This is where I have actually come to appreciate SELinux. A newer dev comes along and sets a folder in the document root to 777, thinking that will solve their problems. SELinux still needs to explicitly allow that folder to be writable. That slows them down long enough to come find me, and then we get to have the proper conversation about what needs to happen. A folder in the document root with 777 scares the crap out of me.
Do you know of any good intro to SELinux guides? I'm hoping to use it to lock down webroots to prevent other users from modifying them even if the user messes up all the permissions via SFTP.
Sadly, no. I only play a sysadmin on TV ;-) I don't fully feel like I have grokked SELinux, but when things behave unexpectedly, it takes me less and less time to remember to check if SELinux is involved. I have at least come to accept that it is there to help, and it has saved me from doing some really dumb things.
One thing to know is that there is a specific setting to allow httpd to write to a folder. There is a way to list files, `ls -Z`, that shows you the SELinux context for files/folders. httpd error_log entries will just give permission denied errors, but if you feel like the perms are correct, SELinux will probably be why you're getting denied. That's how I started learning. One error at a time.
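
Added example, not part of the thread: when error_log only shows "permission denied", the matching SELinux denial is recorded as an AVC record in the audit log, and this script lists which objects the web server domain (`httpd_t`) was refused write access to. The log lines, the function names and the `/var/www/html/uploads` path are constructed for illustration.

```shell
#!/bin/sh
# Constructed AVC records in audit.log format (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:411): avc:  denied  { write } for  pid=2210 comm="httpd" name="uploads" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000003.517:412): avc:  denied  { getattr } for  pid=2210 comm="httpd" name="index.php" dev="dm-0" ino=9010 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000009.002:413): avc:  denied  { write add_name } for  pid=2214 comm="php-fpm" name="cache" dev="dm-0" ino=9044 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000011.730:414): avc:  denied  { write } for  pid=3001 comm="logrotate" name="site.log" dev="dm-0" ino=9050 scontext=system_u:system_r:logrotate_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000012.440:415): avc:  denied  { write } for  pid=2210 comm="httpd" name="uploads" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
EOF
}

# Read audit records on stdin; print "name tclass target_type" once for each
# object that a process in the httpd_t domain was denied write access to.
httpd_write_denials() {
  awk '
    /avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
      # Isolate the permission list between "{ " and " }".
      perms = $0; sub(/.*[{] /, "", perms); sub(/ [}].*/, "", perms)
      if ((" " perms " ") !~ / write /) next
      name = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      key = name " " tclass " " ttype
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

sample_audit_log | httpd_write_denials

# On a real host, feed it the audit log instead (needs root):
#   httpd_write_denials < /var/log/audit/audit.log
# If a listed directory really must be writable by the web server, one common
# fix is to give only that directory the read-write content type and relabel
# it (placeholder path), rather than loosening mode bits:
#   semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/uploads(/.*)?"
#   restorecon -Rv /var/www/html/uploads
#   ls -Zd /var/www/html/uploads   # confirm the new context
```

A target type of `httpd_sys_content_t` in the output means the directory is labelled as read-only web content, which is why a 777 mode alone does not make it writable.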