Affected versions: Oracle Linux 10


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Apache returns 403/500 after content is moved to a custom directory that is not labeled for httpd access.

Environment & Reproduction

Frequently triggered after migrations to `/srv` or mounted storage.

getenforce
ls -Zd /srv/www/site
systemctl status httpd

Root Cause Analysis

The SELinux contexts on the directory and its files do not match what policy expects for access from the `httpd_t` domain, causing AVC denials.

Quick Triage

Confirm that SELinux is the source of the denial before changing policy.

ausearch -m avc -ts recent
sealert -a /var/log/audit/audit.log | head -n 40
journalctl -u httpd -n 50 --no-pager
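
An added example, not part of the original page: a shell function that reduces raw AVC records to one line per distinct `httpd_t` denial and tags each with the fix from this page it points toward (relabel the content, or consider the `httpd_can_network_connect` boolean). The function names, hint labels and sample records are constructed for illustration, and the hints are heuristics rather than policy analysis.

```shell
#!/bin/sh
# Added example (not from the original page). Hints are heuristics only.

# Constructed sample AVC records in audit.log format (not from a real host).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.456:457): avc:  denied  { read } for  pid=1240 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000005.789:460): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000009.001:470): avc:  denied  { getattr } for  pid=2001 comm="logrotate" path="/srv/www/site/access.log" dev="dm-0" ino=12400 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Reads AVC records on stdin and prints one line per distinct httpd_t denial:
#   <hint> <target_type> <tclass> <perms> <name|path|dest>
# hint: relabel = file-class object with an unexpected type (check fcontext),
#       boolean = outbound connect (httpd_can_network_connect may apply),
#       review  = anything else; read the full record before acting.
triage_httpd_avc() {
  awk '
    /avc: +denied/ {
      src = ""; tgt = ""; cls = ""; obj = ""
      # Permission set is the text between the braces.
      perms = $0
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms); gsub(/ /, ",", perms)
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (!eq) continue
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
        if (k == "scontext")      { split(v, c, ":"); src = c[3] }  # type is 3rd field
        else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
        else if (k == "tclass")   cls = v
        else if (k == "name" || k == "path" || k == "dest") { gsub(/"/, "", v); obj = v }
      }
      if (src != "httpd_t") next          # ignore denials from other domains
      if (cls == "tcp_socket" && perms ~ /name_connect/) hint = "boolean"
      else if (cls ~ /^(file|dir|lnk_file)$/)            hint = "relabel"
      else                                               hint = "review"
      line = hint " " tgt " " cls " " perms " " obj
      if (!(line in seen)) { seen[line] = 1; print line }   # de-duplicate repeats
    }'
}

sample_avc | triage_httpd_avc
```

On a host, the same function can read the output of the query above: `ausearch -m avc -ts recent | triage_httpd_avc`.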

Step-by-Step Diagnosis

Inspect labels and booleans relevant to web access.

semanage fcontext -l | grep httpd
getsebool -a | grep httpd
ps -eZ | grep httpd

Solution – Primary Fix

Assign the correct file context and relabel recursively.

sudo semanage fcontext -a -t httpd_sys_content_t '/srv/www/site(/.*)?'
sudo restorecon -Rv /srv/www/site
sudo systemctl restart httpd

Solution – Alternative Approaches

Enable a specific boolean only when the application's behavior requires that extended access, and leave unneeded ones off.

sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_read_user_content off

Verification & Acceptance Criteria

No new AVC denials appear and the application serves content correctly.

curl -I http://localhost
ausearch -m avc -ts recent
ls -Zd /srv/www/site

Rollback Plan

Remove the custom context rule if the wrong policy was applied.

sudo semanage fcontext -d '/srv/www/site(/.*)?'
sudo restorecon -Rv /srv/www/site
sudo systemctl restart httpd

Prevention & Hardening

Define SELinux labeling as part of deployment automation and validate after releases.

semanage fcontext -l | grep '/srv/www'
getenforce

Related Errors & Cross-Refs

Related issues include NFS context mounts, mislabeled custom ports, and policy module overuse.

References & Further Reading

RHEL SELinux user and administrator guide for file context management and AVC analysis.
