SELinux blocks apache2 from starting and running

Hello.
I use apache2 to run ZoneMinder.
Everything needed to run it is installed successfully.
But SELinux blocks apache from running.
If I do:
setenforce 0
suddenly apache and zoneminder run.
After switching back to:
setenforce 1
apache stops.

I tried to use ChatGPT to solve it, but we run in circles; it’s unhelpful.

How to fix it?
I am completely new to SELinux. Freshly switched to Leap 16.0.
Or is it better to switch from SELinux to AppArmor?

Hello,
You can see the errors with the following command (as root!):

#  ausearch --start boot  -m avc -i  

This gives a list of the denied accesses; post it here (it can be big).
You can then check the SELinux access for the file to which access is denied via the command

# ls -lZ  pathtofile

Regards
Philippe

Here is the output from the terminal:

sudo ausearch --start boot  -m avc -i
[sudo] password for root: 
----
type=AVC msg=audit(05/03/2026 05:54:08.562:63) : avc:  denied  { open } for  pid=1783 comm=httpd-prefork path=/var/log/zm/apache-error.log dev="dm-0" ino=1152673 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(05/03/2026 05:54:09.530:274) : avc:  denied  { open } for  pid=3056 comm=zmpkg.pl path=/var/log/zm/zmpkg.log dev="dm-0" ino=1152724 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(05/03/2026 05:54:09.851:379) : avc:  denied  { open } for  pid=3443 comm=zmdc.pl path=/var/log/zm/zmdc.log dev="dm-0" ino=1152726 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(05/03/2026 05:54:09.890:395) : avc:  denied  { open } for  pid=3730 comm=zmdc.pl path=/var/log/zm/zmdc.log dev="dm-0" ino=1152726 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(05/03/2026 05:54:11.003:461) : avc:  denied  { create } for  pid=3730 comm=zmdc.pl name=zmdc.sock scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 


sudo ls -Z /var/log/zm
system_u:object_r:var_log_t:s0 apache-error.log     system_u:object_r:var_log_t:s0 zmcontrol_1.log  system_u:object_r:var_log_t:s0 zms_m3.log
system_u:object_r:var_log_t:s0 web_js.log           system_u:object_r:var_log_t:s0 zmdc.log         system_u:object_r:var_log_t:s0 zms_m4.log
system_u:object_r:var_log_t:s0 web_php.log          system_u:object_r:var_log_t:s0 zmfilter_1.log   system_u:object_r:var_log_t:s0 zmstats.log
system_u:object_r:var_log_t:s0 zmc_m1.log           system_u:object_r:var_log_t:s0 zmfilter_2.log   system_u:object_r:var_log_t:s0 zmsystemctl.log
system_u:object_r:var_log_t:s0 zmc_m1.log-20260327  system_u:object_r:var_log_t:s0 zmpkg.log        system_u:object_r:var_log_t:s0 zmtelemetry.log
system_u:object_r:var_log_t:s0 zmc_m2.log           system_u:object_r:var_log_t:s0 zms_e5.log       system_u:object_r:var_log_t:s0 zmupdate.log
system_u:object_r:var_log_t:s0 zmc_m3.log           system_u:object_r:var_log_t:s0 zms_m1.log       system_u:object_r:var_log_t:s0 zmwatch.log
system_u:object_r:var_log_t:s0 zmc_m4.log           system_u:object_r:var_log_t:s0 zms_m2.log

Then I did:

sudo ausearch -m avc -ts recent -i
<no matches>

sudo systemctl restart httpd

sudo systemctl restart apache2

sudo ausearch -m avc -ts recent -i
----
type=AVC msg=audit(05/03/2026 12:39:33.032:737) : avc:  denied  { execmem } for  pid=36102 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(05/03/2026 12:39:36.605:738) : avc:  denied  { execmem } for  pid=36106 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(05/03/2026 12:39:47.095:742) : avc:  denied  { execmem } for  pid=36140 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(05/03/2026 12:40:23.164:754) : avc:  denied  { execmem } for  pid=36262 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(05/03/2026 12:40:23.729:755) : avc:  denied  { execmem } for  pid=36264 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(05/03/2026 12:40:26.320:756) : avc:  denied  { execmem } for  pid=36266 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
boguslaw@localhost:~> sudo setsebool -P httpd_execmem 1
boguslaw@localhost:~> sudo ausearch -m avc -ts recent -i
----
type=AVC msg=audit(05/03/2026 12:39:33.032:737) : avc:  denied  { execmem } for  pid=36102 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(05/03/2026 12:39:36.605:738) : avc:  denied  { execmem } for  pid=36106 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----
type=AVC msg=audit(05/03/2026 12:39:47.095:742) : avc:  denied  { execmem } for  pid=36140 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----
etc

And the problem is still there.
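
Added example (not part of the thread): a small Python parser for `ausearch -i` AVC records that groups denials by source type, target type, class and permission, and compares audit serial numbers between two runs to tell new denials from records already listed. The sample records are taken from the output posted above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Records in `ausearch -i` format, taken from the output posted above.
BOOT = """\
type=AVC msg=audit(05/03/2026 05:54:08.562:63) : avc:  denied  { open } for  pid=1783 comm=httpd-prefork path=/var/log/zm/apache-error.log dev="dm-0" ino=1152673 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/03/2026 05:54:09.530:274) : avc:  denied  { open } for  pid=3056 comm=zmpkg.pl path=/var/log/zm/zmpkg.log dev="dm-0" ino=1152724 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/03/2026 05:54:09.851:379) : avc:  denied  { open } for  pid=3443 comm=zmdc.pl path=/var/log/zm/zmdc.log dev="dm-0" ino=1152726 scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/03/2026 05:54:11.003:461) : avc:  denied  { create } for  pid=3730 comm=zmdc.pl name=zmdc.sock scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""
RUN1 = """\
type=AVC msg=audit(05/03/2026 12:39:33.032:737) : avc:  denied  { execmem } for  pid=36102 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(05/03/2026 12:39:36.605:738) : avc:  denied  { execmem } for  pid=36106 comm=httpd-prefork scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r"msg=audit\((?P<when>[^)]*):(?P<serial>\d+)\).*?denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
OBJ_RE = re.compile(r"\b(?:path|name)=(\S+)")

def se_type(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]

def summarize(text):
    """Group denials by (source type, target type, class, permissions)."""
    groups = defaultdict(lambda: {"serials": set(), "objects": set()})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # separators such as "----" and non-AVC lines
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"],
               tuple(m["perms"].split()))
        groups[key]["serials"].add(int(m["serial"]))
        obj = OBJ_RE.search(line)  # process-class denials carry no path/name
        if obj:
            groups[key]["objects"].add(obj.group(1).strip('"'))
    return dict(groups)

def new_serials(before, after):
    """Audit serial numbers that appear in `after` but not in `before`."""
    def serials(text):
        return {s for g in summarize(text).values() for s in g["serials"]}
    return serials(after) - serials(before)

if __name__ == "__main__":
    for (src, tgt, cls, perms), g in summarize(BOOT).items():
        print(src, "->", tgt, cls, perms, sorted(g["objects"]))
```

`ausearch -ts recent` covers the last 10 minutes, so a second run shortly after the first repeats the earlier records; an empty `new_serials` result means nothing new was denied in between.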

As far as I can see the httpd scripts need execmem/execstack. You tried to solve it via setting the boolean which can be correct.

Can you show the output of

#  ausearch -c 'httpd-prefork' --raw | audit2allow  

Can you reboot the system and then see if there are still errors after the boot?

# ausearch -ts boot -m avc -i

Regards
Philippe

@GazetaCypr Hi, you likely need to read the SELinux Portal information and open a bug report (See Forum side panel for links) but probably a similar situation to https://forums.opensuse.org/t/nextcloud-with-leap-16-0/192988

Here is:

sudo ausearch -c 'httpd-prefork' --raw | audit2allow 

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_can_network_relay
allow httpd_t http_cache_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
allow httpd_t var_log_t:file open;
allow httpd_t var_run_t:file read;
allow httpd_t var_t:lnk_file create;

And after fully rebooting my computer:

sudo ausearch -ts boot -m avc -i
----
type=AVC msg=audit(05/03/2026 18:52:20.404:62) : avc:  denied  { write } for  pid=1549 comm=httpd-prefork name=zm dev="dm-0" ino=1151971 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zoneminder_log_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(05/03/2026 18:52:23.103:457) : avc:  denied  { create } for  pid=3162 comm=zmdc.pl name=zmdc.sock scontext=system_u:system_r:zoneminder_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 

How to name it?
After ‘Bug reporting’ and choosing ‘OpenSuse Leap 16.0’ and login…

https://en.opensuse.org/openSUSE:Bugreport_SELinux

So the problem of execmem/execstack is solved, but the write is denied because the contexts are not correct
for: name=zm dev="dm-0"

source:
scontext=system_u:system_r:httpd_t:s0
target:
tcontext=system_u:object_r:zoneminder_log_t:s0

I don’t know ZoneMinder, but in Tumbleweed it is not present (I didn’t check in Leap).
I suppose that ZoneMinder has some SELinux settings installed that are not correct for Leap + SELinux.
You can do the following to have a proposed solution:

# ausearch -ts boot --raw | audit2allow 

If it is not too complex, you can then create a new module via

ausearch -ts boot --raw | audit2allow -M my-init-zoneminder

This creates two files “my-init-zoneminder.pp” and “my-init-zoneminder.te” in the current directory
and the command to install this module is

semodule -X 400 -i my-init-zoneminder.pp

On Tumbleweed this module is installed in /var/lib/selinux/targeted/active/modules/400.
Reboot and retest. If it still fails with the same error, you can remove the module via semodule (see man page).

Also have a look at “man sealert”.

Regards
Philippe
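
Added example (not part of the thread): before installing a module generated with `audit2allow -M`, its rules can be reviewed. This Python sketch reads the `audit2allow` output posted earlier, attaches the booleans that audit2allow itself suggests to the rule they precede, and marks rules whose target is a generic type; the `GENERIC_TYPES` set and the function name are assumptions of this example.

```python
import re

# audit2allow output as posted earlier in the thread.
A2A = """\
#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_can_network_relay
allow httpd_t http_cache_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
allow httpd_t var_log_t:file open;
allow httpd_t var_run_t:file read;
allow httpd_t var_t:lnk_file create;
"""

# Assumption of this example: catch-all types that files receive when no more
# specific label applies. A rule against them is broad and often points to a
# labeling problem rather than to missing policy.
GENERIC_TYPES = {"var_t", "var_log_t", "var_run_t"}

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(.+);$")

def review(text):
    """Return one dict per allow rule: the rule, suggested booleans, generic flag."""
    rules, booleans, in_hint = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#!!!!"):
            # Hint line; a boolean named in quotes sits on this line.
            in_hint = True
            booleans = re.findall(r"'(\w+)'", line)
        elif in_hint and line.startswith("#"):
            # Continuation line listing several booleans.
            booleans += re.findall(r"\w+", line.lstrip("# "))
        elif (m := RULE_RE.match(line)):
            _src, tgt, _cls, _perms = m.groups()
            rules.append({"rule": line, "booleans": booleans,
                          "generic_target": tgt in GENERIC_TYPES})
            booleans, in_hint = [], False  # a hint applies to the next rule only
    return rules

if __name__ == "__main__":
    for r in review(A2A):
        note = ("boolean: " + ", ".join(r["booleans"]) if r["booleans"]
                else "generic target, check labels" if r["generic_target"]
                else "needs module")
        print(f'{r["rule"]:60} {note}')
```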

I’m having a similar problem and already opened a forum thread “Nextcloud with Leap” (Nextcloud with Leap 16.0) and also a bug report “SELinux blocks Nextcloud” (https://bugzilla.opensuse.org/show_bug.cgi?id=1261535).
Nextcloud needs a running apache2, mysql & mariadb.

# restorecon -F -R -v /usr /var /etc

After spending (a lot of) time to run in circles I decided to switch from SELinux to AppArmor after all.
I used this path: https://en.opensuse.org/How_to_switch_from_SELinux_to_AppArmor_in_Leap_16
It solved my case.

Maybe in the future I’ll switch to SELinux again. At least I will give it a try.

After all I think your way and switching to AppArmor is the better way…

See also bug report “SELinux blocks Nextcloud” (https://bugzilla.opensuse.org/show_bug.cgi?id=1261535) which after two updates does not help nor solve the issue…