前言:本文主要介紹了因為selinux對網站目錄權限控制的不當而引起網站無法正常操作和通路的問題。
正文開始:今天下午閑着沒有事做于是突然興起想嘗試安裝下drupal。以前用wordpress做部落格久了,總想着嘗嘗新。
按照installtion guide提示的安裝步驟進行操作如下:
wget http://drupal.org/files/projects/drupal-7.12.tar.gz
tar -zxvf drupal-7.12.tar.gz
mv drupal-7.12 /var/www/html/home_start
cd /var/www/html/home_start
cp sites/default/default.settings.php sites/default/settings.php
chmod a+w sites/default/settings.php
chmod a+w sites/default
mysqladmin -u username -p create databasename #用正确的字元串代替username和databasename
一切準備就緒!就等着進網站目錄進行下一步配置了!
不幸的是,在浏覽器中打開網站的目錄後就遭遇了httpd的403拒絕通路提示。
這很顯然,根據以往的經驗可以判斷是目錄權限存在問題。
為了驗證這一說法,我們可以檢查httpd的錯誤日志。預設情況下日志就存在在/var/log/httpd/目錄中。
[root@localhost ~]# grep permission /var/log/httpd/error_log
[tue apr 10 09:07:04 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start denied
[tue apr 10 09:07:50 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start/ denied
[tue apr 10 09:08:07 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start/ denied
[tue apr 10 09:10:06 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start/ denied
[tue apr 10 09:11:08 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start/ denied
[tue apr 10 09:11:17 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start denied
[tue apr 10 09:11:34 2012] [error] [client ::1] (13)permission denied: access to /start denied
[tue apr 10 09:13:35 2012] [error] [client ::1] (13)permission denied: access to /start denied
[tue apr 10 09:13:51 2012] [error] [client ::1] (13)permission denied: access to /start/site/default/ denied
[tue apr 10 09:13:57 2012] [error] [client ::1] (13)permission denied: access to /start/sites denied
[tue apr 10 09:14:51 2012] [error] [client ::1] (13)permission denied: access to /start/install.php denied
[tue apr 10 09:18:57 2012] [error] [client ::1] (13)permission denied: access to /start/install.php denied
[tue apr 10 09:19:01 2012] [error] [client ::1] (13)permission denied: access to /start/ denied
[tue apr 10 09:22:03 2012] [error] [client ::1] (13)permission denied: access to /start denied
[tue apr 10 09:22:21 2012] [error] [client ::1] (13)permission denied: access to /start denied
[tue apr 10 09:22:24 2012] [error] [client ::1] (13)permission denied: access to /start denied
[tue apr 10 09:22:27 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start denied
[tue apr 10 09:27:02 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start denied
[tue apr 10 09:27:05 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start denied
[tue apr 10 09:27:07 2012] [error] [client 127.0.0.1] (13)permission denied: access to /start denied
[tue apr 10 12:09:58 2012] [error] [client 127.0.0.1] (13)permission denied: access to /home_start denied
[tue apr 10 12:42:38 2012] [error] [client 127.0.0.1] (13)permission denied: access to /home_start denied
[tue apr 10 12:42:40 2012] [error] [client 127.0.0.1] (13)permission denied: access to /home_start denied
[tue apr 10 12:44:15 2012] [error] [client 127.0.0.1] (13)permission denied: access to /home_start denied
[tue apr 10 12:44:20 2012] [error] [client 127.0.0.1] (13)permission denied: access to /home_start denied
[tue apr 10 20:53:21 2012] [error] [client ::1] (13)permission denied: access to /home_start denied
[tue apr 10 21:07:21 2012] [error] [client ::1] (13)permission denied: access to /home_start denied
[tue apr 10 21:14:48 2012] [error] [client ::1] (13)permission denied: access to /home_start denied
[root@localhost ~]#
再檢查網站目錄和檔案的權限。為友善起見直接用-lz選項。用于顯示詳細資訊和selinux權限資訊
[root@localhost html]# ls -lz
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 archive.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog_backup
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 blog.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 css
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 home_page
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start #問題行
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 images
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 info_php.php
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 js
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 log
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 php #以前的遺留問題
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 phpmyadmin-3.4.10.1-all-languages
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 psds
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 readme.txt
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 style.htm
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 style.html
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 wiki
顯然上面顯示的結果中的09、16兩行的權限與其他網站目錄不同。
再檢視selinx的工作狀态,判斷是不是selinux引起的。
[root@localhost httpd]# sestatus
selinux status: enabled
selinuxfs mount: /selinux
current mode: enforcing
mode from config file: enforcing
policy version: 24
policy from config file: targeted
這就是導緻網站權限不正确的原因。
我猜測可能是在selinux啟用時對目錄或檔案進行操作導緻的。因為最近我對selinux進行了更新(以前沒有遇到)。
是以使用chcon更改selinux權限以及顯示結果如下:
經過修改就會發現selinux的對應權限已經和其他目錄相同了!都是httpd_sys_content_t。
[root@localhost html]# setenforce --help
usage: setenforce [ enforcing | permissive | 1 | 0 ]
[root@localhost html]# setenforce 0
[root@localhost html]# cd
[root@localhost ~]# ls /var/www/html/ -z
……
drwxr-xr-x. root root unconfined_u:object_r:admin_home_t:s0 home_start
[root@localhost ~]# chcon -t httpd_sys_content_t -r /var/www/html/home_start/
[root@localhost ~]# ls /var/www/html/home_start/ -z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 authorize.php
然後,再次打開浏覽器輸入位址,驗證能否通路,如果可以通路就可以進行下一步配置了!
最後,還是那句話,遇到問題一定要仔細分析,盡可能的通過自己的努力和分析發現問題所在,這樣才能體會到解決問題的快樂!
![龍蜥作業系統将捐贈開放原子開源基金會[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)