So, you have decided to leave SELinux enabled. Congratulations, you have just taken a major step in securing your Internet-facing system.
Let’s say you are hosting a website that needs to be updated using FTP. By default, webserver content is labeled as:
httpd_sys_content_t
This context prevents you from updating files using the FTP server. If both HTTP (Apache) and FTP (vsftpd) access is needed, the SELinux context should be:
public_content_rw_t
You can either run “chcon” to temporarily fix this, or make the changes permanent by adding a proper local SELinux rule:
semanage fcontext -a -t public_content_rw_t "/var/www/html(/.*)?"
restorecon -Rv /var/www/html
Replace “/var/www/html” by your actual DocumentRoot as defined in Apache. The “semanage” command merely adds the rule to the SELinux database. The “restorecon” command performs the actual relabeling of your files.
Verify your changes using “ls -lZ”:
[root@webserver www]# ls -lZ
drwxr-sr-x. ed www unconfined_u:object_r:httpd_sys_content_t:s0 cgi-bin
drwxr-sr-x. ed www unconfined_u:object_r:httpd_sys_content_t:s0 error
drwxr-sr-x. ed www unconfined_u:object_r:public_content_rw_t:s0 html
drwxr-sr-x. ed www unconfined_u:object_r:httpd_sys_content_t:s0 icons
Done!