Tuesday, October 17, 2017

Changing the default Apache web directory(document root) on RHEL without disabling SE Linux

The default document root of Apache on RHEL is "/var/www/html". If you try changing it to something else, such as "/web/apps", you will get a "403 Forbidden" error.
If you google it, you will find the usual advice: add /web/apps in a <Directory> directive and make /web and /web/apps traversable by setting +x permissions (chmod 755).
Your Apache vhost will then look similar to this:

<VirtualHost *:80>
 ServerName  www.example.com
 DocumentRoot /web/apps
  <Directory "/web/apps" >
   Options Indexes FollowSymLinks
   AllowOverride None
   Require all granted
  </Directory>
</VirtualHost>

After doing that, if you restart Apache and try again, you will still get the "403 Forbidden" error.

If you google further, you will find out that this is caused by SELinux, along with steps to disable it:
basically "sudo setenforce 0". You could call it a day at that point, since everything starts to work.

However, "sudo setenforce 0" switches SELinux to permissive mode, disabling its protection for the whole system. There is a better way, and that is what this blog post is about.
Here it is: give the new directory the same SELinux type that /var/www/html already has, persistently via the file-context database, and then apply the label to the files.

sudo semanage fcontext -a -t httpd_sys_content_t "/web/apps(/.*)?"
sudo restorecon -R -v /web/apps

That's it, folks. If you want to see what this does, run ls with the -Z flag, which prints each entry's SELinux context:

[ec2-user@ip-10-0-0-1 ~]$ ls -Z /var/www
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html

[ec2-user@ip-10-0-0-1 ~]$ ls -Z /web
drwxrwxr-x. rxds rxds unconfined_u:object_r:httpd_sys_content_t:s0 apps
drwxrwxr-x. rxds rxds unconfined_u:object_r:default_t:s0 another_directory


httpd_sys_content_t is the type that allows Apache (httpd) to serve files from the /web/apps directory. Compare another_directory, which still carries the default_t type and would therefore be refused, exactly as /web/apps was before the relabel.
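The following is an added example (not part of the original post) that turns the ls -Z check above into a script: it reads ls -Z lines, extracts the SELinux type, and for every entry that httpd is not allowed to read prints the two commands from the post that fix it persistently. The path /web and the sample line are constructed in the same format as the post's output.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that entries under a
# directory carry a type httpd may read before blaming anything else for a 403.
# Only parses ls -Z output, so it runs without root or SELinux.

# Print the SELinux type (third field of user:role:type:level) found in one
# ls -Z line. The context field is located by its three-colon shape, which
# works for both the old five-column layout and the "ls -lZ" layout.
selinux_type() {
    for f in $1; do
        case $f in
            *:*:*:*)
                rest=${f#*:}; rest=${rest#*:}   # drop user and role
                printf '%s\n' "${rest%%:*}"     # keep type, drop level
                return 0 ;;
        esac
    done
    return 1
}

# Return 0 when the line carries a type httpd is permitted to read.
label_ok() {
    case "$(selinux_type "$1")" in
        httpd_sys_content_t|httpd_sys_rw_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ls -Z lines on stdin ($1 is the parent directory) and, for each entry
# with a wrong type, print the persistent fix from the post. A plain chcon
# would also work but is lost on the next relabel; semanage is not.
# Returns 0 only when every entry is already labelled correctly.
report_mislabelled() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        label_ok "$line" && continue
        name=${line##* }
        printf 'MISLABELLED %s/%s (type %s)\n' "$1" "$name" "$(selinux_type "$line")"
        printf '  sudo semanage fcontext -a -t httpd_sys_content_t "%s/%s(/.*)?"\n' "$1" "$name"
        printf '  sudo restorecon -R -v %s/%s\n' "$1" "$name"
        rc=1
    done
    return $rc
}

# Constructed sample: /web/apps as it looks before the fix (type default_t).
SAMPLE_WEB='drwxrwxr-x. rxds rxds unconfined_u:object_r:default_t:s0 apps'

# On a real host use:  ls -Z /web | report_mislabelled /web
if printf '%s\n' "$SAMPLE_WEB" | report_mislabelled /web; then
    echo "all entries under /web are readable by httpd"
fi
```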


More info at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html