Symptoms

Apache httpd cannot read the web contents, and a log like the following is produced:

type=USER_START msg=audit(1380189661.507:213209): user pid=28699 uid=0 auid=0 ses=24593 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'


Cause

Save the log as a.log and translate the messages with audit2why:

$ audit2why < a.log

type=AVC msg=audit(1380187927.301:213167): avc:  denied  { getattr } for  pid=28352 comm="httpd" path="/var/www/wordpress/index.php" dev=dm-4 ino=1181571 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.
                You can use audit2allow to generate a loadable module to allow this access.


Look up the file contexts defined for Apache httpd:

$ semanage fcontext -l | grep httpd_sys_content_t

/etc/htdig(/.*)?                                   all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/gallery2(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0 
/usr/share/drupal.*                                all files          system_u:object_r:httpd_sys_content_t:s0 
/usr/share/htdig(/.*)?                             all files          system_u:object_r:httpd_sys_content_t:s0 
/usr/share/icecast(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0 
/usr/share/mythtv/data(/.*)?                       all files          system_u:object_r:httpd_sys_content_t:s0 
/usr/share/mythweb(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0 
/usr/share/ntop/html(/.*)?                         all files          system_u:object_r:httpd_sys_content_t:s0 
/usr/share/openca/htdocs(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0 
/usr/share/selinux-policy[^/]*/html(/.*)?          all files          system_u:object_r:httpd_sys_content_t:s0 
/var/lib/cacti/rra(/.*)?                           all files          system_u:object_r:httpd_sys_content_t:s0 
/var/lib/htdig(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0 
/var/lib/trac(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0 
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0 
/var/www/icons(/.*)?                               all files          system_u:object_r:httpd_sys_content_t:s0 
/var/www/svn/conf(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0 


  1. The context must be httpd_sys_content_t for Apache to be able to read the files.
  2. Check the context of the directory in question with ls -lZ:

    ls -lZd /var/www/wordpress/
    drwxr-xr-x. apache apache unconfined_u:object_r:home_root_t:s0 /var/www/wordpress/


  3. The files could not be read because of the home_root_t context; assign httpd_sys_content_t with chcon:

    chcon -R -t httpd_sys_content_t  /var/www/wordpress
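The triage above (AVC record, source domain, target type, default fcontext rule) can be automated. The following is an added example, not part of the original post: it parses AVC denial records, keeps only file denials against the httpd_t domain whose target type is not httpd_sys_content_t, and decides between `restorecon` (when one of the policy's default rules from the semanage output already covers the path) and `semanage fcontext -a` plus `restorecon` (when none does). The first two audit lines are the ones quoted on this page; the third AVC line, the `/srv/blog` path and the `triage`/`parse_avc` names are constructed for the example.

```python
import re

# Constructed sample audit log: the two records quoted on this page plus one made-up
# denial for a path that no default httpd_sys_content_t rule covers.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1380187927.301:213167): avc:  denied  { getattr } for  pid=28352 comm="httpd" path="/var/www/wordpress/index.php" dev=dm-4 ino=1181571 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=USER_START msg=audit(1380189661.507:213209): user pid=28699 uid=0 auid=0 ses=24593 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1380187930.000:213170): avc:  denied  { read } for  pid=28352 comm="httpd" path="/srv/blog/index.html" dev=dm-4 ino=1181599 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# A subset of the default httpd_sys_content_t rules listed by `semanage fcontext -l` above.
DEFAULT_RULES = [r"/var/www(/.*)?", r"/srv/([^/]*/)?www(/.*)?", r"/usr/share/drupal.*"]

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    rec["perms"] = m.group("perms").split()
    # scontext/tcontext are user:role:type:level; the type component decides the policy
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def has_default_rule(path):
    """True if a default fcontext rule would already label this path httpd_sys_content_t."""
    return any(re.fullmatch(pat, path) for pat in DEFAULT_RULES)


def triage(audit_text, domain="httpd_t", expected="httpd_sys_content_t"):
    """List (path, current type, fix command) for mislabelled files denied to the web server."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["stype"] != domain or rec.get("tclass") != "file":
            continue
        if rec["ttype"] == expected:
            continue  # label is already right; the denial has another cause
        path, parent = rec["path"], rec["path"].rsplit("/", 1)[0]
        if has_default_rule(path):
            fix = f"restorecon -Rv {parent}"  # policy already knows the label
        else:
            fix = f"semanage fcontext -a -t {expected} '{parent}(/.*)?' && restorecon -Rv {parent}"
        out.append((path, rec["ttype"], fix))
    return out
```

For the page's own path, /var/www(/.*)? already maps to httpd_sys_content_t, so `restorecon` restores the label from policy and, unlike `chcon`, the result survives a later relabel.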