
On 3/3/25 2:30 AM, Filippo Bonazzi wrote:
> In fact, hold up on doing the above. It looks like this could just be due to bad labeling as well, as suggested by Andrei above. Have you tried simply running
>
> $ restorecon -Rv /srv/http
>
> and seeing if that is enough?
>
> /srv/http *is* a custom path, but there is some allowance for it in the policy. Note I'm not an expert in web servers or the SELinux policy for them.
Luckily so far I've only done the chcon -R -t httpd_sys_rw_content_t /srv/http and that seems to have survived so far.

For now I'm having to run SELinux in permissive mode due to something breaking the properties on /var/log/php.log, which prevents php-fpm from starting when SELinux is enforcing:

type=AVC msg=audit(1741223800.854:322): avc: denied { open } for pid=13651 comm="php-fpm" path="/var/log/php-fpm.log" dev="nvme0n1p5" ino=19138140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1

So pretty much everything works except for some strange jpg issue with splash screens and greeter backgrounds. (I'm not even worried about those at the moment.)

The last zypper dup broke a lot of SELinux permissions and there is currently a bug open on it:

Bug 1238403 - https://bugzilla.opensuse.org/show_bug.cgi?id=1238403

We will wait until that bug is resolved to restore SELinux to enforcing mode.

--
David C. Rankin, J.D.,P.E.
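
The AVC denial quoted in the message above, broken into its fields so the source domain, the target file label and the permissive flag can be read off directly. This is an added example, not part of the original post; the function names `parse_avc` and `summarize` are hypothetical.

```python
import re
from datetime import datetime, timezone

# Sample input: the AVC record quoted in the message above.
SAMPLE = ('type=AVC msg=audit(1741223800.854:322): avc: denied { open } for '
          'pid=13651 comm="php-fpm" path="/var/log/php-fpm.log" '
          'dev="nvme0n1p5" ino=19138140 '
          'scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*'
    r'(?P<result>denied|granted)\s*\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields in one AVC record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if 'scontext' not in rec or 'tcontext' not in rec:
        return None
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    rec['time'] = datetime.fromtimestamp(float(m.group('epoch')), tz=timezone.utc)
    # Contexts are user:role:type:level; policy rules match on the type field.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    # permissive=1: the access was logged but allowed; permissive=0: it was blocked.
    rec['blocked'] = rec.get('permissive') == '0'
    return rec


def summarize(rec):
    """One-line description of a parsed record for triage."""
    state = 'blocked' if rec['blocked'] else 'logged only (permissive)'
    return (f"{rec['comm']} ({rec['source_type']}) {'/'.join(rec['perms'])} "
            f"{rec['tclass']} {rec.get('path', '?')} "
            f"labeled {rec['target_type']}: {state}")


if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```
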