2

I'm working on Fedora 29 Server. SELinux is in Enforcing mode. I'm having trouble getting Nginx to serve documents from a subdirectory below root. I need to know how to troubleshot it further because the Nginx log entries are not accurate with respect to what I am seeing when inspecting permissions.

Accessing documents from root at http://172.16.2.1/ are fine, like index.html. Accessing documents in a subdirectory http://172.16.2.1/ftc-data/ results in 403. The error.log shows:

2019/03/27 08:45:24 [error] 18589#0: *5 directory index of "/var/www/html/ftc-data/"
is forbidden, client: 172.16.4.8, server: _, request: "GET /ftc-data/ HTTP/1.1",
host: "172.16.2.1"

From /var/www/html permissions look OK to me:

# ls -Al
total 64
...
-rw-r-----. 1 root nginx  7822 Mar 27 08:09 index.html
lrwxrwxrwx. 1 root nginx    22 Mar 27 07:57 ftc-data -> /var/ftc/ftc-data
...

And again from /var/www/html:

# ls -Al ftc-data/
total 98192
-rw-r-----. 1 root nginx 1411314 Mar 26 06:47 2019-01-28.csv
-rw-r-----. 1 root nginx 3105895 Mar 26 06:47 2019-01-29.csv
-rw-r-----. 1 root nginx 2782858 Mar 26 06:47 2019-01-30.csv
...

And:

# ls -Al /var/ftc/
total 4
drwxr-x---. 2 root nginx 4096 Mar 27 07:16 ftc-data

symlinks off is not present in nginx.conf. The server has been restarted with systemctl restart nginx. I've also run restorecon -r /var/www/ and restorecon -r /var/ftc/ to fix SELinux labels.

I'm at a loss to where to search next. 0777 is not an acceptable answer even though it is popular among developers on Stack Overflow.

How do I troubleshoot the permission problem further?

In case it matters, trying to fetch a file http://172.16.2.1/ftc-data/2019-01-28.csv results in:

2019/03/27 09:02:39 [error] 18589#0: *13 open() "/var/www/html/ftc-data/2019-01-28.csv"
failed (13: Permission denied), client: 172.16.4.8, server: _, request: "GET /ftc-data/2019-01-28.csv HTTP/1.1",
host: "172.16.2.1"

And:

# namei -l /var/ftc/
f: /var/ftc/
dr-xr-xr-x root root  /
drwxr-xr-x root root  var
drwxr-xr-x root nginx ftc

# namei -l /var/www/
f: /var/www/
dr-xr-xr-x root root  /
drwxr-xr-x root root  var
drwxr-x--- root nginx www

I'm fairly certain there are no permission problems. Something else is wrong.

  • As which user is your nginx server running? Is that user member of the nginx group? – Sjoerd Mar 27 '19 at 13:13
  • @Sjoerd, the server is run as user `nginx`. –  Mar 27 '19 at 13:24
  • 1
    Check this answer: https://stackoverflow.com/questions/22586166/why-does-nginx-return-a-403-even-though-all-permissions-are-set-properly – rush Mar 27 '19 at 13:28
  • "directory index of ... is forbidden" error is not related to permissions. It simply means that there is not an `index.html` file in that directory. – Richard Smith Mar 27 '19 at 13:34

1 Answers1

1

As you mentioned this is most likely related to SELinux configuration. As suggested in this answer, please execute following command to fix the issue:

chcon -R -t httpd_sys_content_t /var/ftc/

# ls -Zd /var/www/html/ /var/ftc/
              unconfined_u:object_r:var_t:s0 /var/ftc/
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/

# chcon -R -t httpd_sys_content_t /var/ftc/

# ls -Zd /var/www/html/ /var/ftc/
unconfined_u:object_r:httpd_sys_content_t:s0 /var/ftc/
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/
rush
  • 27,055
  • 7
  • 87
  • 112