Q: I have installed apache and chose to put my document root into a home directory. I could not get apache to start and after much research I found it was SELINUX stopping it from starting. I was told not to disable SELINUX and to configure it to work with the new directory. Do you have any idea how I can accomplish this?
A: Set the httpd_enable_homedirs boolean in SELINUX to allow such access.
So the first thing I would do is use the sealert command to pull the relevant information from the audit log.
First try to start the httpd service, when it fails run the following command.
sealert -a /var/log/audit/audit.log
This will give you some background on why SELINUX is stopping the service from starting. It will also give you some information on how to allow such access.
setsebool -P httpd_enable_homedirs=1
If you run the above command it will tell SELINUX that you are allowing httpd to read a users home directory.
Along with the boolean, you also need to make sure the directory has the correct permissions and is labelled correctly.
You can see the permissions and SELINUX label by using the “ls” command.
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 favicon.ico
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 images
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.html
You can label a file or group of files using the “chcon” command, like so:
chcon unconfined_u:object_r:httpd_user_content_t:s0 <filename>
or use a wildcard to change all files in a directory:
chcon unconfined_u:object_r:httpd_user_content_t:s0 *
You can also change all the files in a directory and all subdirectories by using the recursive switch:
chcon -R unconfined_u:object_r:httpd_user_content_t:s0 *
Permissions much be world readable and executable for apache and the httpd process to have the correct access.
I hope this answered your question and helps you to understand a little bit about how SELINUX works. If you have any further questions about this please sound off in the comments.
semanage fcontext -a -t httpd_sys_rw_content_t ‘/var/www/html(/.*)?’
restorecon -R /var/www/html