A systems administrator is troubleshooting an Apache web server on a Linux host that has SELinux in 'Enforcing' mode. The web server service is running, but it cannot serve content from a newly created directory at /srv/web. The administrator confirms standard Linux file permissions are correct and the firewall is not blocking requests. The audit log at /var/log/audit/audit.log contains avc: denied messages related to the httpd process and the /srv/web directory. Which of the following commands should the administrator use NEXT to diagnose the specific cause of the access denial?
The correct command to diagnose the problem is ls -Z /srv/web. The -Z option for the ls command displays the SELinux security context of files and directories. The avc: denied messages in the audit log strongly indicate that an SELinux policy is blocking access. The most likely cause is that the new /srv/web directory and its contents do not have the correct security context type (e.g., httpd_sys_content_t) that allows the httpd process to read them. Using ls -Z is the proper next step in the troubleshooting process because it verifies this theory by inspecting the current labels.
The setenforce 0 command switches SELinux to permissive mode, which logs but does not block policy violations. While this would likely make the website accessible, it is a temporary workaround that lowers security and does not diagnose the root cause of the incorrect context.
The chcon -t httpd_sys_content_t /srv/web command is used to change the security context. This is part of the solution, but it should only be performed after diagnosing the problem. The question asks for the next diagnostic step, not the resolution.
The systemctl status httpd command shows the operational status of the Apache service. The scenario already states that the service is running but failing to serve specific content, so this command is unlikely to provide new information about the file-level security denial.
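The avc: denied records already name the label that ls -Z /srv/web would show, in their tcontext field. The following added example, which is not part of the original question, summarizes the denials for httpd from constructed sample records so the target type can be compared with the listing; the function names avc_summary and label_ok and the sample log lines are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample records in the audit.log AVC layout (not taken from a real host).
SAMPLE_LOG='type=AVC msg=audit(1700000000.101:411): avc:  denied  { getattr } for  pid=2211 comm="httpd" path="/srv/web/index.html" dev="dm-0" ino=917511 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:412): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev="dm-0" ino=917511 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:420): avc:  denied  { read } for  pid=3000 comm="sshd" name="notes" dev="dm-0" ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read audit records on stdin and print one line per distinct denial for the
# given command name: "permissions source_type target_type object_class".
avc_summary() {
  local comm="$1"
  grep 'avc:  *denied' | grep "comm=\"${comm}\"" | awk '
    {
      perm = ""; s = ""; t = ""; c = ""
      # Permissions sit between "{ " and " }"; join several with commas.
      if (match($0, /[{] [^}]* [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level, so the type is the third part.
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      print perm, s, t, c
    }' | sort -u
}

# Exit 0 only when the type equals the web content type named in the explanation.
# Assumption: this example checks that single type and no other policy types.
label_ok() { [ "$1" = "httpd_sys_content_t" ]; }

# Demo run over the constructed records.
printf '%s\n' "$SAMPLE_LOG" | avc_summary httpd
```

On a live host the same function can read the real log, for example `avc_summary httpd < /var/log/audit/audit.log`, and the target type it reports should match what ls -Z /srv/web displays.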