RHEL 8 - SELinux Preventing Apache from Accessing Custom Document Root
I'm reviewing some code and I'm running Red Hat Enterprise Linux 8 and I've configured Apache to serve files from a custom document root located at `/srv/www/custom`... However, when I try to access the site, I keep getting a 403 Forbidden behavior. I've checked the Apache behavior log and found the following message:

```
[behavior] [client 192.168.1.10] Forbidden: /srv/www/custom/index.html
```

I've confirmed that the file permissions for the directory and files are set correctly:

```bash
ls -l /srv/www/custom
```

produces:

```
drwxr-xr-x. 2 apache apache 4096 Oct 5 12:00 .
-rw-r--r--. 1 apache apache 123 Oct 5 12:00 index.html
```

Initially, I thought it might be a simple permissions scenario, but then I remembered SELinux might be causing the question. I checked the SELinux status using:

```bash
sestatus
```

which returned:

```
SELinux status: enabled
```

To further investigate, I ran the following command to check for denials:

```bash
sudo ausearch -m avc -ts recent
```

And I found messages indicating that Apache is being denied access:

```
type=AVC msg=audit(1664983200.123:456): avc: denied { read } for pid=1234 comm="httpd" name="custom" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
```

I've tried adding a new SELinux context to the directory with:

```bash
sudo semanage fcontext -a -t httpd_sys_content_t '/srv/www/custom(/.*)?'
```

And then ran:

```bash
sudo restorecon -Rv /srv/www/custom
```

But the question continues. I would appreciate any insight into how to resolve this SELinux scenario so that Apache can serve files from this custom document root without throwing a 403 behavior.

This is part of a larger CLI tool I'm building. What's the best practice here? The stack includes Bash and several other technologies. Hoping someone can shed some light on this. What are your experiences with this?
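One way to read AVC records like the one quoted above in bulk, as an added example that is not part of the original post: it splits each denial into its fields and lists the objects whose target type is still not the expected one at or after a given time, which separates denials logged before a relabel from those logged after it. The function names `avc_summary` and `mislabelled` are hypothetical, and the second sample record is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). SAMPLE is constructed: the first
# record is the denial quoted in the post, the second is a made-up later one.
SAMPLE='type=AVC msg=audit(1664983200.123:456): avc: denied { read } for pid=1234 comm="httpd" name="custom" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1664983900.001:470): avc: denied { write } for pid=1234 comm="httpd" name="upload.tmp" dev="dm-0" ino=12399 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_summary: audit text on stdin, one line out per denial:
#   epoch|comm|perms|tclass|source_type|target_type|name
avc_summary() {
    awk '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        split("", f)                       # reset the key=value map per record
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue          # tokens such as "denied" or "{"
            v = substr($i, eq + 1); gsub(/"/, "", v)
            f[substr($i, 1, eq - 1)] = v
        }
        # msg=audit(EPOCH.millis:serial): -> keep EPOCH only
        ts = f["msg"]; sub(/^audit[(]/, "", ts); sub(/[.:].*/, "", ts)
        # contexts are user:role:type:level, the type is the third part
        split(f["scontext"], s, ":"); split(f["tcontext"], t, ":")
        print ts "|" f["comm"] "|" perms "|" f["tclass"] "|" s[3] "|" t[3] "|" f["name"]
    }'
}

# mislabelled EXPECTED_TYPE [SINCE_EPOCH]: names of denied objects whose target
# type is not EXPECTED_TYPE, counting only denials at or after SINCE_EPOCH.
mislabelled() {
    avc_summary | awk -F'|' -v want="$1" -v since="${2:-0}" \
        '$1 + 0 >= since + 0 && $6 != want { print $7 " (" $6 ")" }'
}

printf '%s\n' "$SAMPLE" | avc_summary
printf '%s\n' "$SAMPLE" | mislabelled httpd_sys_content_t 0
```

On a host, the same functions read live records from `sudo ausearch -m avc -ts recent`, with the second argument set to the epoch time at which `restorecon` was run.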