loading...

How to: Apache Userdir with SELinux installed

mvinhas profile image Micael Vinhas Updated on ・3 min read

SELinux

One of the first struggles I had when I started using Fedora as my Linux production environment was to be able to use my /home folder with Apache and SELinux. Initially I had the habit of linking content from home to /var/www/html, and then accessing via browser to my projects.

It turns out that, with SELinux, that’s not an easy task. SELinux’s access control policies, by default, do not allow access to the /home contents, showing the HTTP 403 Forbidden error. I did a lot of searching over the Internet and I was absolutely silly by the amount of responses that suggested that SELinux should be disabled or put in permissive mode. Disabling things is not a thing I like to do, especially when those things are actually important.

According to the NSA Security-enhanced Linux Team:

NSA Security-Enhanced Linux is a set of patches to the Linux kernel and utilities to provide a strong, flexible, mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering, and bypassing of application security mechanisms, to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.

That is, its use helps reduce the likelihood that programs will cause an unwanted behavior on the system, especially if they already have a defect that would allow someone to gain unauthorized access to any part of the system.

For those who, like me, like to have their projects in their home directory and still want to access these via Apache, how should they proceed? Based on my research, I will introduce you the one that for me is the best solution, and that does not have major security implications.

NOTE: The process that I’m going to show you was only tested on Fedora 28, but due to the similarities, should work on previous Fedora version as well on Red Hat Linux Enterprise 7.5 and CentOS 7.5.

Enable Apache UserDir

This way we can access a specific directory of our /home as our projects directory. Usually it can be accessed as follows:
http://localhost/~user

1. Edit userdir.conf file

sudo vim /etc/httpd/conf.d/userdir.conf

Now enable UserDir and specify the folder you want to give access to.

NOTE: for this tutorial I will use user mvinhas and folder workspace.

<IfModule mod_userdir.c>
 #
 # UserDir is disabled by default since it can confirm the presence
 # of a username on the system (depending on home directory
 # permissions).
 #
 UserDir enabled mvinhas
#
 # To enable requests to /~user/ to serve the user’s public_html
 # directory, remove the “UserDir disabled” line above, and uncomment
 # the following line instead:
 #
 UserDir workspace
</IfModule>
<Directory /home/*/workspace>
 AllowOverride FileInfo AuthConfig Limit Indexes
 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
 Require method GET POST OPTIONS
</Directory>

This will enable UserDir to all users on your computer.

If you want to specify the users you show keep UserDir disabled and then enable it to the users you want:


UserDir disabled
UserDir enabled mvinhas user1 user2

Note that you can do the opposite, ie. enable UserDir and then deny access to some users:


UserDir enabled
UserDir disabled mvinhas test1

2. Restart Apache
sudo systemctl start httpd.service

3. Change folder permissions to your folder and /home directory

chmod 711 /home/mvinhas
sudo chown mvinhas:mvinhas /home/mvinhas/workspace
chmod 755 /home/mvinhas/workspace

4. Adjust SELinux to enable Apache homedirs

sudo setsebool -P httpd_enable_homedirs true
sudo chcon -R -t httpd_sys_content_t /home/mvinhas/workspace

Now you should be able to use your folder with SELinux enabled!

You can see the folder and file SELinux context by doing ls -Z in the terminal. You can also combine -Z with the traditional -la argument, so you can see both SELinux policy and traditional file/folder permissions:

As you can see, I checked the SELinux status first, showing me that SELinux is in Enforcing mode, the default and recommended mode.

That’s it. If you have any questions, feel free to ask!

Discussion

pic
Editor guide