cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
TudorRaduta
Community Manager
Community Manager
yesterday
  • 133 Views

Wednesday Challenge: The Permissions “Lie” (403 Forbidden)

Jump to solution

A classic trap hidden beyond ls -l

Happy Wednesday. Time for another From Problem & To Polish scenario.

We usually trust ls -l to tell us who can access a file. But sometimes it tells you everything is fine, while the system quietly blocks access anyway.

Today’s challenge digs into a classic pitfall where permissions look correct, but SELinux has the final say.

The Scenario

You’re setting up a simple web page. You create the file in your home directory:

[user@server ~]$ vim index.html

Then you move it into the web server directory:

[root@server ~]# mv /home/user/index.html /var/www/html/

You check permissions with ls -l. Everything looks right. The file is readable.

But when you access the page, Apache or Nginx returns a 403 Forbidden. The audit log shows an AVC denial.

Your Challenge

You’ve run into the classic mv versus cp trap. Let’s break it down.

  1. The Diagnosis: ls -l isn’t showing the full picture. What flag do you add to reveal the SELinux context?
  2. The Cause: You see the file labeled as user_home_t. Why did it keep that label after being moved into /var/www/html?
  3. The Fix: What single command immediately restores the correct SELinux labels on everything under /var/www/html?
  • Bonus: If you had used cp instead of mv, this problem wouldn’t have shown up. Why not?

Who can spot the real permission issue here? Share your answers below.

Join the discussion
1 Solution

Accepted Solutions
Ad_astra
Flight Engineer Flight Engineer
Flight Engineer
yesterday
  • 89 Views

Jump to solution

Hi 

My answers are:

1) The -Z option for the ls command will show the SE Linux contexts. For example; ls -lZ.

2) Moving a file retains the SE Linux file context of the directory it was created in. This means the SE Linux context will be incorrect for the directory that the file is being moved to. 

3) Running the following command will change the SE Linux context on the moved file and restore the defaults to any other files in the directory:

sudo restorecon -Rv /var/www/html/

Bonus) When you copy a file, the file system creates a new file in place. The new file is created with the default SE Linux context/labelling rules for the directory it is created in. Copying a file from one directory to another keeps the original file context and labelling from the original directory. 

View solution in original post

3 Replies
sr5
Cadet
Cadet
yesterday
  • 122 Views

Jump to solution

restorecon -R 

 /var/www/html/index.html 

 

sr5
Cadet
Cadet
yesterday
  • 120 Views

Jump to solution

cp instead of mv, this problem wouldn’t have shown up. Why not? Because it retains the selinux permissions

Ad_astra
Flight Engineer Flight Engineer
Flight Engineer
yesterday
  • 90 Views

Jump to solution

Hi 

My answers are:

1) The -Z option for the ls command will show the SE Linux contexts. For example; ls -lZ.

2) Moving a file retains the SE Linux file context of the directory it was created in. This means the SE Linux context will be incorrect for the directory that the file is being moved to. 

3) Running the following command will change the SE Linux context on the moved file and restore the defaults to any other files in the directory:

sudo restorecon -Rv /var/www/html/

Bonus) When you copy a file, the file system creates a new file in place. The new file is created with the default SE Linux context/labelling rules for the directory it is created in. Copying a file from one directory to another keeps the original file context and labelling from the original directory. 

Join the discussion
You must log in to join this conversation.
Red Hat Learning Community

Red Hat

Learning Community

A collaborative learning environment, enabling open source skill development.

Red Hat Inc. Copyright @ 2025 Red Hat Privacy statement Terms of service Community Guidelines