Resolving improper SELinux permission control over a website directory

Published: 2014-11-17 14:53:35  Source: Linux website  Author: dgd2010

Preface: this article describes a problem where improper SELinux permission control over the website directory made the site impossible to operate and access normally.

Body: This afternoon I had nothing to do, so on a whim I decided to try installing Drupal. Having used WordPress for my blog for a long time, I always wanted to try something new.


Following the steps in the Installation Guide, I proceeded as follows:

wget http://drupal.org/files/projects/drupal-7.12.tar.gz
tar -zxvf drupal-7.12.tar.gz
mv drupal-7.12 /var/www/html/home_start
cd /var/www/html/home_start
cp sites/default/default.settings.php sites/default/settings.php
chmod a+w sites/default/settings.php
chmod a+w sites/default
mysqladmin -u username -p create databasename # replace username and databasename with the correct strings


Everything was ready! All that remained was to open the site directory and carry out the next configuration step.

Unfortunately, opening the site directory in the browser produced a 403 Forbidden from httpd.

Obviously, judging from past experience, this pointed to a directory permission problem.

To verify this, we can check httpd's error log. By default the logs live under /var/log/httpd/.


[root@localhost ~]# grep Permission /var/log/httpd/error_log
[Tue Apr 10 09:07:04 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:07:50 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:08:07 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:10:06 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:11:08 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:11:17 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:11:34 2012] [error] [client ::1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:13:35 2012] [error] [client ::1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:13:51 2012] [error] [client ::1] (13)Permission denied: access to /start/site/default/ denied
[Tue Apr 10 09:13:57 2012] [error] [client ::1] (13)Permission denied: access to /start/sites denied
[Tue Apr 10 09:14:51 2012] [error] [client ::1] (13)Permission denied: access to /start/install.php denied
[Tue Apr 10 09:18:57 2012] [error] [client ::1] (13)Permission denied: access to /start/install.php denied
[Tue Apr 10 09:19:01 2012] [error] [client ::1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:22:03 2012] [error] [client ::1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:22:21 2012] [error] [client ::1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:22:24 2012] [error] [client ::1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:22:27 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:27:02 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:27:05 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:27:07 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 12:09:58 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 12:42:38 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 12:42:40 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 12:44:15 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 12:44:20 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 20:53:21 2012] [error] [client ::1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 21:07:21 2012] [error] [client ::1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 21:14:48 2012] [error] [client ::1] (13)Permission denied: access to /home_start denied
[root@localhost ~]#


Next, check the permissions on the site directories and files. For convenience, use the -lZ option directly: it shows the long listing together with the SELinux context.

[root@localhost html]# ls -lZ
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 archive.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog_backup
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 css
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 home_page
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start # problem line
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 images
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 info_php.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 js
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 log
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 php # leftover from an earlier problem
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 phpMyAdmin-3.4.10.1-all-languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 PSDs
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 readme.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 style.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 style.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 wiki


Clearly, lines 9 and 16 of the output above (home_start and php) carry a different context from the other site directories.

Next, check SELinux's working state to determine whether SELinux is the cause.

[root@localhost httpd]# sestatus 
SELinux status: enabled
SELinuxfs mount:/selinux
Current mode:   enforcing
Mode from config file:  enforcing
Policy version: 24
Policy from config file:targeted


This is what caused the incorrect permissions on the site.

I suspect it was caused by operating on the directory or files while SELinux was enabled, because I recently upgraded SELinux (I had not run into this before).

So I used chcon to change the SELinux permissions; the commands and the results are shown below:

setenforce 0 # SELinux must be stopped temporarily, otherwise the operation may fail.
chcon -t httpd_sys_content_t -R /var/www/html/home_start/ # the -R flag means operate recursively


After the change, the directory's SELinux context is the same as the other directories: all are httpd_sys_content_t.

[root@localhost html]# setenforce --help
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@localhost html]# setenforce 0
[root@localhost html]# cd
[root@localhost ~]# ls /var/www/html/ -Z
……
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start
……
[root@localhost ~]# chcon -t httpd_sys_content_t -R /var/www/html/home_start/
[root@localhost ~]# ls /var/www/html/home_start/ -Z
……
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 authorize.php
……
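The checks and the fix from the walkthrough above (the Permission denied grep of error_log, the ls -lZ comparison, and the relabel of home_start), written up as one shell script. This is an added example, not code from the original post or from Drupal. The log and listing samples are constructed to match the shape of the output quoted above, and the function names denied_paths, mislabeled_entries and relabel_docroot are my own; semanage and restorecon are the standard policycoreutils tools.

```shell
#!/bin/sh
# Added example (not from the original post or the Drupal project): triage
# helpers for the two symptoms shown above, EACCES lines in httpd's error_log
# and an ls -lZ listing where an entry carries the wrong SELinux type, plus the
# persistent relabel that replaces the chcon step.
set -u
LC_ALL=C
export LC_ALL

# Constructed sample in the shape of the error_log lines quoted above; the last
# line is a non-denial entry that the filter must ignore.
SAMPLE_LOG=$(cat <<'EOF'
[Tue Apr 10 09:07:04 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start denied
[Tue Apr 10 09:07:50 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /start/ denied
[Tue Apr 10 09:14:51 2012] [error] [client ::1] (13)Permission denied: access to /start/install.php denied
[Tue Apr 10 12:09:58 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 12:42:38 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /home_start denied
[Tue Apr 10 12:42:40 2012] [notice] caught SIGTERM, shutting down
EOF
)

# Constructed sample in the shape of the ls -lZ listing above.
SAMPLE_LS=$(cat <<'EOF'
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 archive.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 images
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 php
EOF
)

# denied_paths: read error_log text on stdin and print every URI httpd refused
# with errno 13 (EACCES), once each, followed by how often it was refused.
denied_paths() {
  sed -n 's/.*(13)Permission denied: access to \(.*\) denied$/\1/p' \
    | sort | uniq -c | awk '{ print $2, $1 }'
}

# mislabeled_entries: read ls -lZ output on stdin and print the name and actual
# type of each entry whose SELinux type is not the one given as $1. The context
# field is found by its user:role:type:level shape rather than by position, so
# both the short layout above and the full long listing of newer coreutils work.
mislabeled_entries() {
  awk -v want="$1" '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:s[0-9]/) {
          split($i, ctx, ":")
          if (ctx[3] != want) print $NF, ctx[3]
          break
        }
      }
    }'
}

# relabel_docroot: persistent fix for a directory such as home_start above.
# A semanage fcontext rule survives a later restorecon or full relabel, which a
# bare chcon does not, and neither command needs SELinux switched to permissive.
# Requires root on an SELinux host, so the demo below does not call it.
relabel_docroot() {
  dir=${1%/}
  semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?" \
    && restorecon -Rv "$dir"
}

# Demo: run both detection functions over the constructed samples.
demo() {
  echo "== URIs refused with EACCES (path count) =="
  printf '%s\n' "$SAMPLE_LOG" | denied_paths
  echo "== entries not labeled httpd_sys_content_t =="
  printf '%s\n' "$SAMPLE_LS" | mislabeled_entries httpd_sys_content_t
}

demo
```

Run it as is to see the two detection functions over the samples; on a real host, pipe `grep Permission /var/log/httpd/error_log` and `ls -lZ /var/www/html` into them instead, then call relabel_docroot on the directory that turns up. restorecon re-applies whatever the policy's file-context rules say, so adding the rule with semanage fcontext first is what makes the label stick; a label set with chcon alone is undone by the next relabel.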


Then open the browser again, enter the address and verify whether the site can be accessed; if it can, proceed to the next configuration step.

Finally, the same words as always: when you run into a problem, analyze it carefully and try as hard as you can to find the cause through your own effort and analysis. Only then can you feel the joy of solving it!