🟠 High   ⏱ 5–30 min  Last verified: 20 May 2026
Affected versions: RHEL 10

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

httpd starts then serves 403/500 responses due to access denials on content paths.

Environment & Reproduction

Happens after deploying site files under custom directories without SELinux labeling.

systemctl status httpd ; sudo ausearch -m avc -ts recent | tail

Root Cause Analysis

Content path labels do not match expected httpd types, blocking reads or script execution.

Quick Triage

Review AVCs and check labels on DocumentRoot and writable paths.

ls -lZ /var/www /srv ; sudo journalctl -u httpd -n 80

Step-by-Step Diagnosis

Map required context types and enabled booleans for app behavior.

sudo semanage fcontext -l | grep httpd ; sudo getsebool -a | grep httpd
Illustrative mockup for rhel-10 — httpd-selinux-log
HTTPD AVC denials and startup errors — Illustrative mockup — Progressive Robot

Solution — Primary Fix

Assign correct contexts, restore labels, and restart httpd.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

sudo semanage fcontext -a -t httpd_sys_content_t '/srv/site(/.*)?' ; sudo restorecon -Rv /srv/site ; sudo setsebool -P httpd_can_network_connect on ; sudo systemctl restart httpd
Illustrative mockup for rhel-10 — httpd-selinux-fix
HTTPD starts after context restore — Illustrative mockup — Progressive Robot

Solution — Alternative Approaches

Package app into standard /var/www paths to minimize custom policy needs.

Verification & Acceptance Criteria

Site responds successfully and no new AVC denials occur for httpd domain.

curl -I http://localhost ; sudo ausearch -m avc -ts recent | grep httpd

Rollback Plan

Remove added fcontext rules and restore prior deployment path if necessary.

sudo semanage fcontext -d '/srv/site(/.*)?' ; sudo restorecon -Rv /srv/site

Prevention & Hardening

Integrate SELinux labeling into deployment pipeline and preflight checks.

Can overlap with firewalld blocks, PHP-FPM unit failures, or file ownership mistakes.

Related tutorial: View the step-by-step tutorial for rhel-10.

View all rhel-10 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

RHEL web server SELinux patterns and Apache hardening notes.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.