I'm trying to start small webpage just for fun.

Fedora 17 64bit

[root@coolermaster laresa]# ls -al
total 1640
drwxr-xr-x. 2 root root 4096 Jul 7 22:52 .
drwxr-xr-x. 4 root root 4096 Jul 7 21:35 ..
-rwxr-xr-x. 1 root root 220 Jun 19 10:28 laresa.html
-rwxr-xr-x. 1 jaison jaison 995005 Jul 7 22:28 newyorkdog.png
-rwxr-xr-x. 1 jaison jaison 668494 Jun 18 23:17 us.png

Why is it that i can serve up us.png just fine, but newyorkdog.png trips an selinux alert and a 403 Forbidden? They both have the same file permissions.

Any ideas?

You could disable SELinux like I always do.

You could disable SELinux
after

after restart...

Disabling SELinux without even trying to troubleshoot the issue is like sticking your head in the sand.
Probably wrong context ('ls -alZ') or missing boolean for non-/var/www location.
Either Setroubleshootd, /var/log/messages or /var/log/audit/audit.log should indicate.

Like sticking your head in the sand? Come on man, not all of us are as proficient as you with the kind of solution you present here. Nor do we all have the time it takes to learn. I'm pretty sure there are quite a few users not talking about it who disable SElinux. It's just not necessary for most users. It became a headache very quickly several years ago to me, almost constantly troubleshooting something to do with SElinux. The man just wants to build a simple web page. I'm offering him a simple way around the problem he's having without leaving him open to security risks. I say let's keep the fun in Linux. SElinux has been a pain and a joke since it's inception, just like Pulseaudio. Yes, I disable that too, every time I upgrade.

It's clear old open sores and misconception formed your opinion and made you post your so-called "advice". By suggesting the OP to disable it, you've forgotten four things:
- Fedora is a community project. Everyone can help out. Should help out. Reporting changes helps make the product better. Disabling SELinux does not.
- Security: like Fedora SELinux is a work in progress. Disabling SELinux may be helpful now in terms of shallow and instant gratification but it is not a long-term solution. Disabling SELinux is not even necessary when a workaround is possible. While there are other means to secure slash harden a machine, SELinux offers a substantial and "combat-proven" increase. Disabling SELinux lowers the security posture of the whole machine and here seems disproportional for "fixing" just one measly problem.
- (mis)Information: when SELinux was in its infancy there were Real Life reasons to disable it. Unfortunately the reflex still exists and is often advertised without careful thought. Since there is no comparable alternative (GRSecurity-enabled kernel or another MAC or moving to another OS) that's usable, maintained and supported we should advertise instead it's OK to run it because much has improved since more recent Fedora releases, it's maintained and supported and help can be had for the asking. The Fedora web site provides tons of easily readable documentation to start troubleshooting and fixing the problem.

Suggesting to turn off SELinux completely is not helping Fedora, the LQ Community, SELinux and the OP. IMHO.

@ unspawn: I figured I'd get that kind of response from you. In fact I was counting on it. Bye.

NOT just unspawn!!!

you should NEVER disable it
except for the normal testing to see IF you NEED to create a new SE rule
and to see IF it is SE and not a miss configuring of something else

on fedora you have" SELinuxTroubleShooter" install ed BY DEFAULT
a little yellow/gold star will show up informing you there IS an error

read the error !
trouble shooter will post THE FIX in that error
and 99 % of the time it works

for that 1 % you need to wright a new SE rule ,using "audit2allow"

SELinux is VERY VERY easy to use these days
a bit old but...
http://fedoraproject.org/wiki/SELinux
and PLEASE FALLOW the guides for troubleshooting
http://fedoraproject.org/wiki/SELinux/Troubleshooting
http://rackerhacker.com/2012/01/25/g...-with-selinux/


turning it off is like

having ADT home security installed in your house
BUT because you can NOT be bothered using the key pad to type in a password and turn it on or off

you KEEP it OFF and REALLY ONLY on the sticker on the door

yea selinux is good. plus its easy.

# this will show you the selinux permissions.
ls -lZ /path/to/files
# ... just an example ...
drwx------ user group user_ubject_r:user_home_t bin
-rw-rw-r-- user group user_ubject_r:user_home_t some.tar


Then you can find the logs about why something is failing in /var/log/audit/audit.log. So cause the failure and do, this will show you why its failing. Read them they are pretty self explanatory.
sudo tail /var/log/audit/audit.log
#... just an example ... Here the problem was the context was unconfined_t, i needed to relabel the file.
type=USER_CMD msg=audit(13391111118.101:30000): user pid=795 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='cwd="/path/to/file" cmd=7888999463336562121E20266671711 (terminal=pts/0 res=failed)'

# Then run this. It may tell you to relabel your files. something like restorecon /path/to/file, in which case just do that. but if it shows a module type output, see John VV's links for more info,
# you will need to make a new module to fix it.
sudo tail /var/log/audit/audit.log | audit2allow

###
### My guess is you need to do restorecon on your newyorkdog.png file.
###

# then to fix it you can do.
sudo tail /var/log/audit/audit.log | audit2allow -M test
sudo semodule -i test.pp

# this should solve your problem. If you find you need to add stuff to test.pp, then you can change the audit2allow command like this.
sudo tail /var/log/audit/audit.log | audit2allow -o test
sudo semodule -i test.pp

this will add "more" to the test.pp module. So you can try it and if you get another failure for a different file or something.

Well I just had a quick scan of http://fedoraproject.org/wiki/SELinux and frankly I'm lost. I'm not a programmer, don't know any programing languages unless you count HTML with a little CSS thrown in. I don't run any servers. It looks to me like the proponents of SElinux are saying if you don't use it you shouldn't use Linux. Which is odd because I've been using Linux very sucessfully now since 2002. I keep a firewall up and I know enough about it to serve my needs. So, is SElinux mainly for people running HTTP and/or FTP servers? I can't really tell from the provided links.