I've set up a simple web server for private use (though I will enable https access from outside the network), but I want some of the content to be outside the default /var/www/html tree. When I do this, I get file access errors when SELinux is enabled, but not when I set 'setenforcing=0'.
I'd prefer to use SELinux as intended, so what do I need to do?
poc
Patrick O'Callaghan wrote:
I've set up a simple web server for private use (though I will enable https access from outside the network), but I want some of the content to be outside the default /var/www/html tree. When I do this, I get file access errors when SELinux is enabled, but not when I set 'setenforcing=0'.
I'd prefer to use SELinux as intended, so what do I need to do?
You should just need to set the proper file context for the new location. The `semanage fcontext` command is what you'd use. There are a few options:
semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
restorecon -F -R -v /var/httpd
or
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -R -v /web
The first is from semanage-fcontext(8) and the second is from httpd_selinux(1) (in the selinux-policy-doc package)¹.
Either context should work. The `public_content_t` works across some other services, so it's a little more generic (plus it's shorter and clearer, at least to me). The difference in path for those examples is inconsequential.
¹ Yes, if you knew what command to use, finding the manpage would be the easy part. :)
The *_selinux man pages are pretty handy. A large number of SELinux confined services have similar man pages. They're generally a good starting point for finding out how to manage and adjust the policy for a given service.
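As an added example (not code from the thread), a small POSIX sh script that wraps the two commands above: it builds the `semanage` regex from a directory path, applies the rule, runs `restorecon`, and then verifies with `ls -dZ` that every file in the tree carries a type httpd can read. It assumes `semanage` and `restorecon` are installed and that it runs as root; the directory and type are parameters.

```shell
#!/bin/sh
# Label a web-content tree outside /var/www for httpd, then verify it.
# Assumes: semanage (policycoreutils-python-utils), restorecon, root.
set -eu

# Turn a directory path into the anchored regex semanage expects
# ("/web" -> "/web(/.*)?"), escaping regex metacharacters in the path.
fcontext_regex() {
    printf '%s(/.*)?\n' "$(printf '%s\n' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g')"
}

# Extract the SELinux type from one "ls -dZ" line, e.g.
# "unconfined_u:object_r:httpd_sys_content_t:s0 /web" -> httpd_sys_content_t
type_of() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Types that httpd_t may read (read-only content, as in the thread).
is_web_readable() {
    case "$1" in
        httpd_sys_content_t|public_content_t) return 0 ;;
        *) return 1 ;;
    esac
}

label_webroot() {
    dir=$1
    type=${2:-httpd_sys_content_t}
    regex=$(fcontext_regex "$dir")
    # "-a" fails if a rule for this regex already exists; fall back to "-m".
    semanage fcontext -a -t "$type" "$regex" 2>/dev/null \
        || semanage fcontext -m -t "$type" "$regex"
    restorecon -R -v "$dir"
    # Verify: anything still carrying another type would be denied to httpd.
    find "$dir" -exec ls -dZ {} + | while read -r line; do
        t=$(type_of "$line")
        is_web_readable "$t" || { echo "mislabeled: $line" >&2; exit 1; }
    done
}

# Usage (not run here so the file can be sourced): label_webroot /web
```

Run it as `label_webroot /web` (or with a second argument of `public_content_t`); a non-zero exit with a "mislabeled:" line means restorecon did not cover that path and the regex needs adjusting.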
On Fri, 2023-04-07 at 10:17 -0400, Todd Zullinger wrote:
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -R -v /web
That seems to do the trick, thanks.
Yes, if you knew what command to use, finding the manpage [...]
The old UNIX joke was that any man page was really easy to understand as long as you read all the others first.
poc