TudorRaduta
Community Manager

403 Forbidden: The SELinux Edition

Friday Challenge: Why is my web server “Forbidden”?

Happy Friday, everyone!

Let’s close the week with a real-world troubleshooting scenario. If you’ve ever worked with Apache, SELinux, or custom web directories, this one will feel familiar.

This is the classic “Everything looks right… but it still doesn’t work” moment. Permissions are set, the firewall is open, and yet you’re staring at a 403 Forbidden.

The Scenario:

You’ve set up a new website for the marketing team. To keep things tidy, you stored the files in a new directory: /srv/marketing/.

You’ve already:

  • Updated httpd.conf with a new DocumentRoot.
  • Set the ownership with chown -R apache:apache.
  • Applied correct UNIX permissions.
  • Confirmed the firewall allows HTTP traffic.

The service starts cleanly, but your browser still shows 403 Forbidden. A look in /var/log/audit/audit.log reveals an AVC denied message. This points to SELinux.

Your Challenge:

Share the exact commands you’d use — in order — to fix this permanently.

  1. How do you check the current SELinux context of /srv/marketing?
  2. What SELinux context type should Apache be allowed to read? (Hint: httpd_sys_content_t)
  3. What semanage fcontext command permanently assigns the correct context?
  4. Which command applies the new context recursively?
  • Bonus: If Apache serves on port 8080, which SELinux command allows it?

Let’s see your SELinux fixes! Have a great weekend!

0 Kudos
3 Replies
Ad_astra
Flight Engineer

1) The command ls -Z /srv will show the current SE Linux context of the directory.

2) As the 'hint' suggests, the correct SE Linux context type should be httpd_sys_content_t.

3) The command semanage fcontext -a -t httpd_sys_content_t "/srv/marketing(/.*)?" will assign the correct SE Linux context.

4) The command restorecon -R -v /srv/marketing will assign the context recursively.

Bonus:

The command semanage port -l will list the current SE Linux port labels. Port 8080 should, by default, be set to http_cache_port_t, which is not what you want!

Run the command semanage port -m -t http_port_t -p tcp 8080 to assign the correct SE Linux port label.

TudorRaduta
Community Manager

That’s a solid approach.

How do you usually decide when to use chcon for a quick fix versus semanage fcontext for a permanent change?

 

0 Kudos
Ad_astra
Flight Engineer

Thanks.

I would not use chcon as the change is not permanent; it does not survive a restorecon or file system relabelling. I would usually apply semanage fcontext and restorecon to ensure the change is persistent across reboots.

0 Kudos
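
The fix sequence discussed in this thread, driven from the AVC record itself, as an added example that is not part of any post above: it reads an httpd denial and prints the persistent commands to review, without running them. The function names (avc_field, avc_type, plan_fix), both sample records and port 8090 are constructed for illustration.

```shell
#!/bin/sh
# Added example: map an httpd AVC denial to the persistent SELinux fix.
# Both records are constructed samples, not taken from a real audit.log.
SAMPLE_FILE_AVC='type=AVC msg=audit(1700000000.101:512): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev="dm-0" ino=917 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0'
SAMPLE_PORT_AVC='type=AVC msg=audit(1700000000.202:513): avc:  denied  { name_bind } for  pid=2300 comm="httpd" src=8090 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field RECORD KEY: print the value of KEY=... (quotes stripped).
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_type RECORD KEY: print the type, the third field of user:role:type:level.
avc_type() {
  avc_field "$1" "$2" | cut -d: -f3
}

# plan_fix RECORD [CONTENT_ROOT]: print the commands to review and run as root.
plan_fix() {
  plan_root=${2:-/srv/marketing}
  if [ "$(avc_type "$1" scontext)" != "httpd_t" ]; then
    echo "# source domain is not httpd_t, review manually"; return 1
  fi
  case "$(avc_field "$1" tclass)" in
    file|dir|lnk_file)
      if [ "$(avc_type "$1" tcontext)" = "httpd_sys_content_t" ]; then
        echo "# label is already httpd_sys_content_t, look elsewhere"; return 1
      fi
      # Persistent rule in the policy store, then relabel the tree from it.
      printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$plan_root"
      printf 'restorecon -R -v %s\n' "$plan_root"
      ;;
    tcp_socket)
      case "$1" in *'{ name_bind }'*) ;; *) echo "# not a bind denial, review manually"; return 1 ;; esac
      # -a adds a new port label; a port already labelled in policy needs -m.
      printf 'semanage port -a -t http_port_t -p tcp %s\n' "$(avc_field "$1" src)"
      ;;
    *)
      echo "# unhandled tclass, review manually"; return 1
      ;;
  esac
}

plan_fix "$SAMPLE_FILE_AVC"
plan_fix "$SAMPLE_PORT_AVC"
```

Feed it real records with something like `grep 'comm="httpd"' /var/log/audit/audit.log`, one line per plan_fix call, and pass the content root as the second argument when it is not /srv/marketing.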