Apache2 and SELinux

I ran those commands and now http://localhost won’t render the index.html. Is there a way to fix it to work?
I know nothing about SELinux stuff but I wanted my scripts to be able to write to that directory and I wanted it to render my html pages.

Errigour@DELL-7050:/srv/http/cgi-bin> sudo semanage fcontext -a -t httpd_sys_content_t "/srv/http"
File context for /srv/http already defined, modifying instead
Errigour@DELL-7050:/srv/http/cgi-bin> sudo restorecon -Rv /srv/http
Errigour@DELL-7050:/srv/http/cgi-bin> sudo semanage fcontext -a -t httpd_sys_rw_content_t "/srv/http"
File context for /srv/http already defined, modifying instead
Errigour@DELL-7050:/srv/http/cgi-bin> sudo restorecon -Rv /srv/http
Relabeled /srv/http from unconfined_u:object_r:httpd_sys_content_t:s0 to unconfined_u:object_r:httpd_sys_rw_content_t:s0
Errigour@DELL-7050:/srv/http/cgi-bin>

Now I did this and it still won’t let me browse my index.html.

Errigour@DELL-7050:/srv/http/cgi-bin> sudo semanage fcontext -D
Errigour@DELL-7050:/srv/http/cgi-bin> sudo restorecon -Rv /srv/http
Relabeled /srv/http from unconfined_u:object_r:httpd_sys_rw_content_t:s0 to unconfined_u:object_r:var_t:s0
Errigour@DELL-7050:/srv/http/cgi-bin>

Ok here’s some info, it was working before I ran the commands above now I can’t load the index.html page and I think it has to do with SELinux stuff.

Errigour@DELL-7050:~> ls /srv/ -lZ
total 0
drwxr-xr-x. 1 root     root system_u:object_r:public_content_t:s0  0 Aug 25 05:01 ftp
drwxrwxr-x. 1 Errigour http unconfined_u:object_r:var_t:s0        58 Nov 17 23:47 http
drwxr-xr-x. 1 svn      svn  system_u:object_r:var_t:s0             0 Oct 31 16:49 svn
drwxr-xr-x. 1 tftp     tftp system_u:object_r:tftpdir_rw_t:s0      0 Jul 29 03:19 tftpboot
Errigour@DELL-7050:~> cat /etc/apache2/uid.conf
        User wwwrun
        Group http
Errigour@DELL-7050:~> 
Errigour@DELL-7050:~> sudo grep \<Directory /\> /etc/apache2/httpd.conf -A 10
grep: />: No such file or directory
/etc/apache2/httpd.conf:<Directory />
/etc/apache2/httpd.conf-         Options None
/etc/apache2/httpd.conf-         AllowOverride None
/etc/apache2/httpd.conf-         <IfModule !mod_access_compat.c>
/etc/apache2/httpd.conf-                 Require all granted
/etc/apache2/httpd.conf-         </IfModule>
/etc/apache2/httpd.conf-         <IfModule mod_access_compat.c>
/etc/apache2/httpd.conf-                 Order allow,deny
/etc/apache2/httpd.conf-                 Allow from all
/etc/apache2/httpd.conf-         </IfModule>
/etc/apache2/httpd.conf-</Directory>
Errigour@DELL-7050:~>
[Tue Nov 18 00:58:17.833310 2025] [core:error] [pid 1142:tid 1142] (13)Permission denied: [client 127.0.0.1:36182] AH00035: access to /index.html denied (filesystem path '/srv/http/index.html') because search permissions are missing on a component of the path

But the directory is executable and readable?

The following fixed it but I think it is only temporary.

sudo chcon -t httpd_sys_content_t /srv/http/index.html

Also I would have to do that for every file I want apache to run, is there an easy fix for that?

AFAIK if you want all files to be accessible (read) in a directory you need to execute the semanage command

semanage fcontext -a -t httpd_sys_content_t '/srv/http(/.*)'
restorecon -R -v '/srv/http'

if you want read and write access then use ‘httpd_sys_rw_content_t’ as context

Regards
Philippe

Do I have to use semanage? I rebooted after chcon and it is still working and the files kept the parameters.

I think my problem before was I used this command on my http root directory: restorecon -Rv '/srv/http'
It restored index.html because it was recursive. That is why I had to chcon the index again. Pros more security, cons more commands to setup. I like SELinux but I saw a post talking about using apparmor. I don’t even think apparmor is installed on my system. Am I fixing this the right way?

AFAIK The changes made with chcon are temporary but with semanage it is permanent. A relabel due to an update in SELinux should remove the changes done with chcon.

See chcon vs semanage

Regards
Philippe

No, they are not. chcon modifies file attributes which are stored permanently. But if SELinux policy has different definition for the file security label, it will be overwritten next time relabel is triggered (usually on SELinux packages update).

If the file in question is not referenced (directly or indirectly) in the SELinux policy, chcon is as permanent as you can get.

One can use matchpathcon to see what label is defined in the policy and will be set by the restorecon (which is invoked during relabel).
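
Added example (not part of any post above): a simplified shell model of the path-to-label lookup that restorecon and matchpathcon perform, showing which paths the rules quoted in this thread cover and whether a label set with chcon would survive a relabel. The base rule giving var_t, the "last matching rule wins" ordering and the function names are assumptions made for the illustration.

```sh
#!/bin/sh
# Simplified model of SELinux file-context lookup (constructed illustration).
# Assumptions: a rule is "<regex> <type>", the regex must match the whole
# path, and when several rules match, the last one listed wins.

# Stand-in for the base policy: in the thread, restorecon reset /srv/http
# to var_t once the local rules were deleted with `semanage fcontext -D`.
BASE_RULES='/srv(/.*)? var_t'

# Local rule as first added in the thread: no regex, so directory only.
DIR_ONLY="$BASE_RULES
/srv/http httpd_sys_content_t"

# Local rule as suggested in the reply: everything below the directory.
CHILDREN="$BASE_RULES
/srv/http(/.*) httpd_sys_content_t"

# policy_label RULES PATH: print the type a relabel would apply to PATH.
policy_label() {
    rules=$1; path=$2; result='<<none>>'
    while read -r regex setype; do
        [ -n "$regex" ] || continue
        # grep -x makes the pattern match the whole path, not a substring.
        if printf '%s\n' "$path" | grep -Eqx -- "$regex"; then
            result=$setype
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$result"
}

# survives_relabel RULES PATH CURRENT_TYPE: succeed when the type now on the
# file (for example set with chcon) is what the rules define, so a relabel
# leaves it alone. On a real system `matchpathcon -V PATH` does this check.
survives_relabel() {
    [ "$(policy_label "$1" "$2")" = "$3" ]
}

for p in /srv/http /srv/http/index.html; do
    printf '%-22s dir-only=%s children=%s\n' "$p" \
        "$(policy_label "$DIR_ONLY" "$p")" "$(policy_label "$CHILDREN" "$p")"
done
```

On a live system, `restorecon -n -v /srv/http/index.html` reports what a relabel would change without changing it.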
