I'm enabling SELinux on a server, and the httpd server (nginx and Phusion Passenger) is unable to read the app's dir (`/home/app`), with the following message:
```
#============= httpd_t ==============
#!!!! WARNING: 'home_root_t' is a base type.
#!!!! The file '/home/app/config.ru' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /home/app/config.ru
allow httpd_t home_root_t:file { getattr open read };
```
I'd like to keep SELinux on, but enable this.
- What command do I use to relabel `/home/app` so that httpd can read it?
- Will this survive reboots?
- I'd like this to be sticky, so that if I `rm /home/app` and put other content there (e.g. an app upgrade), I don't need to relabel it.
- And of course it should apply to subdirs as well (`/home/app/sub`), both existing and future.
- Finally, there are log files in `/home/app/log`, and I'll need rw access to it. I'd be willing to allow rw access to the entire `/home/app` if necessary.
How can I configure SELinux to work with my custom app?