Troubleshooting SELinux on Files and Directories

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

Understanding how to fix potential SELinux issues is important. This lab will present an SELinux problem and allow us to work through the solution, getting us familiar with where to look and how to fix problems.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Identify and Fix the Problem on Startup

Running systemctl start httpd fails. Running journalctl -xe shows lines similar to this:

Jan 09 20:32:46 Server1 httpd[7107]: (13)Permission denied: AH00091: httpd: could not open error log file /etc/httpd/l>
Jan 09 20:32:46 Server1 httpd[7107]: AH00015: Unable to open logs

It looks like a problem with the error log file, which is /var/log/httpd/error_log.

ls -lZ /var/log/httpd/error_log shows:

-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Jan  9 20:17 /var/log/httpd/error_log

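The file is labelled admin_home_t instead of httpd_log_t, the type httpd is allowed to write its logs to. So let’s use restorecon to reset the label to the policy default.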

restorecon /var/log/httpd/error_log
systemctl start httpd

The service starts!

Fix the Problem with Home Directories

Based on /etc/httpd/conf.d/userdir.conf we should have a public_html directory in the developer’s home directory. Since we don’t, let’s create it, set the permissions to 755, set the home directory permissions to 711, and see what happens with a test file:

mkdir /home/developer/public_html
chmod 0755 /home/developer/public_html
chmod 0711 /home/developer
touch /home/developer/public_html/file
curl localhost/~developer/file

We’re still getting an error. Looking at /var/log/audit/audit.log, we see an AVC denial for the file we’re trying to load, so it’s SELinux related.

The contexts are correct, but the httpd_enable_homedirs boolean defaults to off.

setsebool httpd_enable_homedirs on

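Now the curl should work correctly. Without the -P option, setsebool changes only the running value, so the boolean reverts to off at the next reboot.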
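
Reading the AVC denial is what separates the two fixes used so far: a wrong label (fixed with restorecon) versus a correct label that policy still blocks (fixed with a boolean). The shell functions below are an added example, not part of the original lab; the function names avc_summary and avc_triage are hypothetical and the audit records in SAMPLE_AVC are constructed.

```shell
# Summarise SELinux AVC denials read from stdin (audit.log format).
# One output line per denial: comm|permissions|tclass|name|source_type|target_type
avc_summary() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; comm = ""; name = ""; cls = ""; st = ""; tt = ""
        # Denied permissions sit between braces, e.g. { read open }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # A context is user:role:type:level, so the type is the third part
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue
            k = substr($i, 1, p - 1); v = substr($i, p + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "name") name = v
            else if (k == "tclass") cls = v
            else if (k == "scontext") { split(v, c, ":"); st = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tt = c[3] }
        }
        print comm "|" perms "|" cls "|" name "|" st "|" tt
    }'
}

# Triage one summary line against the type that policy expects for the path
# (on a real host, matchpathcon <path> reports the expected context).
#   relabel: the label is wrong, so restorecon applies
#   policy:  the label is right, so check booleans such as httpd_enable_homedirs
avc_triage() {
    summary_line=$1
    expected_type=$2
    actual_type=${summary_line##*"|"}
    if [ "$actual_type" = "$expected_type" ]; then echo policy; else echo relabel; fi
}

# Constructed sample records (assumption: not copied from the lab audit.log).
SAMPLE_AVC='type=AVC msg=audit(1610224366.101:201): avc:  denied  { open } for  pid=7107 comm="httpd" name="error_log" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1610224366.101:201): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1610224999.550:230): avc:  denied  { read } for  pid=7300 comm="httpd" name="file" dev="dm-0" ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file permissive=0'

# Run with the argument "demo" to print the summary of the sample records.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AVC" | avc_summary
fi
```

On a live system, feed it the real log instead, for example avc_summary < /var/log/audit/audit.log as root.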

Make Sure the index.html in the Developer’s Home Directory public_html is Able to be Displayed

The instructions say to move the index page, so let’s do it:

mv /home/developer/index.html /home/developer/public_html/index.html
curl localhost/~developer/index.html

That failed. Let’s look at SELinux contexts.

Additional Resources

A junior sysadmin was trying to set up a webserver for your development team. He's running into some SELinux issues and he's not sure how to fix them.

First of all, Apache won't start. Once that starts correctly, we need to move the developer's index.html to their UserDir for Apache, and ensure that the page is served correctly.
