Affected versions: RHEL 10

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

The application fails with permission-denied errors even though Unix permissions look correct.

Environment & Reproduction

This usually happens after application files are moved to a non-standard path without updating their SELinux context.

getenforce ; sudo ausearch -m avc -ts recent

Root Cause Analysis

SELinux Mandatory Access Control denies the process access because file labels or booleans are incorrect.

Quick Triage

Identify the exact denied class and source context before applying any policy change.

sudo journalctl -t setroubleshoot -n 50 ; sudo ausearch -m avc -ts recent | tail -n 30
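
The triage step above, as an added example that is not part of the original page: a shell function that reduces AVC records to source type, target type, object class and permission, so repeated denials collapse into one line each. The sample records and the names `sample_avc` and `avc_summary` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: group AVC denials by source type, target type, class, permission.

# Constructed sample records (not taken from a real host).
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:410): avc:  denied  { read } for  pid=2001 comm="httpd" name="index.html" dev="dm-0" ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:410): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000003.220:415): avc:  denied  { read } for  pid=2004 comm="httpd" name="app.css" dev="dm-0" ino=1202 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.877:431): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Read audit records on stdin; print "count source_type target_type class perms comm=...".
avc_summary() {
  awk '
    # Value of key=value in the current record, with quotes stripped.
    function field(key,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          v = substr($i, length(key) + 2)
          gsub(/"/, "", v)
          return v
        }
      return ""
    }
    # The SELinux type is the third colon-separated part of a context.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }

    /avc:/ && /denied/ {
      perms = $0                       # permissions sit between the braces
      sub(/^[^{]*[{] */, "", perms)
      sub(/ *[}].*$/, "", perms)
      gsub(/ +/, ",", perms)
      key = setype(field("scontext")) " " setype(field("tcontext")) " " field("tclass") " " perms " comm=" field("comm")
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Demo run on the constructed records.
sample_avc | avc_summary
```

On a host, pipe the page's own query into it: `sudo ausearch -m avc -ts recent | avc_summary`. A file-class denial against a generic type such as `var_t` points to a labeling fix, while a `name_connect` denial on `tcp_socket` points to a boolean.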

Step-by-Step Diagnosis

Review AVCs, inspect file labels, and test candidate allow rules safely.

ls -lZ /var/www/html ; sudo sealert -a /var/log/audit/audit.log ; sudo getsebool -a | grep httpd

Solution — Primary Fix

Restore proper file contexts and enable required SELinux booleans for the service.

sudo semanage fcontext -a -t httpd_sys_content_t '/srv/myapp(/.*)?' ; sudo restorecon -Rv /srv/myapp ; sudo setsebool -P httpd_can_network_connect on ; sudo systemctl restart httpd

Solution — Alternative Approaches

Create a minimal custom policy module from AVC logs when booleans and labels are insufficient.

Verification & Acceptance Criteria

No new AVC denials appear for the target service, and application endpoints return success.

sudo ausearch -m avc -ts recent ; curl -I http://localhost ; systemctl status httpd

Rollback Plan

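Remove the custom module or temporary fcontext entries if they over-permit access, then relabel so the files on disk no longer carry the removed context.

sudo semodule -l | grep myapp ; sudo semodule -r myapp_custom ; sudo semanage fcontext -d '/srv/myapp(/.*)?' ; sudo restorecon -Rv /srv/myapp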

Prevention & Hardening

Never disable SELinux globally; use correct labels and least-privilege policy changes.

Related Errors & Cross-Refs

These denials can look similar to firewalld issues, file ACL problems, or systemd sandbox restrictions.

References & Further Reading

RHEL SELinux User and Administrator Guide with semanage and restorecon examples.
