Ask Your Question

SELinux mislabeling Apache directories on F22 Server

asked 2015-09-26 15:25:46 -0500

jflory7 gravatar image

updated 2015-09-28 08:04:09 -0500

I have a small KVM VPS spinning with a F22 Server install running on it. I have a few virtual hosts running on the machine, located in /var/www/ However, when using the machine, I've run into the issue where I cannot run the Apache web server because SELinux is mislabeling the files under the entire directory.

I'm not sure if this is an issue related to my configuration or if it's a bug, but I'm curious as to why SELinux isn't recognizing my Apache web directories as web directories. I'm consistently having to execute restorecon -Rv /var/www/ on my server in order to make Apache not fail to start up whenever I restart the service.

Any ideas why this is an issue or how I can fix this?

Edit 1: Of course, when I try to replicate this behavior for debugging purposes, I can't seem to get it to repeat past behavior. The best I could do was find an audit log from the day that I think this behavior was occurring, and I grep'd it for httpd. The output of that log can be found here, although I'm not sure how useful it is.

In terms of the actions I'm performing, I've noticed this issue when making new sites, e.g. mkdir -p /var/www/ and generating new content in them. For example, a few days ago, I had installed a WordPress installation on this machine using wp-cli, and when I went to restart Apache, it failed to restart. I can't remember how I discovered the issue originally, but I knew restoring the SELinux labels would fix the problem. Sure enough, it did:

# journalctl -u httpd
Sep 26 11:46:28 systemd[1]: Starting The Apache HTTP Server...
Sep 26 11:46:28 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 26 11:46:28 systemd[1]: Failed to start The Apache HTTP Server.
Sep 26 11:46:28 systemd[1]: Unit httpd.service entered failed state.
Sep 26 11:46:28 systemd[1]: httpd.service failed.

[...running restorecon -Rv /var/www/...]

Sep 26 11:48:01 systemd[1]: Starting The Apache HTTP Server...
Sep 26 11:48:02 systemd[1]: Started The Apache HTTP Server.
edit retag flag offensive close merge delete


To what label are the files being assigned? Can you tell what seems to be causing the mislabeling? When you take any particular action, for example, like creating new files or moving files? I take it that you correct the situation, only to find that sometime during runtime later, some process has changed the context labels for the files?

bitwiseoperator gravatar imagebitwiseoperator ( 2015-09-26 21:31:59 -0500 )edit

Are you moving your files into /var/www ? cp inherits attributes from the target, mv carries attributes with the file. Some trimmed examples of ls -alZ /var/www/ or whatever would help give some context.

randomuser gravatar imagerandomuser ( 2015-09-26 23:07:41 -0500 )edit

@bitwiseoperator@randomuser The original question was updated with more information. For the most part, I am working with new, freshly-generated content.

jflory7 gravatar imagejflory7 ( 2015-09-28 08:06:23 -0500 )edit

If you run ls -Z on the mislabeled content, we could probably figure out from where its label is coming. If you use a script that builds content in /tmp, for example, and then copies it into the Apache directory without taking care to modify the files with the proper SELinux context, that could be causing the trouble. It's unlikely that this is a problem with SELinux at this point, and more likely that the files are being treated properly, but in an unintended fashion. I doubt you want to post too much of your creation process here, but whatever you can post would be helpful.

bitwiseoperator gravatar imagebitwiseoperator ( 2015-09-28 21:45:56 -0500 )edit

@bitwiseoperator I've been playing around with this during the week, and I think the issue is actually as @randomuser described - I think the way the content was being created in the web directories was causing the issue (i.e. wp-cli using cached files in my home directory). I have tried to replicate the situation and this was the only way I was able to duplicate the scenario. So I think it is related to cp / mv! I'll mark an answer as correct if added.

jflory7 gravatar imagejflory7 ( 2015-10-04 21:04:37 -0500 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2015-10-05 08:07:05 -0500

updated 2015-10-05 08:08:10 -0500

randomuser was onto the same theory I was when I posted my initial questions regarding your creation or movement of files. Since SELinux labels new files based on their directories, that's the most likely reason you'll find newly created files (especially if created through some sort of automated process, such as the method you describe which bases the new content off of cached files in your home directory) to be seemingly mislabeled. I'll post this explanation as an answer you can mark as correct, but if @randomuser thinks I've snaked him on this one, I'll let him have it. =)

edit flag offensive delete link more


Seems like it was converted from a comment to an answer - marked as correct. Thanks for the help, both you and @randomuser!

jflory7 gravatar imagejflory7 ( 2015-10-05 11:24:49 -0500 )edit

+1 from me :)

randomuser gravatar imagerandomuser ( 2015-10-05 22:48:54 -0500 )edit

Haha - thanks!

bitwiseoperator gravatar imagebitwiseoperator ( 2015-10-06 08:11:29 -0500 )edit

Question Tools



Asked: 2015-09-26 15:25:46 -0500

Seen: 192 times

Last updated: Oct 05 '15