前言:本文主要介绍了因为SELinux对网站目录权限控制的不当而引起网站无法正常操作和访问的问题。
正文开始:今天下午闲着没有事做于是突然兴起想尝试安装下Drupal。以前用Wordpress做博客久了,总想着尝尝新。
按照Installtion Guide提示的安装步骤进行操作如下:
wgethttp://drupal.org/files/projects/drupal-7.12.tar.gztar-zxvfdrupal-7.12.tar.gzmvdrupal-7.12/var/www/html/home_startcd /var/www/html/home_startcpsites/default/default.settings.phpsites/default/settings.phpchmoda+wsites/default/settings.phpchmoda+wsites/defaultmysqladmin-uusername-pcreatedatabasename #用正确的字符串代替username和databasename
一切准备就绪!就等着进网站目录进行下一步配置了!
不幸的是,在浏览器中打开网站的目录后就遭遇了httpd的403拒绝访问提示。
这很显然,根据以往的经验可以判断是目录权限存在问题。
为了验证这一说法,我们可以检查httpd的错误日志。默认情况下日志就存在在/var/log/httpd/目录中。
[root@localhost~]#grep Permission /var/log/httpd/error_log[TueApr1009:07:042012][error][client127.0.0.1](13)Permissiondenied:accessto/startdenied[TueApr1009:07:502012][error][client127.0.0.1](13)Permissiondenied:accessto/start/denied[TueApr1009:08:072012][error][client127.0.0.1](13)Permissiondenied:accessto/start/denied[TueApr1009:10:062012][error][client127.0.0.1](13)Permissiondenied:accessto/start/denied[TueApr1009:11:082012][error][client127.0.0.1](13)Permissiondenied:accessto/start/denied[TueApr1009:11:172012][error][client127.0.0.1](13)Permissiondenied:accessto/startdenied[TueApr1009:11:342012][error][client::1](13)Permissiondenied:accessto/startdenied[TueApr1009:13:352012][error][client::1](13)Permissiondenied:accessto/startdenied[TueApr1009:13:512012][error][client::1](13)Permissiondenied:accessto/start/site/default/denied[TueApr1009:13:572012][error][client::1](13)Permissiondenied:accessto/start/sitesdenied[TueApr1009:14:512012][error][client::1](13)Permissiondenied:accessto/start/install.phpdenied[TueApr1009:18:572012][error][client::1](13)Permissiondenied:accessto/start/install.phpdenied[TueApr1009:19:012012][error][client::1](13)Permissiondenied:accessto/start/denied[TueApr1009:22:032012][error][client::1](13)Permissiondenied:accessto/startdenied[TueApr1009:22:212012][error][client::1](13)Permissiondenied:accessto/startdenied[TueApr1009:22:242012][error][client::1](13)Permissiondenied:accessto/startdenied[TueApr1009:22:272012][error][client127.0.0.1](13)Permissiondenied:accessto/startdenied[TueApr1009:27:022012][error][client127.0.0.1](13)Permissiondenied:accessto/startdenied[TueApr1009:27:052012][error][client127.0.0.1](13)Permissiondenied:accessto/startdenied[TueApr1009:27:072012][error][client127.0.0.1](13)Permissiondenied:accessto/startdenied[TueApr1012:09:582012][error][client127.0.0.1](13)Permissiondenied:accessto/home_startdenied[TueApr1012:42:382012][error][client127.0.0.1](13)Permissiondenied:accessto/home_startdenied[TueApr1012:42:402012][error][client127.0.0.1](13)Permissiondenied:accessto/home_startdenied[TueApr1012:44:152012][error][client127.0.0.1](13)Permissiondenied:accessto/home_startdenied[TueApr1012:44:202012][error][client127.0.0.1](13)Permissiondenied:accessto/home_startdenied[TueApr1020:53:212012][error][client::1](13)Permissiondenied:accessto/home_startdenied[TueApr1021:07:212012][error][client::1](13)Permissiondenied:accessto/home_startdenied[TueApr1021:14:482012][error][client::1](13)Permissiondenied:accessto/home_startdenied[root@localhost~]#
再检查网站目录和文件的权限。为方便起见直接用-lZ选项。用于显示详细信息和SELinux权限信息
[root@localhosthtml]#ls-lZ-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0archive.htmldrwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0blogdrwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0blog_backup-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0blog.htm-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0blog.htmldrwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0cssdrwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0home_pagedrwxr-xr-x.rootrootunconfined_u:object_r:admin_home_t:s0home_start #问题行drwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0images-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0index.htm-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0index.html-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0info_php.phpdrwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0js-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0logdrwxr-xr-x.rootrootunconfined_u:object_r:admin_home_t:s0php #以前的遗留问题drwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0phpMyAdmin-3.4.10.1-all-languagesdrwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0PSDs-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0readme.txt-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0style.htm-rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0style.htmldrwxr-xr-x.rootrootunconfined_u:object_r:httpd_sys_content_t:s0wiki
显然上面显示的结果中的09、16两行的权限与其他网站目录不同。
再查看selinx的工作状态,判断是不是SELinux引起的。
[root@localhosthttpd]#sestatusSELinuxstatus:enabledSELinuxfsmount:/selinuxCurrentmode:enforcingModefromconfigfile:enforcingPolicyversion:24Policyfromconfigfile:targeted
这就是导致网站权限不正确的原因。
我猜测可能是在selinux启用时对目录或文件进行操作导致的。因为最近我对SELinux进行了升级(以前没有遇到)。
PS:最新的原因分析请参见《对SELinux权限发生变化的解释》一文。
所以使用chcon更改SELinux权限以及显示结果如下:
setenforce0 #必须暂时停止SELinux,否则可能导致操作失败。 chcon -t httpd_sys_content_t -R /var/www/html/home_start/ #R参数是递归操作的意思
经过修改就会发现SELinux的对应权限已经和其他目录相同了!都是httpd_sys_content_t。
[root@localhosthtml]#setenforce--helpusage:setenforce[Enforcing|Permissive|1|0][root@localhosthtml]#setenforce0[root@localhosthtml]#cd[root@localhost~]#ls/var/www/html/-Z drwxr-xr-x.rootrootunconfined_u:object_r:admin_home_t:s0home_start [root@localhost~]#chcon-thttpd_sys_content_t-R/var/www/html/home_start/[root@localhost~]#ls/var/www/html/home_start/-Z -rw-r--r--.rootrootunconfined_u:object_r:httpd_sys_content_t:s0authorize.php
然后,再次打开浏览器输入地址,验证能否访问,如果可以访问就可以进行下一步配置了!
最后,还是那句话,遇到问题一定要仔细分析,尽可能的通过自己的努力和分析发现问题所在,这样才能体会到解决问题的快乐!
人总是珍惜未得到的,而遗忘了所拥有的
