TudorRaduta
Community Manager

403 Forbidden: The SELinux Edition

Friday Challenge: Why is my web server “Forbidden”?

Happy Friday, everyone!

Let’s close the week with a real-world troubleshooting scenario. If you’ve ever worked with Apache, SELinux, or custom web directories, this one will feel familiar.

This is the classic “Everything looks right… but it still doesn’t work” moment. Permissions are set, the firewall is open, and yet you’re staring at a 403 Forbidden.

The Scenario:

You’ve set up a new website for the marketing team. To keep things tidy, you stored the files in a new directory: /srv/marketing/.

You’ve already:

  • Updated httpd.conf with a new DocumentRoot.
  • Set the ownership with chown -R apache:apache.
  • Applied correct UNIX permissions.
  • Confirmed the firewall allows HTTP traffic.

The service starts cleanly, but your browser still shows 403 Forbidden. A look in /var/log/audit/audit.log reveals an AVC denied message. This points to SELinux.

Your Challenge:

Share the exact commands you’d use — in order — to fix this permanently.

  1. How do you check the current SELinux context of /srv/marketing?
  2. What SELinux context type should Apache be allowed to read? (Hint: httpd_sys_content_t)
  3. What semanage fcontext command permanently assigns the correct context?
  4. Which command applies the new context recursively?
  • Bonus: If Apache serves on port 8080, which SELinux command allows it?

Let’s see your SELinux fixes! Have a great weekend!

Ad_astra
Flight Engineer

1) The command ls -Z /srv will show the current SELinux context of the directory.

2) As the 'hint' suggests, the correct SELinux context type should be httpd_sys_content_t.

3) The command semanage fcontext -a -t httpd_sys_content_t "/srv/marketing(/.*)?" will assign the correct SELinux context.

4) The command restorecon -R -v /srv/marketing will assign the context recursively.

Bonus:

The command semanage port -l will list the current SELinux port labels. Port 8080 should, by default, be set to http_cache_port_t, which is not what you want!

Run the command semanage port -m -t http_port_t -p tcp 8080 to assign the correct SELinux port label.
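
A triage helper for the audit.log step in the scenario, added here as an example (not code from either poster): it reads AVC records and summarises only the denials raised against httpd_t, separating file-label problems from port-label problems. The sample records, the var_t type and port 8081 are constructed assumptions.

```shell
#!/bin/sh
# Added example: summarise httpd_t AVC denials from audit.log-style lines.

# Constructed sample records (not from a real host). The var_t type and
# port 8081 are assumptions chosen for illustration.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_bind } for  pid=1240 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=2000 comm="sshd" name="x" dev="dm-0" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# Reads audit records on stdin and prints one line per denial whose source
# domain is httpd_t, so web server label problems stand out from other AVCs.
httpd_avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; inperm = 0; stype = ""; ttype = ""; tclass = ""; obj = ""
        for (i = 1; i <= NF; i++) {
            # Denied permissions are the words between "{" and "}".
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perm = perm (perm == "" ? "" : ",") $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            gsub(/"/, "", val)
            # A context is user:role:type:level, so the type is field 3.
            if (key == "scontext") { split(val, c, ":"); stype = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
            else if (key == "tclass") tclass = val
            else if (key == "name" || key == "path" || key == "src") obj = val
        }
        if (stype != "httpd_t") next
        kind = (tclass ~ /_socket$/) ? "port-label" : "file-label"
        printf "%s perm=%s tclass=%s target_type=%s object=%s\n", kind, perm, tclass, ttype, obj
    }'
}

printf '%s\n' "$SAMPLE_AVC" | httpd_avc_summary
```

On a real host, pipe /var/log/audit/audit.log or the output of ausearch -m avc into httpd_avc_summary; a file-label line whose target_type is not httpd_sys_content_t is the case the fcontext and restorecon steps above address.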
