SELinux access denied

When access to certain files or folders is denied although the ordinary Unix permissions look right, it might be SELinux. You can check this in /var/log/audit/audit.log.
In this example we have replaced the html folder in /var/www/, the document root of the Apache HTTP server.

sudo grep denied /var/log/audit/audit.log

In the log you will find a line like this:

type=AVC msg=audit(1489911451.999:62): avc:  denied  { open } for  pid=870 comm="httpd" path="/var/www/html/index.html" dev="xvda1" ino=18607560 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Read it as: the httpd process (pid 870), running in the httpd_t domain (scontext), was denied the open permission on the file /var/www/html/index.html, which carries the user_tmp_t type (tcontext). user_tmp_t is the label files get when they are created in /tmp; moving a directory with mv keeps the labels it already has, whereas cp creates new files that receive the default label of the destination. That is how a folder built elsewhere and moved into /var/www ends up unreadable for Apache.

View the SELinux labels (contexts) with:

ls -Z /var/www/

You can now fix this with:

semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
restorecon -R -v /var/www/html

The semanage line records the labelling rule in the local policy, so it is permanent and survives a future relabel; the restorecon line applies that rule to the files that are on disk now. (The default targeted policy already maps /var/www(/.*)? to httpd_sys_content_t, so for the standard document root restorecon alone is enough; semanage fcontext is what you need for a custom document root such as /srv/www.) restorecon normally resets only the type part of the context. If you also want to change the unconfined_u:object_r into system_u:object_r you need to force the full context with -F:

restorecon -R -F -v /var/www/html

This is the result:

[root@ip-10-0-0-232 www]# ls -Z
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 html
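To triage a log like the one above and separate the labelling problems (which restorecon fixes) from the denials that need a boolean or a policy module instead, here is an added shell script. It is not from the original post; it assumes the targeted policy with the document root under /var/www. The three audit records embedded in it are constructed for the example, the first one copies the denial shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: triage AVC denials from audit.log
# and decide which ones a restorecon of the web root will fix. Assumes the
# targeted policy (httpd_t, document root under /var/www). The records in
# SAMPLE_AUDIT_LOG are constructed; the first mirrors the denial shown above.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1489911451.999:62): avc:  denied  { open } for  pid=870 comm="httpd" path="/var/www/html/index.html" dev="xvda1" ino=18607560 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1489911452.123:63): avc:  denied  { getattr } for  pid=870 comm="httpd" path="/var/www/html/img/logo.png" dev="xvda1" ino=18607561 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1489911500.001:64): avc:  denied  { name_connect } for  pid=870 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: value of the KEY=... token (quotes stripped, empty if absent)
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2); gsub(/"/, "", v); print v; exit
            }
    }'
}

# avc_perm LINE: the permission inside "{ ... }", e.g. open
avc_perm() {
    printf '%s\n' "$1" | sed 's/.*{ *//; s/ *}.*//'
}

# ctx_type CONTEXT: the type part of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_denial LINE prints one of:
#   relabel PATH TYPE   httpd_t denied on a /var/www file carrying a non-httpd
#                       label (user_tmp_t, user_home_t, ...): restorecon fixes it
#   policy CLASS PERM   everything else: a boolean or a custom module is needed,
#                       relabelling will not help
classify_denial() {
    line=$1
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    path=$(avc_field "$line" path)
    if [ "$stype" = httpd_t ] && { [ "$tclass" = file ] || [ "$tclass" = dir ]; }; then
        case "$path:$ttype" in
            /var/www/*:httpd_*) ;;                          # already labelled for httpd
            /var/www/*:*) echo "relabel $path $ttype"; return ;;
        esac
    fi
    echo "policy $tclass $(avc_perm "$line")"
}

# scan_denials [FILE]: classify every AVC record in FILE (default: the sample)
scan_denials() {
    if [ -n "${1:-}" ]; then
        grep '^type=AVC ' "$1"
    else
        printf '%s\n' "$SAMPLE_AUDIT_LOG"
    fi | while IFS= read -r line; do classify_denial "$line"; done
}

# relabel_commands [FILE]: the restorecon calls that resolve the relabel cases,
# one per path; add -F if the user part (unconfined_u) must be reset as well
relabel_commands() {
    scan_denials "$@" | awk '$1 == "relabel" { print "restorecon -v " $2 }' | sort -u
}

# Usage: sh avc_triage.sh [/var/log/audit/audit.log]; no argument uses the sample.
scan_denials "$@"
relabel_commands "$@"
```

The third sample record is the caveat: httpd_t connecting to a mysqld_port_t socket is a tcp_socket denial, so no amount of relabelling under /var/www will make it go away; it is decided by policy (a boolean or a module from audit2allow), which is why the script reports it as "policy" rather than suggesting a restorecon.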
