A CentOS file server also hosts an internal web application from /var/www/html. A junior administrator recently copied user-supplied files into that directory with the command cp -a /home/upload/*.pdf /var/www/html/. Immediately afterward, the application began returning HTTP 403 Forbidden when those PDFs are requested. The Apache error log shows "Permission denied," and /var/log/audit/audit.log contains AVC messages in which httpd_t is denied read access to objects labeled user_home_t. No traditional POSIX permissions were changed.
Which action should you take first to restore user access while keeping SELinux protections in place?
Add Require all granted to the Apache virtual-host configuration and reload the httpd service.
Temporarily disable SELinux enforcement with setenforce 0, verify access, and re-enable it after testing.
Recursively change ownership of the files to apache:apache and set permissions to 755.
Run restorecon -R /var/www/html to reset the files and directories to their default SELinux contexts.
Copying files with the -a (archive) option preserves all attributes, including SELinux labels. As a result, the PDFs carried the user_home_t type from the users' home directories into /var/www/html. By default the httpd_t domain is not allowed to read objects of type user_home_t, so SELinux blocks the access and the web server returns HTTP 403.
The supported fix is to relabel the affected path so that it regains the default httpd_sys_content_t type. The restorecon -R command consults the active policy and recursively applies the correct label to every item under /var/www/html, restoring normal access without weakening SELinux. Running setenforce 0 would make the PDFs readable, but it switches SELinux to permissive mode and so removes enforcement for the whole system. Changing Apache directives or file ownership does not address the label mismatch, so access would still fail until the contexts are corrected.
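The diagnosis above can be confirmed from the audit log before relabeling. The following is an added example, not part of the original question: it parses AVC records and lists the objects that httpd_t was denied because they carry the user_home_t type. The function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list objects that httpd_t was denied because of their SELinux type.
# The records below are constructed samples in the audit.log AVC format.

sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2211 comm="httpd" path="/var/www/html/report.pdf" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { getattr } for  pid=2211 comm="httpd" path="/var/www/html/report.pdf" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000003.417:509): avc:  denied  { read } for  pid=2214 comm="httpd" path="/var/www/html/invoice.pdf" dev="dm-0" ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000003.417:509): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000010.900:530): avc:  denied  { write } for  pid=3001 comm="sshd" name="custom.log" dev="dm-0" ino=2001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
EOF
}

# Read audit records on stdin; print "domain target_type class object" for each denial.
avc_denials() {
  awk '
    /type=AVC/ && /denied/ {
      dom = ttype = cls = obj = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)         { split($i, s, ":"); dom = s[3] }    # user:role:TYPE:level
        else if ($i ~ /^tcontext=/)    { split($i, t, ":"); ttype = t[3] }
        else if ($i ~ /^tclass=/)      { cls = substr($i, 8) }
        else if ($i ~ /^(path|name)=/) { obj = substr($i, 6); gsub(/"/, "", obj) }
      }
      print dom, ttype, cls, obj
    }'
}

# Unique objects the web server domain could not access because they are typed user_home_t.
mislabeled_for_httpd() {
  avc_denials | awk '$1 == "httpd_t" && $2 == "user_home_t" { print $4 }' | sort -u
}

sample_audit_log | mislabeled_for_httpd
```

On the server, feed the real log instead of the sample, for example `mislabeled_for_httpd < /var/log/audit/audit.log`, and confirm the relabel afterward with `ls -Z /var/www/html`.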