Mailing List Archive



[tlug] Troubleshooting SELinux enforcement on httpd daemon



Hi Tluggers,

After doing a yum update on this CentOS server, suddenly httpd and
mysqld were not starting. Logs showed a lot of avc:denied messages IRT
httpd so to troubleshoot I disabled SELinux enforcement on httpd using
system-config-securitylevel. After this httpd started fine, so I reset
the contexts of the server using restorecon -v -R, restarted the
enforcement of SELinux on httpd, restarted the http daemon and voila it
came up fine. The only remaining issue now is that httpd can't serve
data from symlinked filesystems where it could before. When you try to
access pages that are not in the /var/www filesystem you get an error
like this:

 You don't have permission to access /foo/bar on this server.

 Additionally, a 403 Forbidden error was encountered while trying to use
 an ErrorDocument to handle the request.

Of course the .htaccess files have not changed or anything, so it's
gotta be SELinux. Logs give this:

Jan  4 11:09:48 slackisland kernel: audit(1199412588.320:229): avc:
denied  { getattr } for  pid=2692 comm="httpd" name="Foobar" dev=dm-4
ino=4884727 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:var_t tclass=lnk_file

So I guess I need to update the context to allow lnk_file or something.
I'm still a newbie at SELinux so I thought I would ask if anyone has any
advice on this. Plus maybe solving this will be informative for anyone
else playing around with SELinux. Any hints? Thanks in advance.

Cheers,
Scott VanDusen
Tokyo
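
The AVC record quoted in the message above, split into its fields. This is an added example, not part of the original post; the names parse_avc and summarize are hypothetical. It re-joins the mail-wrapped lines and groups denials by source type, target type and object class:

```python
import re
from collections import defaultdict

# The denial quoted in the post, re-joined from its mail-wrapped lines.
SAMPLE = (
    'Jan  4 11:09:48 slackisland kernel: audit(1199412588.320:229): avc: '
    'denied  { getattr } for  pid=2692 comm="httpd" name="Foobar" dev=dm-4 '
    'ino=4884727 scontext=root:system_r:httpd_t '
    'tcontext=system_u:object_r:var_t tclass=lnk_file'
)

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Parse one AVC record (possibly line-wrapped) into a dict, or None."""
    flat = ' '.join(text.split())      # undo wrapping and doubled spaces
    m = AVC_RE.search(flat)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec.update(result=m.group('result'), perms=m.group('perms').split())
    # A context is user:role:type, optionally followed by an MLS range.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        if len(parts) < 3:
            return None                # malformed or truncated record
        rec[key[0] + 'type'] = parts[2]
    return rec


def summarize(records):
    """Group denials: (source type, target type, class) -> permissions."""
    out = defaultdict(set)
    for r in records:
        if r and r['result'] == 'denied':
            out[(r['stype'], r['ttype'], r.get('tclass'))].update(r['perms'])
    return dict(out)


if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize([parse_avc(SAMPLE)]).items():
        print(f'{src} denied {{{" ".join(sorted(perms))}}} on {cls} labelled {tgt}')
```

For the record in the post this reports that the httpd_t domain was denied getattr on a lnk_file object labelled var_t, i.e. the denial concerns the label on the symlink named "Foobar" itself.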








