Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 13:27:43 by Laura Speck
Hello,
I am getting an error trying to use the Include directive in my
httpd.conf. I am running apache2 on Fedora 9. My ServerRoot is
/etc/httpd, and my apache install is not chrooted.
I have a program that sends some servers a new httpd.virts every time we
have a dns change or a new domain. This file gets uploaded to
/home/backups/httpd.virts. I have added the line Include
/home/backups/httpd.virts to the end of my httpd.conf. httpd.virts is
readable by everyone, and /home/backups/ is executable by everyone.
However, when I try to restart apache, I get this error:
Starting httpd: httpd: Syntax error on line 349 of
/etc/httpd/conf/httpd.conf: Could not open configuration file
/home/backups/httpd.virts: Permission denied
If I copy /home/backups/httpd.virts to /etc/httpd/conf/httpd.virts, and
change the include line to Include /etc/httpd/conf/httpd.virts.. it
works fine. If I create a symbolic link to the
/home/backups/httpd.virts, apache still gives me the permission denied
error. I can't create a hard link as /home is a different partition from
/etc.
Also, I can read the file as another user, who shouldn't normally have
access to a file in someone else's home dir, but does because of the +x
on the dir and the +r on the file. So I don't think it's a permissions
problem..?
Is there a reason this is happening? Searching google hasn't given me
any results and the error logs aren't showing anything. There must be
something I am not thinking of. Any help is greatly appreciated!
Thanks in advance!
Laura
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 15:34:31 by Justin Pasher
Laura Speck wrote:
> Hello,
>
> I am getting an error trying to use the Include directive in my
> httpd.conf. I am running apache2 on Fedora 9. My ServerRoot is
> /etc/httpd, and my apache install is not chrooted.
>
> I have a program that sends some servers a new httpd.virts every time
> we have a dns change or a new domain. This file gets uploaded to
> /home/backups/httpd.virts. I have added the line Include
> /home/backups/httpd.virts to the end of my httpd.conf. httpd.virts is
> readable by everyone, and /home/backups/ is executable by everyone.
> However, when I try to restart apache, I get this error:
>
> Starting httpd: httpd: Syntax error on line 349 of
> /etc/httpd/conf/httpd.conf: Could not open configuration file
> /home/backups/httpd.virts: Permission denied
>
> If I copy /home/backups/httpd.virts to /etc/httpd/conf/httpd.virts,
> and change the include line to Include /etc/httpd/conf/httpd.virts..
> it works fine. If I create a symbolic link to the
> /home/backups/httpd.virts, apache still gives me the permission denied
> error. I can't create a hard link as /home is a different partition
> from /etc.
Sounds like an SELinux problem that is denying the daemon access. Run
"sestatus" to see if it says it's enabled. You can try disabling it
temporarily by running "setenforce 0". If the problem goes away, you
have your answer. As far as how to get around it without disabling
SELinux, that would be more appropriate for an SELinux mailing list (and
beyond my expertise).
--
Justin Pasher
Re: Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 16:02:37 by Laura Speck
Justin Pasher wrote:
> Laura Speck wrote:
>> Hello,
>>
>> I am getting an error trying to use the Include directive in my
>> httpd.conf. I am running apache2 on Fedora 9. My ServerRoot is
>> /etc/httpd, and my apache install is not chrooted.
>>
>> I have a program that sends some servers a new httpd.virts every time
>> we have a dns change or a new domain. This file gets uploaded to
>> /home/backups/httpd.virts. I have added the line Include
>> /home/backups/httpd.virts to the end of my httpd.conf. httpd.virts is
>> readable by everyone, and /home/backups/ is executable by everyone.
>> However, when I try to restart apache, I get this error:
>>
>> Starting httpd: httpd: Syntax error on line 349 of
>> /etc/httpd/conf/httpd.conf: Could not open configuration file
>> /home/backups/httpd.virts: Permission denied
>>
>> If I copy /home/backups/httpd.virts to /etc/httpd/conf/httpd.virts,
>> and change the include line to Include /etc/httpd/conf/httpd.virts..
>> it works fine. If I create a symbolic link to the
>> /home/backups/httpd.virts, apache still gives me the permission
>> denied error. I can't create a hard link as /home is a different
>> partition from /etc.
>
> Sounds like an SELinux problem that is denying the daemon access. Run
> "sestatus" to see if it says it's enabled. You can try disabling it
> temporarily by running "setenforce 0". If the problem goes away, you
> have your answer. As far as how to get around it without disabling
> SELinux, that would be more appropriate for an SELinux mailing list
> (and beyond my expertise).
Thanks for the help - SELinux is enabled. Temporarily disabling it did
fix the problem, but I would like to keep it enabled. I am headed to
find an SELinux list, thank you :)
Laura
Re: Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 18:08:27 by wrowe
Laura Speck wrote:
> Thanks for the help - SELinux is enabled. Temporarily disabling it did
> fix the problem, but I would like to keep it enabled. I am headed to
> find an SELinux list, thank you :)
In 5 years they've failed to participate with httpd in addressing such
issues ... If you discover anything useful please do feel free to bring
it back to dev@httpd to be addressed :-)
Re: Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 18:23:32 by Laura Speck
William A. Rowe, Jr. wrote:
> Laura Speck wrote:
>> Thanks for the help - SELinux is enabled. Temporarily disabling it did
>> fix the problem, but I would like to keep it enabled. I am headed to
>> find an SELinux list, thank you :)
>
> In 5 years they've failed to participate with httpd in addressing such
> issues ... If you discover anything useful please do feel free to bring
> it back to dev@httpd to be addressed :-)
I didn't get as far as asking on a list, because I decided to try and
figure it out myself..
What I did work out is that the SELinux "permissions" (or whatever you
want to call them?) on the httpd.conf file were set with the type
"httpd_config_t", whereas everything in the home directories is set with
the type "user_home_dir_t"
I found this link:
http://docs.fedoraproject.org/selinux-apache-fc3/sn-user-homedir.html
That link mentions changing the type of users' public_html dirs so that
httpd can access them. So I ended up changing the type of the
httpd.virts file to be the same as httpd.conf ("httpd_config_t"). It
works, I still have SELinux enabled (which is what I wanted). I am not
sure that this was the right way to do it, but it works and as far as I
can tell, is secure :)
Laura
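
The diagnosis and fix worked out in the messages above, as an added example that is not part of the original thread: it pulls httpd_t denials out of audit records to show which target type blocked the Include, then prints a persistent way to give the file the httpd_config_t type. The helper names are hypothetical, the audit records are constructed sample data, and it assumes auditd is logging AVC denials in audit.log format.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical helpers.

# Constructed audit records in audit.log format (not captured from Laura's host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1237210063.101:412): avc:  denied  { read } for  pid=2931 comm="httpd" name="httpd.virts" dev=sda5 ino=131077 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1237210063.101:412): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1237210070.220:415): avc:  denied  { write } for  pid=3010 comm="sshd" name="tmpfile" dev=sda5 ino=131099 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print "<perm> <tclass> <name> <target type>"
# for each denial whose source domain is httpd_t (first permission only).
httpd_denials() {
    awk '
    /avc:[ ]+denied/ {
        perm = name = stype = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            else if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        if (stype == "httpd_t") print perm, tclass, name, ttype
    }'
}

# Print (do not run) the root commands that give one included file the
# httpd_config_t type persistently; the path is regex-escaped for semanage.
relabel_plan() {
    path=$1
    pattern=$(printf '%s' "$path" | sed 's/[.]/\\./g')
    printf "ls -Z %s\n" "$path"
    printf "semanage fcontext -a -t httpd_config_t '%s'\n" "$pattern"
    printf "restorecon -v %s\n" "$path"
}

# On a live host, feed real records instead: ausearch -m avc -c httpd --raw
sample_audit_log | httpd_denials
relabel_plan /home/backups/httpd.virts
```

A type set with chcon alone is lost at the next filesystem relabel, which is why the plan records a file-context rule and applies it with restorecon. If the upload replaces the file rather than rewriting it in place, the new file takes its label from the directory, so restorecon has to run again after each upload.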
Re: Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 21:33:35 by Nick Kew
William A. Rowe, Jr. wrote:
> Laura Speck wrote:
>> Thanks for the help - SELinux is enabled. Temporarily disabling it did
>> fix the problem, but I would like to keep it enabled. I am headed to
>> find an SELinux list, thank you :)
>
> In 5 years they've failed to participate with httpd in addressing such
> issues ... If you discover anything useful please do feel free to bring
> it back to dev@httpd to be addressed :-)
FWIW, I attended an SELinux talk at FOSDEM last month. The majority of
all his examples were with our httpd. In questions at the end, I
stressed the need for decent tutorial documentation and for meaningful
error messages when something is denied. His reaction was pretty
negative ("unlikely to happen"), and others around the room seemed
pretty negative about any likelihood of anything improving and
supported a "selinux is the enemy" view.
--
Nick Kew
Re: Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 21:47:49 by wrowe
Nick Kew wrote:
>
> FWIW, I attended an SELinux talk at FOSDEM last month. The majority of
> all his examples were with our httpd. In questions at the end, I
> stressed the need for decent tutorial documentation and for meaningful
> error messages when something is denied. His reaction was pretty
> negative ("unlikely to happen"), and others around the room seemed
> pretty negative about any likelihood of anything improving and
> supported a "selinux is the enemy" view.
On a positive note, the popup information under Fedora 10 bleeding kernels
has become much more interesting than the classic failure messages. But
I have no desire to play 'fetch me a rock' so I haven't had much interest
in fighting with SELinux until someone active with SELinux and httpd comes
forward with recommended changes.
Re: Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 21:58:43 by Nick Kew
Nick Kew wrote:
> FWIW, I attended an SELinux talk at FOSDEM last month.
Just to add, I wrote a brief blog entry at the time.
I'd treat that as more reliable than what I wrote here from memory.
http://bahumbug.wordpress.com/2009/02/08/selinux/
--
Nick Kew
Re: Include directive in httpd.conf giving a Permission denied error.
on 16.03.2009 22:17:33 by aw
Nick Kew wrote:
> Nick Kew wrote:
>
>> FWIW, I attended an SELinux talk at FOSDEM last month.
>
> Just to add, I wrote a brief blog entry at the time.
> I'd treat that as more reliable than what I wrote here from memory.
>
> http://bahumbug.wordpress.com/2009/02/08/selinux/
>
I pretty much agree with the single comment on the blog :
"I typically just disable it. It's always been a hassle."
As an off-the-hip comment, admittedly poorly informed because of the
above, I will add that to me SELinux has always looked like some
cover-your-ass addition dreamed up by some big company's marketing
department, so that they could claim to have "improved" Linux and made
it respectable in the corporate world.