在 Centos 7 服务器中,我有一个挂载autofs
在 中的目录/mnt/cifs-shares/cone_files
。我可以毫无问题地读取这些文件。
该目录/mnt/cifs-shares/cone_files
归其所有apache:apache
并具有drwxr-xr-x.
权限。
现在,我在中创建了指向该目录的符号链接/var/www/html/
,并希望允许访问这些文件。为此,我在中创建了此配置/etc/httpd/conf/httpd.conf
:
<Directory "/var/www/html/cone_files">
AllowOverride None
Options +Indexes +FollowSymLinks +MultiViews -SymLinksIfOwnerMatch
Require all granted
</Directory>
然后重新启动 apache 服务器。
现在当我尝试时,curl -v "http://127.0.0.1/cone_files/"
我得到了这个:
* About to connect() to 127.0.0.1 port 80 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /cone_files/ HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 127.0.0.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Wed, 23 Feb 2022 16:31:26 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
< Content-Length: 213
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /cone_files/
on this server.</p>
</body></html>
* Connection #0 to host 127.0.0.1 left intact
我/var/log/httpd/error_log
有:
[Wed Feb 23 13:31:26.143733 2022] [core:error] [pid 13996] (13)Permission denied: [client 127.0.0.1:46828] AH00035: access to /cone_files/index.ht
ml denied (filesystem path '/var/www/html/cone_files/index.html') because search permissions are missing on a component of the path
[Wed Feb 23 13:31:26.147968 2022] [negotiation:error] [pid 13996] (13)Permission denied: [client 127.0.0.1:46828] AH00686: cannot read directory f
or multi: /var/www/html/cone_files/
我/var/log/audit/audit.log
有:
type=AVC msg=audit(1645630142.836:569): avc: denied { getattr } for pid=12049 comm="httpd" path="/mnt/cifs-shares/cone_files/557471.13.rar" dev="cifs" ino=56107640 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1645630142.836:569): arch=c000003e syscall=6 success=no exit=-13 a0=555bea69c700 a1=7fff8037a4b0 a2=7fff8037a4b0 a3=ffffff00 items=0 ppid=12031 pid=12049 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
谁能帮我这个?。
答案1
我不确定这是更安全的解决方案,但由于该服务器(实际上是一个虚拟机)只公开这些文件,所以我通过执行以下命令解决了我的问题:
semanage permissive -a httpd_t