_t:file getattr;
#============= init_t ==============
#!!!! This avc is allowed in the current policy
allow init_t portmap_port_t:tcp_socket name_connect;
#============= rhsmcertd_t ==============
allow rhsmcertd_t gpg_exec_t:file execute;
#============= sshd_t ==============
#!!!! This avc can be allowed using the boolean 'use_nfs_home_dirs'
allow sshd_t nfs_t:file read;
#============= system_dbusd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
#!!!! This avc is allowed in the current policy
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;
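An added example, not part of the question or of any answer here: a small Python parser for the audit2allow -a output quoted above. It turns each allow line into a record tagged with what audit2allow said about it (already allowed, covered by a dontaudit rule, fixable with a boolean, or needing a custom module) and then intersects the suggested booleans, which is the quickest way to see that a single boolean covers both the httpd_t and sshd_t denials. The function names, the status labels and the sample text (the output from the question, embedded so it runs offline) are my own choices, not anything audit2allow itself provides.

```python
import re

# Constructed sample input: the audit2allow -a output quoted in the question,
# embedded here so the parser runs offline.
SAMPLE = """\
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# httpd_use_nfs, use_nfs_home_dirs, git_system_use_nfs
allow httpd_t nfs_t:dir read;
#!!!! This avc can be allowed using one of the these booleans:
# httpd_use_nfs, use_nfs_home_dirs, git_system_use_nfs
allow httpd_t nfs_t:file getattr;
#============= init_t ==============
#!!!! This avc is allowed in the current policy
allow init_t portmap_port_t:tcp_socket name_connect;
#============= rhsmcertd_t ==============
allow rhsmcertd_t gpg_exec_t:file execute;
#============= sshd_t ==============
#!!!! This avc can be allowed using the boolean 'use_nfs_home_dirs'
allow sshd_t nfs_t:file read;
#============= system_dbusd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
"""

# "allow <source> <target>:<class> <perm>;" or "... { perm perm };"
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));$")


def parse_audit2allow(text):
    """Return one dict per allow line, tagged with the status audit2allow printed
    in the '#!!!!' comment above it and any booleans it suggested."""
    rules, hints = [], []
    status, expect_list = "needs_module", False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#====="):
            continue                      # blank line or domain header
        if line.startswith("#!!!!"):
            if "dontaudit" in line:
                status = "dontaudit"
            elif "is allowed in the current policy" in line:
                status = "already_allowed"
            elif "booleans:" in line:
                status, expect_list = "boolean", True   # names follow on the next line
            else:
                m = re.search(r"boolean '([^']+)'", line)
                if m:
                    status = "boolean"
                    hints.append(m.group(1))
            continue
        if line.startswith("#"):
            if expect_list:               # "# bool_a, bool_b, bool_c"
                hints.extend(b.strip() for b in line[1:].split(",") if b.strip())
                expect_list = False
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, cls, many, one = m.groups()
        rules.append({"source": src, "target": tgt, "class": cls,
                      "perms": many.split() if many else [one],
                      "status": status, "booleans": tuple(hints)})
        hints, status, expect_list = [], "needs_module", False   # reset for next rule
    return rules


def triage(rules):
    """Group denials by the action they need; only 'needs_module' entries would
    justify a custom policy module, and each of those deserves a look first."""
    groups = {"already_allowed": [], "dontaudit": [], "boolean": [], "needs_module": []}
    for r in rules:
        groups[r["status"]].append(
            f"{r['source']} {r['target']}:{r['class']} {' '.join(r['perms'])}")
    return groups


def common_boolean(rules, domains=None):
    """Booleans that would resolve every boolean-fixable denial of the given
    domains (all domains if None); an empty set means no single boolean suffices."""
    sets = [set(r["booleans"]) for r in rules
            if r["status"] == "boolean" and (domains is None or r["source"] in domains)]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    parsed = parse_audit2allow(SAMPLE)
    for status, items in triage(parsed).items():
        print(f"{status}: {items}")
    print("one boolean for httpd_t and sshd_t:", common_boolean(parsed, {"httpd_t", "sshd_t"}))
```

On the output above this reports use_nfs_home_dirs as the only boolean shared by the httpd_t and sshd_t denials, leaves the init_t and system_dbusd_t lines in the "nothing to do" groups, and isolates the rhsmcertd_t line as the only one with no boolean, which is the one to investigate rather than blindly allow.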
The needed context is httpd_user_content_t for read-only or httpd_user_content_rw_t for read-write.
Also, since you have UserDir public_html in your configuration, you only need to label this directory.
Last, you might also need the httpd_read_user_content boolean for Apache to access the public_html directory, but you can try without.
This should be enough then:
semanage fcontext -a -t httpd_sys_content_t '/user/[^/]+/public_html(/.*)?'
restorecon -RF /user
setsebool -P httpd_enable_homedirs 1
setsebool -P httpd_read_user_content 1
Edit: based on the result of your audit2allow -a, I guess the /user FS is NFS, so you may need to use the suggested boolean: setsebool -P use_nfs_home_dirs 1