
I just installed CentOS & Virtualmin on a VPS (the VPS is mounted on Proxmox). I thought I had configured it all right until I tried to access the first site I uploaded. It gives me a 403 Forbidden: You don't have permission to access / on this server.

The error_log is as follows:

[Sun Sep 20 13:24:20.963516 2015] [mpm_prefork:notice] [pid 5042] AH00170: caught SIGWINCH, shutting down gracefully
[Sun Sep 20 13:24:22.079077 2015] [core:notice] [pid 1178] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Sun Sep 20 13:24:22.080101 2015] [suexec:notice] [pid 1178] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 20 13:24:22.110637 2015] [auth_digest:notice] [pid 1178] AH01757: generating secret for digest authentication ...
[Sun Sep 20 13:24:22.111244 2015] [lbmethod_heartbeat:notice] [pid 1178] AH02282: No slotmem from mod_heartmonitor

I tried to chown the file to the right user, but it didn't change anything. At this point I have no idea of where to start looking.

I tried

# restorecon -Rv /home/mysite/public_html/

as mentioned, but it won't change anything

# grep avc /var/log/audit/audit.log

The last line of the result is:

type=AVC msg=audit(1442837687.255:16918): avc:  denied  { signal } for  pid=22714 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_suexec_t:s0 tclass=process

and

# tail -20 /var/log/audit/audit.log


type=CRED_REFR msg=audit(1442840401.448:581): pid=4324 uid=0 auid=0 ses=17 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1442840401.449:582): pid=4325 uid=0 auid=41 ses=15 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="mailman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1442840401.449:583): pid=4325 uid=0 auid=41 ses=15 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="mailman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1442840401.586:584): pid=4325 uid=0 auid=41 ses=15 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="mailman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1442840401.589:585): pid=4325 uid=0 auid=41 ses=15 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="mailman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AUTH msg=audit(1442840401.871:586): pid=4347 uid=0 auid=0 ses=16 msg='op=PAM:authentication grantors=pam_rootok acct="postgres" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1442840401.871:587): pid=4347 uid=0 auid=0 ses=16 msg='op=PAM:accounting grantors=pam_succeed_if acct="postgres" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1442840401.872:588): pid=4347 uid=0 auid=0 ses=16 msg='op=PAM:setcred grantors=pam_rootok acct="postgres" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1442840401.873:589): pid=4347 uid=0 auid=0 ses=16 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="postgres" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1442840401.878:590): pid=4347 uid=0 auid=0 ses=16 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="postgres" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1442840401.878:591): pid=4347 uid=0 auid=0 ses=16 msg='op=PAM:setcred grantors=pam_rootok acct="postgres" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1442840401.971:592): pid=4326 uid=0 auid=0 ses=16 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1442840401.972:593): pid=4326 uid=0 auid=0 ses=16 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1442840461.975:594): pid=4357 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1442840461.975:595): pid=4357 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1442840461.975:596): pid=4357 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=18 res=1
type=USER_START msg=audit(1442840461.978:597): pid=4357 uid=0 auid=0 ses=18 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1442840461.978:598): pid=4357 uid=0 auid=0 ses=18 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1442840462.084:599): pid=4357 uid=0 auid=0 ses=18 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1442840462.085:600): pid=4357 uid=0 auid=0 ses=18 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

The solution, and I apologize, was quite simple:

chmod -R 755 /home/site/public_html/

instead of

chmod -R 755 /home/site/public_html

None

1 Answer

Check for SELinux denials in /var/log/audit.log; you might find that your newly uploaded website doesn't have the correctly labelled file contexts to allow the httpd process to read.

If you're unsure, you could post the recent entries shown from the command:

grep avc /var/log/audit/audit.log

You could run restorecon -Rv /path/to/webroot, it might get re-labelled properly.

Additionally, Apache needs to have at least read access on the files and directories, which will require you having ownership as user:apache and file/directory permissions as 640/750, or, if you're set on the user owning those files, then you'd need 644/755 on files and directories respectively.

dcr226
  • Thanks for the help. I included the grep in my post, but the time doesn't fit with the last call to the page, so I just pasted the last line. – None Sep 21 '15 at 13:04
  • To get rid of the denial, you want to create a SELinux policy as such: allow httpd_t httpd_suexec_t:process signal; Also, with your chmod, you've set executable permissions on *everything* inside the webroot. You almost certainly do not want this. find /home/site/public_html -type d -exec chmod 755 {} \; find /home/site/public_html -type f -exec chmod 644 {} \; – dcr226 Sep 21 '15 at 16:45
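
The triage step discussed above (pull the AVC denials out of audit.log, see when they happened, and read off the rule each one implies), as an added example that is not part of the original posts. The function names `parse_denials` and `allow_rule` are made up for this illustration, and the second sample line is constructed.

```python
import re
from datetime import datetime, timezone

# First line: the AVC record quoted in the question.
# Second line: a constructed non-AVC record, to show PAM noise is skipped.
SAMPLE = (
    'type=AVC msg=audit(1442837687.255:16918): avc:  denied  { signal } for  '
    'pid=22714 comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_suexec_t:s0 tclass=process\n'
    'type=USER_END msg=audit(1442840462.085:600): pid=4357 uid=0 res=success\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def parse_denials(text):
    """Yield one dict per AVC denial found in audit.log text (hypothetical helper)."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. PAM/cron records)
        # The audit timestamp is epoch seconds; convert it so it can be
        # compared with the time of the failing HTTP request.
        when = datetime.fromtimestamp(int(m['epoch']), tz=timezone.utc)
        yield {
            'time_utc': when.strftime('%Y-%m-%d %H:%M:%S'),
            'comm': m['comm'],
            'source': selinux_type(m['scontext']),
            'target': selinux_type(m['tcontext']),
            'tclass': m['tclass'],
            'perms': m['perms'].split(),
        }

def allow_rule(d):
    """Format a denial as the policy rule that would permit it (hypothetical helper)."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

if __name__ == '__main__':
    for d in parse_denials(SAMPLE):
        print(d['time_utc'], d['comm'], allow_rule(d))
```

On a real host, feed it the contents of /var/log/audit/audit.log instead of `SAMPLE`, and review each printed rule before turning it into policy.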