Find if permission denied errors are caused by SELinux

SELinux, short for Security-Enhanced Linux, is a Linux security module (originally developed by the NSA) that ships with many server distributions, including CentOS. It adds mandatory access control on top of the ordinary file permissions, which improves server security but also means that a file with perfectly correct ownership and mode bits can still produce an unexpected "permission denied" error.

If you get such an error on a server with SELinux enabled and there are no obvious file permission issues, check whether SELinux is the cause. First, check its status (as root):

sestatus

You should get something like this:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

"Current mode: enforcing" means SELinux is active and is actually blocking the accesses its policy denies. In "permissive" mode it only logs what it would have denied, and if the first line reads "SELinux status: disabled" the module is not loaded at all (the mode then comes from /etc/selinux/config and changing it needs a reboot).

To switch SELinux to permissive mode temporarily (the change is lost at the next reboot), run:

setenforce 0

If this resolves the problem and the "permission denied" errors stop, SELinux was denying the access. Note that setenforce 0 does not disable SELinux, it only stops enforcing, so the denials keep being logged and can be used for troubleshooting. Re-enable enforcing with setenforce 1 as soon as you have confirmed the cause, and fix the root cause instead of leaving the server permissive.

To help with troubleshooting, check the SELinux denials, which are logged as AVC records in /var/log/audit/audit.log. Each record names the process (comm), the denied permission, the source context of the process (scontext), the target context of the file or port (tcontext) and the object class (tclass). ausearch -m avc -ts recent lists the recent records, and if setroubleshoot is installed, sealert -a /var/log/audit/audit.log explains them and suggests fixes.

Very often the cause is an incorrect security context (also called a security label) on the affected files or directories, for example content copied or moved into the web root from a home directory, which keeps its old label. To view the security context SELinux has applied to files or directories, run one of the following commands (they all display security contexts, just in different formats):

ls -Z or ls --context
ls --lcontext
ls --scontext

To change the security context, use the chcon command, e.g. to label a web root for Apache:

chcon -R -t httpd_sys_content_t /www/sites

httpd_sys_content_t - Apache Read-Only access
httpd_sys_rw_content_t - Apache Read/Write access
httpd_log_t - Apache log files
httpd_cache_t - Apache caching

or copy the context from a reference directory that is already labelled correctly:

chcon -R --reference=/var/www/html /www/sites

Keep in mind that chcon only changes the labels on disk, not the policy's idea of what they should be. The next relabel (restorecon, or a full relabel triggered by touching /.autorelabel) resets the files to the policy defaults, and on a non-standard path like /www/sites the default is not an httpd type. The persistent fix is to add a file-context rule for the path with semanage fcontext and then apply it with restorecon; chcon is fine for confirming the diagnosis.
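The troubleshooting steps above (read the AVC denials out of audit.log, look at the type in the target context, then relabel) as one script. This is an added example, not part of the original post: the audit records in SAMPLE_AUDIT_LOG are constructed for the example, /www/sites is assumed to be the web root, and the relabel hints follow the type list given above (httpd_sys_content_t for read-only content, httpd_sys_rw_content_t where Apache needs to write), printing the persistent semanage fcontext + restorecon form rather than chcon.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit.log-style records
# and print a persistent relabel for file/dir denials that look like a
# wrong label on web content. Not from the original post.
#
# The records below are constructed for this example (a real audit.log also
# carries SYSCALL and other record types, which the parser ignores).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1420070400.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1420070400.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1420070401.456:457): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload" dev="dm-0" ino=7654321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1420070402.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# avc_denials LOGTEXT
# Prints one line per AVC denial in the form
#   <comm>: denied {<perms>} on <tclass> "<name>" labelled <target type>
# The target type is the third field of tcontext (user:role:type:level).
avc_denials() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && / denied / {
            perm = ""; inperm = 0; comm = "?"; name = "-"; tclass = "?"; ttype = "?"
            for (i = 1; i <= NF; i++) {
                # permissions sit between "{" and "}" and may be several words
                if ($i == "{") { inperm = 1; continue }
                if ($i == "}") { inperm = 0; continue }
                if (inperm) { perm = (perm == "" ? $i : perm " " $i); continue }
                eq = index($i, "=")
                if (eq == 0) continue
                key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                gsub(/"/, "", val)
                if (key == "comm") comm = val
                else if (key == "name") name = val
                else if (key == "tclass") tclass = val
                else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
            }
            printf "%s: denied {%s} on %s \"%s\" labelled %s\n", comm, perm, tclass, name, ttype
        }'
}

# relabel_hint DENIAL_LINE PATH
# For file/dir denials, prints the persistent relabel commands for PATH
# (pass the narrowest directory that needs the label). Returns 1 when the
# denial is not a labelling problem this script knows how to fix, e.g. a
# network denial, which needs an SELinux boolean or port rule instead.
relabel_hint() {
    line=$1; root=$2
    case $line in
        *" on file "*|*" on dir "*) ;;
        *) return 1 ;;
    esac
    case $line in
        *" labelled httpd_sys_content_t")
            # read-only content type but Apache needs to write: use the rw type
            case $line in
                *"{"*write*"}"*|*"{"*create*"}"*|*"{"*add_name*"}"*|*"{"*remove_name*"}"*)
                    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$root" ;;
                *) return 1 ;;
            esac ;;
        *" labelled httpd_"*) return 1 ;;   # already an httpd type; not a label problem
        *) printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$root" ;;
    esac
    printf 'restorecon -Rv %s\n' "$root"
}

# Demo: list the denials and, where applicable, the relabel for /www/sites
# (assumed web root). A real run would replace SAMPLE_AUDIT_LOG with
# "$(ausearch -m avc -ts recent)" or the contents of /var/log/audit/audit.log.
avc_denials "$SAMPLE_AUDIT_LOG" | while IFS= read -r d; do
    printf '%s\n' "$d"
    relabel_hint "$d" /www/sites || true
done
```

The script only reads the log and prints the commands; review them before running, because a file-context rule applied to the whole web root with the rw type would make every file under it writable by Apache, which is rarely what you want.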


01.2015
CentOS 7


